Dash Core  0.12.2.1
P2P Digital Currency
tests.c
Go to the documentation of this file.
1 /**********************************************************************
2  * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5  **********************************************************************/
6 
7 #if defined HAVE_CONFIG_H
8 #include "libsecp256k1-config.h"
9 #endif
10 
11 #include <stdio.h>
12 #include <stdlib.h>
13 
14 #include <time.h>
15 
16 #include "secp256k1.c"
17 #include "include/secp256k1.h"
18 #include "testrand_impl.h"
19 
20 #ifdef ENABLE_OPENSSL_TESTS
21 #include "openssl/bn.h"
22 #include "openssl/ec.h"
23 #include "openssl/ecdsa.h"
24 #include "openssl/obj_mac.h"
25 #endif
26 
27 #include "contrib/lax_der_parsing.c"
28 #include "contrib/lax_der_privatekey_parsing.c"
29 
30 #if !defined(VG_CHECK)
31 # if defined(VALGRIND)
32 # include <valgrind/memcheck.h>
33 # define VG_UNDEF(x,y) VALGRIND_MAKE_MEM_UNDEFINED((x),(y))
34 # define VG_CHECK(x,y) VALGRIND_CHECK_MEM_IS_DEFINED((x),(y))
35 # else
36 # define VG_UNDEF(x,y)
37 # define VG_CHECK(x,y)
38 # endif
39 #endif
40 
41 static int count = 64;
42 static secp256k1_context *ctx = NULL;
43 
44 static void counting_illegal_callback_fn(const char* str, void* data) {
45  /* Dummy callback function that just counts. */
46  int32_t *p;
47  (void)str;
48  p = data;
49  (*p)++;
50 }
51 
52 static void uncounting_illegal_callback_fn(const char* str, void* data) {
53  /* Dummy callback function that just counts (backwards). */
54  int32_t *p;
55  (void)str;
56  p = data;
57  (*p)--;
58 }
59 
60 void random_field_element_test(secp256k1_fe *fe) {
61  do {
62  unsigned char b32[32];
63  secp256k1_rand256_test(b32);
64  if (secp256k1_fe_set_b32(fe, b32)) {
65  break;
66  }
67  } while(1);
68 }
69 
70 void random_field_element_magnitude(secp256k1_fe *fe) {
71  secp256k1_fe zero;
72  int n = secp256k1_rand_int(9);
73  secp256k1_fe_normalize(fe);
74  if (n == 0) {
75  return;
76  }
77  secp256k1_fe_clear(&zero);
78  secp256k1_fe_negate(&zero, &zero, 0);
79  secp256k1_fe_mul_int(&zero, n - 1);
80  secp256k1_fe_add(fe, &zero);
81  VERIFY_CHECK(fe->magnitude == n);
82 }
83 
84 void random_group_element_test(secp256k1_ge *ge) {
85  secp256k1_fe fe;
86  do {
87  random_field_element_test(&fe);
88  if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_rand_bits(1))) {
89  secp256k1_fe_normalize(&ge->y);
90  break;
91  }
92  } while(1);
93 }
94 
95 void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) {
96  secp256k1_fe z2, z3;
97  do {
98  random_field_element_test(&gej->z);
99  if (!secp256k1_fe_is_zero(&gej->z)) {
100  break;
101  }
102  } while(1);
103  secp256k1_fe_sqr(&z2, &gej->z);
104  secp256k1_fe_mul(&z3, &z2, &gej->z);
105  secp256k1_fe_mul(&gej->x, &ge->x, &z2);
106  secp256k1_fe_mul(&gej->y, &ge->y, &z3);
107  gej->infinity = ge->infinity;
108 }
109 
110 void random_scalar_order_test(secp256k1_scalar *num) {
111  do {
112  unsigned char b32[32];
113  int overflow = 0;
114  secp256k1_rand256_test(b32);
115  secp256k1_scalar_set_b32(num, b32, &overflow);
116  if (overflow || secp256k1_scalar_is_zero(num)) {
117  continue;
118  }
119  break;
120  } while(1);
121 }
122 
123 void random_scalar_order(secp256k1_scalar *num) {
124  do {
125  unsigned char b32[32];
126  int overflow = 0;
127  secp256k1_rand256(b32);
128  secp256k1_scalar_set_b32(num, b32, &overflow);
129  if (overflow || secp256k1_scalar_is_zero(num)) {
130  continue;
131  }
132  break;
133  } while(1);
134 }
135 
136 void run_context_tests(void) {
137  secp256k1_pubkey pubkey;
138  secp256k1_ecdsa_signature sig;
139  unsigned char ctmp[32];
140  int32_t ecount;
141  int32_t ecount2;
142  secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
143  secp256k1_context *sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
144  secp256k1_context *vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
145  secp256k1_context *both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
146 
147  secp256k1_gej pubj;
148  secp256k1_ge pub;
149  secp256k1_scalar msg, key, nonce;
150  secp256k1_scalar sigr, sigs;
151 
152  ecount = 0;
153  ecount2 = 10;
154  secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
155  secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2);
156  secp256k1_context_set_error_callback(sign, counting_illegal_callback_fn, NULL);
157  CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
158 
159  /*** clone and destroy all of them to make sure cloning was complete ***/
160  {
161  secp256k1_context *ctx_tmp;
162 
163  ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_destroy(ctx_tmp);
164  ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_destroy(ctx_tmp);
165  ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_destroy(ctx_tmp);
166  ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_destroy(ctx_tmp);
167  }
168 
169  /* Verify that the error callback makes it across the clone. */
170  CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
171  /* And that it resets back to default. */
172  secp256k1_context_set_error_callback(sign, NULL, NULL);
173  CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
174 
175  /*** attempt to use them ***/
176  random_scalar_order_test(&msg);
177  random_scalar_order_test(&key);
178  secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
179  secp256k1_ge_set_gej(&pub, &pubj);
180 
181  /* Verify context-type checking illegal-argument errors. */
182  memset(ctmp, 1, 32);
183  CHECK(secp256k1_ec_pubkey_create(vrfy, &pubkey, ctmp) == 0);
184  CHECK(ecount == 1);
185  VG_UNDEF(&pubkey, sizeof(pubkey));
186  CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1);
187  VG_CHECK(&pubkey, sizeof(pubkey));
188  CHECK(secp256k1_ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0);
189  CHECK(ecount == 2);
190  VG_UNDEF(&sig, sizeof(sig));
191  CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
192  VG_CHECK(&sig, sizeof(sig));
193  CHECK(ecount2 == 10);
194  CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0);
195  CHECK(ecount2 == 11);
196  CHECK(secp256k1_ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1);
197  CHECK(ecount == 2);
198  CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0);
199  CHECK(ecount2 == 12);
200  CHECK(secp256k1_ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1);
201  CHECK(ecount == 2);
202  CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0);
203  CHECK(ecount2 == 13);
204  CHECK(secp256k1_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1);
205  CHECK(ecount == 2);
206  CHECK(secp256k1_context_randomize(vrfy, ctmp) == 0);
207  CHECK(ecount == 3);
208  CHECK(secp256k1_context_randomize(sign, NULL) == 1);
209  CHECK(ecount2 == 13);
210  secp256k1_context_set_illegal_callback(vrfy, NULL, NULL);
211  secp256k1_context_set_illegal_callback(sign, NULL, NULL);
212 
213  /* This shouldn't leak memory, due to already-set tests. */
214  secp256k1_ecmult_gen_context_build(&sign->ecmult_gen_ctx, NULL);
215  secp256k1_ecmult_context_build(&vrfy->ecmult_ctx, NULL);
216 
217  /* obtain a working nonce */
218  do {
219  random_scalar_order_test(&nonce);
220  } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
221 
222  /* try signing */
223  CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
224  CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
225 
226  /* try verifying */
227  CHECK(secp256k1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg));
228  CHECK(secp256k1_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg));
229 
230  /* cleanup */
231  secp256k1_context_destroy(none);
232  secp256k1_context_destroy(sign);
233  secp256k1_context_destroy(vrfy);
234  secp256k1_context_destroy(both);
235  /* Defined as no-op. */
236  secp256k1_context_destroy(NULL);
237 }
238 
239 /***** HASH TESTS *****/
240 
241 void run_sha256_tests(void) {
242  static const char *inputs[8] = {
243  "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
244  "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
245  "For this sample, this 63-byte string will be used as input data",
246  "This is exactly 64 bytes long, not counting the terminating byte"
247  };
248  static const unsigned char outputs[8][32] = {
249  {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
250  {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
251  {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
252  {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
253  {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
254  {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
255  {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
256  {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
257  };
258  int i;
259  for (i = 0; i < 8; i++) {
260  unsigned char out[32];
261  secp256k1_sha256_t hasher;
262  secp256k1_sha256_initialize(&hasher);
263  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
264  secp256k1_sha256_finalize(&hasher, out);
265  CHECK(memcmp(out, outputs[i], 32) == 0);
266  if (strlen(inputs[i]) > 0) {
267  int split = secp256k1_rand_int(strlen(inputs[i]));
268  secp256k1_sha256_initialize(&hasher);
269  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
270  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
271  secp256k1_sha256_finalize(&hasher, out);
272  CHECK(memcmp(out, outputs[i], 32) == 0);
273  }
274  }
275 }
276 
277 void run_hmac_sha256_tests(void) {
278  static const char *keys[6] = {
279  "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
280  "\x4a\x65\x66\x65",
281  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
282  "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
283  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
284  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
285  };
286  static const char *inputs[6] = {
287  "\x48\x69\x20\x54\x68\x65\x72\x65",
288  "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
289  "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
290  "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
291  "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
292  "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
293  };
294  static const unsigned char outputs[6][32] = {
295  {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
296  {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
297  {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
298  {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
299  {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
300  {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
301  };
302  int i;
303  for (i = 0; i < 6; i++) {
304  secp256k1_hmac_sha256_t hasher;
305  unsigned char out[32];
306  secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
307  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
308  secp256k1_hmac_sha256_finalize(&hasher, out);
309  CHECK(memcmp(out, outputs[i], 32) == 0);
310  if (strlen(inputs[i]) > 0) {
311  int split = secp256k1_rand_int(strlen(inputs[i]));
312  secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
313  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
314  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
315  secp256k1_hmac_sha256_finalize(&hasher, out);
316  CHECK(memcmp(out, outputs[i], 32) == 0);
317  }
318  }
319 }
320 
321 void run_rfc6979_hmac_sha256_tests(void) {
322  static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
323  static const unsigned char out1[3][32] = {
324  {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
325  {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
326  {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
327  };
328 
329  static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
330  static const unsigned char out2[3][32] = {
331  {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
332  {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
333  {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
334  };
335 
336  secp256k1_rfc6979_hmac_sha256_t rng;
337  unsigned char out[32];
338  int i;
339 
340  secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
341  for (i = 0; i < 3; i++) {
342  secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
343  CHECK(memcmp(out, out1[i], 32) == 0);
344  }
345  secp256k1_rfc6979_hmac_sha256_finalize(&rng);
346 
347  secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
348  for (i = 0; i < 3; i++) {
349  secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
350  CHECK(memcmp(out, out1[i], 32) != 0);
351  }
352  secp256k1_rfc6979_hmac_sha256_finalize(&rng);
353 
354  secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
355  for (i = 0; i < 3; i++) {
356  secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
357  CHECK(memcmp(out, out2[i], 32) == 0);
358  }
359  secp256k1_rfc6979_hmac_sha256_finalize(&rng);
360 }
361 
362 /***** RANDOM TESTS *****/
363 
364 void test_rand_bits(int rand32, int bits) {
365  /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
366  * get a false negative chance below once in a billion */
367  static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
368  /* We try multiplying the results with various odd numbers, which shouldn't
369  * influence the uniform distribution modulo a power of 2. */
370  static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
371  /* We only select up to 6 bits from the output to analyse */
372  unsigned int usebits = bits > 6 ? 6 : bits;
373  unsigned int maxshift = bits - usebits;
374  /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
375  number, track all observed outcomes, one per bit in a uint64_t. */
376  uint64_t x[6][27] = {{0}};
377  unsigned int i, shift, m;
378  /* Multiply the output of all rand calls with the odd number m, which
379  should not change the uniformity of its distribution. */
380  for (i = 0; i < rounds[usebits]; i++) {
381  uint32_t r = (rand32 ? secp256k1_rand32() : secp256k1_rand_bits(bits));
382  CHECK((((uint64_t)r) >> bits) == 0);
383  for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
384  uint32_t rm = r * mults[m];
385  for (shift = 0; shift <= maxshift; shift++) {
386  x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
387  }
388  }
389  }
390  for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
391  for (shift = 0; shift <= maxshift; shift++) {
392  /* Test that the lower usebits bits of x[shift] are 1 */
393  CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
394  }
395  }
396 }
397 
398 /* Subrange must be a whole divisor of range, and at most 64 */
399 void test_rand_int(uint32_t range, uint32_t subrange) {
400  /* (1-1/subrange)^rounds < 1/10^9 */
401  int rounds = (subrange * 2073) / 100;
402  int i;
403  uint64_t x = 0;
404  CHECK((range % subrange) == 0);
405  for (i = 0; i < rounds; i++) {
406  uint32_t r = secp256k1_rand_int(range);
407  CHECK(r < range);
408  r = r % subrange;
409  x |= (((uint64_t)1) << r);
410  }
411  /* Test that the lower subrange bits of x are 1. */
412  CHECK(((~x) << (64 - subrange)) == 0);
413 }
414 
415 void run_rand_bits(void) {
416  size_t b;
417  test_rand_bits(1, 32);
418  for (b = 1; b <= 32; b++) {
419  test_rand_bits(0, b);
420  }
421 }
422 
423 void run_rand_int(void) {
424  static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
425  static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
426  unsigned int m, s;
427  for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
428  for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
429  test_rand_int(ms[m] * ss[s], ss[s]);
430  }
431  }
432 }
433 
434 /***** NUM TESTS *****/
435 
436 #ifndef USE_NUM_NONE
437 void random_num_negate(secp256k1_num *num) {
438  if (secp256k1_rand_bits(1)) {
439  secp256k1_num_negate(num);
440  }
441 }
442 
443 void random_num_order_test(secp256k1_num *num) {
444  secp256k1_scalar sc;
445  random_scalar_order_test(&sc);
446  secp256k1_scalar_get_num(num, &sc);
447 }
448 
449 void random_num_order(secp256k1_num *num) {
450  secp256k1_scalar sc;
451  random_scalar_order(&sc);
452  secp256k1_scalar_get_num(num, &sc);
453 }
454 
455 void test_num_negate(void) {
456  secp256k1_num n1;
457  secp256k1_num n2;
458  random_num_order_test(&n1); /* n1 = R */
459  random_num_negate(&n1);
460  secp256k1_num_copy(&n2, &n1); /* n2 = R */
461  secp256k1_num_sub(&n1, &n2, &n1); /* n1 = n2-n1 = 0 */
462  CHECK(secp256k1_num_is_zero(&n1));
463  secp256k1_num_copy(&n1, &n2); /* n1 = R */
464  secp256k1_num_negate(&n1); /* n1 = -R */
465  CHECK(!secp256k1_num_is_zero(&n1));
466  secp256k1_num_add(&n1, &n2, &n1); /* n1 = n2+n1 = 0 */
467  CHECK(secp256k1_num_is_zero(&n1));
468  secp256k1_num_copy(&n1, &n2); /* n1 = R */
469  secp256k1_num_negate(&n1); /* n1 = -R */
470  CHECK(secp256k1_num_is_neg(&n1) != secp256k1_num_is_neg(&n2));
471  secp256k1_num_negate(&n1); /* n1 = R */
472  CHECK(secp256k1_num_eq(&n1, &n2));
473 }
474 
475 void test_num_add_sub(void) {
476  secp256k1_num n1;
477  secp256k1_num n2;
478  secp256k1_num n1p2, n2p1, n1m2, n2m1;
479  random_num_order_test(&n1); /* n1 = R1 */
480  if (secp256k1_rand_bits(1)) {
481  random_num_negate(&n1);
482  }
483  random_num_order_test(&n2); /* n2 = R2 */
484  if (secp256k1_rand_bits(1)) {
485  random_num_negate(&n2);
486  }
487  secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = R1 + R2 */
488  secp256k1_num_add(&n2p1, &n2, &n1); /* n2p1 = R2 + R1 */
489  secp256k1_num_sub(&n1m2, &n1, &n2); /* n1m2 = R1 - R2 */
490  secp256k1_num_sub(&n2m1, &n2, &n1); /* n2m1 = R2 - R1 */
491  CHECK(secp256k1_num_eq(&n1p2, &n2p1));
492  CHECK(!secp256k1_num_eq(&n1p2, &n1m2));
493  secp256k1_num_negate(&n2m1); /* n2m1 = -R2 + R1 */
494  CHECK(secp256k1_num_eq(&n2m1, &n1m2));
495  CHECK(!secp256k1_num_eq(&n2m1, &n1));
496  secp256k1_num_add(&n2m1, &n2m1, &n2); /* n2m1 = -R2 + R1 + R2 = R1 */
497  CHECK(secp256k1_num_eq(&n2m1, &n1));
498  CHECK(!secp256k1_num_eq(&n2p1, &n1));
499  secp256k1_num_sub(&n2p1, &n2p1, &n2); /* n2p1 = R2 + R1 - R2 = R1 */
500  CHECK(secp256k1_num_eq(&n2p1, &n1));
501 }
502 
503 void run_num_smalltests(void) {
504  int i;
505  for (i = 0; i < 100*count; i++) {
506  test_num_negate();
507  test_num_add_sub();
508  }
509 }
510 #endif
511 
512 /***** SCALAR TESTS *****/
513 
514 void scalar_test(void) {
515  secp256k1_scalar s;
516  secp256k1_scalar s1;
517  secp256k1_scalar s2;
518 #ifndef USE_NUM_NONE
519  secp256k1_num snum, s1num, s2num;
520  secp256k1_num order, half_order;
521 #endif
522  unsigned char c[32];
523 
524  /* Set 's' to a random scalar, with value 'snum'. */
525  random_scalar_order_test(&s);
526 
527  /* Set 's1' to a random scalar, with value 's1num'. */
528  random_scalar_order_test(&s1);
529 
530  /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
531  random_scalar_order_test(&s2);
532  secp256k1_scalar_get_b32(c, &s2);
533 
534 #ifndef USE_NUM_NONE
535  secp256k1_scalar_get_num(&snum, &s);
536  secp256k1_scalar_get_num(&s1num, &s1);
537  secp256k1_scalar_get_num(&s2num, &s2);
538 
539  secp256k1_scalar_order_get_num(&order);
540  half_order = order;
541  secp256k1_num_shift(&half_order, 1);
542 #endif
543 
544  {
545  int i;
546  /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
547  secp256k1_scalar n;
548  secp256k1_scalar_set_int(&n, 0);
549  for (i = 0; i < 256; i += 4) {
550  secp256k1_scalar t;
551  int j;
552  secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
553  for (j = 0; j < 4; j++) {
554  secp256k1_scalar_add(&n, &n, &n);
555  }
556  secp256k1_scalar_add(&n, &n, &t);
557  }
558  CHECK(secp256k1_scalar_eq(&n, &s));
559  }
560 
561  {
562  /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
563  secp256k1_scalar n;
564  int i = 0;
565  secp256k1_scalar_set_int(&n, 0);
566  while (i < 256) {
567  secp256k1_scalar t;
568  int j;
569  int now = secp256k1_rand_int(15) + 1;
570  if (now + i > 256) {
571  now = 256 - i;
572  }
573  secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
574  for (j = 0; j < now; j++) {
575  secp256k1_scalar_add(&n, &n, &n);
576  }
577  secp256k1_scalar_add(&n, &n, &t);
578  i += now;
579  }
580  CHECK(secp256k1_scalar_eq(&n, &s));
581  }
582 
583 #ifndef USE_NUM_NONE
584  {
585  /* Test that adding the scalars together is equal to adding their numbers together modulo the order. */
586  secp256k1_num rnum;
587  secp256k1_num r2num;
588  secp256k1_scalar r;
589  secp256k1_num_add(&rnum, &snum, &s2num);
590  secp256k1_num_mod(&rnum, &order);
591  secp256k1_scalar_add(&r, &s, &s2);
592  secp256k1_scalar_get_num(&r2num, &r);
593  CHECK(secp256k1_num_eq(&rnum, &r2num));
594  }
595 
596  {
597  /* Test that multiplying the scalars is equal to multiplying their numbers modulo the order. */
598  secp256k1_scalar r;
599  secp256k1_num r2num;
600  secp256k1_num rnum;
601  secp256k1_num_mul(&rnum, &snum, &s2num);
602  secp256k1_num_mod(&rnum, &order);
603  secp256k1_scalar_mul(&r, &s, &s2);
604  secp256k1_scalar_get_num(&r2num, &r);
605  CHECK(secp256k1_num_eq(&rnum, &r2num));
606  /* The result can only be zero if at least one of the factors was zero. */
607  CHECK(secp256k1_scalar_is_zero(&r) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_zero(&s2)));
608  /* The results can only be equal to one of the factors if that factor was zero, or the other factor was one. */
609  CHECK(secp256k1_num_eq(&rnum, &snum) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_one(&s2)));
610  CHECK(secp256k1_num_eq(&rnum, &s2num) == (secp256k1_scalar_is_zero(&s2) || secp256k1_scalar_is_one(&s)));
611  }
612 
613  {
614  secp256k1_scalar neg;
615  secp256k1_num negnum;
616  secp256k1_num negnum2;
617  /* Check that comparison with zero matches comparison with zero on the number. */
618  CHECK(secp256k1_num_is_zero(&snum) == secp256k1_scalar_is_zero(&s));
619  /* Check that comparison with the half order is equal to testing for high scalar. */
620  CHECK(secp256k1_scalar_is_high(&s) == (secp256k1_num_cmp(&snum, &half_order) > 0));
621  secp256k1_scalar_negate(&neg, &s);
622  secp256k1_num_sub(&negnum, &order, &snum);
623  secp256k1_num_mod(&negnum, &order);
624  /* Check that comparison with the half order is equal to testing for high scalar after negation. */
625  CHECK(secp256k1_scalar_is_high(&neg) == (secp256k1_num_cmp(&negnum, &half_order) > 0));
626  /* Negating should change the high property, unless the value was already zero. */
627  CHECK((secp256k1_scalar_is_high(&s) == secp256k1_scalar_is_high(&neg)) == secp256k1_scalar_is_zero(&s));
628  secp256k1_scalar_get_num(&negnum2, &neg);
629  /* Negating a scalar should be equal to (order - n) mod order on the number. */
630  CHECK(secp256k1_num_eq(&negnum, &negnum2));
631  secp256k1_scalar_add(&neg, &neg, &s);
632  /* Adding a number to its negation should result in zero. */
633  CHECK(secp256k1_scalar_is_zero(&neg));
634  secp256k1_scalar_negate(&neg, &neg);
635  /* Negating zero should still result in zero. */
636  CHECK(secp256k1_scalar_is_zero(&neg));
637  }
638 
639  {
640  /* Test secp256k1_scalar_mul_shift_var. */
641  secp256k1_scalar r;
642  secp256k1_num one;
643  secp256k1_num rnum;
644  secp256k1_num rnum2;
645  unsigned char cone[1] = {0x01};
646  unsigned int shift = 256 + secp256k1_rand_int(257);
647  secp256k1_scalar_mul_shift_var(&r, &s1, &s2, shift);
648  secp256k1_num_mul(&rnum, &s1num, &s2num);
649  secp256k1_num_shift(&rnum, shift - 1);
650  secp256k1_num_set_bin(&one, cone, 1);
651  secp256k1_num_add(&rnum, &rnum, &one);
652  secp256k1_num_shift(&rnum, 1);
653  secp256k1_scalar_get_num(&rnum2, &r);
654  CHECK(secp256k1_num_eq(&rnum, &rnum2));
655  }
656 
657  {
658  /* test secp256k1_scalar_shr_int */
659  secp256k1_scalar r;
660  int i;
661  random_scalar_order_test(&r);
662  for (i = 0; i < 100; ++i) {
663  int low;
664  int shift = 1 + secp256k1_rand_int(15);
665  int expected = r.d[0] % (1 << shift);
666  low = secp256k1_scalar_shr_int(&r, shift);
667  CHECK(expected == low);
668  }
669  }
670 #endif
671 
672  {
673  /* Test that scalar inverses are equal to the inverse of their number modulo the order. */
674  if (!secp256k1_scalar_is_zero(&s)) {
675  secp256k1_scalar inv;
676 #ifndef USE_NUM_NONE
677  secp256k1_num invnum;
678  secp256k1_num invnum2;
679 #endif
680  secp256k1_scalar_inverse(&inv, &s);
681 #ifndef USE_NUM_NONE
682  secp256k1_num_mod_inverse(&invnum, &snum, &order);
683  secp256k1_scalar_get_num(&invnum2, &inv);
684  CHECK(secp256k1_num_eq(&invnum, &invnum2));
685 #endif
686  secp256k1_scalar_mul(&inv, &inv, &s);
687  /* Multiplying a scalar with its inverse must result in one. */
688  CHECK(secp256k1_scalar_is_one(&inv));
689  secp256k1_scalar_inverse(&inv, &inv);
690  /* Inverting one must result in one. */
691  CHECK(secp256k1_scalar_is_one(&inv));
692  }
693  }
694 
695  {
696  /* Test commutativity of add. */
697  secp256k1_scalar r1, r2;
698  secp256k1_scalar_add(&r1, &s1, &s2);
699  secp256k1_scalar_add(&r2, &s2, &s1);
700  CHECK(secp256k1_scalar_eq(&r1, &r2));
701  }
702 
703  {
704  secp256k1_scalar r1, r2;
705  secp256k1_scalar b;
706  int i;
707  /* Test add_bit. */
708  int bit = secp256k1_rand_bits(8);
709  secp256k1_scalar_set_int(&b, 1);
710  CHECK(secp256k1_scalar_is_one(&b));
711  for (i = 0; i < bit; i++) {
712  secp256k1_scalar_add(&b, &b, &b);
713  }
714  r1 = s1;
715  r2 = s1;
716  if (!secp256k1_scalar_add(&r1, &r1, &b)) {
717  /* No overflow happened. */
718  secp256k1_scalar_cadd_bit(&r2, bit, 1);
719  CHECK(secp256k1_scalar_eq(&r1, &r2));
720  /* cadd is a noop when flag is zero */
721  secp256k1_scalar_cadd_bit(&r2, bit, 0);
722  CHECK(secp256k1_scalar_eq(&r1, &r2));
723  }
724  }
725 
726  {
727  /* Test commutativity of mul. */
728  secp256k1_scalar r1, r2;
729  secp256k1_scalar_mul(&r1, &s1, &s2);
730  secp256k1_scalar_mul(&r2, &s2, &s1);
731  CHECK(secp256k1_scalar_eq(&r1, &r2));
732  }
733 
734  {
735  /* Test associativity of add. */
736  secp256k1_scalar r1, r2;
737  secp256k1_scalar_add(&r1, &s1, &s2);
738  secp256k1_scalar_add(&r1, &r1, &s);
739  secp256k1_scalar_add(&r2, &s2, &s);
740  secp256k1_scalar_add(&r2, &s1, &r2);
741  CHECK(secp256k1_scalar_eq(&r1, &r2));
742  }
743 
744  {
745  /* Test associativity of mul. */
746  secp256k1_scalar r1, r2;
747  secp256k1_scalar_mul(&r1, &s1, &s2);
748  secp256k1_scalar_mul(&r1, &r1, &s);
749  secp256k1_scalar_mul(&r2, &s2, &s);
750  secp256k1_scalar_mul(&r2, &s1, &r2);
751  CHECK(secp256k1_scalar_eq(&r1, &r2));
752  }
753 
754  {
755  /* Test distributitivity of mul over add. */
756  secp256k1_scalar r1, r2, t;
757  secp256k1_scalar_add(&r1, &s1, &s2);
758  secp256k1_scalar_mul(&r1, &r1, &s);
759  secp256k1_scalar_mul(&r2, &s1, &s);
760  secp256k1_scalar_mul(&t, &s2, &s);
761  secp256k1_scalar_add(&r2, &r2, &t);
762  CHECK(secp256k1_scalar_eq(&r1, &r2));
763  }
764 
765  {
766  /* Test square. */
767  secp256k1_scalar r1, r2;
768  secp256k1_scalar_sqr(&r1, &s1);
769  secp256k1_scalar_mul(&r2, &s1, &s1);
770  CHECK(secp256k1_scalar_eq(&r1, &r2));
771  }
772 
773  {
774  /* Test multiplicative identity. */
775  secp256k1_scalar r1, v1;
776  secp256k1_scalar_set_int(&v1,1);
777  secp256k1_scalar_mul(&r1, &s1, &v1);
778  CHECK(secp256k1_scalar_eq(&r1, &s1));
779  }
780 
781  {
782  /* Test additive identity. */
783  secp256k1_scalar r1, v0;
784  secp256k1_scalar_set_int(&v0,0);
785  secp256k1_scalar_add(&r1, &s1, &v0);
786  CHECK(secp256k1_scalar_eq(&r1, &s1));
787  }
788 
789  {
790  /* Test zero product property. */
791  secp256k1_scalar r1, v0;
792  secp256k1_scalar_set_int(&v0,0);
793  secp256k1_scalar_mul(&r1, &s1, &v0);
794  CHECK(secp256k1_scalar_eq(&r1, &v0));
795  }
796 
797 }
798 
799 void run_scalar_tests(void) {
800  int i;
801  for (i = 0; i < 128 * count; i++) {
802  scalar_test();
803  }
804 
805  {
806  /* (-1)+1 should be zero. */
807  secp256k1_scalar s, o;
808  secp256k1_scalar_set_int(&s, 1);
809  CHECK(secp256k1_scalar_is_one(&s));
810  secp256k1_scalar_negate(&o, &s);
811  secp256k1_scalar_add(&o, &o, &s);
812  CHECK(secp256k1_scalar_is_zero(&o));
813  secp256k1_scalar_negate(&o, &o);
814  CHECK(secp256k1_scalar_is_zero(&o));
815  }
816 
817 #ifndef USE_NUM_NONE
818  {
819  /* A scalar with value of the curve order should be 0. */
820  secp256k1_num order;
821  secp256k1_scalar zero;
822  unsigned char bin[32];
823  int overflow = 0;
824  secp256k1_scalar_order_get_num(&order);
825  secp256k1_num_get_bin(bin, 32, &order);
826  secp256k1_scalar_set_b32(&zero, bin, &overflow);
827  CHECK(overflow == 1);
828  CHECK(secp256k1_scalar_is_zero(&zero));
829  }
830 #endif
831 
832  {
833  /* Does check_overflow check catch all ones? */
834  static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
835  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
836  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
837  );
838  CHECK(secp256k1_scalar_check_overflow(&overflowed));
839  }
840 
841  {
842  /* Static test vectors.
843  * These were reduced from ~10^12 random vectors based on comparison-decision
844  * and edge-case coverage on 32-bit and 64-bit implementations.
845  * The responses were generated with Sage 5.9.
846  */
847  secp256k1_scalar x;
848  secp256k1_scalar y;
849  secp256k1_scalar z;
850  secp256k1_scalar zz;
851  secp256k1_scalar one;
852  secp256k1_scalar r1;
853  secp256k1_scalar r2;
854 #if defined(USE_SCALAR_INV_NUM)
855  secp256k1_scalar zzv;
856 #endif
857  int overflow;
858  unsigned char chal[32][2][32] = {
859  {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
860  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
861  0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
862  0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
863  {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
864  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
865  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
866  0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
867  {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
868  0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
869  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
870  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
871  {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
872  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
873  0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
874  0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
875  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
876  0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
877  0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
878  0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
879  {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
880  0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
881  0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
882  0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
883  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
884  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
885  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
886  0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
887  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
888  0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
889  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
890  0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
891  {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
892  0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
893  0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
894  0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
895  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
896  0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
897  0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
898  0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
899  {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
900  0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
901  0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
902  0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
903  {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
904  0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
905  0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
906  0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
907  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
908  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
909  0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
910  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
911  {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
912  0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
913  0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
914  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
915  {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
916  0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
917  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
918  0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
919  {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
920  0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
921  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
922  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
923  {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
924  0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
925  0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
926  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
927  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
928  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
929  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
930  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
931  {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
932  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
933  0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
934  0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
935  {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
936  0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
937  0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
938  0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
939  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
940  0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
941  0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
942  0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
943  {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
944  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
945  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
946  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
947  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
948  0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
949  0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
950  0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
951  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
952  0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
953  0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
954  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
955  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
956  0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
957  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
958  0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
959  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
960  0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
961  0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
962  0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
963  {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
964  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
965  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
966  0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
967  {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
968  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
969  0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
970  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
971  {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
972  0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
973  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
974  0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
975  {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
976  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
977  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
978  0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
979  {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
980  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
981  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
982  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
983  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
984  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
985  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
986  0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
987  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
988  0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
989  0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
990  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
991  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
992  0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
993  0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
994  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
995  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
996  0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
997  0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
998  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
999  {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1000  0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
1001  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1002  0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
1003  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1004  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1005  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1006  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1007  {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1008  0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
1009  0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
1010  0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
1011  {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
1012  0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
1013  0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1014  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
1015  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1016  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1017  0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
1018  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
1019  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1020  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1021  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1022  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1023  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1024  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1025  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1026  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
1027  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1028  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1029  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1030  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
1031  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1032  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1033  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1034  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1035  {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1036  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1037  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1038  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1039  {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1040  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1041  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1042  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1043  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
1044  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1045  0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
1046  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
1047  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
1048  0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
1049  0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
1050  0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
1051  {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1052  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1053  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1054  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1055  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1056  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1057  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1058  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
1059  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1060  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1061  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1062  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1063  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1064  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1065  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1066  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1067  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1068  0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
1069  0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
1070  0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1071  {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1072  0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1073  0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
1074  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1075  {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
1076  0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1077  0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1078  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
1079  {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1080  0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
1081  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1082  0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
1083  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1084  0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1085  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1086  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
1087  {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1088  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1089  0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
1090  0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
1091  {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1092  0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
1093  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
1094  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1095  {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
1096  0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
1097  0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1098  0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
1099  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1100  0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1101  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
1102  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1103  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1104  0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
1105  0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
1106  0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
1107  {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
1108  0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
1109  0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1110  0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
1111  {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1112  0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
1113  0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1114  0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}}
1115  };
1116  unsigned char res[32][2][32] = {
1117  {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
1118  0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
1119  0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
1120  0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
1121  {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
1122  0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
1123  0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
1124  0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
1125  {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
1126  0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
1127  0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
1128  0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
1129  {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
1130  0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
1131  0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
1132  0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
1133  {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
1134  0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
1135  0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
1136  0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
1137  {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
1138  0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
1139  0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
1140  0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
1141  {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
1142  0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
1143  0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
1144  0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
1145  {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
1146  0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
1147  0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
1148  0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
1149  {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
1150  0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
1151  0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
1152  0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
1153  {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
1154  0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
1155  0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
1156  0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
1157  {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
1158  0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
1159  0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
1160  0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
1161  {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
1162  0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
1163  0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
1164  0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
1165  {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
1166  0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
1167  0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
1168  0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
1169  {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
1170  0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
1171  0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
1172  0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
1173  {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
1174  0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
1175  0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
1176  0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
1177  {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
1178  0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
1179  0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
1180  0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
1181  {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
1182  0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
1183  0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
1184  0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
1185  {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
1186  0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
1187  0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
1188  0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
1189  {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
1190  0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
1191  0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
1192  0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
1193  {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
1194  0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
1195  0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
1196  0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
1197  {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
1198  0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
1199  0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
1200  0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
1201  {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
1202  0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
1203  0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
1204  0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
1205  {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
1206  0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
1207  0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
1208  0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
1209  {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
1210  0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
1211  0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
1212  0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
1213  {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
1214  0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
1215  0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
1216  0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
1217  {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
1218  0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
1219  0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
1220  0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
1221  {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
1222  0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
1223  0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
1224  0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
1225  {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
1226  0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
1227  0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
1228  0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
1229  {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
1230  0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
1231  0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
1232  0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
1233  {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
1234  0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
1235  0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
1236  0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
1237  {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
1238  0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
1239  0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
1240  0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
1241  {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
1242  0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
1243  0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
1244  0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
1245  {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
1246  0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
1247  0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
1248  0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
1249  {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
1250  0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
1251  0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
1252  0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
1253  {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
1254  0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
1255  0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
1256  0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
1257  {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
1258  0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
1259  0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
1260  0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
1261  {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
1262  0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
1263  0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
1264  0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
1265  {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
1266  0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
1267  0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
1268  0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
1269  {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
1270  0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
1271  0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
1272  0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
1273  {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
1274  0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
1275  0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
1276  0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
1277  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1278  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1279  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1280  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1281  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1282  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1283  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1284  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1285  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1286  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1287  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1288  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1289  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1290  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1291  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1292  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1293  {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1294  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1295  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1296  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
1297  {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1298  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1299  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1300  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1301  {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
1302  0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
1303  0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
1304  0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
1305  {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
1306  0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
1307  0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
1308  0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
1309  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1310  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1311  0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
1312  0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
1313  {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1314  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1315  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1316  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1317  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1318  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1319  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1320  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1321  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1322  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1323  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1324  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1325  {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
1326  0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
1327  0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
1328  0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
1329  {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
1330  0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
1331  0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
1332  0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
1333  {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
1334  0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
1335  0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
1336  0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
1337  {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
1338  0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
1339  0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
1340  0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
1341  {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
1342  0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
1343  0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
1344  0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
1345  {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
1346  0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
1347  0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
1348  0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
1349  {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
1350  0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
1351  0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
1352  0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
1353  {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
1354  0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
1355  0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
1356  0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
1357  {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
1358  0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
1359  0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
1360  0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
1361  {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
1362  0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
1363  0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
1364  0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
1365  {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
1366  0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
1367  0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
1368  0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
1369  {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
1370  0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
1371  0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
1372  0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}}
1373  };
1374  secp256k1_scalar_set_int(&one, 1);
1375  for (i = 0; i < 32; i++) {
1376  secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
1377  CHECK(!overflow);
1378  secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
1379  CHECK(!overflow);
1380  secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
1381  CHECK(!overflow);
1382  secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
1383  CHECK(!overflow);
1384  secp256k1_scalar_mul(&z, &x, &y);
1385  CHECK(!secp256k1_scalar_check_overflow(&z));
1386  CHECK(secp256k1_scalar_eq(&r1, &z));
1387  if (!secp256k1_scalar_is_zero(&y)) {
1388  secp256k1_scalar_inverse(&zz, &y);
1389  CHECK(!secp256k1_scalar_check_overflow(&zz));
1390 #if defined(USE_SCALAR_INV_NUM)
1391  secp256k1_scalar_inverse_var(&zzv, &y);
1392  CHECK(secp256k1_scalar_eq(&zzv, &zz));
1393 #endif
1394  secp256k1_scalar_mul(&z, &z, &zz);
1395  CHECK(!secp256k1_scalar_check_overflow(&z));
1396  CHECK(secp256k1_scalar_eq(&x, &z));
1397  secp256k1_scalar_mul(&zz, &zz, &y);
1398  CHECK(!secp256k1_scalar_check_overflow(&zz));
1399  CHECK(secp256k1_scalar_eq(&one, &zz));
1400  }
1401  secp256k1_scalar_mul(&z, &x, &x);
1402  CHECK(!secp256k1_scalar_check_overflow(&z));
1403  secp256k1_scalar_sqr(&zz, &x);
1404  CHECK(!secp256k1_scalar_check_overflow(&zz));
1405  CHECK(secp256k1_scalar_eq(&zz, &z));
1406  CHECK(secp256k1_scalar_eq(&r2, &zz));
1407  }
1408  }
1409 }
1410 
1411 /***** FIELD TESTS *****/
1412 
1413 void random_fe(secp256k1_fe *x) {
1414  unsigned char bin[32];
1415  do {
1416  secp256k1_rand256(bin);
1417  if (secp256k1_fe_set_b32(x, bin)) {
1418  return;
1419  }
1420  } while(1);
1421 }
1422 
1423 void random_fe_test(secp256k1_fe *x) {
1424  unsigned char bin[32];
1425  do {
1426  secp256k1_rand256_test(bin);
1427  if (secp256k1_fe_set_b32(x, bin)) {
1428  return;
1429  }
1430  } while(1);
1431 }
1432 
1433 void random_fe_non_zero(secp256k1_fe *nz) {
1434  int tries = 10;
1435  while (--tries >= 0) {
1436  random_fe(nz);
1437  secp256k1_fe_normalize(nz);
1438  if (!secp256k1_fe_is_zero(nz)) {
1439  break;
1440  }
1441  }
1442  /* Infinitesimal probability of spurious failure here */
1443  CHECK(tries >= 0);
1444 }
1445 
1446 void random_fe_non_square(secp256k1_fe *ns) {
1447  secp256k1_fe r;
1448  random_fe_non_zero(ns);
1449  if (secp256k1_fe_sqrt_var(&r, ns)) {
1450  secp256k1_fe_negate(ns, ns, 1);
1451  }
1452 }
1453 
1454 int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
1455  secp256k1_fe an = *a;
1456  secp256k1_fe bn = *b;
1457  secp256k1_fe_normalize_weak(&an);
1458  secp256k1_fe_normalize_var(&bn);
1459  return secp256k1_fe_equal_var(&an, &bn);
1460 }
1461 
1462 int check_fe_inverse(const secp256k1_fe *a, const secp256k1_fe *ai) {
1463  secp256k1_fe x;
1464  secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
1465  secp256k1_fe_mul(&x, a, ai);
1466  return check_fe_equal(&x, &one);
1467 }
1468 
1469 void run_field_convert(void) {
1470  static const unsigned char b32[32] = {
1471  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1472  0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1473  0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
1474  0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
1475  };
1476  static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
1477  0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1478  0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1479  );
1480  static const secp256k1_fe fe = SECP256K1_FE_CONST(
1481  0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1482  0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1483  );
1484  secp256k1_fe fe2;
1485  unsigned char b322[32];
1486  secp256k1_fe_storage fes2;
1487  /* Check conversions to fe. */
1488  CHECK(secp256k1_fe_set_b32(&fe2, b32));
1489  CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1490  secp256k1_fe_from_storage(&fe2, &fes);
1491  CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1492  /* Check conversion from fe. */
1493  secp256k1_fe_get_b32(b322, &fe);
1494  CHECK(memcmp(b322, b32, 32) == 0);
1495  secp256k1_fe_to_storage(&fes2, &fe);
1496  CHECK(memcmp(&fes2, &fes, sizeof(fes)) == 0);
1497 }
1498 
1499 int fe_memcmp(const secp256k1_fe *a, const secp256k1_fe *b) {
1500  secp256k1_fe t = *b;
1501 #ifdef VERIFY
1502  t.magnitude = a->magnitude;
1503  t.normalized = a->normalized;
1504 #endif
1505  return memcmp(a, &t, sizeof(secp256k1_fe));
1506 }
1507 
1508 void run_field_misc(void) {
1509  secp256k1_fe x;
1510  secp256k1_fe y;
1511  secp256k1_fe z;
1512  secp256k1_fe q;
1513  secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
1514  int i, j;
1515  for (i = 0; i < 5*count; i++) {
1516  secp256k1_fe_storage xs, ys, zs;
1517  random_fe(&x);
1518  random_fe_non_zero(&y);
1519  /* Test the fe equality and comparison operations. */
1520  CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
1521  CHECK(secp256k1_fe_equal_var(&x, &x));
1522  z = x;
1523  secp256k1_fe_add(&z,&y);
1524  /* Test fe conditional move; z is not normalized here. */
1525  q = x;
1526  secp256k1_fe_cmov(&x, &z, 0);
1527  VERIFY_CHECK(!x.normalized && x.magnitude == z.magnitude);
1528  secp256k1_fe_cmov(&x, &x, 1);
1529  CHECK(fe_memcmp(&x, &z) != 0);
1530  CHECK(fe_memcmp(&x, &q) == 0);
1531  secp256k1_fe_cmov(&q, &z, 1);
1532  VERIFY_CHECK(!q.normalized && q.magnitude == z.magnitude);
1533  CHECK(fe_memcmp(&q, &z) == 0);
1534  secp256k1_fe_normalize_var(&x);
1535  secp256k1_fe_normalize_var(&z);
1536  CHECK(!secp256k1_fe_equal_var(&x, &z));
1537  secp256k1_fe_normalize_var(&q);
1538  secp256k1_fe_cmov(&q, &z, (i&1));
1539  VERIFY_CHECK(q.normalized && q.magnitude == 1);
1540  for (j = 0; j < 6; j++) {
1541  secp256k1_fe_negate(&z, &z, j+1);
1542  secp256k1_fe_normalize_var(&q);
1543  secp256k1_fe_cmov(&q, &z, (j&1));
1544  VERIFY_CHECK(!q.normalized && q.magnitude == (j+2));
1545  }
1546  secp256k1_fe_normalize_var(&z);
1547  /* Test storage conversion and conditional moves. */
1548  secp256k1_fe_to_storage(&xs, &x);
1549  secp256k1_fe_to_storage(&ys, &y);
1550  secp256k1_fe_to_storage(&zs, &z);
1551  secp256k1_fe_storage_cmov(&zs, &xs, 0);
1552  secp256k1_fe_storage_cmov(&zs, &zs, 1);
1553  CHECK(memcmp(&xs, &zs, sizeof(xs)) != 0);
1554  secp256k1_fe_storage_cmov(&ys, &xs, 1);
1555  CHECK(memcmp(&xs, &ys, sizeof(xs)) == 0);
1556  secp256k1_fe_from_storage(&x, &xs);
1557  secp256k1_fe_from_storage(&y, &ys);
1558  secp256k1_fe_from_storage(&z, &zs);
1559  /* Test that mul_int, mul, and add agree. */
1560  secp256k1_fe_add(&y, &x);
1561  secp256k1_fe_add(&y, &x);
1562  z = x;
1563  secp256k1_fe_mul_int(&z, 3);
1564  CHECK(check_fe_equal(&y, &z));
1565  secp256k1_fe_add(&y, &x);
1566  secp256k1_fe_add(&z, &x);
1567  CHECK(check_fe_equal(&z, &y));
1568  z = x;
1569  secp256k1_fe_mul_int(&z, 5);
1570  secp256k1_fe_mul(&q, &x, &fe5);
1571  CHECK(check_fe_equal(&z, &q));
1572  secp256k1_fe_negate(&x, &x, 1);
1573  secp256k1_fe_add(&z, &x);
1574  secp256k1_fe_add(&q, &x);
1575  CHECK(check_fe_equal(&y, &z));
1576  CHECK(check_fe_equal(&q, &y));
1577  }
1578 }
1579 
1580 void run_field_inv(void) {
1581  secp256k1_fe x, xi, xii;
1582  int i;
1583  for (i = 0; i < 10*count; i++) {
1584  random_fe_non_zero(&x);
1585  secp256k1_fe_inv(&xi, &x);
1586  CHECK(check_fe_inverse(&x, &xi));
1587  secp256k1_fe_inv(&xii, &xi);
1588  CHECK(check_fe_equal(&x, &xii));
1589  }
1590 }
1591 
1592 void run_field_inv_var(void) {
1593  secp256k1_fe x, xi, xii;
1594  int i;
1595  for (i = 0; i < 10*count; i++) {
1596  random_fe_non_zero(&x);
1597  secp256k1_fe_inv_var(&xi, &x);
1598  CHECK(check_fe_inverse(&x, &xi));
1599  secp256k1_fe_inv_var(&xii, &xi);
1600  CHECK(check_fe_equal(&x, &xii));
1601  }
1602 }
1603 
1604 void run_field_inv_all_var(void) {
1605  secp256k1_fe x[16], xi[16], xii[16];
1606  int i;
1607  /* Check it's safe to call for 0 elements */
1608  secp256k1_fe_inv_all_var(0, xi, x);
1609  for (i = 0; i < count; i++) {
1610  size_t j;
1611  size_t len = secp256k1_rand_int(15) + 1;
1612  for (j = 0; j < len; j++) {
1613  random_fe_non_zero(&x[j]);
1614  }
1615  secp256k1_fe_inv_all_var(len, xi, x);
1616  for (j = 0; j < len; j++) {
1617  CHECK(check_fe_inverse(&x[j], &xi[j]));
1618  }
1619  secp256k1_fe_inv_all_var(len, xii, xi);
1620  for (j = 0; j < len; j++) {
1621  CHECK(check_fe_equal(&x[j], &xii[j]));
1622  }
1623  }
1624 }
1625 
1626 void run_sqr(void) {
1627  secp256k1_fe x, s;
1628 
1629  {
1630  int i;
1631  secp256k1_fe_set_int(&x, 1);
1632  secp256k1_fe_negate(&x, &x, 1);
1633 
1634  for (i = 1; i <= 512; ++i) {
1635  secp256k1_fe_mul_int(&x, 2);
1636  secp256k1_fe_normalize(&x);
1637  secp256k1_fe_sqr(&s, &x);
1638  }
1639  }
1640 }
1641 
1642 void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
1643  secp256k1_fe r1, r2;
1644  int v = secp256k1_fe_sqrt_var(&r1, a);
1645  CHECK((v == 0) == (k == NULL));
1646 
1647  if (k != NULL) {
1648  /* Check that the returned root is +/- the given known answer */
1649  secp256k1_fe_negate(&r2, &r1, 1);
1650  secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
1651  secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
1652  CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
1653  }
1654 }
1655 
1656 void run_sqrt(void) {
1657  secp256k1_fe ns, x, s, t;
1658  int i;
1659 
1660  /* Check sqrt(0) is 0 */
1661  secp256k1_fe_set_int(&x, 0);
1662  secp256k1_fe_sqr(&s, &x);
1663  test_sqrt(&s, &x);
1664 
1665  /* Check sqrt of small squares (and their negatives) */
1666  for (i = 1; i <= 100; i++) {
1667  secp256k1_fe_set_int(&x, i);
1668  secp256k1_fe_sqr(&s, &x);
1669  test_sqrt(&s, &x);
1670  secp256k1_fe_negate(&t, &s, 1);
1671  test_sqrt(&t, NULL);
1672  }
1673 
1674  /* Consistency checks for large random values */
1675  for (i = 0; i < 10; i++) {
1676  int j;
1677  random_fe_non_square(&ns);
1678  for (j = 0; j < count; j++) {
1679  random_fe(&x);
1680  secp256k1_fe_sqr(&s, &x);
1681  test_sqrt(&s, &x);
1682  secp256k1_fe_negate(&t, &s, 1);
1683  test_sqrt(&t, NULL);
1684  secp256k1_fe_mul(&t, &s, &ns);
1685  test_sqrt(&t, NULL);
1686  }
1687  }
1688 }
1689 
1690 /***** GROUP TESTS *****/
1691 
1692 void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
1693  CHECK(a->infinity == b->infinity);
1694  if (a->infinity) {
1695  return;
1696  }
1697  CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
1698  CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
1699 }
1700 
1701 /* This compares jacobian points including their Z, not just their geometric meaning. */
1702 int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
1703  secp256k1_gej a2;
1704  secp256k1_gej b2;
1705  int ret = 1;
1706  ret &= a->infinity == b->infinity;
1707  if (ret && !a->infinity) {
1708  a2 = *a;
1709  b2 = *b;
1710  secp256k1_fe_normalize(&a2.x);
1711  secp256k1_fe_normalize(&a2.y);
1712  secp256k1_fe_normalize(&a2.z);
1713  secp256k1_fe_normalize(&b2.x);
1714  secp256k1_fe_normalize(&b2.y);
1715  secp256k1_fe_normalize(&b2.z);
1716  ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
1717  ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
1718  ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
1719  }
1720  return ret;
1721 }
1722 
1723 void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
1724  secp256k1_fe z2s;
1725  secp256k1_fe u1, u2, s1, s2;
1726  CHECK(a->infinity == b->infinity);
1727  if (a->infinity) {
1728  return;
1729  }
1730  /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
1731  secp256k1_fe_sqr(&z2s, &b->z);
1732  secp256k1_fe_mul(&u1, &a->x, &z2s);
1733  u2 = b->x; secp256k1_fe_normalize_weak(&u2);
1734  secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
1735  s2 = b->y; secp256k1_fe_normalize_weak(&s2);
1736  CHECK(secp256k1_fe_equal_var(&u1, &u2));
1737  CHECK(secp256k1_fe_equal_var(&s1, &s2));
1738 }
1739 
1740 void test_ge(void) {
1741  int i, i1;
1742 #ifdef USE_ENDOMORPHISM
1743  int runs = 6;
1744 #else
1745  int runs = 4;
1746 #endif
1747  /* Points: (infinity, p1, p1, -p1, -p1, p2, p2, -p2, -p2, p3, p3, -p3, -p3, p4, p4, -p4, -p4).
1748  * The second in each pair of identical points uses a random Z coordinate in the Jacobian form.
1749  * All magnitudes are randomized.
1750  * All 17*17 combinations of points are added to each other, using all applicable methods.
1751  *
1752  * When the endomorphism code is compiled in, p5 = lambda*p1 and p6 = lambda^2*p1 are added as well.
1753  */
1754  secp256k1_ge *ge = (secp256k1_ge *)malloc(sizeof(secp256k1_ge) * (1 + 4 * runs));
1755  secp256k1_gej *gej = (secp256k1_gej *)malloc(sizeof(secp256k1_gej) * (1 + 4 * runs));
1756  secp256k1_fe *zinv = (secp256k1_fe *)malloc(sizeof(secp256k1_fe) * (1 + 4 * runs));
1757  secp256k1_fe zf;
1758  secp256k1_fe zfi2, zfi3;
1759 
1760  secp256k1_gej_set_infinity(&gej[0]);
1761  secp256k1_ge_clear(&ge[0]);
1762  secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
1763  for (i = 0; i < runs; i++) {
1764  int j;
1765  secp256k1_ge g;
1766  random_group_element_test(&g);
1767 #ifdef USE_ENDOMORPHISM
1768  if (i >= runs - 2) {
1769  secp256k1_ge_mul_lambda(&g, &ge[1]);
1770  }
1771  if (i >= runs - 1) {
1772  secp256k1_ge_mul_lambda(&g, &g);
1773  }
1774 #endif
1775  ge[1 + 4 * i] = g;
1776  ge[2 + 4 * i] = g;
1777  secp256k1_ge_neg(&ge[3 + 4 * i], &g);
1778  secp256k1_ge_neg(&ge[4 + 4 * i], &g);
1779  secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
1780  random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
1781  secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
1782  random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
1783  for (j = 0; j < 4; j++) {
1784  random_field_element_magnitude(&ge[1 + j + 4 * i].x);
1785  random_field_element_magnitude(&ge[1 + j + 4 * i].y);
1786  random_field_element_magnitude(&gej[1 + j + 4 * i].x);
1787  random_field_element_magnitude(&gej[1 + j + 4 * i].y);
1788  random_field_element_magnitude(&gej[1 + j + 4 * i].z);
1789  }
1790  }
1791 
1792  /* Compute z inverses. */
1793  {
1794  secp256k1_fe *zs = malloc(sizeof(secp256k1_fe) * (1 + 4 * runs));
1795  for (i = 0; i < 4 * runs + 1; i++) {
1796  if (i == 0) {
1797  /* The point at infinity does not have a meaningful z inverse. Any should do. */
1798  do {
1799  random_field_element_test(&zs[i]);
1800  } while(secp256k1_fe_is_zero(&zs[i]));
1801  } else {
1802  zs[i] = gej[i].z;
1803  }
1804  }
1805  secp256k1_fe_inv_all_var(4 * runs + 1, zinv, zs);
1806  free(zs);
1807  }
1808 
1809  /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
1810  do {
1811  random_field_element_test(&zf);
1812  } while(secp256k1_fe_is_zero(&zf));
1813  random_field_element_magnitude(&zf);
1814  secp256k1_fe_inv_var(&zfi3, &zf);
1815  secp256k1_fe_sqr(&zfi2, &zfi3);
1816  secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
1817 
1818  for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
1819  int i2;
1820  for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
1821  /* Compute reference result using gej + gej (var). */
1822  secp256k1_gej refj, resj;
1823  secp256k1_ge ref;
1824  secp256k1_fe zr;
1825  secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
1826  /* Check Z ratio. */
1827  if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
1828  secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
1829  CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
1830  }
1831  secp256k1_ge_set_gej_var(&ref, &refj);
1832 
1833  /* Test gej + ge with Z ratio result (var). */
1834  secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
1835  ge_equals_gej(&ref, &resj);
1836  if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
1837  secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
1838  CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
1839  }
1840 
1841  /* Test gej + ge (var, with additional Z factor). */
1842  {
1843  secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
1844  secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
1845  secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
1846  random_field_element_magnitude(&ge2_zfi.x);
1847  random_field_element_magnitude(&ge2_zfi.y);
1848  secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
1849  ge_equals_gej(&ref, &resj);
1850  }
1851 
1852  /* Test gej + ge (const). */
1853  if (i2 != 0) {
1854  /* secp256k1_gej_add_ge does not support its second argument being infinity. */
1855  secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
1856  ge_equals_gej(&ref, &resj);
1857  }
1858 
1859  /* Test doubling (var). */
1860  if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
1861  secp256k1_fe zr2;
1862  /* Normal doubling with Z ratio result. */
1863  secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
1864  ge_equals_gej(&ref, &resj);
1865  /* Check Z ratio. */
1866  secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
1867  CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
1868  /* Normal doubling. */
1869  secp256k1_gej_double_var(&resj, &gej[i2], NULL);
1870  ge_equals_gej(&ref, &resj);
1871  }
1872 
1873  /* Test adding opposites. */
1874  if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
1875  CHECK(secp256k1_ge_is_infinity(&ref));
1876  }
1877 
1878  /* Test adding infinity. */
1879  if (i1 == 0) {
1880  CHECK(secp256k1_ge_is_infinity(&ge[i1]));
1881  CHECK(secp256k1_gej_is_infinity(&gej[i1]));
1882  ge_equals_gej(&ref, &gej[i2]);
1883  }
1884  if (i2 == 0) {
1885  CHECK(secp256k1_ge_is_infinity(&ge[i2]));
1886  CHECK(secp256k1_gej_is_infinity(&gej[i2]));
1887  ge_equals_gej(&ref, &gej[i1]);
1888  }
1889  }
1890  }
1891 
1892  /* Test adding all points together in random order equals infinity. */
1893  {
1894  secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
1895  secp256k1_gej *gej_shuffled = (secp256k1_gej *)malloc((4 * runs + 1) * sizeof(secp256k1_gej));
1896  for (i = 0; i < 4 * runs + 1; i++) {
1897  gej_shuffled[i] = gej[i];
1898  }
1899  for (i = 0; i < 4 * runs + 1; i++) {
1900  int swap = i + secp256k1_rand_int(4 * runs + 1 - i);
1901  if (swap != i) {
1902  secp256k1_gej t = gej_shuffled[i];
1903  gej_shuffled[i] = gej_shuffled[swap];
1904  gej_shuffled[swap] = t;
1905  }
1906  }
1907  for (i = 0; i < 4 * runs + 1; i++) {
1908  secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
1909  }
1910  CHECK(secp256k1_gej_is_infinity(&sum));
1911  free(gej_shuffled);
1912  }
1913 
1914  /* Test batch gej -> ge conversion with and without known z ratios. */
1915  {
1916  secp256k1_fe *zr = (secp256k1_fe *)malloc((4 * runs + 1) * sizeof(secp256k1_fe));
1917  secp256k1_ge *ge_set_table = (secp256k1_ge *)malloc((4 * runs + 1) * sizeof(secp256k1_ge));
1918  secp256k1_ge *ge_set_all = (secp256k1_ge *)malloc((4 * runs + 1) * sizeof(secp256k1_ge));
1919  for (i = 0; i < 4 * runs + 1; i++) {
1920  /* Compute gej[i + 1].z / gez[i].z (with gej[n].z taken to be 1). */
1921  if (i < 4 * runs) {
1922  secp256k1_fe_mul(&zr[i + 1], &zinv[i], &gej[i + 1].z);
1923  }
1924  }
1925  secp256k1_ge_set_table_gej_var(4 * runs + 1, ge_set_table, gej, zr);
1926  secp256k1_ge_set_all_gej_var(4 * runs + 1, ge_set_all, gej, &ctx->error_callback);
1927  for (i = 0; i < 4 * runs + 1; i++) {
1928  secp256k1_fe s;
1929  random_fe_non_zero(&s);
1930  secp256k1_gej_rescale(&gej[i], &s);
1931  ge_equals_gej(&ge_set_table[i], &gej[i]);
1932  ge_equals_gej(&ge_set_all[i], &gej[i]);
1933  }
1934  free(ge_set_table);
1935  free(ge_set_all);
1936  free(zr);
1937  }
1938 
1939  free(ge);
1940  free(gej);
1941  free(zinv);
1942 }
1943 
1944 void test_add_neg_y_diff_x(void) {
1945  /* The point of this test is to check that we can add two points
1946  * whose y-coordinates are negatives of each other but whose x
1947  * coordinates differ. If the x-coordinates were the same, these
1948  * points would be negatives of each other and their sum is
1949  * infinity. This is cool because it "covers up" any degeneracy
1950  * in the addition algorithm that would cause the xy coordinates
1951  * of the sum to be wrong (since infinity has no xy coordinates).
1952  * HOWEVER, if the x-coordinates are different, infinity is the
1953  * wrong answer, and such degeneracies are exposed. This is the
1954  * root of https://github.com/bitcoin/secp256k1/issues/257 which
1955  * this test is a regression test for.
1956  *
1957  * These points were generated in sage as
1958  * # secp256k1 params
1959  * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
1960  * C = EllipticCurve ([F (0), F (7)])
1961  * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
1962  * N = FiniteField(G.order())
1963  *
1964  * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
1965  * x = polygen(N)
1966  * lam = (1 - x^3).roots()[1][0]
1967  *
1968  * # random "bad pair"
1969  * P = C.random_element()
1970  * Q = -int(lam) * P
1971  * print " P: %x %x" % P.xy()
1972  * print " Q: %x %x" % Q.xy()
1973  * print "P + Q: %x %x" % (P + Q).xy()
1974  */
1975  secp256k1_gej aj = SECP256K1_GEJ_CONST(
1976  0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
1977  0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
1978  0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
1979  0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
1980  );
1981  secp256k1_gej bj = SECP256K1_GEJ_CONST(
1982  0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
1983  0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
1984  0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
1985  0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
1986  );
1987  secp256k1_gej sumj = SECP256K1_GEJ_CONST(
1988  0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
1989  0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
1990  0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
1991  0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
1992  );
1993  secp256k1_ge b;
1994  secp256k1_gej resj;
1995  secp256k1_ge res;
1996  secp256k1_ge_set_gej(&b, &bj);
1997 
1998  secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
1999  secp256k1_ge_set_gej(&res, &resj);
2000  ge_equals_gej(&res, &sumj);
2001 
2002  secp256k1_gej_add_ge(&resj, &aj, &b);
2003  secp256k1_ge_set_gej(&res, &resj);
2004  ge_equals_gej(&res, &sumj);
2005 
2006  secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
2007  secp256k1_ge_set_gej(&res, &resj);
2008  ge_equals_gej(&res, &sumj);
2009 }
2010 
2011 void run_ge(void) {
2012  int i;
2013  for (i = 0; i < count * 32; i++) {
2014  test_ge();
2015  }
2016  test_add_neg_y_diff_x();
2017 }
2018 
2019 void test_ec_combine(void) {
2020  secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2021  secp256k1_pubkey data[6];
2022  const secp256k1_pubkey* d[6];
2023  secp256k1_pubkey sd;
2024  secp256k1_pubkey sd2;
2025  secp256k1_gej Qj;
2026  secp256k1_ge Q;
2027  int i;
2028  for (i = 1; i <= 6; i++) {
2029  secp256k1_scalar s;
2030  random_scalar_order_test(&s);
2031  secp256k1_scalar_add(&sum, &sum, &s);
2032  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s);
2033  secp256k1_ge_set_gej(&Q, &Qj);
2034  secp256k1_pubkey_save(&data[i - 1], &Q);
2035  d[i - 1] = &data[i - 1];
2036  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum);
2037  secp256k1_ge_set_gej(&Q, &Qj);
2038  secp256k1_pubkey_save(&sd, &Q);
2039  CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
2040  CHECK(memcmp(&sd, &sd2, sizeof(sd)) == 0);
2041  }
2042 }
2043 
2044 void run_ec_combine(void) {
2045  int i;
2046  for (i = 0; i < count * 8; i++) {
2047  test_ec_combine();
2048  }
2049 }
2050 
2051 void test_group_decompress(const secp256k1_fe* x) {
2052  /* The input itself, normalized. */
2053  secp256k1_fe fex = *x;
2054  secp256k1_fe tmp;
2055  /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
2056  secp256k1_ge ge_quad, ge_even, ge_odd;
2057  /* Return values of the above calls. */
2058  int res_quad, res_even, res_odd;
2059 
2060  secp256k1_fe_normalize_var(&fex);
2061 
2062  res_quad = secp256k1_ge_set_xquad_var(&ge_quad, &fex);
2063  res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
2064  res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
2065 
2066  CHECK(res_quad == res_even);
2067  CHECK(res_quad == res_odd);
2068 
2069  if (res_quad) {
2070  secp256k1_fe_normalize_var(&ge_quad.x);
2071  secp256k1_fe_normalize_var(&ge_odd.x);
2072  secp256k1_fe_normalize_var(&ge_even.x);
2073  secp256k1_fe_normalize_var(&ge_quad.y);
2074  secp256k1_fe_normalize_var(&ge_odd.y);
2075  secp256k1_fe_normalize_var(&ge_even.y);
2076 
2077  /* No infinity allowed. */
2078  CHECK(!ge_quad.infinity);
2079  CHECK(!ge_even.infinity);
2080  CHECK(!ge_odd.infinity);
2081 
2082  /* Check that the x coordinates check out. */
2083  CHECK(secp256k1_fe_equal_var(&ge_quad.x, x));
2084  CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
2085  CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
2086 
2087  /* Check that the Y coordinate result in ge_quad is a square. */
2088  CHECK(secp256k1_fe_sqrt_var(&tmp, &ge_quad.y));
2089  secp256k1_fe_sqr(&tmp, &tmp);
2090  CHECK(secp256k1_fe_equal_var(&tmp, &ge_quad.y));
2091 
2092  /* Check odd/even Y in ge_odd, ge_even. */
2093  CHECK(secp256k1_fe_is_odd(&ge_odd.y));
2094  CHECK(!secp256k1_fe_is_odd(&ge_even.y));
2095  }
2096 }
2097 
2098 void run_group_decompress(void) {
2099  int i;
2100  for (i = 0; i < count * 4; i++) {
2101  secp256k1_fe fe;
2102  random_fe_test(&fe);
2103  test_group_decompress(&fe);
2104  }
2105 }
2106 
2107 /***** ECMULT TESTS *****/
2108 
2109 void run_ecmult_chain(void) {
2110  /* random starting point A (on the curve) */
2111  secp256k1_gej a = SECP256K1_GEJ_CONST(
2112  0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
2113  0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
2114  0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
2115  0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
2116  );
2117  /* two random initial factors xn and gn */
2118  secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2119  0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
2120  0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
2121  );
2122  secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
2123  0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
2124  0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
2125  );
2126  /* two small multipliers to be applied to xn and gn in every iteration: */
2127  static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
2128  static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
2129  /* accumulators with the resulting coefficients to A and G */
2130  secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2131  secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2132  /* actual points */
2133  secp256k1_gej x;
2134  secp256k1_gej x2;
2135  int i;
2136 
2137  /* the point being computed */
2138  x = a;
2139  for (i = 0; i < 200*count; i++) {
2140  /* in each iteration, compute X = xn*X + gn*G; */
2141  secp256k1_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn);
2142  /* also compute ae and ge: the actual accumulated factors for A and G */
2143  /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
2144  secp256k1_scalar_mul(&ae, &ae, &xn);
2145  secp256k1_scalar_mul(&ge, &ge, &xn);
2146  secp256k1_scalar_add(&ge, &ge, &gn);
2147  /* modify xn and gn */
2148  secp256k1_scalar_mul(&xn, &xn, &xf);
2149  secp256k1_scalar_mul(&gn, &gn, &gf);
2150 
2151  /* verify */
2152  if (i == 19999) {
2153  /* expected result after 19999 iterations */
2154  secp256k1_gej rp = SECP256K1_GEJ_CONST(
2155  0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
2156  0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
2157  0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
2158  0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
2159  );
2160 
2161  secp256k1_gej_neg(&rp, &rp);
2162  secp256k1_gej_add_var(&rp, &rp, &x, NULL);
2163  CHECK(secp256k1_gej_is_infinity(&rp));
2164  }
2165  }
2166  /* redo the computation, but directly with the resulting ae and ge coefficients: */
2167  secp256k1_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge);
2168  secp256k1_gej_neg(&x2, &x2);
2169  secp256k1_gej_add_var(&x2, &x2, &x, NULL);
2170  CHECK(secp256k1_gej_is_infinity(&x2));
2171 }
2172 
2173 void test_point_times_order(const secp256k1_gej *point) {
2174  /* X * (point + G) + (order-X) * (pointer + G) = 0 */
2175  secp256k1_scalar x;
2176  secp256k1_scalar nx;
2177  secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2178  secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2179  secp256k1_gej res1, res2;
2180  secp256k1_ge res3;
2181  unsigned char pub[65];
2182  size_t psize = 65;
2183  random_scalar_order_test(&x);
2184  secp256k1_scalar_negate(&nx, &x);
2185  secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */
2186  secp256k1_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
2187  secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
2188  CHECK(secp256k1_gej_is_infinity(&res1));
2189  CHECK(secp256k1_gej_is_valid_var(&res1) == 0);
2190  secp256k1_ge_set_gej(&res3, &res1);
2191  CHECK(secp256k1_ge_is_infinity(&res3));
2192  CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
2193  CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
2194  psize = 65;
2195  CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
2196  /* check zero/one edge cases */
2197  secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero);
2198  secp256k1_ge_set_gej(&res3, &res1);
2199  CHECK(secp256k1_ge_is_infinity(&res3));
2200  secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero);
2201  secp256k1_ge_set_gej(&res3, &res1);
2202  ge_equals_gej(&res3, point);
2203  secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one);
2204  secp256k1_ge_set_gej(&res3, &res1);
2205  ge_equals_ge(&res3, &secp256k1_ge_const_g);
2206 }
2207 
2208 void run_point_times_order(void) {
2209  int i;
2210  secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
2211  static const secp256k1_fe xr = SECP256K1_FE_CONST(
2212  0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
2213  0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
2214  );
2215  for (i = 0; i < 500; i++) {
2216  secp256k1_ge p;
2217  if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
2218  secp256k1_gej j;
2219  CHECK(secp256k1_ge_is_valid_var(&p));
2220  secp256k1_gej_set_ge(&j, &p);
2221  CHECK(secp256k1_gej_is_valid_var(&j));
2222  test_point_times_order(&j);
2223  }
2224  secp256k1_fe_sqr(&x, &x);
2225  }
2226  secp256k1_fe_normalize_var(&x);
2227  CHECK(secp256k1_fe_equal_var(&x, &xr));
2228 }
2229 
2230 void ecmult_const_random_mult(void) {
2231  /* random starting point A (on the curve) */
2232  secp256k1_ge a = SECP256K1_GE_CONST(
2233  0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
2234  0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
2235  0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
2236  0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
2237  );
2238  /* random initial factor xn */
2239  secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2240  0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
2241  0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
2242  );
2243  /* expected xn * A (from sage) */
2244  secp256k1_ge expected_b = SECP256K1_GE_CONST(
2245  0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
2246  0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
2247  0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
2248  0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
2249  );
2250  secp256k1_gej b;
2251  secp256k1_ecmult_const(&b, &a, &xn);
2252 
2253  CHECK(secp256k1_ge_is_valid_var(&a));
2254  ge_equals_gej(&expected_b, &b);
2255 }
2256 
2257 void ecmult_const_commutativity(void) {
2258  secp256k1_scalar a;
2259  secp256k1_scalar b;
2260  secp256k1_gej res1;
2261  secp256k1_gej res2;
2262  secp256k1_ge mid1;
2263  secp256k1_ge mid2;
2264  random_scalar_order_test(&a);
2265  random_scalar_order_test(&b);
2266 
2267  secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a);
2268  secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b);
2269  secp256k1_ge_set_gej(&mid1, &res1);
2270  secp256k1_ge_set_gej(&mid2, &res2);
2271  secp256k1_ecmult_const(&res1, &mid1, &b);
2272  secp256k1_ecmult_const(&res2, &mid2, &a);
2273  secp256k1_ge_set_gej(&mid1, &res1);
2274  secp256k1_ge_set_gej(&mid2, &res2);
2275  ge_equals_ge(&mid1, &mid2);
2276 }
2277 
2278 void ecmult_const_mult_zero_one(void) {
2279  secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2280  secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2281  secp256k1_scalar negone;
2282  secp256k1_gej res1;
2283  secp256k1_ge res2;
2284  secp256k1_ge point;
2285  secp256k1_scalar_negate(&negone, &one);
2286 
2287  random_group_element_test(&point);
2288  secp256k1_ecmult_const(&res1, &point, &zero);
2289  secp256k1_ge_set_gej(&res2, &res1);
2290  CHECK(secp256k1_ge_is_infinity(&res2));
2291  secp256k1_ecmult_const(&res1, &point, &one);
2292  secp256k1_ge_set_gej(&res2, &res1);
2293  ge_equals_ge(&res2, &point);
2294  secp256k1_ecmult_const(&res1, &point, &negone);
2295  secp256k1_gej_neg(&res1, &res1);
2296  secp256k1_ge_set_gej(&res2, &res1);
2297  ge_equals_ge(&res2, &point);
2298 }
2299 
2300 void ecmult_const_chain_multiply(void) {
2301  /* Check known result (randomly generated test problem from sage) */
2302  const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
2303  0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
2304  0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
2305  );
2306  const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
2307  0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
2308  0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
2309  0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
2310  0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
2311  );
2312  secp256k1_gej point;
2313  secp256k1_ge res;
2314  int i;
2315 
2316  secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
2317  for (i = 0; i < 100; ++i) {
2318  secp256k1_ge tmp;
2319  secp256k1_ge_set_gej(&tmp, &point);
2320  secp256k1_ecmult_const(&point, &tmp, &scalar);
2321  }
2322  secp256k1_ge_set_gej(&res, &point);
2323  ge_equals_gej(&res, &expected_point);
2324 }
2325 
2326 void run_ecmult_const_tests(void) {
2327  ecmult_const_mult_zero_one();
2328  ecmult_const_random_mult();
2329  ecmult_const_commutativity();
2330  ecmult_const_chain_multiply();
2331 }
2332 
2333 void test_wnaf(const secp256k1_scalar *number, int w) {
2334  secp256k1_scalar x, two, t;
2335  int wnaf[256];
2336  int zeroes = -1;
2337  int i;
2338  int bits;
2339  secp256k1_scalar_set_int(&x, 0);
2340  secp256k1_scalar_set_int(&two, 2);
2341  bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
2342  CHECK(bits <= 256);
2343  for (i = bits-1; i >= 0; i--) {
2344  int v = wnaf[i];
2345  secp256k1_scalar_mul(&x, &x, &two);
2346  if (v) {
2347  CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
2348  zeroes=0;
2349  CHECK((v & 1) == 1); /* check non-zero elements are odd */
2350  CHECK(v <= (1 << (w-1)) - 1); /* check range below */
2351  CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
2352  } else {
2353  CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
2354  zeroes++;
2355  }
2356  if (v >= 0) {
2357  secp256k1_scalar_set_int(&t, v);
2358  } else {
2359  secp256k1_scalar_set_int(&t, -v);
2360  secp256k1_scalar_negate(&t, &t);
2361  }
2362  secp256k1_scalar_add(&x, &x, &t);
2363  }
2364  CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
2365 }
2366 
2367 void test_constant_wnaf_negate(const secp256k1_scalar *number) {
2368  secp256k1_scalar neg1 = *number;
2369  secp256k1_scalar neg2 = *number;
2370  int sign1 = 1;
2371  int sign2 = 1;
2372 
2373  if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
2374  secp256k1_scalar_negate(&neg1, &neg1);
2375  sign1 = -1;
2376  }
2377  sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2));
2378  CHECK(sign1 == sign2);
2379  CHECK(secp256k1_scalar_eq(&neg1, &neg2));
2380 }
2381 
2382 void test_constant_wnaf(const secp256k1_scalar *number, int w) {
2383  secp256k1_scalar x, shift;
2384  int wnaf[256] = {0};
2385  int i;
2386 #ifdef USE_ENDOMORPHISM
2387  int skew;
2388 #endif
2389  secp256k1_scalar num = *number;
2390 
2391  secp256k1_scalar_set_int(&x, 0);
2392  secp256k1_scalar_set_int(&shift, 1 << w);
2393  /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
2394 #ifdef USE_ENDOMORPHISM
2395  for (i = 0; i < 16; ++i) {
2396  secp256k1_scalar_shr_int(&num, 8);
2397  }
2398  skew = secp256k1_wnaf_const(wnaf, num, w);
2399 #else
2400  secp256k1_wnaf_const(wnaf, num, w);
2401 #endif
2402 
2403  for (i = WNAF_SIZE(w); i >= 0; --i) {
2404  secp256k1_scalar t;
2405  int v = wnaf[i];
2406  CHECK(v != 0); /* check nonzero */
2407  CHECK(v & 1); /* check parity */
2408  CHECK(v > -(1 << w)); /* check range above */
2409  CHECK(v < (1 << w)); /* check range below */
2410 
2411  secp256k1_scalar_mul(&x, &x, &shift);
2412  if (v >= 0) {
2413  secp256k1_scalar_set_int(&t, v);
2414  } else {
2415  secp256k1_scalar_set_int(&t, -v);
2416  secp256k1_scalar_negate(&t, &t);
2417  }
2418  secp256k1_scalar_add(&x, &x, &t);
2419  }
2420 #ifdef USE_ENDOMORPHISM
2421  /* Skew num because when encoding 128-bit numbers as odd we use an offset */
2422  secp256k1_scalar_cadd_bit(&num, skew == 2, 1);
2423 #endif
2424  CHECK(secp256k1_scalar_eq(&x, &num));
2425 }
2426 
2427 void run_wnaf(void) {
2428  int i;
2429  secp256k1_scalar n = {{0}};
2430 
2431  /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
2432  * have easier-to-diagnose failure modes */
2433  n.d[0] = 1;
2434  test_constant_wnaf(&n, 4);
2435  n.d[0] = 2;
2436  test_constant_wnaf(&n, 4);
2437  /* Random tests */
2438  for (i = 0; i < count; i++) {
2439  random_scalar_order(&n);
2440  test_wnaf(&n, 4+(i%10));
2441  test_constant_wnaf_negate(&n);
2442  test_constant_wnaf(&n, 4 + (i % 10));
2443  }
2444  secp256k1_scalar_set_int(&n, 0);
2445  CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
2446  CHECK(secp256k1_scalar_is_zero(&n));
2447  CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
2448  CHECK(secp256k1_scalar_is_zero(&n));
2449 }
2450 
2451 void test_ecmult_constants(void) {
2452  /* Test ecmult_gen() for [0..36) and [order-36..0). */
2453  secp256k1_scalar x;
2454  secp256k1_gej r;
2455  secp256k1_ge ng;
2456  int i;
2457  int j;
2458  secp256k1_ge_neg(&ng, &secp256k1_ge_const_g);
2459  for (i = 0; i < 36; i++ ) {
2460  secp256k1_scalar_set_int(&x, i);
2461  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
2462  for (j = 0; j < i; j++) {
2463  if (j == i - 1) {
2464  ge_equals_gej(&secp256k1_ge_const_g, &r);
2465  }
2466  secp256k1_gej_add_ge(&r, &r, &ng);
2467  }
2468  CHECK(secp256k1_gej_is_infinity(&r));
2469  }
2470  for (i = 1; i <= 36; i++ ) {
2471  secp256k1_scalar_set_int(&x, i);
2472  secp256k1_scalar_negate(&x, &x);
2473  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
2474  for (j = 0; j < i; j++) {
2475  if (j == i - 1) {
2476  ge_equals_gej(&ng, &r);
2477  }
2478  secp256k1_gej_add_ge(&r, &r, &secp256k1_ge_const_g);
2479  }
2480  CHECK(secp256k1_gej_is_infinity(&r));
2481  }
2482 }
2483 
2484 void run_ecmult_constants(void) {
2485  test_ecmult_constants();
2486 }
2487 
2488 void test_ecmult_gen_blind(void) {
2489  /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
2490  secp256k1_scalar key;
2491  secp256k1_scalar b;
2492  unsigned char seed32[32];
2493  secp256k1_gej pgej;
2494  secp256k1_gej pgej2;
2495  secp256k1_gej i;
2496  secp256k1_ge pge;
2497  random_scalar_order_test(&key);
2498  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
2499  secp256k1_rand256(seed32);
2500  b = ctx->ecmult_gen_ctx.blind;
2501  i = ctx->ecmult_gen_ctx.initial;
2502  secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
2503  CHECK(!secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
2504  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
2505  CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
2506  CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial));
2507  secp256k1_ge_set_gej(&pge, &pgej);
2508  ge_equals_gej(&pge, &pgej2);
2509 }
2510 
2511 void test_ecmult_gen_blind_reset(void) {
2512  /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
2513  secp256k1_scalar b;
2514  secp256k1_gej initial;
2515  secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
2516  b = ctx->ecmult_gen_ctx.blind;
2517  initial = ctx->ecmult_gen_ctx.initial;
2518  secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
2519  CHECK(secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
2520  CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial));
2521 }
2522 
2523 void run_ecmult_gen_blind(void) {
2524  int i;
2525  test_ecmult_gen_blind_reset();
2526  for (i = 0; i < 10; i++) {
2527  test_ecmult_gen_blind();
2528  }
2529 }
2530 
2531 #ifdef USE_ENDOMORPHISM
2532 /***** ENDOMORPHISH TESTS *****/
2533 void test_scalar_split(void) {
2534  secp256k1_scalar full;
2535  secp256k1_scalar s1, slam;
2536  const unsigned char zero[32] = {0};
2537  unsigned char tmp[32];
2538 
2539  random_scalar_order_test(&full);
2540  secp256k1_scalar_split_lambda(&s1, &slam, &full);
2541 
2542  /* check that both are <= 128 bits in size */
2543  if (secp256k1_scalar_is_high(&s1)) {
2544  secp256k1_scalar_negate(&s1, &s1);
2545  }
2546  if (secp256k1_scalar_is_high(&slam)) {
2547  secp256k1_scalar_negate(&slam, &slam);
2548  }
2549 
2550  secp256k1_scalar_get_b32(tmp, &s1);
2551  CHECK(memcmp(zero, tmp, 16) == 0);
2552  secp256k1_scalar_get_b32(tmp, &slam);
2553  CHECK(memcmp(zero, tmp, 16) == 0);
2554 }
2555 
2556 void run_endomorphism_tests(void) {
2557  test_scalar_split();
2558 }
2559 #endif
2560 
2561 void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
2562  unsigned char pubkeyc[65];
2563  secp256k1_pubkey pubkey;
2564  secp256k1_ge ge;
2565  size_t pubkeyclen;
2566  int32_t ecount;
2567  ecount = 0;
2568  secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
2569  for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
2570  /* Smaller sizes are tested exhaustively elsewhere. */
2571  int32_t i;
2572  memcpy(&pubkeyc[1], input, 64);
2573  VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
2574  for (i = 0; i < 256; i++) {
2575  /* Try all type bytes. */
2576  int xpass;
2577  int ypass;
2578  int ysign;
2579  pubkeyc[0] = i;
2580  /* What sign does this point have? */
2581  ysign = (input[63] & 1) + 2;
2582  /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
2583  xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
2584  /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
2585  ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
2586  ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
2587  if (xpass || ypass) {
2588  /* These cases must parse. */
2589  unsigned char pubkeyo[65];
2590  size_t outl;
2591  memset(&pubkey, 0, sizeof(pubkey));
2592  VG_UNDEF(&pubkey, sizeof(pubkey));
2593  ecount = 0;
2594  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
2595  VG_CHECK(&pubkey, sizeof(pubkey));
2596  outl = 65;
2597  VG_UNDEF(pubkeyo, 65);
2598  CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
2599  VG_CHECK(pubkeyo, outl);
2600  CHECK(outl == 33);
2601  CHECK(memcmp(&pubkeyo[1], &pubkeyc[1], 32) == 0);
2602  CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
2603  if (ypass) {
2604  /* This test isn't always done because we decode with alternative signs, so the y won't match. */
2605  CHECK(pubkeyo[0] == ysign);
2606  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
2607  memset(&pubkey, 0, sizeof(pubkey));
2608  VG_UNDEF(&pubkey, sizeof(pubkey));
2609  secp256k1_pubkey_save(&pubkey, &ge);
2610  VG_CHECK(&pubkey, sizeof(pubkey));
2611  outl = 65;
2612  VG_UNDEF(pubkeyo, 65);
2613  CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
2614  VG_CHECK(pubkeyo, outl);
2615  CHECK(outl == 65);
2616  CHECK(pubkeyo[0] == 4);
2617  CHECK(memcmp(&pubkeyo[1], input, 64) == 0);
2618  }
2619  CHECK(ecount == 0);
2620  } else {
2621  /* These cases must fail to parse. */
2622  memset(&pubkey, 0xfe, sizeof(pubkey));
2623  ecount = 0;
2624  VG_UNDEF(&pubkey, sizeof(pubkey));
2625  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
2626  VG_CHECK(&pubkey, sizeof(pubkey));
2627  CHECK(ecount == 0);
2628  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
2629  CHECK(ecount == 1);
2630  }
2631  }
2632  }
2633  secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
2634 }
2635 
2636 void run_ec_pubkey_parse_test(void) {
2637 #define SECP256K1_EC_PARSE_TEST_NVALID (12)
2638  const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
2639  {
2640  /* Point with leading and trailing zeros in x and y serialization. */
2641  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
2642  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2643  0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
2644  0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
2645  },
2646  {
2647  /* Point with x equal to a 3rd root of unity.*/
2648  0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
2649  0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
2650  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
2651  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
2652  },
2653  {
2654  /* Point with largest x. (1/2) */
2655  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2656  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
2657  0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
2658  0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
2659  },
2660  {
2661  /* Point with largest x. (2/2) */
2662  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2663  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
2664  0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
2665  0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
2666  },
2667  {
2668  /* Point with smallest x. (1/2) */
2669  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2670  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2671  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
2672  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
2673  },
2674  {
2675  /* Point with smallest x. (2/2) */
2676  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2677  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2678  0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
2679  0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
2680  },
2681  {
2682  /* Point with largest y. (1/3) */
2683  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
2684  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
2685  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2686  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
2687  },
2688  {
2689  /* Point with largest y. (2/3) */
2690  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
2691  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
2692  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2693  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
2694  },
2695  {
2696  /* Point with largest y. (3/3) */
2697  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
2698  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
2699  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2700  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
2701  },
2702  {
2703  /* Point with smallest y. (1/3) */
2704  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
2705  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
2706  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2707  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2708  },
2709  {
2710  /* Point with smallest y. (2/3) */
2711  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
2712  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
2713  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2714  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2715  },
2716  {
2717  /* Point with smallest y. (3/3) */
2718  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
2719  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
2720  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2721  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
2722  }
2723  };
2724 #define SECP256K1_EC_PARSE_TEST_NXVALID (4)
2725  const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
2726  {
2727  /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
2728  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
2729  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
2730  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2731  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
2732  },
2733  {
2734  /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
2735  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
2736  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
2737  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2738  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
2739  },
2740  {
2741  /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
2742  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
2743  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
2744  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2745  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
2746  },
2747  {
2748  /* x on curve, y is from y^2 = x^3 + 8. */
2749  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2750  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2751  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2752  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
2753  }
2754  };
2755 #define SECP256K1_EC_PARSE_TEST_NINVALID (7)
2756  const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
2757  {
2758  /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
2759  0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
2760  0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
2761  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2762  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2763  },
2764  {
2765  /* Valid if x overflow ignored (x = 1 mod p). */
2766  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2767  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
2768  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
2769  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
2770  },
2771  {
2772  /* Valid if x overflow ignored (x = 1 mod p). */
2773  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2774  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
2775  0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
2776  0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
2777  },
2778  {
2779  /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
2780  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2781  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
2782  0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
2783  0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
2784  },
2785  {
2786  /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
2787  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2788  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
2789  0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
2790  0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
2791  },
2792  {
2793  /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
2794  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2795  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2796  0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
2797  0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
2798  },
2799  {
2800  /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
2801  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2802  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2803  0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
2804  0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
2805  }
2806  };
2807  const unsigned char pubkeyc[66] = {
2808  /* Serialization of G. */
2809  0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
2810  0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
2811  0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
2812  0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
2813  0xB8, 0x00
2814  };
2815  unsigned char sout[65];
2816  unsigned char shortkey[2];
2817  secp256k1_ge ge;
2818  secp256k1_pubkey pubkey;
2819  size_t len;
2820  int32_t i;
2821  int32_t ecount;
2822  int32_t ecount2;
2823  ecount = 0;
2824  /* Nothing should be reading this far into pubkeyc. */
2825  VG_UNDEF(&pubkeyc[65], 1);
2826  secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
2827  /* Zero length claimed, fail, zeroize, no illegal arg error. */
2828  memset(&pubkey, 0xfe, sizeof(pubkey));
2829  ecount = 0;
2830  VG_UNDEF(shortkey, 2);
2831  VG_UNDEF(&pubkey, sizeof(pubkey));
2832  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
2833  VG_CHECK(&pubkey, sizeof(pubkey));
2834  CHECK(ecount == 0);
2835  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
2836  CHECK(ecount == 1);
2837  /* Length one claimed, fail, zeroize, no illegal arg error. */
2838  for (i = 0; i < 256 ; i++) {
2839  memset(&pubkey, 0xfe, sizeof(pubkey));
2840  ecount = 0;
2841  shortkey[0] = i;
2842  VG_UNDEF(&shortkey[1], 1);
2843  VG_UNDEF(&pubkey, sizeof(pubkey));
2844  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
2845  VG_CHECK(&pubkey, sizeof(pubkey));
2846  CHECK(ecount == 0);
2847  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
2848  CHECK(ecount == 1);
2849  }
2850  /* Length two claimed, fail, zeroize, no illegal arg error. */
2851  for (i = 0; i < 65536 ; i++) {
2852  memset(&pubkey, 0xfe, sizeof(pubkey));
2853  ecount = 0;
2854  shortkey[0] = i & 255;
2855  shortkey[1] = i >> 8;
2856  VG_UNDEF(&pubkey, sizeof(pubkey));
2857  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
2858  VG_CHECK(&pubkey, sizeof(pubkey));
2859  CHECK(ecount == 0);
2860  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
2861  CHECK(ecount == 1);
2862  }
2863  memset(&pubkey, 0xfe, sizeof(pubkey));
2864  ecount = 0;
2865  VG_UNDEF(&pubkey, sizeof(pubkey));
2866  /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
2867  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
2868  VG_CHECK(&pubkey, sizeof(pubkey));
2869  CHECK(ecount == 0);
2870  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
2871  CHECK(ecount == 1);
2872  /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
2873  CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
2874  CHECK(ecount == 2);
2875  /* NULL input string. Illegal arg and zeroize output. */
2876  memset(&pubkey, 0xfe, sizeof(pubkey));
2877  ecount = 0;
2878  VG_UNDEF(&pubkey, sizeof(pubkey));
2879  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
2880  VG_CHECK(&pubkey, sizeof(pubkey));
2881  CHECK(ecount == 1);
2882  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
2883  CHECK(ecount == 2);
2884  /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
2885  memset(&pubkey, 0xfe, sizeof(pubkey));
2886  ecount = 0;
2887  VG_UNDEF(&pubkey, sizeof(pubkey));
2888  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
2889  VG_CHECK(&pubkey, sizeof(pubkey));
2890  CHECK(ecount == 0);
2891  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
2892  CHECK(ecount == 1);
2893  /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
2894  memset(&pubkey, 0xfe, sizeof(pubkey));
2895  ecount = 0;
2896  VG_UNDEF(&pubkey, sizeof(pubkey));
2897  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
2898  VG_CHECK(&pubkey, sizeof(pubkey));
2899  CHECK(ecount == 0);
2900  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
2901  CHECK(ecount == 1);
2902  /* Valid parse. */
2903  memset(&pubkey, 0, sizeof(pubkey));
2904  ecount = 0;
2905  VG_UNDEF(&pubkey, sizeof(pubkey));
2906  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
2907  VG_CHECK(&pubkey, sizeof(pubkey));
2908  CHECK(ecount == 0);
2909  VG_UNDEF(&ge, sizeof(ge));
2910  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
2911  VG_CHECK(&ge.x, sizeof(ge.x));
2912  VG_CHECK(&ge.y, sizeof(ge.y));
2913  VG_CHECK(&ge.infinity, sizeof(ge.infinity));
2914  ge_equals_ge(&secp256k1_ge_const_g, &ge);
2915  CHECK(ecount == 0);
2916  /* secp256k1_ec_pubkey_serialize illegal args. */
2917  ecount = 0;
2918  len = 65;
2919  CHECK(secp256k1_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
2920  CHECK(ecount == 1);
2921  CHECK(len == 0);
2922  CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
2923  CHECK(ecount == 2);
2924  len = 65;
2925  VG_UNDEF(sout, 65);
2926  CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0);
2927  VG_CHECK(sout, 65);
2928  CHECK(ecount == 3);
2929  CHECK(len == 0);
2930  len = 65;
2931  CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
2932  CHECK(ecount == 4);
2933  CHECK(len == 0);
2934  len = 65;
2935  VG_UNDEF(sout, 65);
2936  CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
2937  VG_CHECK(sout, 65);
2938  CHECK(ecount == 4);
2939  CHECK(len == 65);
2940  /* Multiple illegal args. Should still set arg error only once. */
2941  ecount = 0;
2942  ecount2 = 11;
2943  CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
2944  CHECK(ecount == 1);
2945  /* Does the illegal arg callback actually change the behavior? */
2946  secp256k1_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2);
2947  CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
2948  CHECK(ecount == 1);
2949  CHECK(ecount2 == 10);
2950  secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
2951  /* Try a bunch of prefabbed points with all possible encodings. */
2952  for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
2953  ec_pubkey_parse_pointtest(valid[i], 1, 1);
2954  }
2955  for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
2956  ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
2957  }
2958  for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
2959  ec_pubkey_parse_pointtest(invalid[i], 0, 0);
2960  }
2961 }
2962 
2963 void run_eckey_edge_case_test(void) {
2964  const unsigned char orderc[32] = {
2965  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2966  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2967  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2968  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
2969  };
2970  const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
2971  unsigned char ctmp[33];
2972  unsigned char ctmp2[33];
2973  secp256k1_pubkey pubkey;
2974  secp256k1_pubkey pubkey2;
2975  secp256k1_pubkey pubkey_one;
2976  secp256k1_pubkey pubkey_negone;
2977  const secp256k1_pubkey *pubkeys[3];
2978  size_t len;
2979  int32_t ecount;
2980  /* Group order is too large, reject. */
2981  CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0);
2982  VG_UNDEF(&pubkey, sizeof(pubkey));
2983  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0);
2984  VG_CHECK(&pubkey, sizeof(pubkey));
2985  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
2986  /* Maximum value is too large, reject. */
2987  memset(ctmp, 255, 32);
2988  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
2989  memset(&pubkey, 1, sizeof(pubkey));
2990  VG_UNDEF(&pubkey, sizeof(pubkey));
2991  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
2992  VG_CHECK(&pubkey, sizeof(pubkey));
2993  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
2994  /* Zero is too small, reject. */
2995  memset(ctmp, 0, 32);
2996  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
2997  memset(&pubkey, 1, sizeof(pubkey));
2998  VG_UNDEF(&pubkey, sizeof(pubkey));
2999  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3000  VG_CHECK(&pubkey, sizeof(pubkey));
3001  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3002  /* One must be accepted. */
3003  ctmp[31] = 0x01;
3004  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3005  memset(&pubkey, 0, sizeof(pubkey));
3006  VG_UNDEF(&pubkey, sizeof(pubkey));
3007  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3008  VG_CHECK(&pubkey, sizeof(pubkey));
3009  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3010  pubkey_one = pubkey;
3011  /* Group order + 1 is too large, reject. */
3012  memcpy(ctmp, orderc, 32);
3013  ctmp[31] = 0x42;
3014  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3015  memset(&pubkey, 1, sizeof(pubkey));
3016  VG_UNDEF(&pubkey, sizeof(pubkey));
3017  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3018  VG_CHECK(&pubkey, sizeof(pubkey));
3019  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3020  /* -1 must be accepted. */
3021  ctmp[31] = 0x40;
3022  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3023  memset(&pubkey, 0, sizeof(pubkey));
3024  VG_UNDEF(&pubkey, sizeof(pubkey));
3025  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3026  VG_CHECK(&pubkey, sizeof(pubkey));
3027  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3028  pubkey_negone = pubkey;
3029  /* Tweak of zero leaves the value changed. */
3030  memset(ctmp2, 0, 32);
3031  CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, ctmp2) == 1);
3032  CHECK(memcmp(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
3033  memcpy(&pubkey2, &pubkey, sizeof(pubkey));
3034  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3035  CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3036  /* Multiply tweak of zero zeroizes the output. */
3037  CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, ctmp2) == 0);
3038  CHECK(memcmp(zeros, ctmp, 32) == 0);
3039  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
3040  CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3041  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3042  /* Overflowing key tweak zeroizes. */
3043  memcpy(ctmp, orderc, 32);
3044  ctmp[31] = 0x40;
3045  CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, orderc) == 0);
3046  CHECK(memcmp(zeros, ctmp, 32) == 0);
3047  memcpy(ctmp, orderc, 32);
3048  ctmp[31] = 0x40;
3049  CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, orderc) == 0);
3050  CHECK(memcmp(zeros, ctmp, 32) == 0);
3051  memcpy(ctmp, orderc, 32);
3052  ctmp[31] = 0x40;
3053  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
3054  CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3055  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3056  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
3057  CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3058  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3059  /* Private key tweaks results in a key of zero. */
3060  ctmp2[31] = 1;
3061  CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 0);
3062  CHECK(memcmp(zeros, ctmp2, 32) == 0);
3063  ctmp2[31] = 1;
3064  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
3065  CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3066  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3067  /* Tweak computation wraps and results in a key of 1. */
3068  ctmp2[31] = 2;
3069  CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 1);
3070  CHECK(memcmp(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
3071  ctmp2[31] = 2;
3072  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3073  ctmp2[31] = 1;
3074  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
3075  CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3076  /* Tweak mul * 2 = 1+1. */
3077  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3078  ctmp2[31] = 2;
3079  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
3080  CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3081  /* Test argument errors. */
3082  ecount = 0;
3083  secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3084  CHECK(ecount == 0);
3085  /* Zeroize pubkey on parse error. */
3086  memset(&pubkey, 0, 32);
3087  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
3088  CHECK(ecount == 1);
3089  CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3090  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3091  memset(&pubkey2, 0, 32);
3092  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
3093  CHECK(ecount == 2);
3094  CHECK(memcmp(&pubkey2, zeros, sizeof(pubkey2)) == 0);
3095  /* Plain argument errors. */
3096  ecount = 0;
3097  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3098  CHECK(ecount == 0);
3099  CHECK(secp256k1_ec_seckey_verify(ctx, NULL) == 0);
3100  CHECK(ecount == 1);
3101  ecount = 0;
3102  memset(ctmp2, 0, 32);
3103  ctmp2[31] = 4;
3104  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
3105  CHECK(ecount == 1);
3106  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
3107  CHECK(ecount == 2);
3108  ecount = 0;
3109  memset(ctmp2, 0, 32);
3110  ctmp2[31] = 4;
3111  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
3112  CHECK(ecount == 1);
3113  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
3114  CHECK(ecount == 2);
3115  ecount = 0;
3116  memset(ctmp2, 0, 32);
3117  CHECK(secp256k1_ec_privkey_tweak_add(ctx, NULL, ctmp2) == 0);
3118  CHECK(ecount == 1);
3119  CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, NULL) == 0);
3120  CHECK(ecount == 2);
3121  ecount = 0;
3122  memset(ctmp2, 0, 32);
3123  ctmp2[31] = 1;
3124  CHECK(secp256k1_ec_privkey_tweak_mul(ctx, NULL, ctmp2) == 0);
3125  CHECK(ecount == 1);
3126  CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, NULL) == 0);
3127  CHECK(ecount == 2);
3128  ecount = 0;
3129  CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0);
3130  CHECK(ecount == 1);
3131  memset(&pubkey, 1, sizeof(pubkey));
3132  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
3133  CHECK(ecount == 2);
3134  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3135  /* secp256k1_ec_pubkey_combine tests. */
3136  ecount = 0;
3137  pubkeys[0] = &pubkey_one;
3138  VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *));
3139  VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *));
3140  VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *));
3141  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3142  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3143  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
3144  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3145  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3146  CHECK(ecount == 1);
3147  CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
3148  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3149  CHECK(ecount == 2);
3150  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3151  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3152  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
3153  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3154  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3155  CHECK(ecount == 3);
3156  pubkeys[0] = &pubkey_negone;
3157  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3158  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3159  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
3160  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3161  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3162  CHECK(ecount == 3);
3163  len = 33;
3164  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3165  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
3166  CHECK(memcmp(ctmp, ctmp2, 33) == 0);
3167  /* Result is infinity. */
3168  pubkeys[0] = &pubkey_one;
3169  pubkeys[1] = &pubkey_negone;
3170  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3171  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3172  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
3173  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3174  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3175  CHECK(ecount == 3);
3176  /* Passes through infinity but comes out one. */
3177  pubkeys[2] = &pubkey_one;
3178  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3179  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3180  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
3181  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3182  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3183  CHECK(ecount == 3);
3184  len = 33;
3185  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3186  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
3187  CHECK(memcmp(ctmp, ctmp2, 33) == 0);
3188  /* Adds to two. */
3189  pubkeys[1] = &pubkey_one;
3190  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3191  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3192  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1);
3193  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3194  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3195  CHECK(ecount == 3);
3196  secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3197 }
3198 
3199 void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
3200  secp256k1_scalar nonce;
3201  do {
3202  random_scalar_order_test(&nonce);
3203  } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
3204 }
3205 
3206 void test_ecdsa_sign_verify(void) {
3207  secp256k1_gej pubj;
3208  secp256k1_ge pub;
3209  secp256k1_scalar one;
3210  secp256k1_scalar msg, key;
3211  secp256k1_scalar sigr, sigs;
3212  int recid;
3213  int getrec;
3214  random_scalar_order_test(&msg);
3215  random_scalar_order_test(&key);
3216  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
3217  secp256k1_ge_set_gej(&pub, &pubj);
3218  getrec = secp256k1_rand_bits(1);
3219  random_sign(&sigr, &sigs, &key, &msg, getrec?&recid:NULL);
3220  if (getrec) {
3221  CHECK(recid >= 0 && recid < 4);
3222  }
3223  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
3224  secp256k1_scalar_set_int(&one, 1);
3225  secp256k1_scalar_add(&msg, &msg, &one);
3226  CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
3227 }
3228 
3229 void run_ecdsa_sign_verify(void) {
3230  int i;
3231  for (i = 0; i < 10*count; i++) {
3232  test_ecdsa_sign_verify();
3233  }
3234 }
3235 
3237 static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
3238  (void)msg32;
3239  (void)key32;
3240  (void)algo16;
3241  memcpy(nonce32, data, 32);
3242  return (counter == 0);
3243 }
3244 
3245 static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
3246  /* Dummy nonce generator that has a fatal error on the first counter value. */
3247  if (counter == 0) {
3248  return 0;
3249  }
3250  return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
3251 }
3252 
3253 static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
3254  /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
3255  if (counter < 3) {
3256  memset(nonce32, counter==0 ? 0 : 255, 32);
3257  if (counter == 2) {
3258  nonce32[31]--;
3259  }
3260  return 1;
3261  }
3262  if (counter < 5) {
3263  static const unsigned char order[] = {
3264  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
3265  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
3266  0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
3267  0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
3268  };
3269  memcpy(nonce32, order, 32);
3270  if (counter == 4) {
3271  nonce32[31]++;
3272  }
3273  return 1;
3274  }
3275  /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
3276  /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
3277  if (counter > 5) {
3278  return 0;
3279  }
3280  return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
3281 }
3282 
3283 int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
3284  static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
3285  return memcmp(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
3286 }
3287 
3288 void test_ecdsa_end_to_end(void) {
3289  unsigned char extra[32] = {0x00};
3290  unsigned char privkey[32];
3291  unsigned char message[32];
3292  unsigned char privkey2[32];
3293  secp256k1_ecdsa_signature signature[6];
3294  secp256k1_scalar r, s;
3295  unsigned char sig[74];
3296  size_t siglen = 74;
3297  unsigned char pubkeyc[65];
3298  size_t pubkeyclen = 65;
3299  secp256k1_pubkey pubkey;
3300  unsigned char seckey[300];
3301  size_t seckeylen = 300;
3302 
3303  /* Generate a random key and message. */
3304  {
3305  secp256k1_scalar msg, key;
3306  random_scalar_order_test(&msg);
3307  random_scalar_order_test(&key);
3308  secp256k1_scalar_get_b32(privkey, &key);
3309  secp256k1_scalar_get_b32(message, &msg);
3310  }
3311 
3312  /* Construct and verify corresponding public key. */
3313  CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
3314  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
3315 
3316  /* Verify exporting and importing public key. */
3317  CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, secp256k1_rand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
3318  memset(&pubkey, 0, sizeof(pubkey));
3319  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
3320 
3321  /* Verify private key import and export. */
3322  CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, secp256k1_rand_bits(1) == 1));
3323  CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1);
3324  CHECK(memcmp(privkey, privkey2, 32) == 0);
3325 
3326  /* Optionally tweak the keys using addition. */
3327  if (secp256k1_rand_int(3) == 0) {
3328  int ret1;
3329  int ret2;
3330  unsigned char rnd[32];
3331  secp256k1_pubkey pubkey2;
3332  secp256k1_rand256_test(rnd);
3333  ret1 = secp256k1_ec_privkey_tweak_add(ctx, privkey, rnd);
3334  ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd);
3335  CHECK(ret1 == ret2);
3336  if (ret1 == 0) {
3337  return;
3338  }
3339  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
3340  CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3341  }
3342 
3343  /* Optionally tweak the keys using multiplication. */
3344  if (secp256k1_rand_int(3) == 0) {
3345  int ret1;
3346  int ret2;
3347  unsigned char rnd[32];
3348  secp256k1_pubkey pubkey2;
3349  secp256k1_rand256_test(rnd);
3350  ret1 = secp256k1_ec_privkey_tweak_mul(ctx, privkey, rnd);
3351  ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd);
3352  CHECK(ret1 == ret2);
3353  if (ret1 == 0) {
3354  return;
3355  }
3356  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
3357  CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3358  }
3359 
3360  /* Sign. */
3361  CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
3362  CHECK(secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1);
3363  CHECK(secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1);
3364  extra[31] = 1;
3365  CHECK(secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1);
3366  extra[31] = 0;
3367  extra[0] = 1;
3368  CHECK(secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1);
3369  CHECK(memcmp(&signature[0], &signature[4], sizeof(signature[0])) == 0);
3370  CHECK(memcmp(&signature[0], &signature[1], sizeof(signature[0])) != 0);
3371  CHECK(memcmp(&signature[0], &signature[2], sizeof(signature[0])) != 0);
3372  CHECK(memcmp(&signature[0], &signature[3], sizeof(signature[0])) != 0);
3373  CHECK(memcmp(&signature[1], &signature[2], sizeof(signature[0])) != 0);
3374  CHECK(memcmp(&signature[1], &signature[3], sizeof(signature[0])) != 0);
3375  CHECK(memcmp(&signature[2], &signature[3], sizeof(signature[0])) != 0);
3376  /* Verify. */
3377  CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
3378  CHECK(secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1);
3379  CHECK(secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1);
3380  CHECK(secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1);
3381  /* Test lower-S form, malleate, verify and fail, test again, malleate again */
3382  CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[0]));
3383  secp256k1_ecdsa_signature_load(ctx, &r, &s, &signature[0]);
3384  secp256k1_scalar_negate(&s, &s);
3385  secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
3386  CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0);
3387  CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
3388  CHECK(secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
3389  CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
3390  CHECK(!secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
3391  CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
3392  secp256k1_scalar_negate(&s, &s);
3393  secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
3394  CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
3395  CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
3396  CHECK(memcmp(&signature[5], &signature[0], 64) == 0);
3397 
3398  /* Serialize/parse DER and verify again */
3399  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
3400  memset(&signature[0], 0, sizeof(signature[0]));
3401  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1);
3402  CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
3403  /* Serialize/destroy/parse DER and verify again. */
3404  siglen = 74;
3405  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
3406  sig[secp256k1_rand_int(siglen)] += 1 + secp256k1_rand_int(255);
3407  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 ||
3408  secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0);
3409 }
3410 
3411 void test_random_pubkeys(void) {
3412  secp256k1_ge elem;
3413  secp256k1_ge elem2;
3414  unsigned char in[65];
3415  /* Generate some randomly sized pubkeys. */
3416  size_t len = secp256k1_rand_bits(2) == 0 ? 65 : 33;
3417  if (secp256k1_rand_bits(2) == 0) {
3418  len = secp256k1_rand_bits(6);
3419  }
3420  if (len == 65) {
3421  in[0] = secp256k1_rand_bits(1) ? 4 : (secp256k1_rand_bits(1) ? 6 : 7);
3422  } else {
3423  in[0] = secp256k1_rand_bits(1) ? 2 : 3;
3424  }
3425  if (secp256k1_rand_bits(3) == 0) {
3426  in[0] = secp256k1_rand_bits(8);
3427  }
3428  if (len > 1) {
3429  secp256k1_rand256(&in[1]);
3430  }
3431  if (len > 33) {
3432  secp256k1_rand256(&in[33]);
3433  }
3434  if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
3435  unsigned char out[65];
3436  unsigned char firstb;
3437  int res;
3438  size_t size = len;
3439  firstb = in[0];
3440  /* If the pubkey can be parsed, it should round-trip... */
3441  CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
3442  CHECK(size == len);
3443  CHECK(memcmp(&in[1], &out[1], len-1) == 0);
3444  /* ... except for the type of hybrid inputs. */
3445  if ((in[0] != 6) && (in[0] != 7)) {
3446  CHECK(in[0] == out[0]);
3447  }
3448  size = 65;
3449  CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
3450  CHECK(size == 65);
3451  CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
3452  ge_equals_ge(&elem,&elem2);
3453  /* Check that the X9.62 hybrid type is checked. */
3454  in[0] = secp256k1_rand_bits(1) ? 6 : 7;
3455  res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
3456  if (firstb == 2 || firstb == 3) {
3457  if (in[0] == firstb + 4) {
3458  CHECK(res);
3459  } else {
3460  CHECK(!res);
3461  }
3462  }
3463  if (res) {
3464  ge_equals_ge(&elem,&elem2);
3465  CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
3466  CHECK(memcmp(&in[1], &out[1], 64) == 0);
3467  }
3468  }
3469 }
3470 
3471 void run_random_pubkeys(void) {
3472  int i;
3473  for (i = 0; i < 10*count; i++) {
3474  test_random_pubkeys();
3475  }
3476 }
3477 
3478 void run_ecdsa_end_to_end(void) {
3479  int i;
3480  for (i = 0; i < 64*count; i++) {
3481  test_ecdsa_end_to_end();
3482  }
3483 }
3484 
3485 int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
3486  static const unsigned char zeroes[32] = {0};
3487  static const unsigned char max_scalar[32] = {
3488  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3489  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
3490  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
3491  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40
3492  };
3493 
3494  int ret = 0;
3495 
3496  secp256k1_ecdsa_signature sig_der;
3497  unsigned char roundtrip_der[2048];
3498  unsigned char compact_der[64];
3499  size_t len_der = 2048;
3500  int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
3501 
3502  secp256k1_ecdsa_signature sig_der_lax;
3503  unsigned char roundtrip_der_lax[2048];
3504  unsigned char compact_der_lax[64];
3505  size_t len_der_lax = 2048;
3506  int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
3507 
3508 #ifdef ENABLE_OPENSSL_TESTS
3509  ECDSA_SIG *sig_openssl;
3510  const unsigned char *sigptr;
3511  unsigned char roundtrip_openssl[2048];
3512  int len_openssl = 2048;
3513  int parsed_openssl, valid_openssl = 0, roundtrips_openssl = 0;
3514 #endif
3515 
3516  parsed_der = secp256k1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen);
3517  if (parsed_der) {
3518  ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0;
3519  valid_der = (memcmp(compact_der, zeroes, 32) != 0) && (memcmp(compact_der + 32, zeroes, 32) != 0);
3520  }
3521  if (valid_der) {
3522  ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1;
3523  roundtrips_der = (len_der == siglen) && memcmp(roundtrip_der, sig, siglen) == 0;
3524  }
3525 
3526  parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen);
3527  if (parsed_der_lax) {
3528  ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10;
3529  valid_der_lax = (memcmp(compact_der_lax, zeroes, 32) != 0) && (memcmp(compact_der_lax + 32, zeroes, 32) != 0);
3530  }
3531  if (valid_der_lax) {
3532  ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
3533  roundtrips_der_lax = (len_der_lax == siglen) && memcmp(roundtrip_der_lax, sig, siglen) == 0;
3534  }
3535 
3536  if (certainly_der) {
3537  ret |= (!parsed_der) << 2;
3538  }
3539  if (certainly_not_der) {
3540  ret |= (parsed_der) << 17;
3541  }
3542  if (valid_der) {
3543  ret |= (!roundtrips_der) << 3;
3544  }
3545 
3546  if (valid_der) {
3547  ret |= (!roundtrips_der_lax) << 12;
3548  ret |= (len_der != len_der_lax) << 13;
3549  ret |= (memcmp(roundtrip_der_lax, roundtrip_der, len_der) != 0) << 14;
3550  }
3551  ret |= (roundtrips_der != roundtrips_der_lax) << 15;
3552  if (parsed_der) {
3553  ret |= (!parsed_der_lax) << 16;
3554  }
3555 
3556 #ifdef ENABLE_OPENSSL_TESTS
3557  sig_openssl = ECDSA_SIG_new();
3558  sigptr = sig;
3559  parsed_openssl = (d2i_ECDSA_SIG(&sig_openssl, &sigptr, siglen) != NULL);
3560  if (parsed_openssl) {
3561  valid_openssl = !BN_is_negative(sig_openssl->r) && !BN_is_negative(sig_openssl->s) && BN_num_bits(sig_openssl->r) > 0 && BN_num_bits(sig_openssl->r) <= 256 && BN_num_bits(sig_openssl->s) > 0 && BN_num_bits(sig_openssl->s) <= 256;
3562  if (valid_openssl) {
3563  unsigned char tmp[32] = {0};
3564  BN_bn2bin(sig_openssl->r, tmp + 32 - BN_num_bytes(sig_openssl->r));
3565  valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
3566  }
3567  if (valid_openssl) {
3568  unsigned char tmp[32] = {0};
3569  BN_bn2bin(sig_openssl->s, tmp + 32 - BN_num_bytes(sig_openssl->s));
3570  valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
3571  }
3572  }
3573  len_openssl = i2d_ECDSA_SIG(sig_openssl, NULL);
3574  if (len_openssl <= 2048) {
3575  unsigned char *ptr = roundtrip_openssl;
3576  CHECK(i2d_ECDSA_SIG(sig_openssl, &ptr) == len_openssl);
3577  roundtrips_openssl = valid_openssl && ((size_t)len_openssl == siglen) && (memcmp(roundtrip_openssl, sig, siglen) == 0);
3578  } else {
3579  len_openssl = 0;
3580  }
3581  ECDSA_SIG_free(sig_openssl);
3582 
3583  ret |= (parsed_der && !parsed_openssl) << 4;
3584  ret |= (valid_der && !valid_openssl) << 5;
3585  ret |= (roundtrips_openssl && !parsed_der) << 6;
3586  ret |= (roundtrips_der != roundtrips_openssl) << 7;
3587  if (roundtrips_openssl) {
3588  ret |= (len_der != (size_t)len_openssl) << 8;
3589  ret |= (memcmp(roundtrip_der, roundtrip_openssl, len_der) != 0) << 9;
3590  }
3591 #endif
3592  return ret;
3593 }
3594 
3595 static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
3596  size_t i;
3597  for (i = 0; i < ptrlen; i++) {
3598  int shift = ptrlen - 1 - i;
3599  if (shift >= 4) {
3600  ptr[i] = 0;
3601  } else {
3602  ptr[i] = (val >> shift) & 0xFF;
3603  }
3604  }
3605 }
3606 
3607 static void damage_array(unsigned char *sig, size_t *len) {
3608  int pos;
3609  int action = secp256k1_rand_bits(3);
3610  if (action < 1) {
3611  /* Delete a byte. */
3612  pos = secp256k1_rand_int(*len);
3613  memmove(sig + pos, sig + pos + 1, *len - pos - 1);
3614  (*len)--;
3615  return;
3616  } else if (action < 2) {
3617  /* Insert a byte. */
3618  pos = secp256k1_rand_int(1 + *len);
3619  memmove(sig + pos + 1, sig + pos, *len - pos);
3620  sig[pos] = secp256k1_rand_bits(8);
3621  (*len)++;
3622  return;
3623  } else if (action < 4) {
3624  /* Modify a byte. */
3625  sig[secp256k1_rand_int(*len)] += 1 + secp256k1_rand_int(255);
3626  return;
3627  } else { /* action < 8 */
3628  /* Modify a bit. */
3629  sig[secp256k1_rand_int(*len)] ^= 1 << secp256k1_rand_bits(3);
3630  return;
3631  }
3632 }
3633 
3634 static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
3635  int der;
3636  int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
3637  size_t tlen, elen, glen;
3638  int indet;
3639  int n;
3640 
3641  *len = 0;
3642  der = secp256k1_rand_bits(2) == 0;
3643  *certainly_der = der;
3644  *certainly_not_der = 0;
3645  indet = der ? 0 : secp256k1_rand_int(10) == 0;
3646 
3647  for (n = 0; n < 2; n++) {
3648  /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
3649  nlow[n] = der ? 1 : (secp256k1_rand_bits(3) != 0);
3650  /* The length of the number in bytes (the first byte of which will always be nonzero) */
3651  nlen[n] = nlow[n] ? secp256k1_rand_int(33) : 32 + secp256k1_rand_int(200) * secp256k1_rand_int(8) / 8;
3652  CHECK(nlen[n] <= 232);
3653  /* The top bit of the number. */
3654  nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_rand_bits(1));
3655  /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
3656  nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_rand_bits(7) : 1 + secp256k1_rand_int(127));
3657  /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
3658  nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_rand_int(3) : secp256k1_rand_int(300 - nlen[n]) * secp256k1_rand_int(8) / 8);
3659  if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
3660  *certainly_not_der = 1;
3661  }
3662  CHECK(nlen[n] + nzlen[n] <= 300);
3663  /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
3664  nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
3665  if (!der) {
3666  /* nlenlen[n] max 127 bytes */
3667  int add = secp256k1_rand_int(127 - nlenlen[n]) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
3668  nlenlen[n] += add;
3669  if (add != 0) {
3670  *certainly_not_der = 1;
3671  }
3672  }
3673  CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
3674  }
3675 
3676  /* The total length of the data to go, so far */
3677  tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
3678  CHECK(tlen <= 856);
3679 
3680  /* The length of the garbage inside the tuple. */
3681  elen = (der || indet) ? 0 : secp256k1_rand_int(980 - tlen) * secp256k1_rand_int(8) / 8;
3682  if (elen != 0) {
3683  *certainly_not_der = 1;
3684  }
3685  tlen += elen;
3686  CHECK(tlen <= 980);
3687 
3688  /* The length of the garbage after the end of the tuple. */
3689  glen = der ? 0 : secp256k1_rand_int(990 - tlen) * secp256k1_rand_int(8) / 8;
3690  if (glen != 0) {
3691  *certainly_not_der = 1;
3692  }
3693  CHECK(tlen + glen <= 990);
3694 
3695  /* Write the tuple header. */
3696  sig[(*len)++] = 0x30;
3697  if (indet) {
3698  /* Indeterminate length */
3699  sig[(*len)++] = 0x80;
3700  *certainly_not_der = 1;
3701  } else {
3702  int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
3703  if (!der) {
3704  int add = secp256k1_rand_int(127 - tlenlen) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
3705  tlenlen += add;
3706  if (add != 0) {
3707  *certainly_not_der = 1;
3708  }
3709  }
3710  if (tlenlen == 0) {
3711  /* Short length notation */
3712  sig[(*len)++] = tlen;
3713  } else {
3714  /* Long length notation */
3715  sig[(*len)++] = 128 + tlenlen;
3716  assign_big_endian(sig + *len, tlenlen, tlen);
3717  *len += tlenlen;
3718  }
3719  tlen += tlenlen;
3720  }
3721  tlen += 2;
3722  CHECK(tlen + glen <= 1119);
3723 
3724  for (n = 0; n < 2; n++) {
3725  /* Write the integer header. */
3726  sig[(*len)++] = 0x02;
3727  if (nlenlen[n] == 0) {
3728  /* Short length notation */
3729  sig[(*len)++] = nlen[n] + nzlen[n];
3730  } else {
3731  /* Long length notation. */
3732  sig[(*len)++] = 128 + nlenlen[n];
3733  assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
3734  *len += nlenlen[n];
3735  }
3736  /* Write zero padding */
3737  while (nzlen[n] > 0) {
3738  sig[(*len)++] = 0x00;
3739  nzlen[n]--;
3740  }
3741  if (nlen[n] == 32 && !nlow[n]) {
3742  /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
3743  int i;
3744  for (i = 0; i < 16; i++) {
3745  sig[(*len)++] = 0xFF;
3746  }
3747  nlen[n] -= 16;
3748  }
3749  /* Write first byte of number */
3750  if (nlen[n] > 0) {
3751  sig[(*len)++] = nhbyte[n];
3752  nlen[n]--;
3753  }
3754  /* Generate remaining random bytes of number */
3755  secp256k1_rand_bytes_test(sig + *len, nlen[n]);
3756  *len += nlen[n];
3757  nlen[n] = 0;
3758  }
3759 
3760  /* Generate random garbage inside tuple. */
3761  secp256k1_rand_bytes_test(sig + *len, elen);
3762  *len += elen;
3763 
3764  /* Generate end-of-contents bytes. */
3765  if (indet) {
3766  sig[(*len)++] = 0;
3767  sig[(*len)++] = 0;
3768  tlen += 2;
3769  }
3770  CHECK(tlen + glen <= 1121);
3771 
3772  /* Generate random garbage outside tuple. */
3773  secp256k1_rand_bytes_test(sig + *len, glen);
3774  *len += glen;
3775  tlen += glen;
3776  CHECK(tlen <= 1121);
3777  CHECK(tlen == *len);
3778 }
3779 
3780 void run_ecdsa_der_parse(void) {
3781  int i,j;
3782  for (i = 0; i < 200 * count; i++) {
3783  unsigned char buffer[2048];
3784  size_t buflen = 0;
3785  int certainly_der = 0;
3786  int certainly_not_der = 0;
3787  random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
3788  for (j = 0; j < 16; j++) {
3789  int ret = 0;
3790  if (j > 0) {
3791  damage_array(buffer, &buflen);
3792  /* We don't know anything anymore about the DERness of the result */
3793  certainly_der = 0;
3794  certainly_not_der = 0;
3795  }
3796  ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
3797  if (ret != 0) {
3798  size_t k;
3799  fprintf(stderr, "Failure %x on ", ret);
3800  for (k = 0; k < buflen; k++) {
3801  fprintf(stderr, "%02x ", buffer[k]);
3802  }
3803  fprintf(stderr, "\n");
3804  }
3805  CHECK(ret == 0);
3806  }
3807  }
3808 }
3809 
3810 /* Tests several edge cases. */
3811 void test_ecdsa_edge_cases(void) {
3812  int t;
3813  secp256k1_ecdsa_signature sig;
3814 
3815  /* Test the case where ECDSA recomputes a point that is infinity. */
3816  {
3817  secp256k1_gej keyj;
3818  secp256k1_ge key;
3819  secp256k1_scalar msg;
3820  secp256k1_scalar sr, ss;
3821  secp256k1_scalar_set_int(&ss, 1);
3822  secp256k1_scalar_negate(&ss, &ss);
3823  secp256k1_scalar_inverse(&ss, &ss);
3824  secp256k1_scalar_set_int(&sr, 1);
3825  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr);
3826  secp256k1_ge_set_gej(&key, &keyj);
3827  msg = ss;
3828  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
3829  }
3830 
3831  /* Verify signature with r of zero fails. */
3832  {
3833  const unsigned char pubkey_mods_zero[33] = {
3834  0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3835  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3836  0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
3837  0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
3838  0x41
3839  };
3840  secp256k1_ge key;
3841  secp256k1_scalar msg;
3842  secp256k1_scalar sr, ss;
3843  secp256k1_scalar_set_int(&ss, 1);
3844  secp256k1_scalar_set_int(&msg, 0);
3845  secp256k1_scalar_set_int(&sr, 0);
3846  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
3847  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
3848  }
3849 
3850  /* Verify signature with s of zero fails. */
3851  {
3852  const unsigned char pubkey[33] = {
3853  0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3854  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3855  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3856  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3857  0x01
3858  };
3859  secp256k1_ge key;
3860  secp256k1_scalar msg;
3861  secp256k1_scalar sr, ss;
3862  secp256k1_scalar_set_int(&ss, 0);
3863  secp256k1_scalar_set_int(&msg, 0);
3864  secp256k1_scalar_set_int(&sr, 1);
3865  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
3866  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
3867  }
3868 
3869  /* Verify signature with message 0 passes. */
3870  {
3871  const unsigned char pubkey[33] = {
3872  0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3873  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3874  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3875  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3876  0x02
3877  };
3878  const unsigned char pubkey2[33] = {
3879  0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3880  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3881  0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
3882  0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
3883  0x43
3884  };
3885  secp256k1_ge key;
3886  secp256k1_ge key2;
3887  secp256k1_scalar msg;
3888  secp256k1_scalar sr, ss;
3889  secp256k1_scalar_set_int(&ss, 2);
3890  secp256k1_scalar_set_int(&msg, 0);
3891  secp256k1_scalar_set_int(&sr, 2);
3892  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
3893  CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
3894  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
3895  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
3896  secp256k1_scalar_negate(&ss, &ss);
3897  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
3898  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
3899  secp256k1_scalar_set_int(&ss, 1);
3900  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
3901  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
3902  }
3903 
3904  /* Verify signature with message 1 passes. */
3905  {
3906  const unsigned char pubkey[33] = {
3907  0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
3908  0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
3909  0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
3910  0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
3911  0x25
3912  };
3913  const unsigned char pubkey2[33] = {
3914  0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
3915  0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
3916  0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
3917  0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
3918  0x62
3919  };
3920  const unsigned char csr[32] = {
3921  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3922  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3923  0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
3924  0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
3925  };
3926  secp256k1_ge key;
3927  secp256k1_ge key2;
3928  secp256k1_scalar msg;
3929  secp256k1_scalar sr, ss;
3930  secp256k1_scalar_set_int(&ss, 1);
3931  secp256k1_scalar_set_int(&msg, 1);
3932  secp256k1_scalar_set_b32(&sr, csr, NULL);
3933  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
3934  CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
3935  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
3936  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
3937  secp256k1_scalar_negate(&ss, &ss);
3938  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
3939  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
3940  secp256k1_scalar_set_int(&ss, 2);
3941  secp256k1_scalar_inverse_var(&ss, &ss);
3942  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
3943  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
3944  }
3945 
3946  /* Verify signature with message -1 passes. */
3947  {
3948  const unsigned char pubkey[33] = {
3949  0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
3950  0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
3951  0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
3952  0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
3953  0xf1
3954  };
3955  const unsigned char csr[32] = {
3956  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3957  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3958  0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
3959  0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
3960  };
3961  secp256k1_ge key;
3962  secp256k1_scalar msg;
3963  secp256k1_scalar sr, ss;
3964  secp256k1_scalar_set_int(&ss, 1);
3965  secp256k1_scalar_set_int(&msg, 1);
3966  secp256k1_scalar_negate(&msg, &msg);
3967  secp256k1_scalar_set_b32(&sr, csr, NULL);
3968  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
3969  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
3970  secp256k1_scalar_negate(&ss, &ss);
3971  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
3972  secp256k1_scalar_set_int(&ss, 3);
3973  secp256k1_scalar_inverse_var(&ss, &ss);
3974  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
3975  }
3976 
3977  /* Signature where s would be zero. */
3978  {
3979  secp256k1_pubkey pubkey;
3980  size_t siglen;
3981  int32_t ecount;
3982  unsigned char signature[72];
3983  static const unsigned char nonce[32] = {
3984  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3985  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3986  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3987  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3988  };
3989  static const unsigned char nonce2[32] = {
3990  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
3991  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
3992  0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
3993  0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
3994  };
3995  const unsigned char key[32] = {
3996  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3997  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3998  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3999  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4000  };
4001  unsigned char msg[32] = {
4002  0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
4003  0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
4004  0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
4005  0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
4006  };
4007  ecount = 0;
4008  secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
4009  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
4010  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
4011  msg[31] = 0xaa;
4012  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
4013  CHECK(ecount == 0);
4014  CHECK(secp256k1_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
4015  CHECK(ecount == 1);
4016  CHECK(secp256k1_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
4017  CHECK(ecount == 2);
4018  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0);
4019  CHECK(ecount == 3);
4020  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
4021  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, key) == 1);
4022  CHECK(secp256k1_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0);
4023  CHECK(ecount == 4);
4024  CHECK(secp256k1_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0);
4025  CHECK(ecount == 5);
4026  CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, NULL) == 0);
4027  CHECK(ecount == 6);
4028  CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1);
4029  CHECK(ecount == 6);
4030  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
4031  CHECK(ecount == 7);
4032  /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
4033  CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0);
4034  CHECK(ecount == 8);
4035  siglen = 72;
4036  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0);
4037  CHECK(ecount == 9);
4038  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0);
4039  CHECK(ecount == 10);
4040  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0);
4041  CHECK(ecount == 11);
4042  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1);
4043  CHECK(ecount == 11);
4044  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0);
4045  CHECK(ecount == 12);
4046  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0);
4047  CHECK(ecount == 13);
4048  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1);
4049  CHECK(ecount == 13);
4050  siglen = 10;
4051  /* Too little room for a signature does not fail via ARGCHECK. */
4052  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0);
4053  CHECK(ecount == 13);
4054  ecount = 0;
4055  CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, NULL) == 0);
4056  CHECK(ecount == 1);
4057  CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0);
4058  CHECK(ecount == 2);
4059  CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0);
4060  CHECK(ecount == 3);
4061  CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1);
4062  CHECK(ecount == 3);
4063  CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0);
4064  CHECK(ecount == 4);
4065  CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0);
4066  CHECK(ecount == 5);
4067  CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1);
4068  CHECK(ecount == 5);
4069  memset(signature, 255, 64);
4070  CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0);
4071  CHECK(ecount == 5);
4072  secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4073  }
4074 
4075  /* Nonce function corner cases. */
4076  for (t = 0; t < 2; t++) {
4077  static const unsigned char zero[32] = {0x00};
4078  int i;
4079  unsigned char key[32];
4080  unsigned char msg[32];
4081  secp256k1_ecdsa_signature sig2;
4082  secp256k1_scalar sr[512], ss;
4083  const unsigned char *extra;
4084  extra = t == 0 ? NULL : zero;
4085  memset(msg, 0, 32);
4086  msg[31] = 1;
4087  /* High key results in signature failure. */
4088  memset(key, 0xFF, 32);
4089  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
4090  CHECK(is_empty_signature(&sig));
4091  /* Zero key results in signature failure. */
4092  memset(key, 0, 32);
4093  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
4094  CHECK(is_empty_signature(&sig));
4095  /* Nonce function failure results in signature failure. */
4096  key[31] = 1;
4097  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0);
4098  CHECK(is_empty_signature(&sig));
4099  /* The retry loop successfully makes its way to the first good value. */
4100  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1);
4101  CHECK(!is_empty_signature(&sig));
4102  CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
4103  CHECK(!is_empty_signature(&sig2));
4104  CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
4105  /* The default nonce function is deterministic. */
4106  CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
4107  CHECK(!is_empty_signature(&sig2));
4108  CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
4109  /* The default nonce function changes output with different messages. */
4110  for(i = 0; i < 256; i++) {
4111  int j;
4112  msg[0] = i;
4113  CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
4114  CHECK(!is_empty_signature(&sig2));
4115  secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
4116  for (j = 0; j < i; j++) {
4117  CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
4118  }
4119  }
4120  msg[0] = 0;
4121  msg[31] = 2;
4122  /* The default nonce function changes output with different keys. */
4123  for(i = 256; i < 512; i++) {
4124  int j;
4125  key[0] = i - 256;
4126  CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
4127  CHECK(!is_empty_signature(&sig2));
4128  secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
4129  for (j = 0; j < i; j++) {
4130  CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
4131  }
4132  }
4133  key[0] = 0;
4134  }
4135 
4136  {
4137  /* Check that optional nonce arguments do not have equivalent effect. */
4138  const unsigned char zeros[32] = {0};
4139  unsigned char nonce[32];
4140  unsigned char nonce2[32];
4141  unsigned char nonce3[32];
4142  unsigned char nonce4[32];
4143  VG_UNDEF(nonce,32);
4144  VG_UNDEF(nonce2,32);
4145  VG_UNDEF(nonce3,32);
4146  VG_UNDEF(nonce4,32);
4147  CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
4148  VG_CHECK(nonce,32);
4149  CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
4150  VG_CHECK(nonce2,32);
4151  CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
4152  VG_CHECK(nonce3,32);
4153  CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
4154  VG_CHECK(nonce4,32);
4155  CHECK(memcmp(nonce, nonce2, 32) != 0);
4156  CHECK(memcmp(nonce, nonce3, 32) != 0);
4157  CHECK(memcmp(nonce, nonce4, 32) != 0);
4158  CHECK(memcmp(nonce2, nonce3, 32) != 0);
4159  CHECK(memcmp(nonce2, nonce4, 32) != 0);
4160  CHECK(memcmp(nonce3, nonce4, 32) != 0);
4161  }
4162 
4163 
4164  /* Privkey export where pubkey is the point at infinity. */
4165  {
4166  unsigned char privkey[300];
4167  unsigned char seckey[32] = {
4168  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4169  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4170  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4171  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
4172  };
4173  size_t outlen = 300;
4174  CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 0));
4175  outlen = 300;
4176  CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 1));
4177  }
4178 }
4179 
4180 void run_ecdsa_edge_cases(void) {
4181  test_ecdsa_edge_cases();
4182 }
4183 
4184 #ifdef ENABLE_OPENSSL_TESTS
4185 EC_KEY *get_openssl_key(const unsigned char *key32) {
4186  unsigned char privkey[300];
4187  size_t privkeylen;
4188  const unsigned char* pbegin = privkey;
4189  int compr = secp256k1_rand_bits(1);
4190  EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1);
4191  CHECK(ec_privkey_export_der(ctx, privkey, &privkeylen, key32, compr));
4192  CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen));
4193  CHECK(EC_KEY_check_key(ec_key));
4194  return ec_key;
4195 }
4196 
4197 void test_ecdsa_openssl(void) {
4198  secp256k1_gej qj;
4199  secp256k1_ge q;
4200  secp256k1_scalar sigr, sigs;
4201  secp256k1_scalar one;
4202  secp256k1_scalar msg2;
4203  secp256k1_scalar key, msg;
4204  EC_KEY *ec_key;
4205  unsigned int sigsize = 80;
4206  size_t secp_sigsize = 80;
4207  unsigned char message[32];
4208  unsigned char signature[80];
4209  unsigned char key32[32];
4210  secp256k1_rand256_test(message);
4211  secp256k1_scalar_set_b32(&msg, message, NULL);
4212  random_scalar_order_test(&key);
4213  secp256k1_scalar_get_b32(key32, &key);
4214  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &qj, &key);
4215  secp256k1_ge_set_gej(&q, &qj);
4216  ec_key = get_openssl_key(key32);
4217  CHECK(ec_key != NULL);
4218  CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
4219  CHECK(secp256k1_ecdsa_sig_parse(&sigr, &sigs, signature, sigsize));
4220  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg));
4221  secp256k1_scalar_set_int(&one, 1);
4222  secp256k1_scalar_add(&msg2, &msg, &one);
4223  CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg2));
4224 
4225  random_sign(&sigr, &sigs, &key, &msg, NULL);
4226  CHECK(secp256k1_ecdsa_sig_serialize(signature, &secp_sigsize, &sigr, &sigs));
4227  CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1);
4228 
4229  EC_KEY_free(ec_key);
4230 }
4231 
4232 void run_ecdsa_openssl(void) {
4233  int i;
4234  for (i = 0; i < 10*count; i++) {
4235  test_ecdsa_openssl();
4236  }
4237 }
4238 #endif
4239 
4240 #ifdef ENABLE_MODULE_ECDH
4241 # include "modules/ecdh/tests_impl.h"
4242 #endif
4243 
4244 #ifdef ENABLE_MODULE_SCHNORR
4245 # include "modules/schnorr/tests_impl.h"
4246 #endif
4247 
4248 #ifdef ENABLE_MODULE_RECOVERY
4249 # include "modules/recovery/tests_impl.h"
4250 #endif
4251 
4252 int main(int argc, char **argv) {
4253  unsigned char seed16[16] = {0};
4254  unsigned char run32[32] = {0};
4255  /* find iteration count */
4256  if (argc > 1) {
4257  count = strtol(argv[1], NULL, 0);
4258  }
4259 
4260  /* find random seed */
4261  if (argc > 2) {
4262  int pos = 0;
4263  const char* ch = argv[2];
4264  while (pos < 16 && ch[0] != 0 && ch[1] != 0) {
4265  unsigned short sh;
4266  if (sscanf(ch, "%2hx", &sh)) {
4267  seed16[pos] = sh;
4268  } else {
4269  break;
4270  }
4271  ch += 2;
4272  pos++;
4273  }
4274  } else {
4275  FILE *frand = fopen("/dev/urandom", "r");
4276  if ((frand == NULL) || !fread(&seed16, sizeof(seed16), 1, frand)) {
4277  uint64_t t = time(NULL) * (uint64_t)1337;
4278  seed16[0] ^= t;
4279  seed16[1] ^= t >> 8;
4280  seed16[2] ^= t >> 16;
4281  seed16[3] ^= t >> 24;
4282  seed16[4] ^= t >> 32;
4283  seed16[5] ^= t >> 40;
4284  seed16[6] ^= t >> 48;
4285  seed16[7] ^= t >> 56;
4286  }
4287  fclose(frand);
4288  }
4289  secp256k1_rand_seed(seed16);
4290 
4291  printf("test count = %i\n", count);
4292  printf("random seed = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", seed16[0], seed16[1], seed16[2], seed16[3], seed16[4], seed16[5], seed16[6], seed16[7], seed16[8], seed16[9], seed16[10], seed16[11], seed16[12], seed16[13], seed16[14], seed16[15]);
4293 
4294  /* initialize */
4295  run_context_tests();
4296  ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
4297  if (secp256k1_rand_bits(1)) {
4298  secp256k1_rand256(run32);
4299  CHECK(secp256k1_context_randomize(ctx, secp256k1_rand_bits(1) ? run32 : NULL));
4300  }
4301 
4302  run_rand_bits();
4303  run_rand_int();
4304 
4305  run_sha256_tests();
4306  run_hmac_sha256_tests();
4307  run_rfc6979_hmac_sha256_tests();
4308 
4309 #ifndef USE_NUM_NONE
4310  /* num tests */
4311  run_num_smalltests();
4312 #endif
4313 
4314  /* scalar tests */
4315  run_scalar_tests();
4316 
4317  /* field tests */
4318  run_field_inv();
4319  run_field_inv_var();
4320  run_field_inv_all_var();
4321  run_field_misc();
4322  run_field_convert();
4323  run_sqr();
4324  run_sqrt();
4325 
4326  /* group tests */
4327  run_ge();
4328  run_group_decompress();
4329 
4330  /* ecmult tests */
4331  run_wnaf();
4332  run_point_times_order();
4333  run_ecmult_chain();
4334  run_ecmult_constants();
4335  run_ecmult_gen_blind();
4336  run_ecmult_const_tests();
4337  run_ec_combine();
4338 
4339  /* endomorphism tests */
4340 #ifdef USE_ENDOMORPHISM
4341  run_endomorphism_tests();
4342 #endif
4343 
4344  /* EC point parser test */
4345  run_ec_pubkey_parse_test();
4346 
4347  /* EC key edge cases */
4348  run_eckey_edge_case_test();
4349 
4350 #ifdef ENABLE_MODULE_ECDH
4351  /* ecdh tests */
4352  run_ecdh_tests();
4353 #endif
4354 
4355  /* ecdsa tests */
4356  run_random_pubkeys();
4357  run_ecdsa_der_parse();
4358  run_ecdsa_sign_verify();
4359  run_ecdsa_end_to_end();
4360  run_ecdsa_edge_cases();
4361 #ifdef ENABLE_OPENSSL_TESTS
4362  run_ecdsa_openssl();
4363 #endif
4364 
4365 #ifdef ENABLE_MODULE_SCHNORR
4366  /* Schnorr tests */
4367  run_schnorr_tests();
4368 #endif
4369 
4370 #ifdef ENABLE_MODULE_RECOVERY
4371  /* ECDSA pubkey recovery tests */
4372  run_recovery_tests();
4373 #endif
4374 
4375  secp256k1_rand256(run32);
4376  printf("random run = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", run32[0], run32[1], run32[2], run32[3], run32[4], run32[5], run32[6], run32[7], run32[8], run32[9], run32[10], run32[11], run32[12], run32[13], run32[14], run32[15]);
4377 
4378  /* shutdown */
4379  secp256k1_context_destroy(ctx);
4380 
4381  printf("no problems found\n");
4382  return 0;
4383 }
secp256k1_scalar_eq
static int secp256k1_scalar_eq(const secp256k1_scalar *a, const secp256k1_scalar *b)
secp256k1_scalar_mul
static void secp256k1_scalar_mul(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
secp256k1_ge_is_infinity
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
VERIFY_CHECK
#define VERIFY_CHECK(cond)
Definition: util.h:64
secp256k1_scalar_check_overflow
static SECP256K1_INLINE int secp256k1_scalar_check_overflow(const secp256k1_scalar *a)
Definition: scalar_4x64_impl.h:57
run_hmac_sha256_tests
void run_hmac_sha256_tests(void)
Definition: tests.c:277
secp256k1_gej_is_infinity
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
check_fe_equal
int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:1454
secp256k1_num_eq
static int secp256k1_num_eq(const secp256k1_num *a, const secp256k1_num *b)
secp256k1_ec_pubkey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Definition: secp256k1.c:456
secp256k1_fe
Definition: field_10x26.h:12
secp256k1_fe_clear
static SECP256K1_INLINE void secp256k1_fe_clear(secp256k1_fe *a)
Definition: field_10x26_impl.h:299
secp256k1_ec_privkey_tweak_mul
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Definition: secp256k1.c:480
secp256k1_rand_bytes_test
static void secp256k1_rand_bytes_test(unsigned char *bytes, size_t len)
secp256k1_gej_add_var
static void secp256k1_gej_add_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_gej *b, secp256k1_fe *rzr)
secp256k1_fe_is_zero
static int secp256k1_fe_is_zero(const secp256k1_fe *a)
random_fe
void random_fe(secp256k1_fe *x)
Definition: tests.c:1413
secp256k1_context_set_illegal_callback
SECP256K1_API void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Definition: secp256k1.c:103
test_add_neg_y_diff_x
void test_add_neg_y_diff_x(void)
Definition: tests.c:1944
secp256k1_scalar_is_even
static int secp256k1_scalar_is_even(const secp256k1_scalar *a)
run_ecmult_const_tests
void run_ecmult_const_tests(void)
Definition: tests.c:2326
secp256k1_ecdsa_signature_serialize_compact
SECP256K1_API int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Definition: secp256k1.c:265
test_point_times_order
void test_point_times_order(const secp256k1_gej *point)
Definition: tests.c:2173
SECP256K1_GEJ_CONST
#define SECP256K1_GEJ_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:31
secp256k1_ge_neg
static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a)
secp256k1_ecdsa_signature_normalize
SECP256K1_API int secp256k1_ecdsa_signature_normalize(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3)
Definition: secp256k1.c:278
run_group_decompress
void run_group_decompress(void)
Definition: tests.c:2098
secp256k1_fe_mul
static void secp256k1_fe_mul(secp256k1_fe *r, const secp256k1_fe *a, const secp256k1_fe *SECP256K1_RESTRICT b)
secp256k1_ecmult_gen
static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp256k1_gej *r, const secp256k1_scalar *a)
secp256k1_fe_normalize_var
static void secp256k1_fe_normalize_var(secp256k1_fe *r)
tests_impl.h
secp256k1_gej::x
secp256k1_fe x
Definition: group.h:25
tests_impl.h
secp256k1_num_set_bin
static void secp256k1_num_set_bin(secp256k1_num *r, const unsigned char *a, unsigned int alen)
secp256k1_rfc6979_hmac_sha256_initialize
static void secp256k1_rfc6979_hmac_sha256_initialize(secp256k1_rfc6979_hmac_sha256_t *rng, const unsigned char *key, size_t keylen)
fe_memcmp
int fe_memcmp(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:1499
secp256k1_ecdsa_sig_sign
static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_scalar *seckey, const secp256k1_scalar *message, const secp256k1_scalar *nonce, int *recid)
run_scalar_tests
void run_scalar_tests(void)
Definition: tests.c:799
lax_der_parsing.c
test_sqrt
void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k)
Definition: tests.c:1642
test_framework.key.NID_secp256k1
int NID_secp256k1
Definition: key.py:76
secp256k1_context_randomize
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_context_randomize(secp256k1_context *ctx, const unsigned char *seed32) SECP256K1_ARG_NONNULL(1)
Definition: secp256k1.c:527
nonce_function_test_fail
static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests.c:3245
nonce_function_rfc6979
static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: secp256k1.c:314
secp256k1_ge_set_gej_var
static void secp256k1_ge_set_gej_var(secp256k1_ge *r, secp256k1_gej *a)
Definition: group_impl.h:65
test_random_pubkeys
void test_random_pubkeys(void)
Definition: tests.c:3411
secp256k1_fe_negate
static void secp256k1_fe_negate(secp256k1_fe *r, const secp256k1_fe *a, int m)
secp256k1_scalar_get_num
static void secp256k1_scalar_get_num(secp256k1_num *r, const secp256k1_scalar *a)
nonce_function_test_retry
static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests.c:3253
assign_big_endian
static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val)
Definition: tests.c:3595
secp256k1_fe_from_storage
static void secp256k1_fe_from_storage(secp256k1_fe *r, const secp256k1_fe_storage *a)
test_ecmult_constants
void test_ecmult_constants(void)
Definition: tests.c:2451
secp256k1_num_copy
static void secp256k1_num_copy(secp256k1_num *r, const secp256k1_num *a)
SECP256K1_CONTEXT_NONE
#define SECP256K1_CONTEXT_NONE
Definition: secp256k1.h:162
secp256k1_scalar_get_bits
static unsigned int secp256k1_scalar_get_bits(const secp256k1_scalar *a, unsigned int offset, unsigned int count)
run_field_misc
void run_field_misc(void)
Definition: tests.c:1508
secp256k1_ecdsa_sig_parse
static int secp256k1_ecdsa_sig_parse(secp256k1_scalar *r, secp256k1_scalar *s, const unsigned char *sig, size_t size)
secp256k1_scalar_negate
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
secp256k1_fe_storage_cmov
static void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r, const secp256k1_fe_storage *a, int flag)
secp256k1_rand_int
static uint32_t secp256k1_rand_int(uint32_t range)
ec_privkey_export_der
static int ec_privkey_export_der(const secp256k1_context *ctx, unsigned char *privkey, size_t *privkeylen, const unsigned char *key32, int compressed)
Definition: key.cpp:63
secp256k1_ecmult_gen_blind
static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const unsigned char *seed32)
secp256k1_eckey_pubkey_serialize
static int secp256k1_eckey_pubkey_serialize(secp256k1_ge *elem, unsigned char *pub, size_t *size, int compressed)
run_ge
void run_ge(void)
Definition: tests.c:2011
run_sqrt
void run_sqrt(void)
Definition: tests.c:1656
secp256k1_scalar_is_zero
static int secp256k1_scalar_is_zero(const secp256k1_scalar *a)
run_random_pubkeys
void run_random_pubkeys(void)
Definition: tests.c:3471
run_rand_int
void run_rand_int(void)
Definition: tests.c:423
secp256k1_scalar_shr_int
static int secp256k1_scalar_shr_int(secp256k1_scalar *r, int n)
secp256k1_gej_neg
static void secp256k1_gej_neg(secp256k1_gej *r, const secp256k1_gej *a)
secp256k1_pubkey_save
static void secp256k1_pubkey_save(secp256k1_pubkey *pubkey, secp256k1_ge *ge)
Definition: secp256k1.c:138
secp256k1_fe_cmov
static void secp256k1_fe_cmov(secp256k1_fe *r, const secp256k1_fe *a, int flag)
test_wnaf
void test_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:2333
secp256k1_rfc6979_hmac_sha256_t
Definition: hash.h:31
secp256k1_gej_add_zinv_var
static void secp256k1_gej_add_zinv_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, const secp256k1_fe *bzinv)
random_scalar_order
void random_scalar_order(secp256k1_scalar *num)
Definition: tests.c:123
SECP256K1_GEJ_CONST_INFINITY
#define SECP256K1_GEJ_CONST_INFINITY
Definition: group.h:32
random_fe_non_zero
void random_fe_non_zero(secp256k1_fe *nz)
Definition: tests.c:1433
secp256k1_ec_pubkey_serialize
SECP256K1_API int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Definition: secp256k1.c:168
secp256k1_rfc6979_hmac_sha256_generate
static void secp256k1_rfc6979_hmac_sha256_generate(secp256k1_rfc6979_hmac_sha256_t *rng, unsigned char *out, size_t outlen)
secp256k1_ecmult_const
static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, const secp256k1_scalar *q)
testrand_impl.h
run_ecmult_constants
void run_ecmult_constants(void)
Definition: tests.c:2484
secp256k1_ecmult
static void secp256k1_ecmult(const secp256k1_ecmult_context *ctx, secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_scalar *na, const secp256k1_scalar *ng)
secp256k1_callback::fn
void(* fn)(const char *text, void *data)
Definition: util.h:19
secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
secp256k1_gej
Definition: group.h:24
secp256k1_fe_set_int
static void secp256k1_fe_set_int(secp256k1_fe *r, int a)
sum
volatile double sum
Definition: Examples.cpp:23
secp256k1_context_struct
Definition: secp256k1.c:53
run_rand_bits
void run_rand_bits(void)
Definition: tests.c:415
secp256k1_fe_to_storage
static void secp256k1_fe_to_storage(secp256k1_fe_storage *r, const secp256k1_fe *a)
ge_equals_ge
void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b)
Definition: tests.c:1692
secp256k1_ecmult_gen_context_build
static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context *ctx, const secp256k1_callback *cb)
secp256k1_num_mod_inverse
static void secp256k1_num_mod_inverse(secp256k1_num *r, const secp256k1_num *a, const secp256k1_num *m)
secp256k1_hmac_sha256_initialize
static void secp256k1_hmac_sha256_initialize(secp256k1_hmac_sha256_t *hash, const unsigned char *key, size_t size)
SECP256K1_CONTEXT_SIGN
#define SECP256K1_CONTEXT_SIGN
Definition: secp256k1.h:161
test_num_add_sub
void test_num_add_sub(void)
Definition: tests.c:475
run_ecdsa_sign_verify
void run_ecdsa_sign_verify(void)
Definition: tests.c:3229
random_field_element_test
void random_field_element_test(secp256k1_fe *fe)
Definition: tests.c:60
secp256k1_ec_privkey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Definition: secp256k1.c:432
test_ec_combine
void test_ec_combine(void)
Definition: tests.c:2019
test_num_negate
void test_num_negate(void)
Definition: tests.c:455
random_sign
void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid)
Definition: tests.c:3199
secp256k1_ecdsa_signature_save
static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature *sig, const secp256k1_scalar *r, const secp256k1_scalar *s)
Definition: secp256k1.c:206
SECP256K1_FE_CONST
#define SECP256K1_FE_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: field_10x26.h:38
test_ecmult_gen_blind_reset
void test_ecmult_gen_blind_reset(void)
Definition: tests.c:2511
secp256k1_gej_is_valid_var
static int secp256k1_gej_is_valid_var(const secp256k1_gej *a)
Definition: group_impl.h:219
secp256k1_gej_set_infinity
static void secp256k1_gej_set_infinity(secp256k1_gej *r)
secp256k1_eckey_pubkey_parse
static int secp256k1_eckey_pubkey_parse(secp256k1_ge *elem, const unsigned char *pub, size_t size)
secp256k1_fe_add
static void secp256k1_fe_add(secp256k1_fe *r, const secp256k1_fe *a)
damage_array
static void damage_array(unsigned char *sig, size_t *len)
Definition: tests.c:3607
secp256k1_fe_mul_int
static void secp256k1_fe_mul_int(secp256k1_fe *r, int a)
ge_equals_gej
void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b)
Definition: tests.c:1723
secp256k1_fe_is_odd
static int secp256k1_fe_is_odd(const secp256k1_fe *a)
secp256k1_gej_add_ge_var
static void secp256k1_gej_add_ge_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, secp256k1_fe *rzr)
gen_base58_test_vectors.data
data
Definition: gen_base58_test_vectors.py:123
run_eckey_edge_case_test
void run_eckey_edge_case_test(void)
Definition: tests.c:2963
run_context_tests
void run_context_tests(void)
Definition: tests.c:136
secp256k1_gej_double_var
static void secp256k1_gej_double_var(secp256k1_gej *r, const secp256k1_gej *a, secp256k1_fe *rzr)
secp256k1_context_destroy
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx)
Definition: secp256k1.c:94
test_ecdsa_der_parse
int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der)
Definition: tests.c:3485
run_ecdh_tests
void run_ecdh_tests(void)
Definition: tests_impl.h:70
secp256k1_ge_const_g
static const secp256k1_ge secp256k1_ge_const_g
Definition: group_impl.h:19
run_field_inv_all_var
void run_field_inv_all_var(void)
Definition: tests.c:1604
secp256k1_ec_pubkey_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Definition: secp256k1.c:409
test_rand_int
void test_rand_int(uint32_t range, uint32_t subrange)
Definition: tests.c:399
SECP256K1_EC_UNCOMPRESSED
#define SECP256K1_EC_UNCOMPRESSED
Definition: secp256k1.h:166
SECP256K1_EC_COMPRESSED
#define SECP256K1_EC_COMPRESSED
Definition: secp256k1.h:165
WNAF_SIZE
#define WNAF_SIZE(w)
Definition: ecmult_const_impl.h:20
secp256k1_scalar_mul_shift_var
static void secp256k1_scalar_mul_shift_var(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b, unsigned int shift)
run_rfc6979_hmac_sha256_tests
void run_rfc6979_hmac_sha256_tests(void)
Definition: tests.c:321
run_field_inv_var
void run_field_inv_var(void)
Definition: tests.c:1592
random_num_order
void random_num_order(secp256k1_num *num)
Definition: tests.c:449
secp256k1_rfc6979_hmac_sha256_finalize
static void secp256k1_rfc6979_hmac_sha256_finalize(secp256k1_rfc6979_hmac_sha256_t *rng)
secp256k1_sha256_finalize
static void secp256k1_sha256_finalize(secp256k1_sha256_t *hash, unsigned char *out32)
run_ec_pubkey_parse_test
void run_ec_pubkey_parse_test(void)
Definition: tests.c:2636
secp256k1_scalar_inverse
static void secp256k1_scalar_inverse(secp256k1_scalar *r, const secp256k1_scalar *a)
run_field_inv
void run_field_inv(void)
Definition: tests.c:1580
secp256k1_ec_seckey_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Definition: secp256k1.c:395
run_ecmult_gen_blind
void run_ecmult_gen_blind(void)
Definition: tests.c:2523
secp256k1_num
Definition: num_gmp.h:14
run_ecdsa_der_parse
void run_ecdsa_der_parse(void)
Definition: tests.c:3780
secp256k1_sha256_write
static void secp256k1_sha256_write(secp256k1_sha256_t *hash, const unsigned char *data, size_t size)
secp256k1_ecmult_gen_context::blind
secp256k1_scalar blind
Definition: ecmult_gen.h:27
secp256k1_num_sub
static void secp256k1_num_sub(secp256k1_num *r, const secp256k1_num *a, const secp256k1_num *b)
secp256k1_ge_set_table_gej_var
static void secp256k1_ge_set_table_gej_var(size_t len, secp256k1_ge *r, const secp256k1_gej *a, const secp256k1_fe *zr)
secp256k1_context_struct::ecmult_gen_ctx
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition: secp256k1.c:55
run_field_convert
void run_field_convert(void)
Definition: tests.c:1469
SECP256K1_SCALAR_CONST
#define SECP256K1_SCALAR_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: scalar_4x64.h:17
run_num_smalltests
void run_num_smalltests(void)
Definition: tests.c:503
ecmult_const_mult_zero_one
void ecmult_const_mult_zero_one(void)
Definition: tests.c:2278
secp256k1_ge_set_xquad_var
static int secp256k1_ge_set_xquad_var(secp256k1_ge *r, const secp256k1_fe *x)
ctx
static secp256k1_context * ctx
Definition: tests.c:42
run_ecmult_chain
void run_ecmult_chain(void)
Definition: tests.c:2109
is_empty_signature
int is_empty_signature(const secp256k1_ecdsa_signature *sig)
Definition: tests.c:3283
secp256k1_ecdsa_sign
SECP256K1_API int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *ndata) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Definition: secp256k1.c:349
secp256k1_ge_set_gej
static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a)
secp256k1_gej::infinity
int infinity
Definition: group.h:28
VG_UNDEF
#define VG_UNDEF(x, y)
Definition: tests.c:36
secp256k1_scalar_is_high
static int secp256k1_scalar_is_high(const secp256k1_scalar *a)
secp256k1_num_add
static void secp256k1_num_add(secp256k1_num *r, const secp256k1_num *a, const secp256k1_num *b)
secp256k1_hmac_sha256_write
static void secp256k1_hmac_sha256_write(secp256k1_hmac_sha256_t *hash, const unsigned char *data, size_t size)
secp256k1_ec_pubkey_tweak_mul
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Definition: secp256k1.c:503
secp256k1_num_shift
static void secp256k1_num_shift(secp256k1_num *r, int bits)
secp256k1_scalar_sqr
static void secp256k1_scalar_sqr(secp256k1_scalar *r, const secp256k1_scalar *a)
secp256k1_hmac_sha256_finalize
static void secp256k1_hmac_sha256_finalize(secp256k1_hmac_sha256_t *hash, unsigned char *out32)
secp256k1_sha256_initialize
static void secp256k1_sha256_initialize(secp256k1_sha256_t *hash)
test_group_decompress
void test_group_decompress(const secp256k1_fe *x)
Definition: tests.c:2051
run_ecdsa_end_to_end
void run_ecdsa_end_to_end(void)
Definition: tests.c:3478
secp256k1_num_mul
static void secp256k1_num_mul(secp256k1_num *r, const secp256k1_num *a, const secp256k1_num *b)
test_constant_wnaf_negate
void test_constant_wnaf_negate(const secp256k1_scalar *number)
Definition: tests.c:2367
secp256k1_fe_sqrt_var
static int secp256k1_fe_sqrt_var(secp256k1_fe *r, const secp256k1_fe *a)
ec_pubkey_parse_pointtest
void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid)
Definition: tests.c:2561
secp256k1_ec_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Definition: secp256k1.c:152
secp256k1_scalar_cadd_bit
static void secp256k1_scalar_cadd_bit(secp256k1_scalar *r, unsigned int bit, int flag)
secp256k1_context_struct::ecmult_ctx
secp256k1_ecmult_context ecmult_ctx
Definition: secp256k1.c:54
secp256k1_ge
Definition: group.h:14
secp256k1_ecdsa_signature
Definition: secp256k1.h:72
secp256k1_ge::x
secp256k1_fe x
Definition: group.h:15
secp256k1_fe_inv_all_var
static void secp256k1_fe_inv_all_var(size_t len, secp256k1_fe *r, const secp256k1_fe *a)
run_sqr
void run_sqr(void)
Definition: tests.c:1626
secp256k1_fe_normalize_weak
static void secp256k1_fe_normalize_weak(secp256k1_fe *r)
secp256k1_rand32
static uint32_t secp256k1_rand32(void)
secp256k1_ge_clear
static void secp256k1_ge_clear(secp256k1_ge *r)
VG_CHECK
#define VG_CHECK(x, y)
Definition: tests.c:37
ec_privkey_import_der
static int ec_privkey_import_der(const secp256k1_context *ctx, unsigned char *out32, const unsigned char *privkey, size_t privkeylen)
Definition: key.cpp:19
tests_impl.h
SECP256K1_EC_PARSE_TEST_NINVALID
#define SECP256K1_EC_PARSE_TEST_NINVALID
secp256k1_num_negate
static void secp256k1_num_negate(secp256k1_num *r)
CHECK
#define CHECK(cond)
Definition: util.h:52
secp256k1_scalar
Definition: scalar_4x64.h:13
secp256k1_context_set_error_callback
SECP256K1_API void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Definition: secp256k1.c:111
secp256k1_ge::infinity
int infinity
Definition: group.h:17
secp256k1_scalar_cond_negate
static int secp256k1_scalar_cond_negate(secp256k1_scalar *a, int flag)
main
int main(int argc, char **argv)
Definition: tests.c:4252
secp256k1_ecdsa_signature_load
static void secp256k1_ecdsa_signature_load(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_ecdsa_signature *sig)
Definition: secp256k1.c:192
secp256k1_sha256_t
Definition: hash.h:13
secp256k1_ecdsa_signature_parse_der
SECP256K1_API int secp256k1_ecdsa_signature_parse_der(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Definition: secp256k1.c:216
run_sha256_tests
void run_sha256_tests(void)
Definition: tests.c:241
zmq_sub.msg
msg
Definition: zmq_sub.py:22
lax_der_privatekey_parsing.c
secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
secp256k1_ge_set_xo_var
static int secp256k1_ge_set_xo_var(secp256k1_ge *r, const secp256k1_fe *x, int odd)
test_ecdsa_edge_cases
void test_ecdsa_edge_cases(void)
Definition: tests.c:3811
secp256k1_fe_sqr
static void secp256k1_fe_sqr(secp256k1_fe *r, const secp256k1_fe *a)
SECP256K1_GE_CONST
#define SECP256K1_GE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:20
secp256k1_fe_set_b32
static int secp256k1_fe_set_b32(secp256k1_fe *r, const unsigned char *a)
secp256k1_fe_cmp_var
static int secp256k1_fe_cmp_var(const secp256k1_fe *a, const secp256k1_fe *b)
SECP256K1_CONTEXT_VERIFY
#define SECP256K1_CONTEXT_VERIFY
Definition: secp256k1.h:160
secp256k1_context_clone
SECP256K1_API secp256k1_context * secp256k1_context_clone(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Definition: secp256k1.c:85
secp256k1_fe_equal_var
static int secp256k1_fe_equal_var(const secp256k1_fe *a, const secp256k1_fe *b)
random_group_element_jacobian_test
void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge)
Definition: tests.c:95
run_schnorr_tests
void run_schnorr_tests(void)
Definition: tests_impl.h:159
secp256k1_scalar::d
uint64_t d[4]
Definition: scalar_4x64.h:14
secp256k1_num_cmp
static int secp256k1_num_cmp(const secp256k1_num *a, const secp256k1_num *b)
secp256k1_ecdsa_signature_serialize_der
SECP256K1_API int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Definition: secp256k1.c:253
random_scalar_order_test
void random_scalar_order_test(secp256k1_scalar *num)
Definition: tests.c:110
secp256k1_gej_rescale
static void secp256k1_gej_rescale(secp256k1_gej *r, const secp256k1_fe *b)
secp256k1_scalar_add
static int secp256k1_scalar_add(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
secp256k1_rand_bits
static uint32_t secp256k1_rand_bits(int bits)
random_group_element_test
void random_group_element_test(secp256k1_ge *ge)
Definition: tests.c:84
secp256k1_scalar_set_int
static void secp256k1_scalar_set_int(secp256k1_scalar *r, unsigned int v)
secp256k1_ecdsa_signature_parse_compact
SECP256K1_API int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input64) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Definition: secp256k1.c:232
secp256k1_scalar_inverse_var
static void secp256k1_scalar_inverse_var(secp256k1_scalar *r, const secp256k1_scalar *a)
run_wnaf
void run_wnaf(void)
Definition: tests.c:2427
ecmult_const_random_mult
void ecmult_const_random_mult(void)
Definition: tests.c:2230
random_ber_signature
static void random_ber_signature(unsigned char *sig, size_t *len, int *certainly_der, int *certainly_not_der)
Definition: tests.c:3634
secp256k1_gej::z
secp256k1_fe z
Definition: group.h:27
SECP256K1_EC_PARSE_TEST_NVALID
#define SECP256K1_EC_PARSE_TEST_NVALID
secp256k1_ge_set_all_gej_var
static void secp256k1_ge_set_all_gej_var(size_t len, secp256k1_ge *r, const secp256k1_gej *a, const secp256k1_callback *cb)
memcpy
void * memcpy(void *a, const void *b, size_t c)
Definition: glibc_compat.cpp:17
random_fe_test
void random_fe_test(secp256k1_fe *x)
Definition: tests.c:1423
secp256k1_fe_normalize
static void secp256k1_fe_normalize(secp256k1_fe *r)
SECP256K1_FE_STORAGE_CONST
#define SECP256K1_FE_STORAGE_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: field_10x26.h:45
secp256k1_hmac_sha256_t
Definition: hash.h:23
test_ecdsa_sign_verify
void test_ecdsa_sign_verify(void)
Definition: tests.c:3206
secp256k1_ecdsa_sig_verify
static int secp256k1_ecdsa_sig_verify(const secp256k1_ecmult_context *ctx, const secp256k1_scalar *r, const secp256k1_scalar *s, const secp256k1_ge *pubkey, const secp256k1_scalar *message)
secp256k1_num_is_zero
static int secp256k1_num_is_zero(const secp256k1_num *a)
precomputed_nonce_function
static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests.c:3237
secp256k1_rand256
static void secp256k1_rand256(unsigned char *b32)
low
sph_u32 low
Definition: keccak.c:370
secp256k1_scalar_get_bits_var
static unsigned int secp256k1_scalar_get_bits_var(const secp256k1_scalar *a, unsigned int offset, unsigned int count)
test_ecdsa_end_to_end
void test_ecdsa_end_to_end(void)
Definition: tests.c:3288
secp256k1_fe_get_b32
static void secp256k1_fe_get_b32(unsigned char *r, const secp256k1_fe *a)
secp256k1_gej_add_ge
static void secp256k1_gej_add_ge(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b)
count
static int count
Definition: tests.c:41
secp256k1_pubkey_load
static int secp256k1_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_pubkey *pubkey)
Definition: secp256k1.c:119
secp256k1_context_struct::error_callback
secp256k1_callback error_callback
Definition: secp256k1.c:57
secp256k1_ec_pubkey_combine
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_combine(const secp256k1_context *ctx, secp256k1_pubkey *out, const secp256k1_pubkey *const *ins, size_t n) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Definition: secp256k1.c:534
test_constant_wnaf
void test_constant_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:2382
secp256k1_num_mod
static void secp256k1_num_mod(secp256k1_num *r, const secp256k1_num *m)
random_num_negate
void random_num_negate(secp256k1_num *num)
Definition: tests.c:437
random_field_element_magnitude
void random_field_element_magnitude(secp256k1_fe *fe)
Definition: tests.c:70
secp256k1_gej_set_ge
static void secp256k1_gej_set_ge(secp256k1_gej *r, const secp256k1_ge *a)
ecmult_const_commutativity
void ecmult_const_commutativity(void)
Definition: tests.c:2257
counting_illegal_callback_fn
static void counting_illegal_callback_fn(const char *str, void *data)
Definition: tests.c:44
random_num_order_test
void random_num_order_test(secp256k1_num *num)
Definition: tests.c:443
ecmult_const_chain_multiply
void ecmult_const_chain_multiply(void)
Definition: tests.c:2300
secp256k1_gej::y
secp256k1_fe y
Definition: group.h:26
secp256k1_ecmult_wnaf
static int secp256k1_ecmult_wnaf(int *wnaf, int len, const secp256k1_scalar *a, int w)
Definition: ecmult_impl.h:218
secp256k1_scalar_order_get_num
static void secp256k1_scalar_order_get_num(secp256k1_num *r)
secp256k1_fe_storage
Definition: field_10x26.h:41
test_ecmult_gen_blind
void test_ecmult_gen_blind(void)
Definition: tests.c:2488
gej_xyz_equals_gej
int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b)
Definition: tests.c:1702
test_ge
void test_ge(void)
Definition: tests.c:1740
extract_strings_qt.out
out
Definition: extract_strings_qt.py:56
secp256k1_ge_is_valid_var
static int secp256k1_ge_is_valid_var(const secp256k1_ge *a)
secp256k1_ge::y
secp256k1_fe y
Definition: group.h:16
secp256k1_ecmult_gen_context::initial
secp256k1_gej initial
Definition: ecmult_gen.h:28
secp256k1_ecmult_context_build
static void secp256k1_ecmult_context_build(secp256k1_ecmult_context *ctx, const secp256k1_callback *cb)
secp256k1_rand_seed
static SECP256K1_INLINE void secp256k1_rand_seed(const unsigned char *seed16)
random_fe_non_square
void random_fe_non_square(secp256k1_fe *ns)
Definition: tests.c:1446
memmove
void * memmove(void *a, const void *b, size_t c)
secp256k1_fe_inv_var
static void secp256k1_fe_inv_var(secp256k1_fe *r, const secp256k1_fe *a)
secp256k1_num_get_bin
static void secp256k1_num_get_bin(unsigned char *r, unsigned int rlen, const secp256k1_num *a)
secp256k1_fe_inv
static void secp256k1_fe_inv(secp256k1_fe *r, const secp256k1_fe *a)
secp256k1_context_create
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Definition: secp256k1.c:60
run_ec_combine
void run_ec_combine(void)
Definition: tests.c:2044
secp256k1_wnaf_const
static int secp256k1_wnaf_const(int *wnaf, secp256k1_scalar s, int w)
Definition: ecmult_const_impl.h:57
uncounting_illegal_callback_fn
static void uncounting_illegal_callback_fn(const char *str, void *data)
Definition: tests.c:52
run_ecdsa_edge_cases
void run_ecdsa_edge_cases(void)
Definition: tests.c:4180
secp256k1_scalar_is_one
static int secp256k1_scalar_is_one(const secp256k1_scalar *a)
test_rand_bits
void test_rand_bits(int rand32, int bits)
Definition: tests.c:364
run_recovery_tests
void run_recovery_tests(void)
Definition: tests_impl.h:242
secp256k1_num_is_neg
static int secp256k1_num_is_neg(const secp256k1_num *a)
check_fe_inverse
int check_fe_inverse(const secp256k1_fe *a, const secp256k1_fe *ai)
Definition: tests.c:1462
SECP256K1_EC_PARSE_TEST_NXVALID
#define SECP256K1_EC_PARSE_TEST_NXVALID
extract_strings_qt.key
key
Definition: extract_strings_qt.py:73
ecdsa_signature_parse_der_lax
static int ecdsa_signature_parse_der_lax(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen)
Definition: pubkey.cpp:26
secp256k1_ecdsa_sig_serialize
static int secp256k1_ecdsa_sig_serialize(unsigned char *sig, size_t *size, const secp256k1_scalar *r, const secp256k1_scalar *s)
run_point_times_order
void run_point_times_order(void)
Definition: tests.c:2208
scalar_test
void scalar_test(void)
Definition: tests.c:514
secp256k1_pubkey
Definition: secp256k1.h:56
secp256k1_rand256_test
static void secp256k1_rand256_test(unsigned char *b32)
secp256k1_ecdsa_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msg32, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Definition: secp256k1.c:297