Bitcoin ABC  0.22.12
P2P Digital Currency
tests.c
Go to the documentation of this file.
1 /**********************************************************************
2  * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5  **********************************************************************/
6 
7 #if defined HAVE_CONFIG_H
8 #include "libsecp256k1-config.h"
9 #endif
10 
11 #include <stdio.h>
12 #include <stdlib.h>
13 #include <string.h>
14 
15 #include <time.h>
16 
17 #include "secp256k1.c"
18 #include "include/secp256k1.h"
19 #include "include/secp256k1_preallocated.h"
20 #include "testrand_impl.h"
21 
22 #ifdef ENABLE_OPENSSL_TESTS
23 #include "openssl/bn.h"
24 #include "openssl/ec.h"
25 #include "openssl/ecdsa.h"
26 #include "openssl/obj_mac.h"
27 # if OPENSSL_VERSION_NUMBER < 0x10100000L
28 void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {*pr = sig->r; *ps = sig->s;}
29 # endif
30 #endif
31 
32 #include "contrib/lax_der_parsing.c"
33 #include "contrib/lax_der_privatekey_parsing.c"
34 
35 static int count = 64;
36 static secp256k1_context *ctx = NULL;
37 
38 static void counting_illegal_callback_fn(const char* str, void* data) {
39  /* Dummy callback function that just counts. */
40  int32_t *p;
41  (void)str;
42  p = data;
43  (*p)++;
44 }
45 
46 static void uncounting_illegal_callback_fn(const char* str, void* data) {
47  /* Dummy callback function that just counts (backwards). */
48  int32_t *p;
49  (void)str;
50  p = data;
51  (*p)--;
52 }
53 
54 void random_field_element_test(secp256k1_fe *fe) {
55  do {
56  unsigned char b32[32];
57  secp256k1_testrand256_test(b32);
58  if (secp256k1_fe_set_b32(fe, b32)) {
59  break;
60  }
61  } while(1);
62 }
63 
64 void random_field_element_magnitude(secp256k1_fe *fe) {
65  secp256k1_fe zero;
66  int n = secp256k1_testrand_int(9);
67  secp256k1_fe_normalize(fe);
68  if (n == 0) {
69  return;
70  }
71  secp256k1_fe_clear(&zero);
72  secp256k1_fe_negate(&zero, &zero, 0);
73  secp256k1_fe_mul_int(&zero, n - 1);
74  secp256k1_fe_add(fe, &zero);
75 #ifdef VERIFY
76  CHECK(fe->magnitude == n);
77 #endif
78 }
79 
80 void random_group_element_test(secp256k1_ge *ge) {
81  secp256k1_fe fe;
82  do {
83  random_field_element_test(&fe);
84  if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_testrand_bits(1))) {
85  secp256k1_fe_normalize(&ge->y);
86  break;
87  }
88  } while(1);
89  ge->infinity = 0;
90 }
91 
92 void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) {
93  secp256k1_fe z2, z3;
94  do {
95  random_field_element_test(&gej->z);
96  if (!secp256k1_fe_is_zero(&gej->z)) {
97  break;
98  }
99  } while(1);
100  secp256k1_fe_sqr(&z2, &gej->z);
101  secp256k1_fe_mul(&z3, &z2, &gej->z);
102  secp256k1_fe_mul(&gej->x, &ge->x, &z2);
103  secp256k1_fe_mul(&gej->y, &ge->y, &z3);
104  gej->infinity = ge->infinity;
105 }
106 
107 void random_scalar_order_test(secp256k1_scalar *num) {
108  do {
109  unsigned char b32[32];
110  int overflow = 0;
111  secp256k1_testrand256_test(b32);
112  secp256k1_scalar_set_b32(num, b32, &overflow);
113  if (overflow || secp256k1_scalar_is_zero(num)) {
114  continue;
115  }
116  break;
117  } while(1);
118 }
119 
120 void random_scalar_order(secp256k1_scalar *num) {
121  do {
122  unsigned char b32[32];
123  int overflow = 0;
124  secp256k1_testrand256(b32);
125  secp256k1_scalar_set_b32(num, b32, &overflow);
126  if (overflow || secp256k1_scalar_is_zero(num)) {
127  continue;
128  }
129  break;
130  } while(1);
131 }
132 
133 void random_scalar_order_b32(unsigned char *b32) {
134  secp256k1_scalar num;
135  random_scalar_order(&num);
136  secp256k1_scalar_get_b32(b32, &num);
137 }
138 
139 void run_context_tests(int use_prealloc) {
140  secp256k1_pubkey pubkey;
141  secp256k1_pubkey zero_pubkey;
142  secp256k1_ecdsa_signature sig;
143  unsigned char ctmp[32];
144  int32_t ecount;
145  int32_t ecount2;
146  secp256k1_context *none;
147  secp256k1_context *sign;
148  secp256k1_context *vrfy;
149  secp256k1_context *both;
150  void *none_prealloc = NULL;
151  void *sign_prealloc = NULL;
152  void *vrfy_prealloc = NULL;
153  void *both_prealloc = NULL;
154 
155  secp256k1_gej pubj;
156  secp256k1_ge pub;
157  secp256k1_scalar msg, key, nonce;
158  secp256k1_scalar sigr, sigs;
159 
160  if (use_prealloc) {
161  none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
162  sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
163  vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
164  both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
165  CHECK(none_prealloc != NULL);
166  CHECK(sign_prealloc != NULL);
167  CHECK(vrfy_prealloc != NULL);
168  CHECK(both_prealloc != NULL);
169  none = secp256k1_context_preallocated_create(none_prealloc, SECP256K1_CONTEXT_NONE);
170  sign = secp256k1_context_preallocated_create(sign_prealloc, SECP256K1_CONTEXT_SIGN);
171  vrfy = secp256k1_context_preallocated_create(vrfy_prealloc, SECP256K1_CONTEXT_VERIFY);
172  both = secp256k1_context_preallocated_create(both_prealloc, SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
173  } else {
174  none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
175  sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
176  vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
177  both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
178  }
179 
180  memset(&zero_pubkey, 0, sizeof(zero_pubkey));
181 
182  ecount = 0;
183  ecount2 = 10;
184  secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
185  secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2);
186  /* set error callback (to a function that still aborts in case malloc() fails in secp256k1_context_clone() below) */
187  secp256k1_context_set_error_callback(sign, secp256k1_default_illegal_callback_fn, NULL);
188  CHECK(sign->error_callback.fn != vrfy->error_callback.fn);
189  CHECK(sign->error_callback.fn == secp256k1_default_illegal_callback_fn);
190 
191  /* check if sizes for cloning are consistent */
192  CHECK(secp256k1_context_preallocated_clone_size(none) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
193  CHECK(secp256k1_context_preallocated_clone_size(sign) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
194  CHECK(secp256k1_context_preallocated_clone_size(vrfy) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
195  CHECK(secp256k1_context_preallocated_clone_size(both) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
196 
197  /*** clone and destroy all of them to make sure cloning was complete ***/
198  {
199  secp256k1_context *ctx_tmp;
200 
201  if (use_prealloc) {
202  /* clone into a non-preallocated context and then again into a new preallocated one. */
203  ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
204  free(none_prealloc); none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(none_prealloc != NULL);
205  ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, none_prealloc); secp256k1_context_destroy(ctx_tmp);
206 
207  ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
208  free(sign_prealloc); sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(sign_prealloc != NULL);
209  ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, sign_prealloc); secp256k1_context_destroy(ctx_tmp);
210 
211  ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
212  free(vrfy_prealloc); vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(vrfy_prealloc != NULL);
213  ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, vrfy_prealloc); secp256k1_context_destroy(ctx_tmp);
214 
215  ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
216  free(both_prealloc); both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(both_prealloc != NULL);
217  ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, both_prealloc); secp256k1_context_destroy(ctx_tmp);
218  } else {
219  /* clone into a preallocated context and then again into a new non-preallocated one. */
220  void *prealloc_tmp;
221 
222  prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(prealloc_tmp != NULL);
223  ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
224  ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
225  free(prealloc_tmp);
226 
227  prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(prealloc_tmp != NULL);
228  ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
229  ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
230  free(prealloc_tmp);
231 
232  prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
233  ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
234  ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
235  free(prealloc_tmp);
236 
237  prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
238  ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
239  ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
240  free(prealloc_tmp);
241  }
242  }
243 
244  /* Verify that the error callback makes it across the clone. */
245  CHECK(sign->error_callback.fn != vrfy->error_callback.fn);
246  CHECK(sign->error_callback.fn == secp256k1_default_illegal_callback_fn);
247  /* And that it resets back to default. */
248  secp256k1_context_set_error_callback(sign, NULL, NULL);
249  CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
250 
251  /*** attempt to use them ***/
252  random_scalar_order_test(&msg);
253  random_scalar_order_test(&key);
254  secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
255  secp256k1_ge_set_gej(&pub, &pubj);
256 
257  /* Verify context-type checking illegal-argument errors. */
258  memset(ctmp, 1, 32);
259  CHECK(secp256k1_ec_pubkey_create(vrfy, &pubkey, ctmp) == 0);
260  CHECK(ecount == 1);
261  VG_UNDEF(&pubkey, sizeof(pubkey));
262  CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1);
263  VG_CHECK(&pubkey, sizeof(pubkey));
264  CHECK(secp256k1_ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0);
265  CHECK(ecount == 2);
266  VG_UNDEF(&sig, sizeof(sig));
267  CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
268  VG_CHECK(&sig, sizeof(sig));
269  CHECK(ecount2 == 10);
270  CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0);
271  CHECK(ecount2 == 11);
272  CHECK(secp256k1_ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1);
273  CHECK(ecount == 2);
274  CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0);
275  CHECK(ecount2 == 12);
276  CHECK(secp256k1_ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1);
277  CHECK(ecount == 2);
278  CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0);
279  CHECK(ecount2 == 13);
280  CHECK(secp256k1_ec_pubkey_negate(vrfy, &pubkey) == 1);
281  CHECK(ecount == 2);
282  CHECK(secp256k1_ec_pubkey_negate(sign, &pubkey) == 1);
283  CHECK(ecount == 2);
284  CHECK(secp256k1_ec_pubkey_negate(sign, NULL) == 0);
285  CHECK(ecount2 == 14);
286  CHECK(secp256k1_ec_pubkey_negate(vrfy, &zero_pubkey) == 0);
287  CHECK(ecount == 3);
288  CHECK(secp256k1_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1);
289  CHECK(ecount == 3);
290  CHECK(secp256k1_context_randomize(vrfy, ctmp) == 1);
291  CHECK(ecount == 3);
292  CHECK(secp256k1_context_randomize(vrfy, NULL) == 1);
293  CHECK(ecount == 3);
294  CHECK(secp256k1_context_randomize(sign, ctmp) == 1);
295  CHECK(ecount2 == 14);
296  CHECK(secp256k1_context_randomize(sign, NULL) == 1);
297  CHECK(ecount2 == 14);
298  secp256k1_context_set_illegal_callback(vrfy, NULL, NULL);
299  secp256k1_context_set_illegal_callback(sign, NULL, NULL);
300 
301  /* obtain a working nonce */
302  do {
303  random_scalar_order_test(&nonce);
304  } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
305 
306  /* try signing */
307  CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
308  CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
309 
310  /* try verifying */
311  CHECK(secp256k1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg));
312  CHECK(secp256k1_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg));
313 
314  /* cleanup */
315  if (use_prealloc) {
316  secp256k1_context_preallocated_destroy(none);
317  secp256k1_context_preallocated_destroy(sign);
318  secp256k1_context_preallocated_destroy(vrfy);
319  secp256k1_context_preallocated_destroy(both);
320  free(none_prealloc);
321  free(sign_prealloc);
322  free(vrfy_prealloc);
323  free(both_prealloc);
324  } else {
325  secp256k1_context_destroy(none);
326  secp256k1_context_destroy(sign);
327  secp256k1_context_destroy(vrfy);
328  secp256k1_context_destroy(both);
329  }
330  /* Defined as no-op. */
331  secp256k1_context_destroy(NULL);
332  secp256k1_context_preallocated_destroy(NULL);
333 
334 }
335 
336 void run_scratch_tests(void) {
337  const size_t adj_alloc = ((500 + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT;
338 
339  int32_t ecount = 0;
340  size_t checkpoint;
341  size_t checkpoint_2;
342  secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
343  secp256k1_scratch_space *scratch;
344  secp256k1_scratch_space local_scratch;
345 
346  /* Test public API */
347  secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
348  secp256k1_context_set_error_callback(none, counting_illegal_callback_fn, &ecount);
349 
350  scratch = secp256k1_scratch_space_create(none, 1000);
351  CHECK(scratch != NULL);
352  CHECK(ecount == 0);
353 
354  /* Test internal API */
355  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
356  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1));
357  CHECK(scratch->alloc_size == 0);
358  CHECK(scratch->alloc_size % ALIGNMENT == 0);
359 
360  /* Allocating 500 bytes succeeds */
361  checkpoint = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
362  CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
363  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
364  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
365  CHECK(scratch->alloc_size != 0);
366  CHECK(scratch->alloc_size % ALIGNMENT == 0);
367 
368  /* Allocating another 501 bytes fails */
369  CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 501) == NULL);
370  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
371  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
372  CHECK(scratch->alloc_size != 0);
373  CHECK(scratch->alloc_size % ALIGNMENT == 0);
374 
375  /* ...but it succeeds once we apply the checkpoint to undo it */
376  secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
377  CHECK(scratch->alloc_size == 0);
378  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
379  CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
380  CHECK(scratch->alloc_size != 0);
381 
382  /* try to apply a bad checkpoint */
383  checkpoint_2 = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
384  secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
385  CHECK(ecount == 0);
386  secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint_2); /* checkpoint_2 is after checkpoint */
387  CHECK(ecount == 1);
388  secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, (size_t) -1); /* this is just wildly invalid */
389  CHECK(ecount == 2);
390 
391  /* try to use badly initialized scratch space */
392  secp256k1_scratch_space_destroy(none, scratch);
393  memset(&local_scratch, 0, sizeof(local_scratch));
394  scratch = &local_scratch;
395  CHECK(!secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0));
396  CHECK(ecount == 3);
397  CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) == NULL);
398  CHECK(ecount == 4);
399  secp256k1_scratch_space_destroy(none, scratch);
400  CHECK(ecount == 5);
401 
402  /* Test that large integers do not wrap around in a bad way */
403  scratch = secp256k1_scratch_space_create(none, 1000);
404  /* Try max allocation with a large number of objects. Only makes sense if
405  * ALIGNMENT is greater than 1 because otherwise the objects take no extra
406  * space. */
407  CHECK(ALIGNMENT <= 1 || !secp256k1_scratch_max_allocation(&none->error_callback, scratch, (SIZE_MAX / (ALIGNMENT - 1)) + 1));
408  /* Try allocating SIZE_MAX to test wrap around which only happens if
409  * ALIGNMENT > 1, otherwise it returns NULL anyway because the scratch
410  * space is too small. */
411  CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, SIZE_MAX) == NULL);
412  secp256k1_scratch_space_destroy(none, scratch);
413 
414  /* cleanup */
415  secp256k1_scratch_space_destroy(none, NULL); /* no-op */
416  secp256k1_context_destroy(none);
417 }
418 
419 /***** HASH TESTS *****/
420 
421 void run_sha256_tests(void) {
422  static const char *inputs[8] = {
423  "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
424  "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
425  "For this sample, this 63-byte string will be used as input data",
426  "This is exactly 64 bytes long, not counting the terminating byte"
427  };
428  static const unsigned char outputs[8][32] = {
429  {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
430  {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
431  {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
432  {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
433  {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
434  {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
435  {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
436  {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
437  };
438  int i;
439  for (i = 0; i < 8; i++) {
440  unsigned char out[32];
441  secp256k1_sha256 hasher;
442  secp256k1_sha256_initialize(&hasher);
443  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
444  secp256k1_sha256_finalize(&hasher, out);
445  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
446  if (strlen(inputs[i]) > 0) {
447  int split = secp256k1_testrand_int(strlen(inputs[i]));
448  secp256k1_sha256_initialize(&hasher);
449  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
450  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
451  secp256k1_sha256_finalize(&hasher, out);
452  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
453  }
454  }
455 }
456 
457 void run_hmac_sha256_tests(void) {
458  static const char *keys[6] = {
459  "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
460  "\x4a\x65\x66\x65",
461  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
462  "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
463  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
464  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
465  };
466  static const char *inputs[6] = {
467  "\x48\x69\x20\x54\x68\x65\x72\x65",
468  "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
469  "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
470  "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
471  "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
472  "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
473  };
474  static const unsigned char outputs[6][32] = {
475  {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
476  {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
477  {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
478  {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
479  {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
480  {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
481  };
482  int i;
483  for (i = 0; i < 6; i++) {
484  secp256k1_hmac_sha256 hasher;
485  unsigned char out[32];
486  secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
487  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
488  secp256k1_hmac_sha256_finalize(&hasher, out);
489  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
490  if (strlen(inputs[i]) > 0) {
491  int split = secp256k1_testrand_int(strlen(inputs[i]));
492  secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
493  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
494  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
495  secp256k1_hmac_sha256_finalize(&hasher, out);
496  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
497  }
498  }
499 }
500 
501 void run_rfc6979_hmac_sha256_tests(void) {
502  static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
503  static const unsigned char out1[3][32] = {
504  {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
505  {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
506  {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
507  };
508 
509  static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
510  static const unsigned char out2[3][32] = {
511  {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
512  {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
513  {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
514  };
515 
516  secp256k1_rfc6979_hmac_sha256 rng;
517  unsigned char out[32];
518  int i;
519 
520  secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
521  for (i = 0; i < 3; i++) {
522  secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
523  CHECK(secp256k1_memcmp_var(out, out1[i], 32) == 0);
524  }
525  secp256k1_rfc6979_hmac_sha256_finalize(&rng);
526 
527  secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
528  for (i = 0; i < 3; i++) {
529  secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
530  CHECK(secp256k1_memcmp_var(out, out1[i], 32) != 0);
531  }
532  secp256k1_rfc6979_hmac_sha256_finalize(&rng);
533 
534  secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
535  for (i = 0; i < 3; i++) {
536  secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
537  CHECK(secp256k1_memcmp_var(out, out2[i], 32) == 0);
538  }
539  secp256k1_rfc6979_hmac_sha256_finalize(&rng);
540 }
541 
542 /***** RANDOM TESTS *****/
543 
544 void test_rand_bits(int rand32, int bits) {
545  /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
546  * get a false negative chance below once in a billion */
547  static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
548  /* We try multiplying the results with various odd numbers, which shouldn't
549  * influence the uniform distribution modulo a power of 2. */
550  static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
551  /* We only select up to 6 bits from the output to analyse */
552  unsigned int usebits = bits > 6 ? 6 : bits;
553  unsigned int maxshift = bits - usebits;
554  /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
555  number, track all observed outcomes, one per bit in a uint64_t. */
556  uint64_t x[6][27] = {{0}};
557  unsigned int i, shift, m;
558  /* Multiply the output of all rand calls with the odd number m, which
559  should not change the uniformity of its distribution. */
560  for (i = 0; i < rounds[usebits]; i++) {
561  uint32_t r = (rand32 ? secp256k1_testrand32() : secp256k1_testrand_bits(bits));
562  CHECK((((uint64_t)r) >> bits) == 0);
563  for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
564  uint32_t rm = r * mults[m];
565  for (shift = 0; shift <= maxshift; shift++) {
566  x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
567  }
568  }
569  }
570  for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
571  for (shift = 0; shift <= maxshift; shift++) {
572  /* Test that the lower usebits bits of x[shift] are 1 */
573  CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
574  }
575  }
576 }
577 
578 /* Subrange must be a whole divisor of range, and at most 64 */
579 void test_rand_int(uint32_t range, uint32_t subrange) {
580  /* (1-1/subrange)^rounds < 1/10^9 */
581  int rounds = (subrange * 2073) / 100;
582  int i;
583  uint64_t x = 0;
584  CHECK((range % subrange) == 0);
585  for (i = 0; i < rounds; i++) {
586  uint32_t r = secp256k1_testrand_int(range);
587  CHECK(r < range);
588  r = r % subrange;
589  x |= (((uint64_t)1) << r);
590  }
591  /* Test that the lower subrange bits of x are 1. */
592  CHECK(((~x) << (64 - subrange)) == 0);
593 }
594 
595 void run_rand_bits(void) {
596  size_t b;
597  test_rand_bits(1, 32);
598  for (b = 1; b <= 32; b++) {
599  test_rand_bits(0, b);
600  }
601 }
602 
603 void run_rand_int(void) {
604  static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
605  static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
606  unsigned int m, s;
607  for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
608  for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
609  test_rand_int(ms[m] * ss[s], ss[s]);
610  }
611  }
612 }
613 
614 /***** NUM TESTS *****/
615 
616 #ifndef USE_NUM_NONE
617 void random_num_negate(secp256k1_num *num) {
618  if (secp256k1_testrand_bits(1)) {
619  secp256k1_num_negate(num);
620  }
621 }
622 
623 void random_num_order_test(secp256k1_num *num) {
624  secp256k1_scalar sc;
625  random_scalar_order_test(&sc);
626  secp256k1_scalar_get_num(num, &sc);
627 }
628 
629 void random_num_order(secp256k1_num *num) {
630  secp256k1_scalar sc;
631  random_scalar_order(&sc);
632  secp256k1_scalar_get_num(num, &sc);
633 }
634 
635 void test_num_negate(void) {
636  secp256k1_num n1;
637  secp256k1_num n2;
638  random_num_order_test(&n1); /* n1 = R */
639  random_num_negate(&n1);
640  secp256k1_num_copy(&n2, &n1); /* n2 = R */
641  secp256k1_num_sub(&n1, &n2, &n1); /* n1 = n2-n1 = 0 */
642  CHECK(secp256k1_num_is_zero(&n1));
643  secp256k1_num_copy(&n1, &n2); /* n1 = R */
644  secp256k1_num_negate(&n1); /* n1 = -R */
645  CHECK(!secp256k1_num_is_zero(&n1));
646  secp256k1_num_add(&n1, &n2, &n1); /* n1 = n2+n1 = 0 */
647  CHECK(secp256k1_num_is_zero(&n1));
648  secp256k1_num_copy(&n1, &n2); /* n1 = R */
649  secp256k1_num_negate(&n1); /* n1 = -R */
650  CHECK(secp256k1_num_is_neg(&n1) != secp256k1_num_is_neg(&n2));
651  secp256k1_num_negate(&n1); /* n1 = R */
652  CHECK(secp256k1_num_eq(&n1, &n2));
653 }
654 
655 void test_num_add_sub(void) {
656  int i;
657  secp256k1_scalar s;
658  secp256k1_num n1;
659  secp256k1_num n2;
660  secp256k1_num n1p2, n2p1, n1m2, n2m1;
661  random_num_order_test(&n1); /* n1 = R1 */
662  if (secp256k1_testrand_bits(1)) {
663  random_num_negate(&n1);
664  }
665  random_num_order_test(&n2); /* n2 = R2 */
666  if (secp256k1_testrand_bits(1)) {
667  random_num_negate(&n2);
668  }
669  secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = R1 + R2 */
670  secp256k1_num_add(&n2p1, &n2, &n1); /* n2p1 = R2 + R1 */
671  secp256k1_num_sub(&n1m2, &n1, &n2); /* n1m2 = R1 - R2 */
672  secp256k1_num_sub(&n2m1, &n2, &n1); /* n2m1 = R2 - R1 */
673  CHECK(secp256k1_num_eq(&n1p2, &n2p1));
674  CHECK(!secp256k1_num_eq(&n1p2, &n1m2));
675  secp256k1_num_negate(&n2m1); /* n2m1 = -R2 + R1 */
676  CHECK(secp256k1_num_eq(&n2m1, &n1m2));
677  CHECK(!secp256k1_num_eq(&n2m1, &n1));
678  secp256k1_num_add(&n2m1, &n2m1, &n2); /* n2m1 = -R2 + R1 + R2 = R1 */
679  CHECK(secp256k1_num_eq(&n2m1, &n1));
680  CHECK(!secp256k1_num_eq(&n2p1, &n1));
681  secp256k1_num_sub(&n2p1, &n2p1, &n2); /* n2p1 = R2 + R1 - R2 = R1 */
682  CHECK(secp256k1_num_eq(&n2p1, &n1));
683 
684  /* check is_one */
685  secp256k1_scalar_set_int(&s, 1);
686  secp256k1_scalar_get_num(&n1, &s);
687  CHECK(secp256k1_num_is_one(&n1));
688  /* check that 2^n + 1 is never 1 */
689  secp256k1_scalar_get_num(&n2, &s);
690  for (i = 0; i < 250; ++i) {
691  secp256k1_num_add(&n1, &n1, &n1); /* n1 *= 2 */
692  secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = n1 + 1 */
693  CHECK(!secp256k1_num_is_one(&n1p2));
694  }
695 }
696 
697 void test_num_mod(void) {
698  int i;
699  secp256k1_scalar s;
700  secp256k1_num order, n;
701 
702  /* check that 0 mod anything is 0 */
703  random_scalar_order_test(&s);
704  secp256k1_scalar_get_num(&order, &s);
705  secp256k1_scalar_set_int(&s, 0);
706  secp256k1_scalar_get_num(&n, &s);
707  secp256k1_num_mod(&n, &order);
708  CHECK(secp256k1_num_is_zero(&n));
709 
710  /* check that anything mod 1 is 0 */
711  secp256k1_scalar_set_int(&s, 1);
712  secp256k1_scalar_get_num(&order, &s);
713  secp256k1_scalar_get_num(&n, &s);
714  secp256k1_num_mod(&n, &order);
715  CHECK(secp256k1_num_is_zero(&n));
716 
717  /* check that increasing the number past 2^256 does not break this */
718  random_scalar_order_test(&s);
719  secp256k1_scalar_get_num(&n, &s);
720  /* multiply by 2^8, which'll test this case with high probability */
721  for (i = 0; i < 8; ++i) {
722  secp256k1_num_add(&n, &n, &n);
723  }
724  secp256k1_num_mod(&n, &order);
725  CHECK(secp256k1_num_is_zero(&n));
726 }
727 
728 void test_num_jacobi(void) {
729  secp256k1_scalar sqr;
730  secp256k1_scalar small;
731  secp256k1_scalar five; /* five is not a quadratic residue */
732  secp256k1_num order, n;
733  int i;
734  /* squares mod 5 are 1, 4 */
735  const int jacobi5[10] = { 0, 1, -1, -1, 1, 0, 1, -1, -1, 1 };
736 
737  /* check some small values with 5 as the order */
738  secp256k1_scalar_set_int(&five, 5);
739  secp256k1_scalar_get_num(&order, &five);
740  for (i = 0; i < 10; ++i) {
741  secp256k1_scalar_set_int(&small, i);
742  secp256k1_scalar_get_num(&n, &small);
743  CHECK(secp256k1_num_jacobi(&n, &order) == jacobi5[i]);
744  }
745 
747  secp256k1_scalar_get_num(&order, &five);
748  /* we first need a scalar which is not a multiple of 5 */
749  do {
750  secp256k1_num fiven;
751  random_scalar_order_test(&sqr);
752  secp256k1_scalar_get_num(&fiven, &five);
753  secp256k1_scalar_get_num(&n, &sqr);
754  secp256k1_num_mod(&n, &fiven);
755  } while (secp256k1_num_is_zero(&n));
756  /* next force it to be a residue. 2 is a nonresidue mod 5 so we can
757  * just multiply by two, i.e. add the number to itself */
758  if (secp256k1_num_jacobi(&n, &order) == -1) {
759  secp256k1_num_add(&n, &n, &n);
760  }
761 
762  /* test residue */
763  CHECK(secp256k1_num_jacobi(&n, &order) == 1);
764  /* test nonresidue */
765  secp256k1_num_add(&n, &n, &n);
766  CHECK(secp256k1_num_jacobi(&n, &order) == -1);
767 
769  secp256k1_scalar_order_get_num(&order);
770  random_scalar_order_test(&sqr);
771  secp256k1_scalar_sqr(&sqr, &sqr);
772  /* test residue */
773  secp256k1_scalar_get_num(&n, &sqr);
774  CHECK(secp256k1_num_jacobi(&n, &order) == 1);
775  /* test nonresidue */
776  secp256k1_scalar_mul(&sqr, &sqr, &five);
777  secp256k1_scalar_get_num(&n, &sqr);
778  CHECK(secp256k1_num_jacobi(&n, &order) == -1);
779  /* test multiple of the order*/
780  CHECK(secp256k1_num_jacobi(&order, &order) == 0);
781 
782  /* check one less than the order */
783  secp256k1_scalar_set_int(&small, 1);
784  secp256k1_scalar_get_num(&n, &small);
785  secp256k1_num_sub(&n, &order, &n);
786  CHECK(secp256k1_num_jacobi(&n, &order) == 1); /* sage confirms this is 1 */
787 }
788 
789 void run_num_smalltests(void) {
790  int i;
791  for (i = 0; i < 100*count; i++) {
792  test_num_negate();
793  test_num_add_sub();
794  test_num_mod();
795  test_num_jacobi();
796  }
797 }
798 #endif
799 
800 /***** SCALAR TESTS *****/
801 
802 void scalar_test(void) {
803  secp256k1_scalar s;
804  secp256k1_scalar s1;
805  secp256k1_scalar s2;
806 #ifndef USE_NUM_NONE
807  secp256k1_num snum, s1num, s2num;
808  secp256k1_num order, half_order;
809 #endif
810  unsigned char c[32];
811 
812  /* Set 's' to a random scalar, with value 'snum'. */
813  random_scalar_order_test(&s);
814 
815  /* Set 's1' to a random scalar, with value 's1num'. */
816  random_scalar_order_test(&s1);
817 
818  /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
819  random_scalar_order_test(&s2);
820  secp256k1_scalar_get_b32(c, &s2);
821 
822 #ifndef USE_NUM_NONE
823  secp256k1_scalar_get_num(&snum, &s);
824  secp256k1_scalar_get_num(&s1num, &s1);
825  secp256k1_scalar_get_num(&s2num, &s2);
826 
827  secp256k1_scalar_order_get_num(&order);
828  half_order = order;
829  secp256k1_num_shift(&half_order, 1);
830 #endif
831 
832  {
833  int i;
834  /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
835  secp256k1_scalar n;
836  secp256k1_scalar_set_int(&n, 0);
837  for (i = 0; i < 256; i += 4) {
838  secp256k1_scalar t;
839  int j;
840  secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
841  for (j = 0; j < 4; j++) {
842  secp256k1_scalar_add(&n, &n, &n);
843  }
844  secp256k1_scalar_add(&n, &n, &t);
845  }
846  CHECK(secp256k1_scalar_eq(&n, &s));
847  }
848 
849  {
850  /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
851  secp256k1_scalar n;
852  int i = 0;
853  secp256k1_scalar_set_int(&n, 0);
854  while (i < 256) {
855  secp256k1_scalar t;
856  int j;
857  int now = secp256k1_testrand_int(15) + 1;
858  if (now + i > 256) {
859  now = 256 - i;
860  }
861  secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
862  for (j = 0; j < now; j++) {
863  secp256k1_scalar_add(&n, &n, &n);
864  }
865  secp256k1_scalar_add(&n, &n, &t);
866  i += now;
867  }
868  CHECK(secp256k1_scalar_eq(&n, &s));
869  }
870 
871 #ifndef USE_NUM_NONE
872  {
873  /* Test that adding the scalars together is equal to adding their numbers together modulo the order. */
874  secp256k1_num rnum;
875  secp256k1_num r2num;
876  secp256k1_scalar r;
877  secp256k1_num_add(&rnum, &snum, &s2num);
878  secp256k1_num_mod(&rnum, &order);
879  secp256k1_scalar_add(&r, &s, &s2);
880  secp256k1_scalar_get_num(&r2num, &r);
881  CHECK(secp256k1_num_eq(&rnum, &r2num));
882  }
883 
884  {
885  /* Test that multiplying the scalars is equal to multiplying their numbers modulo the order. */
886  secp256k1_scalar r;
887  secp256k1_num r2num;
888  secp256k1_num rnum;
889  secp256k1_num_mul(&rnum, &snum, &s2num);
890  secp256k1_num_mod(&rnum, &order);
891  secp256k1_scalar_mul(&r, &s, &s2);
892  secp256k1_scalar_get_num(&r2num, &r);
893  CHECK(secp256k1_num_eq(&rnum, &r2num));
894  /* The result can only be zero if at least one of the factors was zero. */
895  CHECK(secp256k1_scalar_is_zero(&r) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_zero(&s2)));
896  /* The results can only be equal to one of the factors if that factor was zero, or the other factor was one. */
897  CHECK(secp256k1_num_eq(&rnum, &snum) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_one(&s2)));
898  CHECK(secp256k1_num_eq(&rnum, &s2num) == (secp256k1_scalar_is_zero(&s2) || secp256k1_scalar_is_one(&s)));
899  }
900 
901  {
902  secp256k1_scalar neg;
903  secp256k1_num negnum;
904  secp256k1_num negnum2;
905  /* Check that comparison with zero matches comparison with zero on the number. */
906  CHECK(secp256k1_num_is_zero(&snum) == secp256k1_scalar_is_zero(&s));
907  /* Check that comparison with the half order is equal to testing for high scalar. */
908  CHECK(secp256k1_scalar_is_high(&s) == (secp256k1_num_cmp(&snum, &half_order) > 0));
909  secp256k1_scalar_negate(&neg, &s);
910  secp256k1_num_sub(&negnum, &order, &snum);
911  secp256k1_num_mod(&negnum, &order);
912  /* Check that comparison with the half order is equal to testing for high scalar after negation. */
913  CHECK(secp256k1_scalar_is_high(&neg) == (secp256k1_num_cmp(&negnum, &half_order) > 0));
914  /* Negating should change the high property, unless the value was already zero. */
915  CHECK((secp256k1_scalar_is_high(&s) == secp256k1_scalar_is_high(&neg)) == secp256k1_scalar_is_zero(&s));
916  secp256k1_scalar_get_num(&negnum2, &neg);
917  /* Negating a scalar should be equal to (order - n) mod order on the number. */
918  CHECK(secp256k1_num_eq(&negnum, &negnum2));
919  secp256k1_scalar_add(&neg, &neg, &s);
920  /* Adding a number to its negation should result in zero. */
921  CHECK(secp256k1_scalar_is_zero(&neg));
922  secp256k1_scalar_negate(&neg, &neg);
923  /* Negating zero should still result in zero. */
924  CHECK(secp256k1_scalar_is_zero(&neg));
925  }
926 
927  {
928  /* Test secp256k1_scalar_mul_shift_var. */
929  secp256k1_scalar r;
930  secp256k1_num one;
931  secp256k1_num rnum;
932  secp256k1_num rnum2;
933  unsigned char cone[1] = {0x01};
934  unsigned int shift = 256 + secp256k1_testrand_int(257);
935  secp256k1_scalar_mul_shift_var(&r, &s1, &s2, shift);
936  secp256k1_num_mul(&rnum, &s1num, &s2num);
937  secp256k1_num_shift(&rnum, shift - 1);
938  secp256k1_num_set_bin(&one, cone, 1);
939  secp256k1_num_add(&rnum, &rnum, &one);
940  secp256k1_num_shift(&rnum, 1);
941  secp256k1_scalar_get_num(&rnum2, &r);
942  CHECK(secp256k1_num_eq(&rnum, &rnum2));
943  }
944 
945  {
946  /* test secp256k1_scalar_shr_int */
947  secp256k1_scalar r;
948  int i;
949  random_scalar_order_test(&r);
950  for (i = 0; i < 100; ++i) {
951  int low;
952  int shift = 1 + secp256k1_testrand_int(15);
953  int expected = r.d[0] % (1 << shift);
954  low = secp256k1_scalar_shr_int(&r, shift);
955  CHECK(expected == low);
956  }
957  }
958 #endif
959 
960  {
961  /* Test that scalar inverses are equal to the inverse of their number modulo the order. */
962  if (!secp256k1_scalar_is_zero(&s)) {
963  secp256k1_scalar inv;
964 #ifndef USE_NUM_NONE
965  secp256k1_num invnum;
966  secp256k1_num invnum2;
967 #endif
968  secp256k1_scalar_inverse(&inv, &s);
969 #ifndef USE_NUM_NONE
970  secp256k1_num_mod_inverse(&invnum, &snum, &order);
971  secp256k1_scalar_get_num(&invnum2, &inv);
972  CHECK(secp256k1_num_eq(&invnum, &invnum2));
973 #endif
974  secp256k1_scalar_mul(&inv, &inv, &s);
975  /* Multiplying a scalar with its inverse must result in one. */
976  CHECK(secp256k1_scalar_is_one(&inv));
977  secp256k1_scalar_inverse(&inv, &inv);
978  /* Inverting one must result in one. */
979  CHECK(secp256k1_scalar_is_one(&inv));
980 #ifndef USE_NUM_NONE
981  secp256k1_scalar_get_num(&invnum, &inv);
982  CHECK(secp256k1_num_is_one(&invnum));
983 #endif
984  }
985  }
986 
987  {
988  /* Test commutativity of add. */
989  secp256k1_scalar r1, r2;
990  secp256k1_scalar_add(&r1, &s1, &s2);
991  secp256k1_scalar_add(&r2, &s2, &s1);
992  CHECK(secp256k1_scalar_eq(&r1, &r2));
993  }
994 
995  {
996  secp256k1_scalar r1, r2;
997  secp256k1_scalar b;
998  int i;
999  /* Test add_bit. */
1000  int bit = secp256k1_testrand_bits(8);
1001  secp256k1_scalar_set_int(&b, 1);
1002  CHECK(secp256k1_scalar_is_one(&b));
1003  for (i = 0; i < bit; i++) {
1004  secp256k1_scalar_add(&b, &b, &b);
1005  }
1006  r1 = s1;
1007  r2 = s1;
1008  if (!secp256k1_scalar_add(&r1, &r1, &b)) {
1009  /* No overflow happened. */
1010  secp256k1_scalar_cadd_bit(&r2, bit, 1);
1011  CHECK(secp256k1_scalar_eq(&r1, &r2));
1012  /* cadd is a noop when flag is zero */
1013  secp256k1_scalar_cadd_bit(&r2, bit, 0);
1014  CHECK(secp256k1_scalar_eq(&r1, &r2));
1015  }
1016  }
1017 
1018  {
1019  /* Test commutativity of mul. */
1020  secp256k1_scalar r1, r2;
1021  secp256k1_scalar_mul(&r1, &s1, &s2);
1022  secp256k1_scalar_mul(&r2, &s2, &s1);
1023  CHECK(secp256k1_scalar_eq(&r1, &r2));
1024  }
1025 
1026  {
1027  /* Test associativity of add. */
1028  secp256k1_scalar r1, r2;
1029  secp256k1_scalar_add(&r1, &s1, &s2);
1030  secp256k1_scalar_add(&r1, &r1, &s);
1031  secp256k1_scalar_add(&r2, &s2, &s);
1032  secp256k1_scalar_add(&r2, &s1, &r2);
1033  CHECK(secp256k1_scalar_eq(&r1, &r2));
1034  }
1035 
1036  {
1037  /* Test associativity of mul. */
1038  secp256k1_scalar r1, r2;
1039  secp256k1_scalar_mul(&r1, &s1, &s2);
1040  secp256k1_scalar_mul(&r1, &r1, &s);
1041  secp256k1_scalar_mul(&r2, &s2, &s);
1042  secp256k1_scalar_mul(&r2, &s1, &r2);
1043  CHECK(secp256k1_scalar_eq(&r1, &r2));
1044  }
1045 
1046  {
1047  /* Test distributitivity of mul over add. */
1048  secp256k1_scalar r1, r2, t;
1049  secp256k1_scalar_add(&r1, &s1, &s2);
1050  secp256k1_scalar_mul(&r1, &r1, &s);
1051  secp256k1_scalar_mul(&r2, &s1, &s);
1052  secp256k1_scalar_mul(&t, &s2, &s);
1053  secp256k1_scalar_add(&r2, &r2, &t);
1054  CHECK(secp256k1_scalar_eq(&r1, &r2));
1055  }
1056 
1057  {
1058  /* Test square. */
1059  secp256k1_scalar r1, r2;
1060  secp256k1_scalar_sqr(&r1, &s1);
1061  secp256k1_scalar_mul(&r2, &s1, &s1);
1062  CHECK(secp256k1_scalar_eq(&r1, &r2));
1063  }
1064 
1065  {
1066  /* Test multiplicative identity. */
1067  secp256k1_scalar r1, v1;
1068  secp256k1_scalar_set_int(&v1,1);
1069  secp256k1_scalar_mul(&r1, &s1, &v1);
1070  CHECK(secp256k1_scalar_eq(&r1, &s1));
1071  }
1072 
1073  {
1074  /* Test additive identity. */
1075  secp256k1_scalar r1, v0;
1076  secp256k1_scalar_set_int(&v0,0);
1077  secp256k1_scalar_add(&r1, &s1, &v0);
1078  CHECK(secp256k1_scalar_eq(&r1, &s1));
1079  }
1080 
1081  {
1082  /* Test zero product property. */
1083  secp256k1_scalar r1, v0;
1084  secp256k1_scalar_set_int(&v0,0);
1085  secp256k1_scalar_mul(&r1, &s1, &v0);
1086  CHECK(secp256k1_scalar_eq(&r1, &v0));
1087  }
1088 
1089 }
1090 
1091 void run_scalar_set_b32_seckey_tests(void) {
1092  unsigned char b32[32];
1093  secp256k1_scalar s1;
1094  secp256k1_scalar s2;
1095 
1096  /* Usually set_b32 and set_b32_seckey give the same result */
1097  random_scalar_order_b32(b32);
1098  secp256k1_scalar_set_b32(&s1, b32, NULL);
1099  CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 1);
1100  CHECK(secp256k1_scalar_eq(&s1, &s2) == 1);
1101 
1102  memset(b32, 0, sizeof(b32));
1103  CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
1104  memset(b32, 0xFF, sizeof(b32));
1105  CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
1106 }
1107 
1108 void run_scalar_tests(void) {
1109  int i;
1110  for (i = 0; i < 128 * count; i++) {
1111  scalar_test();
1112  }
1113  for (i = 0; i < count; i++) {
1114  run_scalar_set_b32_seckey_tests();
1115  }
1116 
1117  {
1118  /* (-1)+1 should be zero. */
1119  secp256k1_scalar s, o;
1120  secp256k1_scalar_set_int(&s, 1);
1121  CHECK(secp256k1_scalar_is_one(&s));
1122  secp256k1_scalar_negate(&o, &s);
1123  secp256k1_scalar_add(&o, &o, &s);
1124  CHECK(secp256k1_scalar_is_zero(&o));
1125  secp256k1_scalar_negate(&o, &o);
1126  CHECK(secp256k1_scalar_is_zero(&o));
1127  }
1128 
1129 #ifndef USE_NUM_NONE
1130  {
1131  /* Test secp256k1_scalar_set_b32 boundary conditions */
1132  secp256k1_num order;
1133  secp256k1_scalar scalar;
1134  unsigned char bin[32];
1135  unsigned char bin_tmp[32];
1136  int overflow = 0;
1137  /* 2^256-1 - order */
1138  static const secp256k1_scalar all_ones_minus_order = SECP256K1_SCALAR_CONST(
1139  0x00000000UL, 0x00000000UL, 0x00000000UL, 0x00000001UL,
1140  0x45512319UL, 0x50B75FC4UL, 0x402DA173UL, 0x2FC9BEBEUL
1141  );
1142 
1143  /* A scalar set to 0s should be 0. */
1144  memset(bin, 0, 32);
1145  secp256k1_scalar_set_b32(&scalar, bin, &overflow);
1146  CHECK(overflow == 0);
1147  CHECK(secp256k1_scalar_is_zero(&scalar));
1148 
1149  /* A scalar with value of the curve order should be 0. */
1150  secp256k1_scalar_order_get_num(&order);
1151  secp256k1_num_get_bin(bin, 32, &order);
1152  secp256k1_scalar_set_b32(&scalar, bin, &overflow);
1153  CHECK(overflow == 1);
1154  CHECK(secp256k1_scalar_is_zero(&scalar));
1155 
1156  /* A scalar with value of the curve order minus one should not overflow. */
1157  bin[31] -= 1;
1158  secp256k1_scalar_set_b32(&scalar, bin, &overflow);
1159  CHECK(overflow == 0);
1160  secp256k1_scalar_get_b32(bin_tmp, &scalar);
1161  CHECK(secp256k1_memcmp_var(bin, bin_tmp, 32) == 0);
1162 
1163  /* A scalar set to all 1s should overflow. */
1164  memset(bin, 0xFF, 32);
1165  secp256k1_scalar_set_b32(&scalar, bin, &overflow);
1166  CHECK(overflow == 1);
1167  CHECK(secp256k1_scalar_eq(&scalar, &all_ones_minus_order));
1168  }
1169 #endif
1170 
1171  {
1172  /* Does check_overflow check catch all ones? */
1173  static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
1174  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
1175  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
1176  );
1177  CHECK(secp256k1_scalar_check_overflow(&overflowed));
1178  }
1179 
1180  {
1181  /* Static test vectors.
1182  * These were reduced from ~10^12 random vectors based on comparison-decision
1183  * and edge-case coverage on 32-bit and 64-bit implementations.
1184  * The responses were generated with Sage 5.9.
1185  */
1186  secp256k1_scalar x;
1187  secp256k1_scalar y;
1188  secp256k1_scalar z;
1189  secp256k1_scalar zz;
1190  secp256k1_scalar one;
1191  secp256k1_scalar r1;
1192  secp256k1_scalar r2;
1193 #if defined(USE_SCALAR_INV_NUM)
1194  secp256k1_scalar zzv;
1195 #endif
1196  int overflow;
1197  unsigned char chal[33][2][32] = {
1198  {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
1199  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1200  0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
1201  0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
1202  {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
1203  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
1204  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1205  0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
1206  {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
1207  0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
1208  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1209  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1210  {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1211  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
1212  0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1213  0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
1214  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1215  0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
1216  0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
1217  0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
1218  {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
1219  0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
1220  0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
1221  0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
1222  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1223  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1224  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1225  0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
1226  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
1227  0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
1228  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
1229  0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
1230  {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
1231  0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
1232  0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
1233  0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
1234  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
1235  0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1236  0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
1237  0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
1238  {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
1239  0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1240  0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
1241  0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1242  {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1243  0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
1244  0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
1245  0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
1246  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
1247  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1248  0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
1249  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
1250  {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
1251  0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1252  0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
1253  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1254  {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
1255  0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1256  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1257  0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
1258  {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
1259  0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
1260  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1261  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1262  {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1263  0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
1264  0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1265  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1266  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1267  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1268  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1269  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1270  {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1271  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1272  0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
1273  0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
1274  {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1275  0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
1276  0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
1277  0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
1278  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
1279  0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1280  0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1281  0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
1282  {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
1283  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1284  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
1285  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
1286  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1287  0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1288  0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1289  0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1290  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1291  0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
1292  0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
1293  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1294  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1295  0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1296  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1297  0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
1298  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
1299  0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
1300  0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
1301  0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
1302  {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1303  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1304  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1305  0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
1306  {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
1307  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1308  0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
1309  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
1310  {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
1311  0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
1312  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1313  0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1314  {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
1315  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1316  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1317  0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
1318  {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
1319  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1320  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1321  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1322  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1323  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
1324  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1325  0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
1326  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1327  0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1328  0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
1329  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
1330  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1331  0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1332  0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
1333  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1334  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1335  0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1336  0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
1337  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
1338  {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1339  0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
1340  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1341  0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
1342  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1343  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1344  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1345  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1346  {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1347  0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
1348  0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
1349  0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
1350  {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
1351  0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
1352  0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1353  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
1354  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1355  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1356  0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
1357  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
1358  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1359  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1360  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1361  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1362  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1363  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1364  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1365  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
1366  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1367  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1368  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1369  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
1370  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1371  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1372  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1373  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1374  {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1375  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1376  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1377  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1378  {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1379  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1380  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1381  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1382  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
1383  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1384  0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
1385  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
1386  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
1387  0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
1388  0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
1389  0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
1390  {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1391  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1392  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1393  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1394  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1395  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1396  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1397  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
1398  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1399  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1400  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1401  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1402  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1403  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1404  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1405  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1406  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1407  0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
1408  0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
1409  0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1410  {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1411  0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1412  0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
1413  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1414  {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
1415  0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1416  0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1417  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
1418  {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1419  0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
1420  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1421  0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
1422  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1423  0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1424  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1425  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
1426  {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1427  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1428  0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
1429  0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
1430  {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1431  0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
1432  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
1433  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1434  {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
1435  0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
1436  0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1437  0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
1438  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1439  0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1440  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
1441  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1442  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1443  0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
1444  0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
1445  0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
1446  {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
1447  0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
1448  0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1449  0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
1450  {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1451  0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
1452  0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1453  0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
1454  {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1455  0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1456  0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1457  0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
1458  {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1459  0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1460  0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1461  0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
1462  };
1463  unsigned char res[33][2][32] = {
1464  {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
1465  0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
1466  0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
1467  0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
1468  {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
1469  0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
1470  0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
1471  0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
1472  {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
1473  0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
1474  0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
1475  0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
1476  {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
1477  0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
1478  0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
1479  0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
1480  {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
1481  0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
1482  0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
1483  0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
1484  {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
1485  0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
1486  0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
1487  0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
1488  {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
1489  0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
1490  0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
1491  0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
1492  {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
1493  0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
1494  0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
1495  0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
1496  {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
1497  0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
1498  0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
1499  0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
1500  {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
1501  0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
1502  0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
1503  0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
1504  {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
1505  0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
1506  0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
1507  0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
1508  {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
1509  0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
1510  0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
1511  0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
1512  {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
1513  0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
1514  0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
1515  0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
1516  {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
1517  0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
1518  0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
1519  0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
1520  {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
1521  0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
1522  0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
1523  0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
1524  {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
1525  0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
1526  0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
1527  0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
1528  {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
1529  0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
1530  0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
1531  0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
1532  {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
1533  0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
1534  0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
1535  0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
1536  {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
1537  0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
1538  0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
1539  0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
1540  {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
1541  0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
1542  0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
1543  0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
1544  {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
1545  0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
1546  0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
1547  0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
1548  {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
1549  0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
1550  0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
1551  0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
1552  {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
1553  0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
1554  0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
1555  0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
1556  {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
1557  0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
1558  0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
1559  0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
1560  {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
1561  0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
1562  0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
1563  0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
1564  {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
1565  0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
1566  0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
1567  0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
1568  {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
1569  0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
1570  0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
1571  0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
1572  {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
1573  0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
1574  0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
1575  0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
1576  {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
1577  0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
1578  0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
1579  0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
1580  {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
1581  0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
1582  0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
1583  0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
1584  {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
1585  0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
1586  0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
1587  0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
1588  {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
1589  0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
1590  0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
1591  0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
1592  {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
1593  0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
1594  0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
1595  0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
1596  {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
1597  0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
1598  0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
1599  0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
1600  {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
1601  0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
1602  0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
1603  0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
1604  {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
1605  0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
1606  0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
1607  0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
1608  {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
1609  0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
1610  0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
1611  0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
1612  {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
1613  0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
1614  0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
1615  0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
1616  {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
1617  0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
1618  0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
1619  0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
1620  {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
1621  0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
1622  0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
1623  0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
1624  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1625  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1626  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1627  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1628  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1629  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1630  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1631  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1632  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1633  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1634  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1635  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1636  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1637  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1638  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1639  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1640  {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1641  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1642  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1643  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
1644  {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1645  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1646  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1647  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1648  {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
1649  0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
1650  0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
1651  0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
1652  {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
1653  0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
1654  0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
1655  0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
1656  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1657  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1658  0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
1659  0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
1660  {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1661  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1662  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1663  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1664  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1665  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1666  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1667  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1668  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1669  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1670  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1671  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1672  {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
1673  0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
1674  0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
1675  0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
1676  {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
1677  0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
1678  0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
1679  0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
1680  {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
1681  0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
1682  0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
1683  0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
1684  {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
1685  0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
1686  0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
1687  0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
1688  {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
1689  0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
1690  0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
1691  0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
1692  {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
1693  0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
1694  0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
1695  0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
1696  {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
1697  0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
1698  0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
1699  0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
1700  {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
1701  0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
1702  0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
1703  0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
1704  {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
1705  0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
1706  0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
1707  0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
1708  {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
1709  0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
1710  0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
1711  0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
1712  {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
1713  0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
1714  0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
1715  0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
1716  {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
1717  0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
1718  0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
1719  0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
1720  {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1721  0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1722  0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1723  0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
1724  {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1725  0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1726  0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1727  0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
1728  };
1729  secp256k1_scalar_set_int(&one, 1);
1730  for (i = 0; i < 33; i++) {
1731  secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
1732  CHECK(!overflow);
1733  secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
1734  CHECK(!overflow);
1735  secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
1736  CHECK(!overflow);
1737  secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
1738  CHECK(!overflow);
1739  secp256k1_scalar_mul(&z, &x, &y);
1740  CHECK(!secp256k1_scalar_check_overflow(&z));
1741  CHECK(secp256k1_scalar_eq(&r1, &z));
1742  if (!secp256k1_scalar_is_zero(&y)) {
1743  secp256k1_scalar_inverse(&zz, &y);
1744  CHECK(!secp256k1_scalar_check_overflow(&zz));
1745 #if defined(USE_SCALAR_INV_NUM)
1746  secp256k1_scalar_inverse_var(&zzv, &y);
1747  CHECK(secp256k1_scalar_eq(&zzv, &zz));
1748 #endif
1749  secp256k1_scalar_mul(&z, &z, &zz);
1750  CHECK(!secp256k1_scalar_check_overflow(&z));
1751  CHECK(secp256k1_scalar_eq(&x, &z));
1752  secp256k1_scalar_mul(&zz, &zz, &y);
1753  CHECK(!secp256k1_scalar_check_overflow(&zz));
1754  CHECK(secp256k1_scalar_eq(&one, &zz));
1755  }
1756  secp256k1_scalar_mul(&z, &x, &x);
1757  CHECK(!secp256k1_scalar_check_overflow(&z));
1758  secp256k1_scalar_sqr(&zz, &x);
1759  CHECK(!secp256k1_scalar_check_overflow(&zz));
1760  CHECK(secp256k1_scalar_eq(&zz, &z));
1761  CHECK(secp256k1_scalar_eq(&r2, &zz));
1762  }
1763  }
1764 }
1765 
1766 /***** FIELD TESTS *****/
1767 
1768 void random_fe(secp256k1_fe *x) {
1769  unsigned char bin[32];
1770  do {
1771  secp256k1_testrand256(bin);
1772  if (secp256k1_fe_set_b32(x, bin)) {
1773  return;
1774  }
1775  } while(1);
1776 }
1777 
1778 void random_fe_test(secp256k1_fe *x) {
1779  unsigned char bin[32];
1780  do {
1781  secp256k1_testrand256_test(bin);
1782  if (secp256k1_fe_set_b32(x, bin)) {
1783  return;
1784  }
1785  } while(1);
1786 }
1787 
1788 void random_fe_non_zero(secp256k1_fe *nz) {
1789  int tries = 10;
1790  while (--tries >= 0) {
1791  random_fe(nz);
1792  secp256k1_fe_normalize(nz);
1793  if (!secp256k1_fe_is_zero(nz)) {
1794  break;
1795  }
1796  }
1797  /* Infinitesimal probability of spurious failure here */
1798  CHECK(tries >= 0);
1799 }
1800 
1801 void random_fe_non_square(secp256k1_fe *ns) {
1802  secp256k1_fe r;
1803  random_fe_non_zero(ns);
1804  if (secp256k1_fe_sqrt(&r, ns)) {
1805  secp256k1_fe_negate(ns, ns, 1);
1806  }
1807 }
1808 
1809 int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
1810  secp256k1_fe an = *a;
1811  secp256k1_fe bn = *b;
1812  secp256k1_fe_normalize_weak(&an);
1813  secp256k1_fe_normalize_var(&bn);
1814  return secp256k1_fe_equal_var(&an, &bn);
1815 }
1816 
1817 int check_fe_inverse(const secp256k1_fe *a, const secp256k1_fe *ai) {
1818  secp256k1_fe x;
1819  secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
1820  secp256k1_fe_mul(&x, a, ai);
1821  return check_fe_equal(&x, &one);
1822 }
1823 
1824 void run_field_convert(void) {
1825  static const unsigned char b32[32] = {
1826  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1827  0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1828  0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
1829  0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
1830  };
1831  static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
1832  0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1833  0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1834  );
1835  static const secp256k1_fe fe = SECP256K1_FE_CONST(
1836  0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1837  0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1838  );
1839  secp256k1_fe fe2;
1840  unsigned char b322[32];
1841  secp256k1_fe_storage fes2;
1842  /* Check conversions to fe. */
1843  CHECK(secp256k1_fe_set_b32(&fe2, b32));
1844  CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1845  secp256k1_fe_from_storage(&fe2, &fes);
1846  CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1847  /* Check conversion from fe. */
1848  secp256k1_fe_get_b32(b322, &fe);
1849  CHECK(secp256k1_memcmp_var(b322, b32, 32) == 0);
1850  secp256k1_fe_to_storage(&fes2, &fe);
1851  CHECK(secp256k1_memcmp_var(&fes2, &fes, sizeof(fes)) == 0);
1852 }
1853 
1854 int fe_secp256k1_memcmp_var(const secp256k1_fe *a, const secp256k1_fe *b) {
1855  secp256k1_fe t = *b;
1856 #ifdef VERIFY
1857  t.magnitude = a->magnitude;
1858  t.normalized = a->normalized;
1859 #endif
1860  return secp256k1_memcmp_var(a, &t, sizeof(secp256k1_fe));
1861 }
1862 
1863 void run_field_misc(void) {
1864  secp256k1_fe x;
1865  secp256k1_fe y;
1866  secp256k1_fe z;
1867  secp256k1_fe q;
1868  secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
1869  int i, j;
1870  for (i = 0; i < 5*count; i++) {
1871  secp256k1_fe_storage xs, ys, zs;
1872  random_fe(&x);
1873  random_fe_non_zero(&y);
1874  /* Test the fe equality and comparison operations. */
1875  CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
1876  CHECK(secp256k1_fe_equal_var(&x, &x));
1877  z = x;
1878  secp256k1_fe_add(&z,&y);
1879  /* Test fe conditional move; z is not normalized here. */
1880  q = x;
1881  secp256k1_fe_cmov(&x, &z, 0);
1882 #ifdef VERIFY
1883  CHECK(x.normalized && x.magnitude == 1);
1884 #endif
1885  secp256k1_fe_cmov(&x, &x, 1);
1886  CHECK(fe_secp256k1_memcmp_var(&x, &z) != 0);
1887  CHECK(fe_secp256k1_memcmp_var(&x, &q) == 0);
1888  secp256k1_fe_cmov(&q, &z, 1);
1889 #ifdef VERIFY
1890  CHECK(!q.normalized && q.magnitude == z.magnitude);
1891 #endif
1892  CHECK(fe_secp256k1_memcmp_var(&q, &z) == 0);
1893  secp256k1_fe_normalize_var(&x);
1894  secp256k1_fe_normalize_var(&z);
1895  CHECK(!secp256k1_fe_equal_var(&x, &z));
1896  secp256k1_fe_normalize_var(&q);
1897  secp256k1_fe_cmov(&q, &z, (i&1));
1898 #ifdef VERIFY
1899  CHECK(q.normalized && q.magnitude == 1);
1900 #endif
1901  for (j = 0; j < 6; j++) {
1902  secp256k1_fe_negate(&z, &z, j+1);
1903  secp256k1_fe_normalize_var(&q);
1904  secp256k1_fe_cmov(&q, &z, (j&1));
1905 #ifdef VERIFY
1906  CHECK((q.normalized != (j&1)) && q.magnitude == ((j&1) ? z.magnitude : 1));
1907 #endif
1908  }
1909  secp256k1_fe_normalize_var(&z);
1910  /* Test storage conversion and conditional moves. */
1911  secp256k1_fe_to_storage(&xs, &x);
1912  secp256k1_fe_to_storage(&ys, &y);
1913  secp256k1_fe_to_storage(&zs, &z);
1914  secp256k1_fe_storage_cmov(&zs, &xs, 0);
1915  secp256k1_fe_storage_cmov(&zs, &zs, 1);
1916  CHECK(secp256k1_memcmp_var(&xs, &zs, sizeof(xs)) != 0);
1917  secp256k1_fe_storage_cmov(&ys, &xs, 1);
1918  CHECK(secp256k1_memcmp_var(&xs, &ys, sizeof(xs)) == 0);
1919  secp256k1_fe_from_storage(&x, &xs);
1920  secp256k1_fe_from_storage(&y, &ys);
1921  secp256k1_fe_from_storage(&z, &zs);
1922  /* Test that mul_int, mul, and add agree. */
1923  secp256k1_fe_add(&y, &x);
1924  secp256k1_fe_add(&y, &x);
1925  z = x;
1926  secp256k1_fe_mul_int(&z, 3);
1927  CHECK(check_fe_equal(&y, &z));
1928  secp256k1_fe_add(&y, &x);
1929  secp256k1_fe_add(&z, &x);
1930  CHECK(check_fe_equal(&z, &y));
1931  z = x;
1932  secp256k1_fe_mul_int(&z, 5);
1933  secp256k1_fe_mul(&q, &x, &fe5);
1934  CHECK(check_fe_equal(&z, &q));
1935  secp256k1_fe_negate(&x, &x, 1);
1936  secp256k1_fe_add(&z, &x);
1937  secp256k1_fe_add(&q, &x);
1938  CHECK(check_fe_equal(&y, &z));
1939  CHECK(check_fe_equal(&q, &y));
1940  }
1941 }
1942 
1943 void run_field_inv(void) {
1944  secp256k1_fe x, xi, xii;
1945  int i;
1946  for (i = 0; i < 10*count; i++) {
1947  random_fe_non_zero(&x);
1948  secp256k1_fe_inv(&xi, &x);
1949  CHECK(check_fe_inverse(&x, &xi));
1950  secp256k1_fe_inv(&xii, &xi);
1951  CHECK(check_fe_equal(&x, &xii));
1952  }
1953 }
1954 
1955 void run_field_inv_var(void) {
1956  secp256k1_fe x, xi, xii;
1957  int i;
1958  for (i = 0; i < 10*count; i++) {
1959  random_fe_non_zero(&x);
1960  secp256k1_fe_inv_var(&xi, &x);
1961  CHECK(check_fe_inverse(&x, &xi));
1962  secp256k1_fe_inv_var(&xii, &xi);
1963  CHECK(check_fe_equal(&x, &xii));
1964  }
1965 }
1966 
1967 void run_field_inv_all_var(void) {
1968  secp256k1_fe x[16], xi[16], xii[16];
1969  int i;
1970  /* Check it's safe to call for 0 elements */
1971  secp256k1_fe_inv_all_var(xi, x, 0);
1972  for (i = 0; i < count; i++) {
1973  size_t j;
1974  size_t len = secp256k1_testrand_int(15) + 1;
1975  for (j = 0; j < len; j++) {
1976  random_fe_non_zero(&x[j]);
1977  }
1978  secp256k1_fe_inv_all_var(xi, x, len);
1979  for (j = 0; j < len; j++) {
1980  CHECK(check_fe_inverse(&x[j], &xi[j]));
1981  }
1982  secp256k1_fe_inv_all_var(xii, xi, len);
1983  for (j = 0; j < len; j++) {
1984  CHECK(check_fe_equal(&x[j], &xii[j]));
1985  }
1986  }
1987 }
1988 
1989 void run_sqr(void) {
1990  secp256k1_fe x, s;
1991 
1992  {
1993  int i;
1994  secp256k1_fe_set_int(&x, 1);
1995  secp256k1_fe_negate(&x, &x, 1);
1996 
1997  for (i = 1; i <= 512; ++i) {
1998  secp256k1_fe_mul_int(&x, 2);
1999  secp256k1_fe_normalize(&x);
2000  secp256k1_fe_sqr(&s, &x);
2001  }
2002  }
2003 }
2004 
2005 void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
2006  secp256k1_fe r1, r2;
2007  int v = secp256k1_fe_sqrt(&r1, a);
2008  CHECK((v == 0) == (k == NULL));
2009 
2010  if (k != NULL) {
2011  /* Check that the returned root is +/- the given known answer */
2012  secp256k1_fe_negate(&r2, &r1, 1);
2013  secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
2014  secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
2015  CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
2016  }
2017 }
2018 
2019 void run_sqrt(void) {
2020  secp256k1_fe ns, x, s, t;
2021  int i;
2022 
2023  /* Check sqrt(0) is 0 */
2024  secp256k1_fe_set_int(&x, 0);
2025  secp256k1_fe_sqr(&s, &x);
2026  test_sqrt(&s, &x);
2027 
2028  /* Check sqrt of small squares (and their negatives) */
2029  for (i = 1; i <= 100; i++) {
2030  secp256k1_fe_set_int(&x, i);
2031  secp256k1_fe_sqr(&s, &x);
2032  test_sqrt(&s, &x);
2033  secp256k1_fe_negate(&t, &s, 1);
2034  test_sqrt(&t, NULL);
2035  }
2036 
2037  /* Consistency checks for large random values */
2038  for (i = 0; i < 10; i++) {
2039  int j;
2040  random_fe_non_square(&ns);
2041  for (j = 0; j < count; j++) {
2042  random_fe(&x);
2043  secp256k1_fe_sqr(&s, &x);
2044  test_sqrt(&s, &x);
2045  secp256k1_fe_negate(&t, &s, 1);
2046  test_sqrt(&t, NULL);
2047  secp256k1_fe_mul(&t, &s, &ns);
2048  test_sqrt(&t, NULL);
2049  }
2050  }
2051 }
2052 
2053 /***** GROUP TESTS *****/
2054 
2055 void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
2056  CHECK(a->infinity == b->infinity);
2057  if (a->infinity) {
2058  return;
2059  }
2060  CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
2061  CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
2062 }
2063 
2064 /* This compares jacobian points including their Z, not just their geometric meaning. */
2065 int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
2066  secp256k1_gej a2;
2067  secp256k1_gej b2;
2068  int ret = 1;
2069  ret &= a->infinity == b->infinity;
2070  if (ret && !a->infinity) {
2071  a2 = *a;
2072  b2 = *b;
2073  secp256k1_fe_normalize(&a2.x);
2074  secp256k1_fe_normalize(&a2.y);
2075  secp256k1_fe_normalize(&a2.z);
2076  secp256k1_fe_normalize(&b2.x);
2077  secp256k1_fe_normalize(&b2.y);
2078  secp256k1_fe_normalize(&b2.z);
2079  ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
2080  ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
2081  ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
2082  }
2083  return ret;
2084 }
2085 
2086 void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
2087  secp256k1_fe z2s;
2088  secp256k1_fe u1, u2, s1, s2;
2089  CHECK(a->infinity == b->infinity);
2090  if (a->infinity) {
2091  return;
2092  }
2093  /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
2094  secp256k1_fe_sqr(&z2s, &b->z);
2095  secp256k1_fe_mul(&u1, &a->x, &z2s);
2096  u2 = b->x; secp256k1_fe_normalize_weak(&u2);
2097  secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
2098  s2 = b->y; secp256k1_fe_normalize_weak(&s2);
2099  CHECK(secp256k1_fe_equal_var(&u1, &u2));
2100  CHECK(secp256k1_fe_equal_var(&s1, &s2));
2101 }
2102 
2103 void test_ge(void) {
2104  int i, i1;
2105  int runs = 6;
2106  /* 25 points are used:
2107  * - infinity
2108  * - for each of four random points p1 p2 p3 p4, we add the point, its
2109  * negation, and then those two again but with randomized Z coordinate.
2110  * - The same is then done for lambda*p1 and lambda^2*p1.
2111  */
2112  secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
2113  secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
2114  secp256k1_fe *zinv = (secp256k1_fe *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
2115  secp256k1_fe zf;
2116  secp256k1_fe zfi2, zfi3;
2117 
2118  secp256k1_gej_set_infinity(&gej[0]);
2119  secp256k1_ge_clear(&ge[0]);
2120  secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
2121  for (i = 0; i < runs; i++) {
2122  int j;
2123  secp256k1_ge g;
2124  random_group_element_test(&g);
2125  if (i >= runs - 2) {
2126  secp256k1_ge_mul_lambda(&g, &ge[1]);
2127  }
2128  if (i >= runs - 1) {
2129  secp256k1_ge_mul_lambda(&g, &g);
2130  }
2131  ge[1 + 4 * i] = g;
2132  ge[2 + 4 * i] = g;
2133  secp256k1_ge_neg(&ge[3 + 4 * i], &g);
2134  secp256k1_ge_neg(&ge[4 + 4 * i], &g);
2135  secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
2136  random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
2137  secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
2138  random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
2139  for (j = 0; j < 4; j++) {
2140  random_field_element_magnitude(&ge[1 + j + 4 * i].x);
2141  random_field_element_magnitude(&ge[1 + j + 4 * i].y);
2142  random_field_element_magnitude(&gej[1 + j + 4 * i].x);
2143  random_field_element_magnitude(&gej[1 + j + 4 * i].y);
2144  random_field_element_magnitude(&gej[1 + j + 4 * i].z);
2145  }
2146  }
2147 
2148  /* Compute z inverses. */
2149  {
2150  secp256k1_fe *zs = checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
2151  for (i = 0; i < 4 * runs + 1; i++) {
2152  if (i == 0) {
2153  /* The point at infinity does not have a meaningful z inverse. Any should do. */
2154  do {
2155  random_field_element_test(&zs[i]);
2156  } while(secp256k1_fe_is_zero(&zs[i]));
2157  } else {
2158  zs[i] = gej[i].z;
2159  }
2160  }
2161  secp256k1_fe_inv_all_var(zinv, zs, 4 * runs + 1);
2162  free(zs);
2163  }
2164 
2165  /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
2166  do {
2167  random_field_element_test(&zf);
2168  } while(secp256k1_fe_is_zero(&zf));
2169  random_field_element_magnitude(&zf);
2170  secp256k1_fe_inv_var(&zfi3, &zf);
2171  secp256k1_fe_sqr(&zfi2, &zfi3);
2172  secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
2173 
2174  for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
2175  int i2;
2176  for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
2177  /* Compute reference result using gej + gej (var). */
2178  secp256k1_gej refj, resj;
2179  secp256k1_ge ref;
2180  secp256k1_fe zr;
2181  secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2182  /* Check Z ratio. */
2183  if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
2184  secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2185  CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
2186  }
2187  secp256k1_ge_set_gej_var(&ref, &refj);
2188 
2189  /* Test gej + ge with Z ratio result (var). */
2190  secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2191  ge_equals_gej(&ref, &resj);
2192  if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
2193  secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2194  CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
2195  }
2196 
2197  /* Test gej + ge (var, with additional Z factor). */
2198  {
2199  secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
2200  secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
2201  secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
2202  random_field_element_magnitude(&ge2_zfi.x);
2203  random_field_element_magnitude(&ge2_zfi.y);
2204  secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
2205  ge_equals_gej(&ref, &resj);
2206  }
2207 
2208  /* Test gej + ge (const). */
2209  if (i2 != 0) {
2210  /* secp256k1_gej_add_ge does not support its second argument being infinity. */
2211  secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
2212  ge_equals_gej(&ref, &resj);
2213  }
2214 
2215  /* Test doubling (var). */
2216  if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
2217  secp256k1_fe zr2;
2218  /* Normal doubling with Z ratio result. */
2219  secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
2220  ge_equals_gej(&ref, &resj);
2221  /* Check Z ratio. */
2222  secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
2223  CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
2224  /* Normal doubling. */
2225  secp256k1_gej_double_var(&resj, &gej[i2], NULL);
2226  ge_equals_gej(&ref, &resj);
2227  /* Constant-time doubling. */
2228  secp256k1_gej_double(&resj, &gej[i2]);
2229  ge_equals_gej(&ref, &resj);
2230  }
2231 
2232  /* Test adding opposites. */
2233  if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
2234  CHECK(secp256k1_ge_is_infinity(&ref));
2235  }
2236 
2237  /* Test adding infinity. */
2238  if (i1 == 0) {
2239  CHECK(secp256k1_ge_is_infinity(&ge[i1]));
2240  CHECK(secp256k1_gej_is_infinity(&gej[i1]));
2241  ge_equals_gej(&ref, &gej[i2]);
2242  }
2243  if (i2 == 0) {
2244  CHECK(secp256k1_ge_is_infinity(&ge[i2]));
2245  CHECK(secp256k1_gej_is_infinity(&gej[i2]));
2246  ge_equals_gej(&ref, &gej[i1]);
2247  }
2248  }
2249  }
2250 
2251  /* Test adding all points together in random order equals infinity. */
2252  {
2253  secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
2254  secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
2255  for (i = 0; i < 4 * runs + 1; i++) {
2256  gej_shuffled[i] = gej[i];
2257  }
2258  for (i = 0; i < 4 * runs + 1; i++) {
2259  int swap = i + secp256k1_testrand_int(4 * runs + 1 - i);
2260  if (swap != i) {
2261  secp256k1_gej t = gej_shuffled[i];
2262  gej_shuffled[i] = gej_shuffled[swap];
2263  gej_shuffled[swap] = t;
2264  }
2265  }
2266  for (i = 0; i < 4 * runs + 1; i++) {
2267  secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
2268  }
2269  CHECK(secp256k1_gej_is_infinity(&sum));
2270  free(gej_shuffled);
2271  }
2272 
2273  /* Test batch gej -> ge conversion with and without known z ratios. */
2274  {
2275  secp256k1_fe *zr = (secp256k1_fe *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_fe));
2276  secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
2277  for (i = 0; i < 4 * runs + 1; i++) {
2278  /* Compute gej[i + 1].z / gez[i].z (with gej[n].z taken to be 1). */
2279  if (i < 4 * runs) {
2280  secp256k1_fe_mul(&zr[i + 1], &zinv[i], &gej[i + 1].z);
2281  }
2282  }
2283  secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
2284  for (i = 0; i < 4 * runs + 1; i++) {
2285  secp256k1_fe s;
2286  random_fe_non_zero(&s);
2287  secp256k1_gej_rescale(&gej[i], &s);
2288  ge_equals_gej(&ge_set_all[i], &gej[i]);
2289  }
2290  free(ge_set_all);
2291  free(zr);
2292  }
2293 
2294  /* Test batch gej -> ge conversion with many infinities. */
2295  for (i = 0; i < 4 * runs + 1; i++) {
2296  random_group_element_test(&ge[i]);
2297  /* randomly set half the points to infinity */
2298  if(secp256k1_fe_is_odd(&ge[i].x)) {
2299  secp256k1_ge_set_infinity(&ge[i]);
2300  }
2301  secp256k1_gej_set_ge(&gej[i], &ge[i]);
2302  }
2303  /* batch invert */
2304  secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
2305  /* check result */
2306  for (i = 0; i < 4 * runs + 1; i++) {
2307  ge_equals_gej(&ge[i], &gej[i]);
2308  }
2309 
2310  free(ge);
2311  free(gej);
2312  free(zinv);
2313 }
2314 
2315 
2316 void test_intialized_inf(void) {
2317  secp256k1_ge p;
2318  secp256k1_gej pj, npj, infj1, infj2, infj3;
2319  secp256k1_fe zinv;
2320 
2321  /* Test that adding P+(-P) results in a fully initalized infinity*/
2322  random_group_element_test(&p);
2323  secp256k1_gej_set_ge(&pj, &p);
2324  secp256k1_gej_neg(&npj, &pj);
2325 
2326  secp256k1_gej_add_var(&infj1, &pj, &npj, NULL);
2327  CHECK(secp256k1_gej_is_infinity(&infj1));
2328  CHECK(secp256k1_fe_is_zero(&infj1.x));
2329  CHECK(secp256k1_fe_is_zero(&infj1.y));
2330  CHECK(secp256k1_fe_is_zero(&infj1.z));
2331 
2332  secp256k1_gej_add_ge_var(&infj2, &npj, &p, NULL);
2333  CHECK(secp256k1_gej_is_infinity(&infj2));
2334  CHECK(secp256k1_fe_is_zero(&infj2.x));
2335  CHECK(secp256k1_fe_is_zero(&infj2.y));
2336  CHECK(secp256k1_fe_is_zero(&infj2.z));
2337 
2338  secp256k1_fe_set_int(&zinv, 1);
2339  secp256k1_gej_add_zinv_var(&infj3, &npj, &p, &zinv);
2340  CHECK(secp256k1_gej_is_infinity(&infj3));
2341  CHECK(secp256k1_fe_is_zero(&infj3.x));
2342  CHECK(secp256k1_fe_is_zero(&infj3.y));
2343  CHECK(secp256k1_fe_is_zero(&infj3.z));
2344 
2345 
2346 }
2347 
2348 void test_add_neg_y_diff_x(void) {
2349  /* The point of this test is to check that we can add two points
2350  * whose y-coordinates are negatives of each other but whose x
2351  * coordinates differ. If the x-coordinates were the same, these
2352  * points would be negatives of each other and their sum is
2353  * infinity. This is cool because it "covers up" any degeneracy
2354  * in the addition algorithm that would cause the xy coordinates
2355  * of the sum to be wrong (since infinity has no xy coordinates).
2356  * HOWEVER, if the x-coordinates are different, infinity is the
2357  * wrong answer, and such degeneracies are exposed. This is the
2358  * root of https://github.com/bitcoin-core/secp256k1/issues/257
2359  * which this test is a regression test for.
2360  *
2361  * These points were generated in sage as
2362  * # secp256k1 params
2363  * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
2364  * C = EllipticCurve ([F (0), F (7)])
2365  * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
2366  * N = FiniteField(G.order())
2367  *
2368  * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
2369  * x = polygen(N)
2370  * lam = (1 - x^3).roots()[1][0]
2371  *
2372  * # random "bad pair"
2373  * P = C.random_element()
2374  * Q = -int(lam) * P
2375  * print " P: %x %x" % P.xy()
2376  * print " Q: %x %x" % Q.xy()
2377  * print "P + Q: %x %x" % (P + Q).xy()
2378  */
2379  secp256k1_gej aj = SECP256K1_GEJ_CONST(
2380  0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
2381  0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
2382  0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
2383  0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
2384  );
2385  secp256k1_gej bj = SECP256K1_GEJ_CONST(
2386  0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
2387  0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
2388  0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
2389  0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
2390  );
2391  secp256k1_gej sumj = SECP256K1_GEJ_CONST(
2392  0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
2393  0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
2394  0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
2395  0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
2396  );
2397  secp256k1_ge b;
2398  secp256k1_gej resj;
2399  secp256k1_ge res;
2400  secp256k1_ge_set_gej(&b, &bj);
2401 
2402  secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
2403  secp256k1_ge_set_gej(&res, &resj);
2404  ge_equals_gej(&res, &sumj);
2405 
2406  secp256k1_gej_add_ge(&resj, &aj, &b);
2407  secp256k1_ge_set_gej(&res, &resj);
2408  ge_equals_gej(&res, &sumj);
2409 
2410  secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
2411  secp256k1_ge_set_gej(&res, &resj);
2412  ge_equals_gej(&res, &sumj);
2413 }
2414 
2415 void run_ge(void) {
2416  int i;
2417  for (i = 0; i < count * 32; i++) {
2418  test_ge();
2419  }
2420  test_add_neg_y_diff_x();
2421  test_intialized_inf();
2422 }
2423 
2424 void test_ec_combine(void) {
2425  secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2426  secp256k1_pubkey data[6];
2427  const secp256k1_pubkey* d[6];
2428  secp256k1_pubkey sd;
2429  secp256k1_pubkey sd2;
2430  secp256k1_gej Qj;
2431  secp256k1_ge Q;
2432  int i;
2433  for (i = 1; i <= 6; i++) {
2434  secp256k1_scalar s;
2435  random_scalar_order_test(&s);
2436  secp256k1_scalar_add(&sum, &sum, &s);
2437  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s);
2438  secp256k1_ge_set_gej(&Q, &Qj);
2439  secp256k1_pubkey_save(&data[i - 1], &Q);
2440  d[i - 1] = &data[i - 1];
2441  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum);
2442  secp256k1_ge_set_gej(&Q, &Qj);
2443  secp256k1_pubkey_save(&sd, &Q);
2444  CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
2445  CHECK(secp256k1_memcmp_var(&sd, &sd2, sizeof(sd)) == 0);
2446  }
2447 }
2448 
2449 void run_ec_combine(void) {
2450  int i;
2451  for (i = 0; i < count * 8; i++) {
2452  test_ec_combine();
2453  }
2454 }
2455 
2456 void test_group_decompress(const secp256k1_fe* x) {
2457  /* The input itself, normalized. */
2458  secp256k1_fe fex = *x;
2459  secp256k1_fe fez;
2460  /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
2461  secp256k1_ge ge_quad, ge_even, ge_odd;
2462  secp256k1_gej gej_quad;
2463  /* Return values of the above calls. */
2464  int res_quad, res_even, res_odd;
2465 
2466  secp256k1_fe_normalize_var(&fex);
2467 
2468  res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex);
2469  res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
2470  res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
2471 
2472  CHECK(res_quad == res_even);
2473  CHECK(res_quad == res_odd);
2474 
2475  if (res_quad) {
2476  secp256k1_fe_normalize_var(&ge_quad.x);
2477  secp256k1_fe_normalize_var(&ge_odd.x);
2478  secp256k1_fe_normalize_var(&ge_even.x);
2479  secp256k1_fe_normalize_var(&ge_quad.y);
2480  secp256k1_fe_normalize_var(&ge_odd.y);
2481  secp256k1_fe_normalize_var(&ge_even.y);
2482 
2483  /* No infinity allowed. */
2484  CHECK(!ge_quad.infinity);
2485  CHECK(!ge_even.infinity);
2486  CHECK(!ge_odd.infinity);
2487 
2488  /* Check that the x coordinates check out. */
2489  CHECK(secp256k1_fe_equal_var(&ge_quad.x, x));
2490  CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
2491  CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
2492 
2493  /* Check that the Y coordinate result in ge_quad is a square. */
2494  CHECK(secp256k1_fe_is_quad_var(&ge_quad.y));
2495 
2496  /* Check odd/even Y in ge_odd, ge_even. */
2497  CHECK(secp256k1_fe_is_odd(&ge_odd.y));
2498  CHECK(!secp256k1_fe_is_odd(&ge_even.y));
2499 
2500  /* Check secp256k1_gej_has_quad_y_var. */
2501  secp256k1_gej_set_ge(&gej_quad, &ge_quad);
2502  CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2503  do {
2504  random_fe_test(&fez);
2505  } while (secp256k1_fe_is_zero(&fez));
2506  secp256k1_gej_rescale(&gej_quad, &fez);
2507  CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2508  secp256k1_gej_neg(&gej_quad, &gej_quad);
2509  CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2510  do {
2511  random_fe_test(&fez);
2512  } while (secp256k1_fe_is_zero(&fez));
2513  secp256k1_gej_rescale(&gej_quad, &fez);
2514  CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2515  secp256k1_gej_neg(&gej_quad, &gej_quad);
2516  CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2517  }
2518 }
2519 
2520 void run_group_decompress(void) {
2521  int i;
2522  for (i = 0; i < count * 4; i++) {
2523  secp256k1_fe fe;
2524  random_fe_test(&fe);
2525  test_group_decompress(&fe);
2526  }
2527 }
2528 
2529 /***** ECMULT TESTS *****/
2530 
2531 void run_ecmult_chain(void) {
2532  /* random starting point A (on the curve) */
2533  secp256k1_gej a = SECP256K1_GEJ_CONST(
2534  0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
2535  0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
2536  0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
2537  0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
2538  );
2539  /* two random initial factors xn and gn */
2540  secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2541  0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
2542  0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
2543  );
2544  secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
2545  0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
2546  0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
2547  );
2548  /* two small multipliers to be applied to xn and gn in every iteration: */
2549  static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
2550  static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
2551  /* accumulators with the resulting coefficients to A and G */
2552  secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2553  secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2554  /* actual points */
2555  secp256k1_gej x;
2556  secp256k1_gej x2;
2557  int i;
2558 
2559  /* the point being computed */
2560  x = a;
2561  for (i = 0; i < 200*count; i++) {
2562  /* in each iteration, compute X = xn*X + gn*G; */
2563  secp256k1_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn);
2564  /* also compute ae and ge: the actual accumulated factors for A and G */
2565  /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
2566  secp256k1_scalar_mul(&ae, &ae, &xn);
2567  secp256k1_scalar_mul(&ge, &ge, &xn);
2568  secp256k1_scalar_add(&ge, &ge, &gn);
2569  /* modify xn and gn */
2570  secp256k1_scalar_mul(&xn, &xn, &xf);
2571  secp256k1_scalar_mul(&gn, &gn, &gf);
2572 
2573  /* verify */
2574  if (i == 19999) {
2575  /* expected result after 19999 iterations */
2576  secp256k1_gej rp = SECP256K1_GEJ_CONST(
2577  0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
2578  0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
2579  0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
2580  0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
2581  );
2582 
2583  secp256k1_gej_neg(&rp, &rp);
2584  secp256k1_gej_add_var(&rp, &rp, &x, NULL);
2585  CHECK(secp256k1_gej_is_infinity(&rp));
2586  }
2587  }
2588  /* redo the computation, but directly with the resulting ae and ge coefficients: */
2589  secp256k1_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge);
2590  secp256k1_gej_neg(&x2, &x2);
2591  secp256k1_gej_add_var(&x2, &x2, &x, NULL);
2592  CHECK(secp256k1_gej_is_infinity(&x2));
2593 }
2594 
2595 void test_point_times_order(const secp256k1_gej *point) {
2596  /* X * (point + G) + (order-X) * (pointer + G) = 0 */
2597  secp256k1_scalar x;
2598  secp256k1_scalar nx;
2599  secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2600  secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2601  secp256k1_gej res1, res2;
2602  secp256k1_ge res3;
2603  unsigned char pub[65];
2604  size_t psize = 65;
2605  random_scalar_order_test(&x);
2606  secp256k1_scalar_negate(&nx, &x);
2607  secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */
2608  secp256k1_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
2609  secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
2610  CHECK(secp256k1_gej_is_infinity(&res1));
2611  secp256k1_ge_set_gej(&res3, &res1);
2612  CHECK(secp256k1_ge_is_infinity(&res3));
2613  CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
2614  CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
2615  psize = 65;
2616  CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
2617  /* check zero/one edge cases */
2618  secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero);
2619  secp256k1_ge_set_gej(&res3, &res1);
2620  CHECK(secp256k1_ge_is_infinity(&res3));
2621  secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero);
2622  secp256k1_ge_set_gej(&res3, &res1);
2623  ge_equals_gej(&res3, point);
2624  secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one);
2625  secp256k1_ge_set_gej(&res3, &res1);
2626  ge_equals_ge(&res3, &secp256k1_ge_const_g);
2627 }
2628 
2629 /* These scalars reach large (in absolute value) outputs when fed to secp256k1_scalar_split_lambda.
2630  *
2631  * They are computed as:
2632  * - For a in [-2, -1, 0, 1, 2]:
2633  * - For b in [-3, -1, 1, 3]:
2634  * - Output (a*LAMBDA + (ORDER+b)/2) % ORDER
2635  */
2636 static const secp256k1_scalar scalars_near_split_bounds[20] = {
2637  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fc),
2638  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fd),
2639  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fe),
2640  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6ff),
2641  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632d),
2642  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632e),
2643  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632f),
2644  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf76330),
2645  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b209f),
2646  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a0),
2647  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a1),
2648  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a2),
2649  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede11),
2650  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede12),
2651  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede13),
2652  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede14),
2653  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a42),
2654  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a43),
2655  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a44),
2656  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a45)
2657 };
2658 
2659 void test_ecmult_target(const secp256k1_scalar* target, int mode) {
2660  /* Mode: 0=ecmult_gen, 1=ecmult, 2=ecmult_const */
2661  secp256k1_scalar n1, n2;
2662  secp256k1_ge p;
2663  secp256k1_gej pj, p1j, p2j, ptj;
2664  static const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2665 
2666  /* Generate random n1,n2 such that n1+n2 = -target. */
2667  random_scalar_order_test(&n1);
2668  secp256k1_scalar_add(&n2, &n1, target);
2669  secp256k1_scalar_negate(&n2, &n2);
2670 
2671  /* Generate a random input point. */
2672  if (mode != 0) {
2673  random_group_element_test(&p);
2674  secp256k1_gej_set_ge(&pj, &p);
2675  }
2676 
2677  /* EC multiplications */
2678  if (mode == 0) {
2679  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &p1j, &n1);
2680  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &p2j, &n2);
2681  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &ptj, target);
2682  } else if (mode == 1) {
2683  secp256k1_ecmult(&ctx->ecmult_ctx, &p1j, &pj, &n1, &zero);
2684  secp256k1_ecmult(&ctx->ecmult_ctx, &p2j, &pj, &n2, &zero);
2685  secp256k1_ecmult(&ctx->ecmult_ctx, &ptj, &pj, target, &zero);
2686  } else {
2687  secp256k1_ecmult_const(&p1j, &p, &n1, 256);
2688  secp256k1_ecmult_const(&p2j, &p, &n2, 256);
2689  secp256k1_ecmult_const(&ptj, &p, target, 256);
2690  }
2691 
2692  /* Add them all up: n1*P + n2*P + target*P = (n1+n2+target)*P = (n1+n1-n1-n2)*P = 0. */
2693  secp256k1_gej_add_var(&ptj, &ptj, &p1j, NULL);
2694  secp256k1_gej_add_var(&ptj, &ptj, &p2j, NULL);
2695  CHECK(secp256k1_gej_is_infinity(&ptj));
2696 }
2697 
2698 void run_ecmult_near_split_bound(void) {
2699  int i;
2700  unsigned j;
2701  for (i = 0; i < 4*count; ++i) {
2702  for (j = 0; j < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++j) {
2703  test_ecmult_target(&scalars_near_split_bounds[j], 0);
2704  test_ecmult_target(&scalars_near_split_bounds[j], 1);
2705  test_ecmult_target(&scalars_near_split_bounds[j], 2);
2706  }
2707  }
2708 }
2709 
2710 void run_point_times_order(void) {
2711  int i;
2712  secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
2713  static const secp256k1_fe xr = SECP256K1_FE_CONST(
2714  0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
2715  0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
2716  );
2717  for (i = 0; i < 500; i++) {
2718  secp256k1_ge p;
2719  if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
2720  secp256k1_gej j;
2721  CHECK(secp256k1_ge_is_valid_var(&p));
2722  secp256k1_gej_set_ge(&j, &p);
2723  test_point_times_order(&j);
2724  }
2725  secp256k1_fe_sqr(&x, &x);
2726  }
2727  secp256k1_fe_normalize_var(&x);
2728  CHECK(secp256k1_fe_equal_var(&x, &xr));
2729 }
2730 
2731 void ecmult_const_random_mult(void) {
2732  /* random starting point A (on the curve) */
2733  secp256k1_ge a = SECP256K1_GE_CONST(
2734  0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
2735  0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
2736  0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
2737  0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
2738  );
2739  /* random initial factor xn */
2740  secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2741  0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
2742  0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
2743  );
2744  /* expected xn * A (from sage) */
2745  secp256k1_ge expected_b = SECP256K1_GE_CONST(
2746  0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
2747  0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
2748  0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
2749  0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
2750  );
2751  secp256k1_gej b;
2752  secp256k1_ecmult_const(&b, &a, &xn, 256);
2753 
2754  CHECK(secp256k1_ge_is_valid_var(&a));
2755  ge_equals_gej(&expected_b, &b);
2756 }
2757 
2758 void ecmult_const_commutativity(void) {
2759  secp256k1_scalar a;
2760  secp256k1_scalar b;
2761  secp256k1_gej res1;
2762  secp256k1_gej res2;
2763  secp256k1_ge mid1;
2764  secp256k1_ge mid2;
2765  random_scalar_order_test(&a);
2766  random_scalar_order_test(&b);
2767 
2768  secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a, 256);
2769  secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b, 256);
2770  secp256k1_ge_set_gej(&mid1, &res1);
2771  secp256k1_ge_set_gej(&mid2, &res2);
2772  secp256k1_ecmult_const(&res1, &mid1, &b, 256);
2773  secp256k1_ecmult_const(&res2, &mid2, &a, 256);
2774  secp256k1_ge_set_gej(&mid1, &res1);
2775  secp256k1_ge_set_gej(&mid2, &res2);
2776  ge_equals_ge(&mid1, &mid2);
2777 }
2778 
2779 void ecmult_const_mult_zero_one(void) {
2780  secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2781  secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2782  secp256k1_scalar negone;
2783  secp256k1_gej res1;
2784  secp256k1_ge res2;
2785  secp256k1_ge point;
2786  secp256k1_scalar_negate(&negone, &one);
2787 
2788  random_group_element_test(&point);
2789  secp256k1_ecmult_const(&res1, &point, &zero, 3);
2790  secp256k1_ge_set_gej(&res2, &res1);
2791  CHECK(secp256k1_ge_is_infinity(&res2));
2792  secp256k1_ecmult_const(&res1, &point, &one, 2);
2793  secp256k1_ge_set_gej(&res2, &res1);
2794  ge_equals_ge(&res2, &point);
2795  secp256k1_ecmult_const(&res1, &point, &negone, 256);
2796  secp256k1_gej_neg(&res1, &res1);
2797  secp256k1_ge_set_gej(&res2, &res1);
2798  ge_equals_ge(&res2, &point);
2799 }
2800 
2801 void ecmult_const_chain_multiply(void) {
2802  /* Check known result (randomly generated test problem from sage) */
2803  const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
2804  0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
2805  0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
2806  );
2807  const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
2808  0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
2809  0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
2810  0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
2811  0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
2812  );
2813  secp256k1_gej point;
2814  secp256k1_ge res;
2815  int i;
2816 
2817  secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
2818  for (i = 0; i < 100; ++i) {
2819  secp256k1_ge tmp;
2820  secp256k1_ge_set_gej(&tmp, &point);
2821  secp256k1_ecmult_const(&point, &tmp, &scalar, 256);
2822  }
2823  secp256k1_ge_set_gej(&res, &point);
2824  ge_equals_gej(&res, &expected_point);
2825 }
2826 
2827 void run_ecmult_const_tests(void) {
2828  ecmult_const_mult_zero_one();
2829  ecmult_const_random_mult();
2830  ecmult_const_commutativity();
2831  ecmult_const_chain_multiply();
2832 }
2833 
2834 typedef struct {
2835  secp256k1_scalar *sc;
2836  secp256k1_ge *pt;
2837 } ecmult_multi_data;
2838 
2839 static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2840  ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
2841  *sc = data->sc[idx];
2842  *pt = data->pt[idx];
2843  return 1;
2844 }
2845 
2846 static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2847  (void)sc;
2848  (void)pt;
2849  (void)idx;
2850  (void)cbdata;
2851  return 0;
2852 }
2853 
2854 void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) {
2855  int ncount;
2856  secp256k1_scalar szero;
2857  secp256k1_scalar sc[32];
2858  secp256k1_ge pt[32];
2859  secp256k1_gej r;
2860  secp256k1_gej r2;
2861  ecmult_multi_data data;
2862 
2863  data.sc = sc;
2864  data.pt = pt;
2865  secp256k1_scalar_set_int(&szero, 0);
2866 
2867  /* No points to multiply */
2868  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
2869 
2870  /* Check 1- and 2-point multiplies against ecmult */
2871  for (ncount = 0; ncount < count; ncount++) {
2872  secp256k1_ge ptg;
2873  secp256k1_gej ptgj;
2874  random_scalar_order(&sc[0]);
2875  random_scalar_order(&sc[1]);
2876 
2877  random_group_element_test(&ptg);
2878  secp256k1_gej_set_ge(&ptgj, &ptg);
2879  pt[0] = ptg;
2880  pt[1] = secp256k1_ge_const_g;
2881 
2882  /* only G scalar */
2883  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &szero, &sc[0]);
2884  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
2885  secp256k1_gej_neg(&r2, &r2);
2886  secp256k1_gej_add_var(&r, &r, &r2, NULL);
2887  CHECK(secp256k1_gej_is_infinity(&r));
2888 
2889  /* 1-point */
2890  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &szero);
2891  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 1));
2892  secp256k1_gej_neg(&r2, &r2);
2893  secp256k1_gej_add_var(&r, &r, &r2, NULL);
2894  CHECK(secp256k1_gej_is_infinity(&r));
2895 
2896  /* Try to multiply 1 point, but callback returns false */
2897  CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_false_callback, &data, 1));
2898 
2899  /* 2-point */
2900  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
2901  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 2));
2902  secp256k1_gej_neg(&r2, &r2);
2903  secp256k1_gej_add_var(&r, &r, &r2, NULL);
2904  CHECK(secp256k1_gej_is_infinity(&r));
2905 
2906  /* 2-point with G scalar */
2907  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
2908  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
2909  secp256k1_gej_neg(&r2, &r2);
2910  secp256k1_gej_add_var(&r, &r, &r2, NULL);
2911  CHECK(secp256k1_gej_is_infinity(&r));
2912  }
2913 
2914  /* Check infinite outputs of various forms */
2915  for (ncount = 0; ncount < count; ncount++) {
2916  secp256k1_ge ptg;
2917  size_t i, j;
2918  size_t sizes[] = { 2, 10, 32 };
2919 
2920  for (j = 0; j < 3; j++) {
2921  for (i = 0; i < 32; i++) {
2922  random_scalar_order(&sc[i]);
2923  secp256k1_ge_set_infinity(&pt[i]);
2924  }
2925  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2926  CHECK(secp256k1_gej_is_infinity(&r));
2927  }
2928 
2929  for (j = 0; j < 3; j++) {
2930  for (i = 0; i < 32; i++) {
2931  random_group_element_test(&ptg);
2932  pt[i] = ptg;
2933  secp256k1_scalar_set_int(&sc[i], 0);
2934  }
2935  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2936  CHECK(secp256k1_gej_is_infinity(&r));
2937  }
2938 
2939  for (j = 0; j < 3; j++) {
2940  random_group_element_test(&ptg);
2941  for (i = 0; i < 16; i++) {
2942  random_scalar_order(&sc[2*i]);
2943  secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
2944  pt[2 * i] = ptg;
2945  pt[2 * i + 1] = ptg;
2946  }
2947 
2948  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2949  CHECK(secp256k1_gej_is_infinity(&r));
2950 
2951  random_scalar_order(&sc[0]);
2952  for (i = 0; i < 16; i++) {
2953  random_group_element_test(&ptg);
2954 
2955  sc[2*i] = sc[0];
2956  sc[2*i+1] = sc[0];
2957  pt[2 * i] = ptg;
2958  secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
2959  }
2960 
2961  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2962  CHECK(secp256k1_gej_is_infinity(&r));
2963  }
2964 
2965  random_group_element_test(&ptg);
2966  secp256k1_scalar_set_int(&sc[0], 0);
2967  pt[0] = ptg;
2968  for (i = 1; i < 32; i++) {
2969  pt[i] = ptg;
2970 
2971  random_scalar_order(&sc[i]);
2972  secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
2973  secp256k1_scalar_negate(&sc[i], &sc[i]);
2974  }
2975 
2976  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 32));
2977  CHECK(secp256k1_gej_is_infinity(&r));
2978  }
2979 
2980  /* Check random points, constant scalar */
2981  for (ncount = 0; ncount < count; ncount++) {
2982  size_t i;
2983  secp256k1_gej_set_infinity(&r);
2984 
2985  random_scalar_order(&sc[0]);
2986  for (i = 0; i < 20; i++) {
2987  secp256k1_ge ptg;
2988  sc[i] = sc[0];
2989  random_group_element_test(&ptg);
2990  pt[i] = ptg;
2991  secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
2992  }
2993 
2994  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r, &sc[0], &szero);
2995  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2996  secp256k1_gej_neg(&r2, &r2);
2997  secp256k1_gej_add_var(&r, &r, &r2, NULL);
2998  CHECK(secp256k1_gej_is_infinity(&r));
2999  }
3000 
3001  /* Check random scalars, constant point */
3002  for (ncount = 0; ncount < count; ncount++) {
3003  size_t i;
3004  secp256k1_ge ptg;
3005  secp256k1_gej p0j;
3006  secp256k1_scalar rs;
3007  secp256k1_scalar_set_int(&rs, 0);
3008 
3009  random_group_element_test(&ptg);
3010  for (i = 0; i < 20; i++) {
3011  random_scalar_order(&sc[i]);
3012  pt[i] = ptg;
3013  secp256k1_scalar_add(&rs, &rs, &sc[i]);
3014  }
3015 
3016  secp256k1_gej_set_ge(&p0j, &pt[0]);
3017  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &p0j, &rs, &szero);
3018  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
3019  secp256k1_gej_neg(&r2, &r2);
3020  secp256k1_gej_add_var(&r, &r, &r2, NULL);
3021  CHECK(secp256k1_gej_is_infinity(&r));
3022  }
3023 
3024  /* Sanity check that zero scalars don't cause problems */
3025  for (ncount = 0; ncount < 20; ncount++) {
3026  random_scalar_order(&sc[ncount]);
3027  random_group_element_test(&pt[ncount]);
3028  }
3029  secp256k1_scalar_clear(&sc[0]);
3030  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
3031  secp256k1_scalar_clear(&sc[1]);
3032  secp256k1_scalar_clear(&sc[2]);
3033  secp256k1_scalar_clear(&sc[3]);
3034  secp256k1_scalar_clear(&sc[4]);
3035  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 6));
3036  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 5));
3037  CHECK(secp256k1_gej_is_infinity(&r));
3038 
3039  /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
3040  {
3041  const size_t TOP = 8;
3042  size_t s0i, s1i;
3043  size_t t0i, t1i;
3044  secp256k1_ge ptg;
3045  secp256k1_gej ptgj;
3046 
3047  random_group_element_test(&ptg);
3048  secp256k1_gej_set_ge(&ptgj, &ptg);
3049 
3050  for(t0i = 0; t0i < TOP; t0i++) {
3051  for(t1i = 0; t1i < TOP; t1i++) {
3052  secp256k1_gej t0p, t1p;
3053  secp256k1_scalar t0, t1;
3054 
3055  secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
3056  secp256k1_scalar_cond_negate(&t0, t0i & 1);
3057  secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
3058  secp256k1_scalar_cond_negate(&t1, t1i & 1);
3059 
3060  secp256k1_ecmult(&ctx->ecmult_ctx, &t0p, &ptgj, &t0, &szero);
3061  secp256k1_ecmult(&ctx->ecmult_ctx, &t1p, &ptgj, &t1, &szero);
3062 
3063  for(s0i = 0; s0i < TOP; s0i++) {
3064  for(s1i = 0; s1i < TOP; s1i++) {
3065  secp256k1_scalar tmp1, tmp2;
3066  secp256k1_gej expected, actual;
3067 
3068  secp256k1_ge_set_gej(&pt[0], &t0p);
3069  secp256k1_ge_set_gej(&pt[1], &t1p);
3070 
3071  secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
3072  secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
3073  secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
3074  secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
3075 
3076  secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
3077  secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
3078  secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
3079 
3080  secp256k1_ecmult(&ctx->ecmult_ctx, &expected, &ptgj, &tmp1, &szero);
3081  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &actual, &szero, ecmult_multi_callback, &data, 2));
3082  secp256k1_gej_neg(&expected, &expected);
3083  secp256k1_gej_add_var(&actual, &actual, &expected, NULL);
3084  CHECK(secp256k1_gej_is_infinity(&actual));
3085  }
3086  }
3087  }
3088  }
3089  }
3090 }
3091 
3092 void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi) {
3093  secp256k1_scalar szero;
3094  secp256k1_scalar sc;
3095  secp256k1_ge pt;
3096  secp256k1_gej r;
3097  ecmult_multi_data data;
3098  secp256k1_scratch *scratch_empty;
3099 
3100  random_group_element_test(&pt);
3101  random_scalar_order(&sc);
3102  data.sc = &sc;
3103  data.pt = &pt;
3104  secp256k1_scalar_set_int(&szero, 0);
3105 
3106  /* Try to multiply 1 point, but scratch space is empty.*/
3107  scratch_empty = secp256k1_scratch_create(&ctx->error_callback, 0);
3108  CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch_empty, &r, &szero, ecmult_multi_callback, &data, 1));
3109  secp256k1_scratch_destroy(&ctx->error_callback, scratch_empty);
3110 }
3111 
3112 void test_secp256k1_pippenger_bucket_window_inv(void) {
3113  int i;
3114 
3115  CHECK(secp256k1_pippenger_bucket_window_inv(0) == 0);
3116  for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
3117  /* Bucket_window of 8 is not used with endo */
3118  if (i == 8) {
3119  continue;
3120  }
3121  CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)) == i);
3122  if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
3123  CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)+1) > i);
3124  }
3125  }
3126 }
3127 
3132 void test_ecmult_multi_pippenger_max_points(void) {
3133  size_t scratch_size = secp256k1_testrand_int(256);
3134  size_t max_size = secp256k1_pippenger_scratch_size(secp256k1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12);
3135  secp256k1_scratch *scratch;
3136  size_t n_points_supported;
3137  int bucket_window = 0;
3138 
3139  for(; scratch_size < max_size; scratch_size+=256) {
3140  size_t i;
3141  size_t total_alloc;
3142  size_t checkpoint;
3143  scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size);
3144  CHECK(scratch != NULL);
3145  checkpoint = secp256k1_scratch_checkpoint(&ctx->error_callback, scratch);
3146  n_points_supported = secp256k1_pippenger_max_points(&ctx->error_callback, scratch);
3147  if (n_points_supported == 0) {
3148  secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3149  continue;
3150  }
3151  bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
3152  /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */
3153  total_alloc = secp256k1_pippenger_scratch_size(n_points_supported, bucket_window);
3154  for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) {
3155  CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, 1));
3156  total_alloc--;
3157  }
3158  CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, total_alloc));
3159  secp256k1_scratch_apply_checkpoint(&ctx->error_callback, scratch, checkpoint);
3160  secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3161  }
3162  CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
3163 }
3164 
3165 void test_ecmult_multi_batch_size_helper(void) {
3166  size_t n_batches, n_batch_points, max_n_batch_points, n;
3167 
3168  max_n_batch_points = 0;
3169  n = 1;
3170  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
3171 
3172  max_n_batch_points = 1;
3173  n = 0;
3174  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3175  CHECK(n_batches == 0);
3176  CHECK(n_batch_points == 0);
3177 
3178  max_n_batch_points = 2;
3179  n = 5;
3180  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3181  CHECK(n_batches == 3);
3182  CHECK(n_batch_points == 2);
3183 
3184  max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
3185  n = ECMULT_MAX_POINTS_PER_BATCH;
3186  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3187  CHECK(n_batches == 1);
3188  CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
3189 
3190  max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
3191  n = ECMULT_MAX_POINTS_PER_BATCH + 1;
3192  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3193  CHECK(n_batches == 2);
3194  CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
3195 
3196  max_n_batch_points = 1;
3197  n = SIZE_MAX;
3198  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3199  CHECK(n_batches == SIZE_MAX);
3200  CHECK(n_batch_points == 1);
3201 
3202  max_n_batch_points = 2;
3203  n = SIZE_MAX;
3204  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3205  CHECK(n_batches == SIZE_MAX/2 + 1);
3206  CHECK(n_batch_points == 2);
3207 }
3208 
3213 void test_ecmult_multi_batching(void) {
3214  static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
3215  secp256k1_scalar scG;
3216  secp256k1_scalar szero;
3217  secp256k1_scalar *sc = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_scalar) * n_points);
3218  secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * n_points);
3219  secp256k1_gej r;
3220  secp256k1_gej r2;
3221  ecmult_multi_data data;
3222  int i;
3223  secp256k1_scratch *scratch;
3224 
3225  secp256k1_gej_set_infinity(&r2);
3226  secp256k1_scalar_set_int(&szero, 0);
3227 
3228  /* Get random scalars and group elements and compute result */
3229  random_scalar_order(&scG);
3230  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r2, &szero, &scG);
3231  for(i = 0; i < n_points; i++) {
3232  secp256k1_ge ptg;
3233  secp256k1_gej ptgj;
3234  random_group_element_test(&ptg);
3235  secp256k1_gej_set_ge(&ptgj, &ptg);
3236  pt[i] = ptg;
3237  random_scalar_order(&sc[i]);
3238  secp256k1_ecmult(&ctx->ecmult_ctx, &ptgj, &ptgj, &sc[i], NULL);
3239  secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
3240  }
3241  data.sc = sc;
3242  data.pt = pt;
3243  secp256k1_gej_neg(&r2, &r2);
3244 
3245  /* Test with empty scratch space. It should compute the correct result using
3246  * ecmult_mult_simple algorithm which doesn't require a scratch space. */
3247  scratch = secp256k1_scratch_create(&ctx->error_callback, 0);
3248  CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
3249  secp256k1_gej_add_var(&r, &r, &r2, NULL);
3250  CHECK(secp256k1_gej_is_infinity(&r));
3251  secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3252 
3253  /* Test with space for 1 point in pippenger. That's not enough because
3254  * ecmult_multi selects strauss which requires more memory. It should
3255  * therefore select the simple algorithm. */
3256  scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
3257  CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
3258  secp256k1_gej_add_var(&r, &r, &r2, NULL);
3259  CHECK(secp256k1_gej_is_infinity(&r));
3260  secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3261 
3262  for(i = 1; i <= n_points; i++) {
3263  if (i > ECMULT_PIPPENGER_THRESHOLD) {
3264  int bucket_window = secp256k1_pippenger_bucket_window(i);
3265  size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
3266  scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
3267  } else {
3268  size_t scratch_size = secp256k1_strauss_scratch_size(i);
3269  scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
3270  }
3271  CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
3272  secp256k1_gej_add_var(&r, &r, &r2, NULL);
3273  CHECK(secp256k1_gej_is_infinity(&r));
3274  secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3275  }
3276  free(sc);
3277  free(pt);
3278 }
3279 
3280 void run_ecmult_multi_tests(void) {
3281  secp256k1_scratch *scratch;
3282 
3283  test_secp256k1_pippenger_bucket_window_inv();
3284  test_ecmult_multi_pippenger_max_points();
3285  scratch = secp256k1_scratch_create(&ctx->error_callback, 819200);
3286  test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
3287  test_ecmult_multi(NULL, secp256k1_ecmult_multi_var);
3288  test_ecmult_multi(scratch, secp256k1_ecmult_pippenger_batch_single);
3289  test_ecmult_multi_batch_single(secp256k1_ecmult_pippenger_batch_single);
3290  test_ecmult_multi(scratch, secp256k1_ecmult_strauss_batch_single);
3291  test_ecmult_multi_batch_single(secp256k1_ecmult_strauss_batch_single);
3292  secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3293 
3294  /* Run test_ecmult_multi with space for exactly one point */
3295  scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
3296  test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
3297  secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3298 
3299  test_ecmult_multi_batch_size_helper();
3300  test_ecmult_multi_batching();
3301 }
3302 
3303 void test_wnaf(const secp256k1_scalar *number, int w) {
3304  secp256k1_scalar x, two, t;
3305  int wnaf[256];
3306  int zeroes = -1;
3307  int i;
3308  int bits;
3309  secp256k1_scalar_set_int(&x, 0);
3310  secp256k1_scalar_set_int(&two, 2);
3311  bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
3312  CHECK(bits <= 256);
3313  for (i = bits-1; i >= 0; i--) {
3314  int v = wnaf[i];
3315  secp256k1_scalar_mul(&x, &x, &two);
3316  if (v) {
3317  CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
3318  zeroes=0;
3319  CHECK((v & 1) == 1); /* check non-zero elements are odd */
3320  CHECK(v <= (1 << (w-1)) - 1); /* check range below */
3321  CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
3322  } else {
3323  CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
3324  zeroes++;
3325  }
3326  if (v >= 0) {
3327  secp256k1_scalar_set_int(&t, v);
3328  } else {
3329  secp256k1_scalar_set_int(&t, -v);
3330  secp256k1_scalar_negate(&t, &t);
3331  }
3332  secp256k1_scalar_add(&x, &x, &t);
3333  }
3334  CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
3335 }
3336 
3337 void test_constant_wnaf_negate(const secp256k1_scalar *number) {
3338  secp256k1_scalar neg1 = *number;
3339  secp256k1_scalar neg2 = *number;
3340  int sign1 = 1;
3341  int sign2 = 1;
3342 
3343  if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
3344  secp256k1_scalar_negate(&neg1, &neg1);
3345  sign1 = -1;
3346  }
3347  sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2));
3348  CHECK(sign1 == sign2);
3349  CHECK(secp256k1_scalar_eq(&neg1, &neg2));
3350 }
3351 
3352 void test_constant_wnaf(const secp256k1_scalar *number, int w) {
3353  secp256k1_scalar x, shift;
3354  int wnaf[256] = {0};
3355  int i;
3356  int skew;
3357  int bits = 256;
3358  secp256k1_scalar num = *number;
3359  secp256k1_scalar scalar_skew;
3360 
3361  secp256k1_scalar_set_int(&x, 0);
3362  secp256k1_scalar_set_int(&shift, 1 << w);
3363  for (i = 0; i < 16; ++i) {
3364  secp256k1_scalar_shr_int(&num, 8);
3365  }
3366  bits = 128;
3367  skew = secp256k1_wnaf_const(wnaf, &num, w, bits);
3368 
3369  for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) {
3370  secp256k1_scalar t;
3371  int v = wnaf[i];
3372  CHECK(v != 0); /* check nonzero */
3373  CHECK(v & 1); /* check parity */
3374  CHECK(v > -(1 << w)); /* check range above */
3375  CHECK(v < (1 << w)); /* check range below */
3376 
3377  secp256k1_scalar_mul(&x, &x, &shift);
3378  if (v >= 0) {
3379  secp256k1_scalar_set_int(&t, v);
3380  } else {
3381  secp256k1_scalar_set_int(&t, -v);
3382  secp256k1_scalar_negate(&t, &t);
3383  }
3384  secp256k1_scalar_add(&x, &x, &t);
3385  }
3386  /* Skew num because when encoding numbers as odd we use an offset */
3387  secp256k1_scalar_set_int(&scalar_skew, 1 << (skew == 2));
3388  secp256k1_scalar_add(&num, &num, &scalar_skew);
3389  CHECK(secp256k1_scalar_eq(&x, &num));
3390 }
3391 
3392 void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
3393  secp256k1_scalar x, shift;
3394  int wnaf[256] = {0};
3395  int i;
3396  int skew;
3397  secp256k1_scalar num = *number;
3398 
3399  secp256k1_scalar_set_int(&x, 0);
3400  secp256k1_scalar_set_int(&shift, 1 << w);
3401  for (i = 0; i < 16; ++i) {
3402  secp256k1_scalar_shr_int(&num, 8);
3403  }
3404  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3405 
3406  for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3407  secp256k1_scalar t;
3408  int v = wnaf[i];
3409  CHECK(v == 0 || v & 1); /* check parity */
3410  CHECK(v > -(1 << w)); /* check range above */
3411  CHECK(v < (1 << w)); /* check range below */
3412 
3413  secp256k1_scalar_mul(&x, &x, &shift);
3414  if (v >= 0) {
3415  secp256k1_scalar_set_int(&t, v);
3416  } else {
3417  secp256k1_scalar_set_int(&t, -v);
3418  secp256k1_scalar_negate(&t, &t);
3419  }
3420  secp256k1_scalar_add(&x, &x, &t);
3421  }
3422  /* If skew is 1 then add 1 to num */
3423  secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
3424  CHECK(secp256k1_scalar_eq(&x, &num));
3425 }
3426 
3427 /* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
3428  * rest is 0.*/
3429 void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
3430  int i;
3431  for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
3432  CHECK(wnaf[i] == 0);
3433  }
3434  for (i = 7; i >= 0; --i) {
3435  CHECK(wnaf[i] == wnaf_expected[i]);
3436  }
3437 }
3438 
3439 void test_fixed_wnaf_small(void) {
3440  int w = 4;
3441  int wnaf[256] = {0};
3442  int i;
3443  int skew;
3444  secp256k1_scalar num;
3445 
3446  secp256k1_scalar_set_int(&num, 0);
3447  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3448  for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3449  int v = wnaf[i];
3450  CHECK(v == 0);
3451  }
3452  CHECK(skew == 0);
3453 
3454  secp256k1_scalar_set_int(&num, 1);
3455  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3456  for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
3457  int v = wnaf[i];
3458  CHECK(v == 0);
3459  }
3460  CHECK(wnaf[0] == 1);
3461  CHECK(skew == 0);
3462 
3463  {
3464  int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
3465  secp256k1_scalar_set_int(&num, 0xffffffff);
3466  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3467  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3468  CHECK(skew == 0);
3469  }
3470  {
3471  int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
3472  secp256k1_scalar_set_int(&num, 0xeeeeeeee);
3473  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3474  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3475  CHECK(skew == 1);
3476  }
3477  {
3478  int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
3479  secp256k1_scalar_set_int(&num, 0x01010101);
3480  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3481  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3482  CHECK(skew == 0);
3483  }
3484  {
3485  int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
3486  secp256k1_scalar_set_int(&num, 0x01ef1ef1);
3487  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3488  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3489  CHECK(skew == 0);
3490  }
3491 }
3492 
3493 void run_wnaf(void) {
3494  int i;
3495  secp256k1_scalar n = {{0}};
3496 
3497  test_constant_wnaf(&n, 4);
3498  /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
3499  * have easier-to-diagnose failure modes */
3500  n.d[0] = 1;
3501  test_constant_wnaf(&n, 4);
3502  n.d[0] = 2;
3503  test_constant_wnaf(&n, 4);
3504  /* Test -1, because it's a special case in wnaf_const */
3505  n = secp256k1_scalar_one;
3506  secp256k1_scalar_negate(&n, &n);
3507  test_constant_wnaf(&n, 4);
3508 
3509  /* Test -2, which may not lead to overflows in wnaf_const */
3510  secp256k1_scalar_add(&n, &secp256k1_scalar_one, &secp256k1_scalar_one);
3511  secp256k1_scalar_negate(&n, &n);
3512  test_constant_wnaf(&n, 4);
3513 
3514  /* Test (1/2) - 1 = 1/-2 and 1/2 = (1/-2) + 1
3515  as corner cases of negation handling in wnaf_const */
3516  secp256k1_scalar_inverse(&n, &n);
3517  test_constant_wnaf(&n, 4);
3518 
3519  secp256k1_scalar_add(&n, &n, &secp256k1_scalar_one);
3520  test_constant_wnaf(&n, 4);
3521 
3522  /* Test 0 for fixed wnaf */
3523  test_fixed_wnaf_small();
3524  /* Random tests */
3525  for (i = 0; i < count; i++) {
3526  random_scalar_order(&n);
3527  test_wnaf(&n, 4+(i%10));
3528  test_constant_wnaf_negate(&n);
3529  test_constant_wnaf(&n, 4 + (i % 10));
3530  test_fixed_wnaf(&n, 4 + (i % 10));
3531  }
3532  secp256k1_scalar_set_int(&n, 0);
3533  CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
3534  CHECK(secp256k1_scalar_is_zero(&n));
3535  CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
3536  CHECK(secp256k1_scalar_is_zero(&n));
3537 }
3538 
3539 void test_ecmult_constants(void) {
3540  /* Test ecmult_gen() for [0..36) and [order-36..0). */
3541  secp256k1_scalar x;
3542  secp256k1_gej r;
3543  secp256k1_ge ng;
3544  int i;
3545  int j;
3546  secp256k1_ge_neg(&ng, &secp256k1_ge_const_g);
3547  for (i = 0; i < 36; i++ ) {
3548  secp256k1_scalar_set_int(&x, i);
3549  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3550  for (j = 0; j < i; j++) {
3551  if (j == i - 1) {
3552  ge_equals_gej(&secp256k1_ge_const_g, &r);
3553  }
3554  secp256k1_gej_add_ge(&r, &r, &ng);
3555  }
3556  CHECK(secp256k1_gej_is_infinity(&r));
3557  }
3558  for (i = 1; i <= 36; i++ ) {
3559  secp256k1_scalar_set_int(&x, i);
3560  secp256k1_scalar_negate(&x, &x);
3561  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3562  for (j = 0; j < i; j++) {
3563  if (j == i - 1) {
3564  ge_equals_gej(&ng, &r);
3565  }
3566  secp256k1_gej_add_ge(&r, &r, &secp256k1_ge_const_g);
3567  }
3568  CHECK(secp256k1_gej_is_infinity(&r));
3569  }
3570 }
3571 
3572 void run_ecmult_constants(void) {
3573  test_ecmult_constants();
3574 }
3575 
3576 void test_ecmult_gen_blind(void) {
3577  /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
3578  secp256k1_scalar key;
3579  secp256k1_scalar b;
3580  unsigned char seed32[32];
3581  secp256k1_gej pgej;
3582  secp256k1_gej pgej2;
3583  secp256k1_gej i;
3584  secp256k1_ge pge;
3585  random_scalar_order_test(&key);
3586  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
3587  secp256k1_testrand256(seed32);
3588  b = ctx->ecmult_gen_ctx.blind;
3589  i = ctx->ecmult_gen_ctx.initial;
3590  secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
3591  CHECK(!secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3592  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
3593  CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
3594  CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial));
3595  secp256k1_ge_set_gej(&pge, &pgej);
3596  ge_equals_gej(&pge, &pgej2);
3597 }
3598 
3599 void test_ecmult_gen_blind_reset(void) {
3600  /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
3601  secp256k1_scalar b;
3602  secp256k1_gej initial;
3603  secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3604  b = ctx->ecmult_gen_ctx.blind;
3605  initial = ctx->ecmult_gen_ctx.initial;
3606  secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3607  CHECK(secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3608  CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial));
3609 }
3610 
3611 void run_ecmult_gen_blind(void) {
3612  int i;
3613  test_ecmult_gen_blind_reset();
3614  for (i = 0; i < 10; i++) {
3615  test_ecmult_gen_blind();
3616  }
3617 }
3618 
3619 /***** ENDOMORPHISH TESTS *****/
3620 void test_scalar_split(const secp256k1_scalar* full) {
3621  secp256k1_scalar s, s1, slam;
3622  const unsigned char zero[32] = {0};
3623  unsigned char tmp[32];
3624 
3625  secp256k1_scalar_split_lambda(&s1, &slam, full);
3626 
3627  /* check slam*lambda + s1 == full */
3628  secp256k1_scalar_mul(&s, &secp256k1_const_lambda, &slam);
3629  secp256k1_scalar_add(&s, &s, &s1);
3630  CHECK(secp256k1_scalar_eq(&s, full));
3631 
3632  /* check that both are <= 128 bits in size */
3633  if (secp256k1_scalar_is_high(&s1)) {
3634  secp256k1_scalar_negate(&s1, &s1);
3635  }
3636  if (secp256k1_scalar_is_high(&slam)) {
3637  secp256k1_scalar_negate(&slam, &slam);
3638  }
3639 
3640  secp256k1_scalar_get_b32(tmp, &s1);
3641  CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
3642  secp256k1_scalar_get_b32(tmp, &slam);
3643  CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
3644 }
3645 
3646 
3647 void run_endomorphism_tests(void) {
3648  unsigned i;
3649  static secp256k1_scalar s;
3650  test_scalar_split(&secp256k1_scalar_zero);
3651  test_scalar_split(&secp256k1_scalar_one);
3652  secp256k1_scalar_negate(&s,&secp256k1_scalar_one);
3653  test_scalar_split(&s);
3654  test_scalar_split(&secp256k1_const_lambda);
3655  secp256k1_scalar_add(&s, &secp256k1_const_lambda, &secp256k1_scalar_one);
3656  test_scalar_split(&s);
3657 
3658  for (i = 0; i < 100U * count; ++i) {
3659  secp256k1_scalar full;
3660  random_scalar_order_test(&full);
3661  test_scalar_split(&full);
3662  }
3663  for (i = 0; i < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++i) {
3664  test_scalar_split(&scalars_near_split_bounds[i]);
3665  }
3666 }
3667 
3668 void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
3669  unsigned char pubkeyc[65];
3670  secp256k1_pubkey pubkey;
3671  secp256k1_ge ge;
3672  size_t pubkeyclen;
3673  int32_t ecount;
3674  ecount = 0;
3675  secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3676  for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
3677  /* Smaller sizes are tested exhaustively elsewhere. */
3678  int32_t i;
3679  memcpy(&pubkeyc[1], input, 64);
3680  VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
3681  for (i = 0; i < 256; i++) {
3682  /* Try all type bytes. */
3683  int xpass;
3684  int ypass;
3685  int ysign;
3686  pubkeyc[0] = i;
3687  /* What sign does this point have? */
3688  ysign = (input[63] & 1) + 2;
3689  /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
3690  xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
3691  /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
3692  ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
3693  ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
3694  if (xpass || ypass) {
3695  /* These cases must parse. */
3696  unsigned char pubkeyo[65];
3697  size_t outl;
3698  memset(&pubkey, 0, sizeof(pubkey));
3699  VG_UNDEF(&pubkey, sizeof(pubkey));
3700  ecount = 0;
3701  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
3702  VG_CHECK(&pubkey, sizeof(pubkey));
3703  outl = 65;
3704  VG_UNDEF(pubkeyo, 65);
3705  CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3706  VG_CHECK(pubkeyo, outl);
3707  CHECK(outl == 33);
3708  CHECK(secp256k1_memcmp_var(&pubkeyo[1], &pubkeyc[1], 32) == 0);
3709  CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
3710  if (ypass) {
3711  /* This test isn't always done because we decode with alternative signs, so the y won't match. */
3712  CHECK(pubkeyo[0] == ysign);
3713  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3714  memset(&pubkey, 0, sizeof(pubkey));
3715  VG_UNDEF(&pubkey, sizeof(pubkey));
3716  secp256k1_pubkey_save(&pubkey, &ge);
3717  VG_CHECK(&pubkey, sizeof(pubkey));
3718  outl = 65;
3719  VG_UNDEF(pubkeyo, 65);
3720  CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3721  VG_CHECK(pubkeyo, outl);
3722  CHECK(outl == 65);
3723  CHECK(pubkeyo[0] == 4);
3724  CHECK(secp256k1_memcmp_var(&pubkeyo[1], input, 64) == 0);
3725  }
3726  CHECK(ecount == 0);
3727  } else {
3728  /* These cases must fail to parse. */
3729  memset(&pubkey, 0xfe, sizeof(pubkey));
3730  ecount = 0;
3731  VG_UNDEF(&pubkey, sizeof(pubkey));
3732  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
3733  VG_CHECK(&pubkey, sizeof(pubkey));
3734  CHECK(ecount == 0);
3735  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3736  CHECK(ecount == 1);
3737  }
3738  }
3739  }
3740  secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3741 }
3742 
3743 void run_ec_pubkey_parse_test(void) {
3744 #define SECP256K1_EC_PARSE_TEST_NVALID (12)
3745  const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
3746  {
3747  /* Point with leading and trailing zeros in x and y serialization. */
3748  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
3749  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3750  0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
3751  0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
3752  },
3753  {
3754  /* Point with x equal to a 3rd root of unity.*/
3755  0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
3756  0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
3757  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3758  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3759  },
3760  {
3761  /* Point with largest x. (1/2) */
3762  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3763  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3764  0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
3765  0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
3766  },
3767  {
3768  /* Point with largest x. (2/2) */
3769  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3770  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3771  0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
3772  0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
3773  },
3774  {
3775  /* Point with smallest x. (1/2) */
3776  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3777  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3778  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3779  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3780  },
3781  {
3782  /* Point with smallest x. (2/2) */
3783  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3784  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3785  0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3786  0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3787  },
3788  {
3789  /* Point with largest y. (1/3) */
3790  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3791  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3792  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3793  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3794  },
3795  {
3796  /* Point with largest y. (2/3) */
3797  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3798  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3799  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3800  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3801  },
3802  {
3803  /* Point with largest y. (3/3) */
3804  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3805  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3806  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3807  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3808  },
3809  {
3810  /* Point with smallest y. (1/3) */
3811  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3812  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3813  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3814  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3815  },
3816  {
3817  /* Point with smallest y. (2/3) */
3818  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3819  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3820  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3821  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3822  },
3823  {
3824  /* Point with smallest y. (3/3) */
3825  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3826  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3827  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3828  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
3829  }
3830  };
3831 #define SECP256K1_EC_PARSE_TEST_NXVALID (4)
3832  const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
3833  {
3834  /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
3835  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3836  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3837  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3838  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3839  },
3840  {
3841  /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
3842  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3843  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3844  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3845  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3846  },
3847  {
3848  /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
3849  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3850  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3851  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3852  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3853  },
3854  {
3855  /* x on curve, y is from y^2 = x^3 + 8. */
3856  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3857  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3858  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3859  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
3860  }
3861  };
3862 #define SECP256K1_EC_PARSE_TEST_NINVALID (7)
3863  const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
3864  {
3865  /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
3866  0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
3867  0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
3868  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3869  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3870  },
3871  {
3872  /* Valid if x overflow ignored (x = 1 mod p). */
3873  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3874  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3875  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3876  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3877  },
3878  {
3879  /* Valid if x overflow ignored (x = 1 mod p). */
3880  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3881  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3882  0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3883  0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3884  },
3885  {
3886  /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3887  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3888  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3889  0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
3890  0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
3891  },
3892  {
3893  /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3894  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3895  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3896  0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
3897  0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
3898  },
3899  {
3900  /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3901  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3902  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3903  0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
3904  0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
3905  },
3906  {
3907  /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3908  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3909  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3910  0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
3911  0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
3912  }
3913  };
3914  const unsigned char pubkeyc[66] = {
3915  /* Serialization of G. */
3916  0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
3917  0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
3918  0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
3919  0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
3920  0xB8, 0x00
3921  };
3922  unsigned char sout[65];
3923  unsigned char shortkey[2];
3924  secp256k1_ge ge;
3925  secp256k1_pubkey pubkey;
3926  size_t len;
3927  int32_t i;
3928  int32_t ecount;
3929  int32_t ecount2;
3930  ecount = 0;
3931  /* Nothing should be reading this far into pubkeyc. */
3932  VG_UNDEF(&pubkeyc[65], 1);
3933  secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3934  /* Zero length claimed, fail, zeroize, no illegal arg error. */
3935  memset(&pubkey, 0xfe, sizeof(pubkey));
3936  ecount = 0;
3937  VG_UNDEF(shortkey, 2);
3938  VG_UNDEF(&pubkey, sizeof(pubkey));
3939  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
3940  VG_CHECK(&pubkey, sizeof(pubkey));
3941  CHECK(ecount == 0);
3942  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3943  CHECK(ecount == 1);
3944  /* Length one claimed, fail, zeroize, no illegal arg error. */
3945  for (i = 0; i < 256 ; i++) {
3946  memset(&pubkey, 0xfe, sizeof(pubkey));
3947  ecount = 0;
3948  shortkey[0] = i;
3949  VG_UNDEF(&shortkey[1], 1);
3950  VG_UNDEF(&pubkey, sizeof(pubkey));
3951  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
3952  VG_CHECK(&pubkey, sizeof(pubkey));
3953  CHECK(ecount == 0);
3954  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3955  CHECK(ecount == 1);
3956  }
3957  /* Length two claimed, fail, zeroize, no illegal arg error. */
3958  for (i = 0; i < 65536 ; i++) {
3959  memset(&pubkey, 0xfe, sizeof(pubkey));
3960  ecount = 0;
3961  shortkey[0] = i & 255;
3962  shortkey[1] = i >> 8;
3963  VG_UNDEF(&pubkey, sizeof(pubkey));
3964  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
3965  VG_CHECK(&pubkey, sizeof(pubkey));
3966  CHECK(ecount == 0);
3967  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3968  CHECK(ecount == 1);
3969  }
3970  memset(&pubkey, 0xfe, sizeof(pubkey));
3971  ecount = 0;
3972  VG_UNDEF(&pubkey, sizeof(pubkey));
3973  /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
3974  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
3975  VG_CHECK(&pubkey, sizeof(pubkey));
3976  CHECK(ecount == 0);
3977  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3978  CHECK(ecount == 1);
3979  /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
3980  CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
3981  CHECK(ecount == 2);
3982  /* NULL input string. Illegal arg and zeroize output. */
3983  memset(&pubkey, 0xfe, sizeof(pubkey));
3984  ecount = 0;
3985  VG_UNDEF(&pubkey, sizeof(pubkey));
3986  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
3987  VG_CHECK(&pubkey, sizeof(pubkey));
3988  CHECK(ecount == 1);
3989  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3990  CHECK(ecount == 2);
3991  /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
3992  memset(&pubkey, 0xfe, sizeof(pubkey));
3993  ecount = 0;
3994  VG_UNDEF(&pubkey, sizeof(pubkey));
3995  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
3996  VG_CHECK(&pubkey, sizeof(pubkey));
3997  CHECK(ecount == 0);
3998  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3999  CHECK(ecount == 1);
4000  /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
4001  memset(&pubkey, 0xfe, sizeof(pubkey));
4002  ecount = 0;
4003  VG_UNDEF(&pubkey, sizeof(pubkey));
4004  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
4005  VG_CHECK(&pubkey, sizeof(pubkey));
4006  CHECK(ecount == 0);
4007  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4008  CHECK(ecount == 1);
4009  /* Valid parse. */
4010  memset(&pubkey, 0, sizeof(pubkey));
4011  ecount = 0;
4012  VG_UNDEF(&pubkey, sizeof(pubkey));
4013  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
4014  CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_no_precomp, &pubkey, pubkeyc, 65) == 1);
4015  VG_CHECK(&pubkey, sizeof(pubkey));
4016  CHECK(ecount == 0);
4017  VG_UNDEF(&ge, sizeof(ge));
4018  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
4019  VG_CHECK(&ge.x, sizeof(ge.x));
4020  VG_CHECK(&ge.y, sizeof(ge.y));
4021  VG_CHECK(&ge.infinity, sizeof(ge.infinity));
4022  ge_equals_ge(&secp256k1_ge_const_g, &ge);
4023  CHECK(ecount == 0);
4024  /* secp256k1_ec_pubkey_serialize illegal args. */
4025  ecount = 0;
4026  len = 65;
4027  CHECK(secp256k1_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
4028  CHECK(ecount == 1);
4029  CHECK(len == 0);
4030  CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
4031  CHECK(ecount == 2);
4032  len = 65;
4033  VG_UNDEF(sout, 65);
4034  CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0);
4035  VG_CHECK(sout, 65);
4036  CHECK(ecount == 3);
4037  CHECK(len == 0);
4038  len = 65;
4039  CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
4040  CHECK(ecount == 4);
4041  CHECK(len == 0);
4042  len = 65;
4043  VG_UNDEF(sout, 65);
4044  CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
4045  VG_CHECK(sout, 65);
4046  CHECK(ecount == 4);
4047  CHECK(len == 65);
4048  /* Multiple illegal args. Should still set arg error only once. */
4049  ecount = 0;
4050  ecount2 = 11;
4051  CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
4052  CHECK(ecount == 1);
4053  /* Does the illegal arg callback actually change the behavior? */
4054  secp256k1_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2);
4055  CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
4056  CHECK(ecount == 1);
4057  CHECK(ecount2 == 10);
4058  secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4059  /* Try a bunch of prefabbed points with all possible encodings. */
4060  for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
4061  ec_pubkey_parse_pointtest(valid[i], 1, 1);
4062  }
4063  for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
4064  ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
4065  }
4066  for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
4067  ec_pubkey_parse_pointtest(invalid[i], 0, 0);
4068  }
4069 }
4070 
4071 void run_eckey_edge_case_test(void) {
4072  const unsigned char orderc[32] = {
4073  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4074  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4075  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4076  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
4077  };
4078  const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
4079  unsigned char ctmp[33];
4080  unsigned char ctmp2[33];
4081  secp256k1_pubkey pubkey;
4082  secp256k1_pubkey pubkey2;
4083  secp256k1_pubkey pubkey_one;
4084  secp256k1_pubkey pubkey_negone;
4085  const secp256k1_pubkey *pubkeys[3];
4086  size_t len;
4087  int32_t ecount;
4088  /* Group order is too large, reject. */
4089  CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0);
4090  VG_UNDEF(&pubkey, sizeof(pubkey));
4091  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0);
4092  VG_CHECK(&pubkey, sizeof(pubkey));
4093  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4094  /* Maximum value is too large, reject. */
4095  memset(ctmp, 255, 32);
4096  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
4097  memset(&pubkey, 1, sizeof(pubkey));
4098  VG_UNDEF(&pubkey, sizeof(pubkey));
4099  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
4100  VG_CHECK(&pubkey, sizeof(pubkey));
4101  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4102  /* Zero is too small, reject. */
4103  memset(ctmp, 0, 32);
4104  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
4105  memset(&pubkey, 1, sizeof(pubkey));
4106  VG_UNDEF(&pubkey, sizeof(pubkey));
4107  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
4108  VG_CHECK(&pubkey, sizeof(pubkey));
4109  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4110  /* One must be accepted. */
4111  ctmp[31] = 0x01;
4112  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
4113  memset(&pubkey, 0, sizeof(pubkey));
4114  VG_UNDEF(&pubkey, sizeof(pubkey));
4115  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
4116  VG_CHECK(&pubkey, sizeof(pubkey));
4117  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4118  pubkey_one = pubkey;
4119  /* Group order + 1 is too large, reject. */
4120  memcpy(ctmp, orderc, 32);
4121  ctmp[31] = 0x42;
4122  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
4123  memset(&pubkey, 1, sizeof(pubkey));
4124  VG_UNDEF(&pubkey, sizeof(pubkey));
4125  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
4126  VG_CHECK(&pubkey, sizeof(pubkey));
4127  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4128  /* -1 must be accepted. */
4129  ctmp[31] = 0x40;
4130  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
4131  memset(&pubkey, 0, sizeof(pubkey));
4132  VG_UNDEF(&pubkey, sizeof(pubkey));
4133  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
4134  VG_CHECK(&pubkey, sizeof(pubkey));
4135  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4136  pubkey_negone = pubkey;
4137  /* Tweak of zero leaves the value unchanged. */
4138  memset(ctmp2, 0, 32);
4139  CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 1);
4140  CHECK(secp256k1_memcmp_var(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
4141  memcpy(&pubkey2, &pubkey, sizeof(pubkey));
4142  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
4143  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4144  /* Multiply tweak of zero zeroizes the output. */
4145  CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0);
4146  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4147  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
4148  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4149  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4150  /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
4151  seckey, the seckey is zeroized. */
4152  memcpy(ctmp, orderc, 32);
4153  memset(ctmp2, 0, 32);
4154  ctmp2[31] = 0x01;
4155  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp2) == 1);
4156  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
4157  CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 0);
4158  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4159  memcpy(ctmp, orderc, 32);
4160  CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0);
4161  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4162  /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
4163  tweak, the seckey is zeroized. */
4164  memcpy(ctmp, orderc, 32);
4165  ctmp[31] = 0x40;
4166  CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, orderc) == 0);
4167  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4168  memcpy(ctmp, orderc, 32);
4169  ctmp[31] = 0x40;
4170  CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, orderc) == 0);
4171  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4172  memcpy(ctmp, orderc, 32);
4173  ctmp[31] = 0x40;
4174  /* If pubkey_tweak_add or pubkey_tweak_mul are called with an overflowing
4175  tweak, the pubkey is zeroized. */
4176  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
4177  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4178  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4179  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
4180  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4181  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4182  /* If the resulting key in secp256k1_ec_seckey_tweak_add and
4183  * secp256k1_ec_pubkey_tweak_add is 0 the functions fail and in the latter
4184  * case the pubkey is zeroized. */
4185  memcpy(ctmp, orderc, 32);
4186  ctmp[31] = 0x40;
4187  memset(ctmp2, 0, 32);
4188  ctmp2[31] = 1;
4189  CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 0);
4190  CHECK(secp256k1_memcmp_var(zeros, ctmp2, 32) == 0);
4191  ctmp2[31] = 1;
4192  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
4193  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4194  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4195  /* Tweak computation wraps and results in a key of 1. */
4196  ctmp2[31] = 2;
4197  CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 1);
4198  CHECK(secp256k1_memcmp_var(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
4199  ctmp2[31] = 2;
4200  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
4201  ctmp2[31] = 1;
4202  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
4203  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4204  /* Tweak mul * 2 = 1+1. */
4205  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
4206  ctmp2[31] = 2;
4207  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
4208  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4209  /* Test argument errors. */
4210  ecount = 0;
4211  secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
4212  CHECK(ecount == 0);
4213  /* Zeroize pubkey on parse error. */
4214  memset(&pubkey, 0, 32);
4215  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
4216  CHECK(ecount == 1);
4217  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4218  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4219  memset(&pubkey2, 0, 32);
4220  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
4221  CHECK(ecount == 2);
4222  CHECK(secp256k1_memcmp_var(&pubkey2, zeros, sizeof(pubkey2)) == 0);
4223  /* Plain argument errors. */
4224  ecount = 0;
4225  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
4226  CHECK(ecount == 0);
4227  CHECK(secp256k1_ec_seckey_verify(ctx, NULL) == 0);
4228  CHECK(ecount == 1);
4229  ecount = 0;
4230  memset(ctmp2, 0, 32);
4231  ctmp2[31] = 4;
4232  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
4233  CHECK(ecount == 1);
4234  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
4235  CHECK(ecount == 2);
4236  ecount = 0;
4237  memset(ctmp2, 0, 32);
4238  ctmp2[31] = 4;
4239  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
4240  CHECK(ecount == 1);
4241  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
4242  CHECK(ecount == 2);
4243  ecount = 0;
4244  memset(ctmp2, 0, 32);
4245  CHECK(secp256k1_ec_seckey_tweak_add(ctx, NULL, ctmp2) == 0);
4246  CHECK(ecount == 1);
4247  CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, NULL) == 0);
4248  CHECK(ecount == 2);
4249  ecount = 0;
4250  memset(ctmp2, 0, 32);
4251  ctmp2[31] = 1;
4252  CHECK(secp256k1_ec_seckey_tweak_mul(ctx, NULL, ctmp2) == 0);
4253  CHECK(ecount == 1);
4254  CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, NULL) == 0);
4255  CHECK(ecount == 2);
4256  ecount = 0;
4257  CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0);
4258  CHECK(ecount == 1);
4259  memset(&pubkey, 1, sizeof(pubkey));
4260  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
4261  CHECK(ecount == 2);
4262  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4263  /* secp256k1_ec_pubkey_combine tests. */
4264  ecount = 0;
4265  pubkeys[0] = &pubkey_one;
4266  VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *));
4267  VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *));
4268  VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *));
4269  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4270  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4271  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
4272  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4273  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4274  CHECK(ecount == 1);
4275  CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
4276  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4277  CHECK(ecount == 2);
4278  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4279  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4280  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
4281  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4282  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4283  CHECK(ecount == 3);
4284  pubkeys[0] = &pubkey_negone;
4285  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4286  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4287  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
4288  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4289  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4290  CHECK(ecount == 3);
4291  len = 33;
4292  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
4293  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
4294  CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
4295  /* Result is infinity. */
4296  pubkeys[0] = &pubkey_one;
4297  pubkeys[1] = &pubkey_negone;
4298  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4299  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4300  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
4301  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4302  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4303  CHECK(ecount == 3);
4304  /* Passes through infinity but comes out one. */
4305  pubkeys[2] = &pubkey_one;
4306  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4307  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4308  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
4309  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4310  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4311  CHECK(ecount == 3);
4312  len = 33;
4313  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
4314  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
4315  CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
4316  /* Adds to two. */
4317  pubkeys[1] = &pubkey_one;
4318  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4319  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4320  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1);
4321  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4322  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4323  CHECK(ecount == 3);
4324  secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4325 }
4326 
4327 void run_eckey_negate_test(void) {
4328  unsigned char seckey[32];
4329  unsigned char seckey_tmp[32];
4330 
4331  random_scalar_order_b32(seckey);
4332  memcpy(seckey_tmp, seckey, 32);
4333 
4334  /* Verify negation changes the key and changes it back */
4335  CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
4336  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) != 0);
4337  CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
4338  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
4339 
4340  /* Check that privkey alias gives same result */
4341  CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
4342  CHECK(secp256k1_ec_privkey_negate(ctx, seckey_tmp) == 1);
4343  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
4344 
4345  /* Negating all 0s fails */
4346  memset(seckey, 0, 32);
4347  memset(seckey_tmp, 0, 32);
4348  CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 0);
4349  /* Check that seckey is not modified */
4350  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
4351 
4352  /* Negating an overflowing seckey fails and the seckey is zeroed. In this
4353  * test, the seckey has 16 random bytes to ensure that ec_seckey_negate
4354  * doesn't just set seckey to a constant value in case of failure. */
4355  random_scalar_order_b32(seckey);
4356  memset(seckey, 0xFF, 16);
4357  memset(seckey_tmp, 0, 32);
4358  CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 0);
4359  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
4360 }
4361 
4362 void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
4363  secp256k1_scalar nonce;
4364  do {
4365  random_scalar_order_test(&nonce);
4366  } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
4367 }
4368 
4369 void test_ecdsa_sign_verify(void) {
4370  secp256k1_gej pubj;
4371  secp256k1_ge pub;
4372  secp256k1_scalar one;
4373  secp256k1_scalar msg, key;
4374  secp256k1_scalar sigr, sigs;
4375  int recid;
4376  int getrec;
4377  random_scalar_order_test(&msg);
4378  random_scalar_order_test(&key);
4379  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
4380  secp256k1_ge_set_gej(&pub, &pubj);
4381  getrec = secp256k1_testrand_bits(1);
4382  random_sign(&sigr, &sigs, &key, &msg, getrec?&recid:NULL);
4383  if (getrec) {
4384  CHECK(recid >= 0 && recid < 4);
4385  }
4386  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
4387  secp256k1_scalar_set_int(&one, 1);
4388  secp256k1_scalar_add(&msg, &msg, &one);
4389  CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
4390 }
4391 
4392 void run_ecdsa_sign_verify(void) {
4393  int i;
4394  for (i = 0; i < 10*count; i++) {
4395  test_ecdsa_sign_verify();
4396  }
4397 }
4398 
4400 static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4401  (void)msg32;
4402  (void)key32;
4403  (void)algo16;
4404  memcpy(nonce32, data, 32);
4405  return (counter == 0);
4406 }
4407 
4408 static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4409  /* Dummy nonce generator that has a fatal error on the first counter value. */
4410  if (counter == 0) {
4411  return 0;
4412  }
4413  return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
4414 }
4415 
4416 static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4417  /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
4418  if (counter < 3) {
4419  memset(nonce32, counter==0 ? 0 : 255, 32);
4420  if (counter == 2) {
4421  nonce32[31]--;
4422  }
4423  return 1;
4424  }
4425  if (counter < 5) {
4426  static const unsigned char order[] = {
4427  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4428  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4429  0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4430  0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
4431  };
4432  memcpy(nonce32, order, 32);
4433  if (counter == 4) {
4434  nonce32[31]++;
4435  }
4436  return 1;
4437  }
4438  /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
4439  /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
4440  if (counter > 5) {
4441  return 0;
4442  }
4443  return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
4444 }
4445 
4446 int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
4447  static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
4448  return secp256k1_memcmp_var(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
4449 }
4450 
4451 void test_ecdsa_end_to_end(void) {
4452  unsigned char extra[32] = {0x00};
4453  unsigned char privkey[32];
4454  unsigned char message[32];
4455  unsigned char privkey2[32];
4456  secp256k1_ecdsa_signature signature[6];
4457  secp256k1_scalar r, s;
4458  unsigned char sig[74];
4459  size_t siglen = 74;
4460  unsigned char pubkeyc[65];
4461  size_t pubkeyclen = 65;
4462  secp256k1_pubkey pubkey;
4463  secp256k1_pubkey pubkey_tmp;
4464  unsigned char seckey[300];
4465  size_t seckeylen = 300;
4466 
4467  /* Generate a random key and message. */
4468  {
4469  secp256k1_scalar msg, key;
4470  random_scalar_order_test(&msg);
4471  random_scalar_order_test(&key);
4472  secp256k1_scalar_get_b32(privkey, &key);
4473  secp256k1_scalar_get_b32(message, &msg);
4474  }
4475 
4476  /* Construct and verify corresponding public key. */
4477  CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
4478  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
4479 
4480  /* Verify exporting and importing public key. */
4481  CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, secp256k1_testrand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
4482  memset(&pubkey, 0, sizeof(pubkey));
4483  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
4484 
4485  /* Verify negation changes the key and changes it back */
4486  memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
4487  CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4488  CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
4489  CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4490  CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
4491 
4492  /* Verify private key import and export. */
4493  CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, secp256k1_testrand_bits(1) == 1));
4494  CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1);
4495  CHECK(secp256k1_memcmp_var(privkey, privkey2, 32) == 0);
4496 
4497  /* Optionally tweak the keys using addition. */
4498  if (secp256k1_testrand_int(3) == 0) {
4499  int ret1;
4500  int ret2;
4501  int ret3;
4502  unsigned char rnd[32];
4503  unsigned char privkey_tmp[32];
4504  secp256k1_pubkey pubkey2;
4505  secp256k1_testrand256_test(rnd);
4506  memcpy(privkey_tmp, privkey, 32);
4507  ret1 = secp256k1_ec_seckey_tweak_add(ctx, privkey, rnd);
4508  ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd);
4509  /* Check that privkey alias gives same result */
4510  ret3 = secp256k1_ec_privkey_tweak_add(ctx, privkey_tmp, rnd);
4511  CHECK(ret1 == ret2);
4512  CHECK(ret2 == ret3);
4513  if (ret1 == 0) {
4514  return;
4515  }
4516  CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
4517  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4518  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4519  }
4520 
4521  /* Optionally tweak the keys using multiplication. */
4522  if (secp256k1_testrand_int(3) == 0) {
4523  int ret1;
4524  int ret2;
4525  int ret3;
4526  unsigned char rnd[32];
4527  unsigned char privkey_tmp[32];
4528  secp256k1_pubkey pubkey2;
4529  secp256k1_testrand256_test(rnd);
4530  memcpy(privkey_tmp, privkey, 32);
4531  ret1 = secp256k1_ec_seckey_tweak_mul(ctx, privkey, rnd);
4532  ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd);
4533  /* Check that privkey alias gives same result */
4534  ret3 = secp256k1_ec_privkey_tweak_mul(ctx, privkey_tmp, rnd);
4535  CHECK(ret1 == ret2);
4536  CHECK(ret2 == ret3);
4537  if (ret1 == 0) {
4538  return;
4539  }
4540  CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
4541  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4542  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4543  }
4544 
4545  /* Sign. */
4546  CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
4547  CHECK(secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1);
4548  CHECK(secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1);
4549  extra[31] = 1;
4550  CHECK(secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1);
4551  extra[31] = 0;
4552  extra[0] = 1;
4553  CHECK(secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1);
4554  CHECK(secp256k1_memcmp_var(&signature[0], &signature[4], sizeof(signature[0])) == 0);
4555  CHECK(secp256k1_memcmp_var(&signature[0], &signature[1], sizeof(signature[0])) != 0);
4556  CHECK(secp256k1_memcmp_var(&signature[0], &signature[2], sizeof(signature[0])) != 0);
4557  CHECK(secp256k1_memcmp_var(&signature[0], &signature[3], sizeof(signature[0])) != 0);
4558  CHECK(secp256k1_memcmp_var(&signature[1], &signature[2], sizeof(signature[0])) != 0);
4559  CHECK(secp256k1_memcmp_var(&signature[1], &signature[3], sizeof(signature[0])) != 0);
4560  CHECK(secp256k1_memcmp_var(&signature[2], &signature[3], sizeof(signature[0])) != 0);
4561  /* Verify. */
4562  CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4563  CHECK(secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1);
4564  CHECK(secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1);
4565  CHECK(secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1);
4566  /* Test lower-S form, malleate, verify and fail, test again, malleate again */
4567  CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[0]));
4568  secp256k1_ecdsa_signature_load(ctx, &r, &s, &signature[0]);
4569  secp256k1_scalar_negate(&s, &s);
4570  secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4571  CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0);
4572  CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4573  CHECK(secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4574  CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4575  CHECK(!secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4576  CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4577  secp256k1_scalar_negate(&s, &s);
4578  secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4579  CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4580  CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4581  CHECK(secp256k1_memcmp_var(&signature[5], &signature[0], 64) == 0);
4582 
4583  /* Serialize/parse DER and verify again */
4584  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4585  memset(&signature[0], 0, sizeof(signature[0]));
4586  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1);
4587  CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4588  /* Serialize/destroy/parse DER and verify again. */
4589  siglen = 74;
4590  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4591  sig[secp256k1_testrand_int(siglen)] += 1 + secp256k1_testrand_int(255);
4592  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 ||
4593  secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0);
4594 }
4595 
4596 void test_random_pubkeys(void) {
4597  secp256k1_ge elem;
4598  secp256k1_ge elem2;
4599  unsigned char in[65];
4600  /* Generate some randomly sized pubkeys. */
4601  size_t len = secp256k1_testrand_bits(2) == 0 ? 65 : 33;
4602  if (secp256k1_testrand_bits(2) == 0) {
4603  len = secp256k1_testrand_bits(6);
4604  }
4605  if (len == 65) {
4606  in[0] = secp256k1_testrand_bits(1) ? 4 : (secp256k1_testrand_bits(1) ? 6 : 7);
4607  } else {
4608  in[0] = secp256k1_testrand_bits(1) ? 2 : 3;
4609  }
4610  if (secp256k1_testrand_bits(3) == 0) {
4611  in[0] = secp256k1_testrand_bits(8);
4612  }
4613  if (len > 1) {
4614  secp256k1_testrand256(&in[1]);
4615  }
4616  if (len > 33) {
4617  secp256k1_testrand256(&in[33]);
4618  }
4619  if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
4620  unsigned char out[65];
4621  unsigned char firstb;
4622  int res;
4623  size_t size = len;
4624  firstb = in[0];
4625  /* If the pubkey can be parsed, it should round-trip... */
4626  CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
4627  CHECK(size == len);
4628  CHECK(secp256k1_memcmp_var(&in[1], &out[1], len-1) == 0);
4629  /* ... except for the type of hybrid inputs. */
4630  if ((in[0] != 6) && (in[0] != 7)) {
4631  CHECK(in[0] == out[0]);
4632  }
4633  size = 65;
4634  CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
4635  CHECK(size == 65);
4636  CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
4637  ge_equals_ge(&elem,&elem2);
4638  /* Check that the X9.62 hybrid type is checked. */
4639  in[0] = secp256k1_testrand_bits(1) ? 6 : 7;
4640  res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
4641  if (firstb == 2 || firstb == 3) {
4642  if (in[0] == firstb + 4) {
4643  CHECK(res);
4644  } else {
4645  CHECK(!res);
4646  }
4647  }
4648  if (res) {
4649  ge_equals_ge(&elem,&elem2);
4650  CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
4651  CHECK(secp256k1_memcmp_var(&in[1], &out[1], 64) == 0);
4652  }
4653  }
4654 }
4655 
4656 void run_random_pubkeys(void) {
4657  int i;
4658  for (i = 0; i < 10*count; i++) {
4659  test_random_pubkeys();
4660  }
4661 }
4662 
4663 void run_ecdsa_end_to_end(void) {
4664  int i;
4665  for (i = 0; i < 64*count; i++) {
4666  test_ecdsa_end_to_end();
4667  }
4668 }
4669 
4670 int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
4671  static const unsigned char zeroes[32] = {0};
4672 #ifdef ENABLE_OPENSSL_TESTS
4673  static const unsigned char max_scalar[32] = {
4674  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4675  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4676  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4677  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40
4678  };
4679 #endif
4680 
4681  int ret = 0;
4682 
4683  secp256k1_ecdsa_signature sig_der;
4684  unsigned char roundtrip_der[2048];
4685  unsigned char compact_der[64];
4686  size_t len_der = 2048;
4687  int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
4688 
4689  secp256k1_ecdsa_signature sig_der_lax;
4690  unsigned char roundtrip_der_lax[2048];
4691  unsigned char compact_der_lax[64];
4692  size_t len_der_lax = 2048;
4693  int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
4694 
4695 #ifdef ENABLE_OPENSSL_TESTS
4696  ECDSA_SIG *sig_openssl;
4697  const BIGNUM *r = NULL, *s = NULL;
4698  const unsigned char *sigptr;
4699  unsigned char roundtrip_openssl[2048];
4700  int len_openssl = 2048;
4701  int parsed_openssl, valid_openssl = 0, roundtrips_openssl = 0;
4702 #endif
4703 
4704  parsed_der = secp256k1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen);
4705  if (parsed_der) {
4706  ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0;
4707  valid_der = (secp256k1_memcmp_var(compact_der, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der + 32, zeroes, 32) != 0);
4708  }
4709  if (valid_der) {
4710  ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1;
4711  roundtrips_der = (len_der == siglen) && secp256k1_memcmp_var(roundtrip_der, sig, siglen) == 0;
4712  }
4713 
4714  parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen);
4715  if (parsed_der_lax) {
4716  ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10;
4717  valid_der_lax = (secp256k1_memcmp_var(compact_der_lax, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der_lax + 32, zeroes, 32) != 0);
4718  }
4719  if (valid_der_lax) {
4720  ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
4721  roundtrips_der_lax = (len_der_lax == siglen) && secp256k1_memcmp_var(roundtrip_der_lax, sig, siglen) == 0;
4722  }
4723 
4724  if (certainly_der) {
4725  ret |= (!parsed_der) << 2;
4726  }
4727  if (certainly_not_der) {
4728  ret |= (parsed_der) << 17;
4729  }
4730  if (valid_der) {
4731  ret |= (!roundtrips_der) << 3;
4732  }
4733 
4734  if (valid_der) {
4735  ret |= (!roundtrips_der_lax) << 12;
4736  ret |= (len_der != len_der_lax) << 13;
4737  ret |= ((len_der != len_der_lax) || (secp256k1_memcmp_var(roundtrip_der_lax, roundtrip_der, len_der) != 0)) << 14;
4738  }
4739  ret |= (roundtrips_der != roundtrips_der_lax) << 15;
4740  if (parsed_der) {
4741  ret |= (!parsed_der_lax) << 16;
4742  }
4743 
4744 #ifdef ENABLE_OPENSSL_TESTS
4745  sig_openssl = ECDSA_SIG_new();
4746  sigptr = sig;
4747  parsed_openssl = (d2i_ECDSA_SIG(&sig_openssl, &sigptr, siglen) != NULL);
4748  if (parsed_openssl) {
4749  ECDSA_SIG_get0(sig_openssl, &r, &s);
4750  valid_openssl = !BN_is_negative(r) && !BN_is_negative(s) && BN_num_bits(r) > 0 && BN_num_bits(r) <= 256 && BN_num_bits(s) > 0 && BN_num_bits(s) <= 256;
4751  if (valid_openssl) {
4752  unsigned char tmp[32] = {0};
4753  BN_bn2bin(r, tmp + 32 - BN_num_bytes(r));
4754  valid_openssl = secp256k1_memcmp_var(tmp, max_scalar, 32) < 0;
4755  }
4756  if (valid_openssl) {
4757  unsigned char tmp[32] = {0};
4758  BN_bn2bin(s, tmp + 32 - BN_num_bytes(s));
4759  valid_openssl = secp256k1_memcmp_var(tmp, max_scalar, 32) < 0;
4760  }
4761  }
4762  len_openssl = i2d_ECDSA_SIG(sig_openssl, NULL);
4763  if (len_openssl <= 2048) {
4764  unsigned char *ptr = roundtrip_openssl;
4765  CHECK(i2d_ECDSA_SIG(sig_openssl, &ptr) == len_openssl);
4766  roundtrips_openssl = valid_openssl && ((size_t)len_openssl == siglen) && (secp256k1_memcmp_var(roundtrip_openssl, sig, siglen) == 0);
4767  } else {
4768  len_openssl = 0;
4769  }
4770  ECDSA_SIG_free(sig_openssl);
4771 
4772  ret |= (parsed_der && !parsed_openssl) << 4;
4773  ret |= (valid_der && !valid_openssl) << 5;
4774  ret |= (roundtrips_openssl && !parsed_der) << 6;
4775  ret |= (roundtrips_der != roundtrips_openssl) << 7;
4776  if (roundtrips_openssl) {
4777  ret |= (len_der != (size_t)len_openssl) << 8;
4778  ret |= ((len_der != (size_t)len_openssl) || (secp256k1_memcmp_var(roundtrip_der, roundtrip_openssl, len_der) != 0)) << 9;
4779  }
4780 #endif
4781  return ret;
4782 }
4783 
4784 static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
4785  size_t i;
4786  for (i = 0; i < ptrlen; i++) {
4787  int shift = ptrlen - 1 - i;
4788  if (shift >= 4) {
4789  ptr[i] = 0;
4790  } else {
4791  ptr[i] = (val >> shift) & 0xFF;
4792  }
4793  }
4794 }
4795 
4796 static void damage_array(unsigned char *sig, size_t *len) {
4797  int pos;
4798  int action = secp256k1_testrand_bits(3);
4799  if (action < 1 && *len > 3) {
4800  /* Delete a byte. */
4801  pos = secp256k1_testrand_int(*len);
4802  memmove(sig + pos, sig + pos + 1, *len - pos - 1);
4803  (*len)--;
4804  return;
4805  } else if (action < 2 && *len < 2048) {
4806  /* Insert a byte. */
4807  pos = secp256k1_testrand_int(1 + *len);
4808  memmove(sig + pos + 1, sig + pos, *len - pos);
4809  sig[pos] = secp256k1_testrand_bits(8);
4810  (*len)++;
4811  return;
4812  } else if (action < 4) {
4813  /* Modify a byte. */
4814  sig[secp256k1_testrand_int(*len)] += 1 + secp256k1_testrand_int(255);
4815  return;
4816  } else { /* action < 8 */
4817  /* Modify a bit. */
4818  sig[secp256k1_testrand_int(*len)] ^= 1 << secp256k1_testrand_bits(3);
4819  return;
4820  }
4821 }
4822 
4823 static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
4824  int der;
4825  int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
4826  size_t tlen, elen, glen;
4827  int indet;
4828  int n;
4829 
4830  *len = 0;
4831  der = secp256k1_testrand_bits(2) == 0;
4832  *certainly_der = der;
4833  *certainly_not_der = 0;
4834  indet = der ? 0 : secp256k1_testrand_int(10) == 0;
4835 
4836  for (n = 0; n < 2; n++) {
4837  /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
4838  nlow[n] = der ? 1 : (secp256k1_testrand_bits(3) != 0);
4839  /* The length of the number in bytes (the first byte of which will always be nonzero) */
4840  nlen[n] = nlow[n] ? secp256k1_testrand_int(33) : 32 + secp256k1_testrand_int(200) * secp256k1_testrand_int(8) / 8;
4841  CHECK(nlen[n] <= 232);
4842  /* The top bit of the number. */
4843  nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_testrand_bits(1));
4844  /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
4845  nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_testrand_bits(7) : 1 + secp256k1_testrand_int(127));
4846  /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
4847  nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_testrand_int(3) : secp256k1_testrand_int(300 - nlen[n]) * secp256k1_testrand_int(8) / 8);
4848  if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
4849  *certainly_not_der = 1;
4850  }
4851  CHECK(nlen[n] + nzlen[n] <= 300);
4852  /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
4853  nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
4854  if (!der) {
4855  /* nlenlen[n] max 127 bytes */
4856  int add = secp256k1_testrand_int(127 - nlenlen[n]) * secp256k1_testrand_int(16) * secp256k1_testrand_int(16) / 256;
4857  nlenlen[n] += add;
4858  if (add != 0) {
4859  *certainly_not_der = 1;
4860  }
4861  }
4862  CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
4863  }
4864 
4865  /* The total length of the data to go, so far */
4866  tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
4867  CHECK(tlen <= 856);
4868 
4869  /* The length of the garbage inside the tuple. */
4870  elen = (der || indet) ? 0 : secp256k1_testrand_int(980 - tlen) * secp256k1_testrand_int(8) / 8;
4871  if (elen != 0) {
4872  *certainly_not_der = 1;
4873  }
4874  tlen += elen;
4875  CHECK(tlen <= 980);
4876 
4877  /* The length of the garbage after the end of the tuple. */
4878  glen = der ? 0 : secp256k1_testrand_int(990 - tlen) * secp256k1_testrand_int(8) / 8;
4879  if (glen != 0) {
4880  *certainly_not_der = 1;
4881  }
4882  CHECK(tlen + glen <= 990);
4883 
4884  /* Write the tuple header. */
4885  sig[(*len)++] = 0x30;
4886  if (indet) {
4887  /* Indeterminate length */
4888  sig[(*len)++] = 0x80;
4889  *certainly_not_der = 1;
4890  } else {
4891  int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
4892  if (!der) {
4893  int add = secp256k1_testrand_int(127 - tlenlen) * secp256k1_testrand_int(16) * secp256k1_testrand_int(16) / 256;
4894  tlenlen += add;
4895  if (add != 0) {
4896  *certainly_not_der = 1;
4897  }
4898  }
4899  if (tlenlen == 0) {
4900  /* Short length notation */
4901  sig[(*len)++] = tlen;
4902  } else {
4903  /* Long length notation */
4904  sig[(*len)++] = 128 + tlenlen;
4905  assign_big_endian(sig + *len, tlenlen, tlen);
4906  *len += tlenlen;
4907  }
4908  tlen += tlenlen;
4909  }
4910  tlen += 2;
4911  CHECK(tlen + glen <= 1119);
4912 
4913  for (n = 0; n < 2; n++) {
4914  /* Write the integer header. */
4915  sig[(*len)++] = 0x02;
4916  if (nlenlen[n] == 0) {
4917  /* Short length notation */
4918  sig[(*len)++] = nlen[n] + nzlen[n];
4919  } else {
4920  /* Long length notation. */
4921  sig[(*len)++] = 128 + nlenlen[n];
4922  assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
4923  *len += nlenlen[n];
4924  }
4925  /* Write zero padding */
4926  while (nzlen[n] > 0) {
4927  sig[(*len)++] = 0x00;
4928  nzlen[n]--;
4929  }
4930  if (nlen[n] == 32 && !nlow[n]) {
4931  /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
4932  int i;
4933  for (i = 0; i < 16; i++) {
4934  sig[(*len)++] = 0xFF;
4935  }
4936  nlen[n] -= 16;
4937  }
4938  /* Write first byte of number */
4939  if (nlen[n] > 0) {
4940  sig[(*len)++] = nhbyte[n];
4941  nlen[n]--;
4942  }
4943  /* Generate remaining random bytes of number */
4944  secp256k1_testrand_bytes_test(sig + *len, nlen[n]);
4945  *len += nlen[n];
4946  nlen[n] = 0;
4947  }
4948 
4949  /* Generate random garbage inside tuple. */
4950  secp256k1_testrand_bytes_test(sig + *len, elen);
4951  *len += elen;
4952 
4953  /* Generate end-of-contents bytes. */
4954  if (indet) {
4955  sig[(*len)++] = 0;
4956  sig[(*len)++] = 0;
4957  tlen += 2;
4958  }
4959  CHECK(tlen + glen <= 1121);
4960 
4961  /* Generate random garbage outside tuple. */
4962  secp256k1_testrand_bytes_test(sig + *len, glen);
4963  *len += glen;
4964  tlen += glen;
4965  CHECK(tlen <= 1121);
4966  CHECK(tlen == *len);
4967 }
4968 
4969 void run_ecdsa_der_parse(void) {
4970  int i,j;
4971  for (i = 0; i < 200 * count; i++) {
4972  unsigned char buffer[2048];
4973  size_t buflen = 0;
4974  int certainly_der = 0;
4975  int certainly_not_der = 0;
4976  random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
4977  CHECK(buflen <= 2048);
4978  for (j = 0; j < 16; j++) {
4979  int ret = 0;
4980  if (j > 0) {
4981  damage_array(buffer, &buflen);
4982  /* We don't know anything anymore about the DERness of the result */
4983  certainly_der = 0;
4984  certainly_not_der = 0;
4985  }
4986  ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
4987  if (ret != 0) {
4988  size_t k;
4989  fprintf(stderr, "Failure %x on ", ret);
4990  for (k = 0; k < buflen; k++) {
4991  fprintf(stderr, "%02x ", buffer[k]);
4992  }
4993  fprintf(stderr, "\n");
4994  }
4995  CHECK(ret == 0);
4996  }
4997  }
4998 }
4999 
5000 /* Tests several edge cases. */
5001 void test_ecdsa_edge_cases(void) {
5002  int t;
5003  secp256k1_ecdsa_signature sig;
5004 
5005  /* Test the case where ECDSA recomputes a point that is infinity. */
5006  {
5007  secp256k1_gej keyj;
5008  secp256k1_ge key;
5009  secp256k1_scalar msg;
5010  secp256k1_scalar sr, ss;
5011  secp256k1_scalar_set_int(&ss, 1);
5012  secp256k1_scalar_negate(&ss, &ss);
5013  secp256k1_scalar_inverse(&ss, &ss);
5014  secp256k1_scalar_set_int(&sr, 1);
5015  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr);
5016  secp256k1_ge_set_gej(&key, &keyj);
5017  msg = ss;
5018  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5019  }
5020 
5021  /* Verify signature with r of zero fails. */
5022  {
5023  const unsigned char pubkey_mods_zero[33] = {
5024  0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5025  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5026  0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
5027  0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
5028  0x41
5029  };
5030  secp256k1_ge key;
5031  secp256k1_scalar msg;
5032  secp256k1_scalar sr, ss;
5033  secp256k1_scalar_set_int(&ss, 1);
5034  secp256k1_scalar_set_int(&msg, 0);
5035  secp256k1_scalar_set_int(&sr, 0);
5036  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
5037  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5038  }
5039 
5040  /* Verify signature with s of zero fails. */
5041  {
5042  const unsigned char pubkey[33] = {
5043  0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5044  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5045  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5046  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5047  0x01
5048  };
5049  secp256k1_ge key;
5050  secp256k1_scalar msg;
5051  secp256k1_scalar sr, ss;
5052  secp256k1_scalar_set_int(&ss, 0);
5053  secp256k1_scalar_set_int(&msg, 0);
5054  secp256k1_scalar_set_int(&sr, 1);
5055  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
5056  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5057  }
5058 
5059  /* Verify signature with message 0 passes. */
5060  {
5061  const unsigned char pubkey[33] = {
5062  0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5063  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5064  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5065  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5066  0x02
5067  };
5068  const unsigned char pubkey2[33] = {
5069  0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5070  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5071  0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
5072  0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
5073  0x43
5074  };
5075  secp256k1_ge key;
5076  secp256k1_ge key2;
5077  secp256k1_scalar msg;
5078  secp256k1_scalar sr, ss;
5079  secp256k1_scalar_set_int(&ss, 2);
5080  secp256k1_scalar_set_int(&msg, 0);
5081  secp256k1_scalar_set_int(&sr, 2);
5082  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
5083  CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
5084  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5085  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5086  secp256k1_scalar_negate(&ss, &ss);
5087  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5088  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5089  secp256k1_scalar_set_int(&ss, 1);
5090  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5091  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
5092  }
5093 
5094  /* Verify signature with message 1 passes. */
5095  {
5096  const unsigned char pubkey[33] = {
5097  0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
5098  0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
5099  0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
5100  0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
5101  0x25
5102  };
5103  const unsigned char pubkey2[33] = {
5104  0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
5105  0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
5106  0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
5107  0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
5108  0x62
5109  };
5110  const unsigned char csr[32] = {
5111  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5112  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5113  0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
5114  0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
5115  };
5116  secp256k1_ge key;
5117  secp256k1_ge key2;
5118  secp256k1_scalar msg;
5119  secp256k1_scalar sr, ss;
5120  secp256k1_scalar_set_int(&ss, 1);
5121  secp256k1_scalar_set_int(&msg, 1);
5122  secp256k1_scalar_set_b32(&sr, csr, NULL);
5123  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
5124  CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
5125  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5126  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5127  secp256k1_scalar_negate(&ss, &ss);
5128  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5129  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5130  secp256k1_scalar_set_int(&ss, 2);
5131  secp256k1_scalar_inverse_var(&ss, &ss);
5132  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5133  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
5134  }
5135 
5136  /* Verify signature with message -1 passes. */
5137  {
5138  const unsigned char pubkey[33] = {
5139  0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
5140  0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
5141  0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
5142  0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
5143  0xf1
5144  };
5145  const unsigned char csr[32] = {
5146  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5147  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5148  0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
5149  0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
5150  };
5151  secp256k1_ge key;
5152  secp256k1_scalar msg;
5153  secp256k1_scalar sr, ss;
5154  secp256k1_scalar_set_int(&ss, 1);
5155  secp256k1_scalar_set_int(&msg, 1);
5156  secp256k1_scalar_negate(&msg, &msg);
5157  secp256k1_scalar_set_b32(&sr, csr, NULL);
5158  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
5159  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5160  secp256k1_scalar_negate(&ss, &ss);
5161  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5162  secp256k1_scalar_set_int(&ss, 3);
5163  secp256k1_scalar_inverse_var(&ss, &ss);
5164  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5165  }
5166 
5167  /* Signature where s would be zero. */
5168  {
5169  secp256k1_pubkey pubkey;
5170  size_t siglen;
5171  int32_t ecount;
5172  unsigned char signature[72];
5173  static const unsigned char nonce[32] = {
5174  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5175  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5176  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5177  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5178  };
5179  static const unsigned char nonce2[32] = {
5180  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
5181  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
5182  0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
5183  0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
5184  };
5185  const unsigned char key[32] = {
5186  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5187  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5188  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5189  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5190  };
5191  unsigned char msg[32] = {
5192  0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
5193  0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
5194  0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
5195  0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
5196  };
5197  ecount = 0;
5198  secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
5199  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
5200  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
5201  msg[31] = 0xaa;
5202  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
5203  CHECK(ecount == 0);
5204  CHECK(secp256k1_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
5205  CHECK(ecount == 1);
5206  CHECK(secp256k1_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
5207  CHECK(ecount == 2);
5208  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0);
5209  CHECK(ecount == 3);
5210  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
5211  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, key) == 1);
5212  CHECK(secp256k1_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0);
5213  CHECK(ecount == 4);
5214  CHECK(secp256k1_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0);
5215  CHECK(ecount == 5);
5216  CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, NULL) == 0);
5217  CHECK(ecount == 6);
5218  CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1);
5219  CHECK(ecount == 6);
5220  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
5221  CHECK(ecount == 7);
5222  /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
5223  CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0);
5224  CHECK(ecount == 8);
5225  siglen = 72;
5226  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0);
5227  CHECK(ecount == 9);
5228  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0);
5229  CHECK(ecount == 10);
5230  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0);
5231  CHECK(ecount == 11);
5232  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1);
5233  CHECK(ecount == 11);
5234  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0);
5235  CHECK(ecount == 12);
5236  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0);
5237  CHECK(ecount == 13);
5238  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1);
5239  CHECK(ecount == 13);
5240  siglen = 10;
5241  /* Too little room for a signature does not fail via ARGCHECK. */
5242  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0);
5243  CHECK(ecount == 13);
5244  ecount = 0;
5245  CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, NULL) == 0);
5246  CHECK(ecount == 1);
5247  CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0);
5248  CHECK(ecount == 2);
5249  CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0);
5250  CHECK(ecount == 3);
5251  CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1);
5252  CHECK(ecount == 3);
5253  CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0);
5254  CHECK(ecount == 4);
5255  CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0);
5256  CHECK(ecount == 5);
5257  CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1);
5258  CHECK(ecount == 5);
5259  memset(signature, 255, 64);
5260  CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0);
5261  CHECK(ecount == 5);
5262  secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
5263  }
5264 
5265  /* Nonce function corner cases. */
5266  for (t = 0; t < 2; t++) {
5267  static const unsigned char zero[32] = {0x00};
5268  int i;
5269  unsigned char key[32];
5270  unsigned char msg[32];
5271  secp256k1_ecdsa_signature sig2;
5272  secp256k1_scalar sr[512], ss;
5273  const unsigned char *extra;
5274  extra = t == 0 ? NULL : zero;
5275  memset(msg, 0, 32);
5276  msg[31] = 1;
5277  /* High key results in signature failure. */
5278  memset(key, 0xFF, 32);
5279  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
5280  CHECK(is_empty_signature(&sig));
5281  /* Zero key results in signature failure. */
5282  memset(key, 0, 32);
5283  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
5284  CHECK(is_empty_signature(&sig));
5285  /* Nonce function failure results in signature failure. */
5286  key[31] = 1;
5287  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0);
5288  CHECK(is_empty_signature(&sig));
5289  /* The retry loop successfully makes its way to the first good value. */
5290  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1);
5291  CHECK(!is_empty_signature(&sig));
5292  CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
5293  CHECK(!is_empty_signature(&sig2));
5294  CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
5295  /* The default nonce function is deterministic. */
5296  CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
5297  CHECK(!is_empty_signature(&sig2));
5298  CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
5299  /* The default nonce function changes output with different messages. */
5300  for(i = 0; i < 256; i++) {
5301  int j;
5302  msg[0] = i;
5303  CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
5304  CHECK(!is_empty_signature(&sig2));
5305  secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
5306  for (j = 0; j < i; j++) {
5307  CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
5308  }
5309  }
5310  msg[0] = 0;
5311  msg[31] = 2;
5312  /* The default nonce function changes output with different keys. */
5313  for(i = 256; i < 512; i++) {
5314  int j;
5315  key[0] = i - 256;
5316  CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
5317  CHECK(!is_empty_signature(&sig2));
5318  secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
5319  for (j = 0; j < i; j++) {
5320  CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
5321  }
5322  }
5323  key[0] = 0;
5324  }
5325 
5326  {
5327  /* Check that optional nonce arguments do not have equivalent effect. */
5328  const unsigned char zeros[32] = {0};
5329  unsigned char nonce[32];
5330  unsigned char nonce2[32];
5331  unsigned char nonce3[32];
5332  unsigned char nonce4[32];
5333  VG_UNDEF(nonce,32);
5334  VG_UNDEF(nonce2,32);
5335  VG_UNDEF(nonce3,32);
5336  VG_UNDEF(nonce4,32);
5337  CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
5338  VG_CHECK(nonce,32);
5339  CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
5340  VG_CHECK(nonce2,32);
5341  CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
5342  VG_CHECK(nonce3,32);
5343  CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
5344  VG_CHECK(nonce4,32);
5345  CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
5346  CHECK(secp256k1_memcmp_var(nonce, nonce3, 32) != 0);
5347  CHECK(secp256k1_memcmp_var(nonce, nonce4, 32) != 0);
5348  CHECK(secp256k1_memcmp_var(nonce2, nonce3, 32) != 0);
5349  CHECK(secp256k1_memcmp_var(nonce2, nonce4, 32) != 0);
5350  CHECK(secp256k1_memcmp_var(nonce3, nonce4, 32) != 0);
5351  }
5352 
5353 
5354  /* Privkey export where pubkey is the point at infinity. */
5355  {
5356  unsigned char privkey[300];
5357  unsigned char seckey[32] = {
5358  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5359  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
5360  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
5361  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
5362  };
5363  size_t outlen = 300;
5364  CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 0));
5365  outlen = 300;
5366  CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 1));
5367  }
5368 }
5369 
5370 void run_ecdsa_edge_cases(void) {
5371  test_ecdsa_edge_cases();
5372 }
5373 
5374 #ifdef ENABLE_OPENSSL_TESTS
5375 EC_KEY *get_openssl_key(const unsigned char *key32) {
5376  unsigned char privkey[300];
5377  size_t privkeylen;
5378  const unsigned char* pbegin = privkey;
5379  int compr = secp256k1_testrand_bits(1);
5380  EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1);
5381  CHECK(ec_privkey_export_der(ctx, privkey, &privkeylen, key32, compr));
5382  CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen));
5383  CHECK(EC_KEY_check_key(ec_key));
5384  return ec_key;
5385 }
5386 
5387 void test_ecdsa_openssl(void) {
5388  secp256k1_gej qj;
5389  secp256k1_ge q;
5390  secp256k1_scalar sigr, sigs;
5391  secp256k1_scalar one;
5392  secp256k1_scalar msg2;
5393  secp256k1_scalar key, msg;
5394  EC_KEY *ec_key;
5395  unsigned int sigsize = 80;
5396  size_t secp_sigsize = 80;
5397  unsigned char message[32];
5398  unsigned char signature[80];
5399  unsigned char key32[32];
5400  secp256k1_testrand256_test(message);
5401  secp256k1_scalar_set_b32(&msg, message, NULL);
5402  random_scalar_order_test(&key);
5403  secp256k1_scalar_get_b32(key32, &key);
5404  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &qj, &key);
5405  secp256k1_ge_set_gej(&q, &qj);
5406  ec_key = get_openssl_key(key32);
5407  CHECK(ec_key != NULL);
5408  CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
5409  CHECK(secp256k1_ecdsa_sig_parse(&sigr, &sigs,