Bitcoin ABC  0.26.3
P2P Digital Currency
tests.c
Go to the documentation of this file.
1 /***********************************************************************
2  * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5  ***********************************************************************/
6 
7 #if defined HAVE_CONFIG_H
8 #include "libsecp256k1-config.h"
9 #endif
10 
11 #include <stdio.h>
12 #include <stdlib.h>
13 #include <string.h>
14 
15 #include <time.h>
16 
17 #include "secp256k1.c"
18 #include "include/secp256k1.h"
19 #include "include/secp256k1_preallocated.h"
20 #include "testrand_impl.h"
21 #include "util.h"
22 
23 #include "contrib/lax_der_parsing.c"
24 #include "contrib/lax_der_privatekey_parsing.c"
25 
26 #include "modinv32_impl.h"
27 #ifdef SECP256K1_WIDEMUL_INT128
28 #include "modinv64_impl.h"
29 #endif
30 
31 static int count = 64;
32 static secp256k1_context *ctx = NULL;
33 
34 static void counting_illegal_callback_fn(const char* str, void* data) {
35  /* Dummy callback function that just counts. */
36  int32_t *p;
37  (void)str;
38  p = data;
39  (*p)++;
40 }
41 
42 static void uncounting_illegal_callback_fn(const char* str, void* data) {
43  /* Dummy callback function that just counts (backwards). */
44  int32_t *p;
45  (void)str;
46  p = data;
47  (*p)--;
48 }
49 
50 void random_field_element_test(secp256k1_fe *fe) {
51  do {
52  unsigned char b32[32];
53  secp256k1_testrand256_test(b32);
54  if (secp256k1_fe_set_b32(fe, b32)) {
55  break;
56  }
57  } while(1);
58 }
59 
60 void random_field_element_magnitude(secp256k1_fe *fe) {
61  secp256k1_fe zero;
62  int n = secp256k1_testrand_int(9);
63  secp256k1_fe_normalize(fe);
64  if (n == 0) {
65  return;
66  }
67  secp256k1_fe_clear(&zero);
68  secp256k1_fe_negate(&zero, &zero, 0);
69  secp256k1_fe_mul_int(&zero, n - 1);
70  secp256k1_fe_add(fe, &zero);
71 #ifdef VERIFY
72  CHECK(fe->magnitude == n);
73 #endif
74 }
75 
76 void random_group_element_test(secp256k1_ge *ge) {
77  secp256k1_fe fe;
78  do {
79  random_field_element_test(&fe);
80  if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_testrand_bits(1))) {
81  secp256k1_fe_normalize(&ge->y);
82  break;
83  }
84  } while(1);
85  ge->infinity = 0;
86 }
87 
88 void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) {
89  secp256k1_fe z2, z3;
90  do {
91  random_field_element_test(&gej->z);
92  if (!secp256k1_fe_is_zero(&gej->z)) {
93  break;
94  }
95  } while(1);
96  secp256k1_fe_sqr(&z2, &gej->z);
97  secp256k1_fe_mul(&z3, &z2, &gej->z);
98  secp256k1_fe_mul(&gej->x, &ge->x, &z2);
99  secp256k1_fe_mul(&gej->y, &ge->y, &z3);
100  gej->infinity = ge->infinity;
101 }
102 
103 void random_scalar_order_test(secp256k1_scalar *num) {
104  do {
105  unsigned char b32[32];
106  int overflow = 0;
107  secp256k1_testrand256_test(b32);
108  secp256k1_scalar_set_b32(num, b32, &overflow);
109  if (overflow || secp256k1_scalar_is_zero(num)) {
110  continue;
111  }
112  break;
113  } while(1);
114 }
115 
116 void random_scalar_order(secp256k1_scalar *num) {
117  do {
118  unsigned char b32[32];
119  int overflow = 0;
120  secp256k1_testrand256(b32);
121  secp256k1_scalar_set_b32(num, b32, &overflow);
122  if (overflow || secp256k1_scalar_is_zero(num)) {
123  continue;
124  }
125  break;
126  } while(1);
127 }
128 
129 void random_scalar_order_b32(unsigned char *b32) {
130  secp256k1_scalar num;
131  random_scalar_order(&num);
132  secp256k1_scalar_get_b32(b32, &num);
133 }
134 
135 void run_context_tests(int use_prealloc) {
136  secp256k1_pubkey pubkey;
137  secp256k1_pubkey zero_pubkey;
138  secp256k1_ecdsa_signature sig;
139  unsigned char ctmp[32];
140  int32_t ecount;
141  int32_t ecount2;
142  secp256k1_context *none;
143  secp256k1_context *sign;
144  secp256k1_context *vrfy;
145  secp256k1_context *both;
146  void *none_prealloc = NULL;
147  void *sign_prealloc = NULL;
148  void *vrfy_prealloc = NULL;
149  void *both_prealloc = NULL;
150 
151  secp256k1_gej pubj;
152  secp256k1_ge pub;
153  secp256k1_scalar msg, key, nonce;
154  secp256k1_scalar sigr, sigs;
155 
156  if (use_prealloc) {
157  none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
158  sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
159  vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
160  both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
161  CHECK(none_prealloc != NULL);
162  CHECK(sign_prealloc != NULL);
163  CHECK(vrfy_prealloc != NULL);
164  CHECK(both_prealloc != NULL);
165  none = secp256k1_context_preallocated_create(none_prealloc, SECP256K1_CONTEXT_NONE);
166  sign = secp256k1_context_preallocated_create(sign_prealloc, SECP256K1_CONTEXT_SIGN);
167  vrfy = secp256k1_context_preallocated_create(vrfy_prealloc, SECP256K1_CONTEXT_VERIFY);
168  both = secp256k1_context_preallocated_create(both_prealloc, SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
169  } else {
170  none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
171  sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
172  vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
173  both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
174  }
175 
176  memset(&zero_pubkey, 0, sizeof(zero_pubkey));
177 
178  ecount = 0;
179  ecount2 = 10;
180  secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
181  secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2);
182  /* set error callback (to a function that still aborts in case malloc() fails in secp256k1_context_clone() below) */
183  secp256k1_context_set_error_callback(sign, secp256k1_default_illegal_callback_fn, NULL);
184  CHECK(sign->error_callback.fn != vrfy->error_callback.fn);
185  CHECK(sign->error_callback.fn == secp256k1_default_illegal_callback_fn);
186 
187  /* check if sizes for cloning are consistent */
188  CHECK(secp256k1_context_preallocated_clone_size(none) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
189  CHECK(secp256k1_context_preallocated_clone_size(sign) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
190  CHECK(secp256k1_context_preallocated_clone_size(vrfy) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
191  CHECK(secp256k1_context_preallocated_clone_size(both) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
192 
193  /*** clone and destroy all of them to make sure cloning was complete ***/
194  {
195  secp256k1_context *ctx_tmp;
196 
197  if (use_prealloc) {
198  /* clone into a non-preallocated context and then again into a new preallocated one. */
199  ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
200  free(none_prealloc); none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(none_prealloc != NULL);
201  ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, none_prealloc); secp256k1_context_destroy(ctx_tmp);
202 
203  ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
204  free(sign_prealloc); sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(sign_prealloc != NULL);
205  ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, sign_prealloc); secp256k1_context_destroy(ctx_tmp);
206 
207  ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
208  free(vrfy_prealloc); vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(vrfy_prealloc != NULL);
209  ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, vrfy_prealloc); secp256k1_context_destroy(ctx_tmp);
210 
211  ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
212  free(both_prealloc); both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(both_prealloc != NULL);
213  ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, both_prealloc); secp256k1_context_destroy(ctx_tmp);
214  } else {
215  /* clone into a preallocated context and then again into a new non-preallocated one. */
216  void *prealloc_tmp;
217 
218  prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(prealloc_tmp != NULL);
219  ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
220  ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
221  free(prealloc_tmp);
222 
223  prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(prealloc_tmp != NULL);
224  ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
225  ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
226  free(prealloc_tmp);
227 
228  prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
229  ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
230  ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
231  free(prealloc_tmp);
232 
233  prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
234  ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
235  ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
236  free(prealloc_tmp);
237  }
238  }
239 
240  /* Verify that the error callback makes it across the clone. */
241  CHECK(sign->error_callback.fn != vrfy->error_callback.fn);
242  CHECK(sign->error_callback.fn == secp256k1_default_illegal_callback_fn);
243  /* And that it resets back to default. */
244  secp256k1_context_set_error_callback(sign, NULL, NULL);
245  CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
246 
247  /*** attempt to use them ***/
248  random_scalar_order_test(&msg);
249  random_scalar_order_test(&key);
250  secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
251  secp256k1_ge_set_gej(&pub, &pubj);
252 
253  /* Verify context-type checking illegal-argument errors. */
254  memset(ctmp, 1, 32);
255  CHECK(secp256k1_ec_pubkey_create(vrfy, &pubkey, ctmp) == 0);
256  CHECK(ecount == 1);
257  VG_UNDEF(&pubkey, sizeof(pubkey));
258  CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1);
259  VG_CHECK(&pubkey, sizeof(pubkey));
260  CHECK(secp256k1_ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0);
261  CHECK(ecount == 2);
262  VG_UNDEF(&sig, sizeof(sig));
263  CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
264  VG_CHECK(&sig, sizeof(sig));
265  CHECK(ecount2 == 10);
266  CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0);
267  CHECK(ecount2 == 11);
268  CHECK(secp256k1_ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1);
269  CHECK(ecount == 2);
270  CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0);
271  CHECK(ecount2 == 12);
272  CHECK(secp256k1_ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1);
273  CHECK(ecount == 2);
274  CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0);
275  CHECK(ecount2 == 13);
276  CHECK(secp256k1_ec_pubkey_negate(vrfy, &pubkey) == 1);
277  CHECK(ecount == 2);
278  CHECK(secp256k1_ec_pubkey_negate(sign, &pubkey) == 1);
279  CHECK(ecount == 2);
280  CHECK(secp256k1_ec_pubkey_negate(sign, NULL) == 0);
281  CHECK(ecount2 == 14);
282  CHECK(secp256k1_ec_pubkey_negate(vrfy, &zero_pubkey) == 0);
283  CHECK(ecount == 3);
284  CHECK(secp256k1_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1);
285  CHECK(ecount == 3);
286  CHECK(secp256k1_context_randomize(vrfy, ctmp) == 1);
287  CHECK(ecount == 3);
288  CHECK(secp256k1_context_randomize(vrfy, NULL) == 1);
289  CHECK(ecount == 3);
290  CHECK(secp256k1_context_randomize(sign, ctmp) == 1);
291  CHECK(ecount2 == 14);
292  CHECK(secp256k1_context_randomize(sign, NULL) == 1);
293  CHECK(ecount2 == 14);
294  secp256k1_context_set_illegal_callback(vrfy, NULL, NULL);
295  secp256k1_context_set_illegal_callback(sign, NULL, NULL);
296 
297  /* obtain a working nonce */
298  do {
299  random_scalar_order_test(&nonce);
300  } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
301 
302  /* try signing */
303  CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
304  CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
305 
306  /* try verifying */
307  CHECK(secp256k1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg));
308  CHECK(secp256k1_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg));
309 
310  /* cleanup */
311  if (use_prealloc) {
312  secp256k1_context_preallocated_destroy(none);
313  secp256k1_context_preallocated_destroy(sign);
314  secp256k1_context_preallocated_destroy(vrfy);
315  secp256k1_context_preallocated_destroy(both);
316  free(none_prealloc);
317  free(sign_prealloc);
318  free(vrfy_prealloc);
319  free(both_prealloc);
320  } else {
321  secp256k1_context_destroy(none);
322  secp256k1_context_destroy(sign);
323  secp256k1_context_destroy(vrfy);
324  secp256k1_context_destroy(both);
325  }
326  /* Defined as no-op. */
327  secp256k1_context_destroy(NULL);
328  secp256k1_context_preallocated_destroy(NULL);
329 
330 }
331 
332 void run_scratch_tests(void) {
333  const size_t adj_alloc = ((500 + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT;
334 
335  int32_t ecount = 0;
336  size_t checkpoint;
337  size_t checkpoint_2;
338  secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
339  secp256k1_scratch_space *scratch;
340  secp256k1_scratch_space local_scratch;
341 
342  /* Test public API */
343  secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
344  secp256k1_context_set_error_callback(none, counting_illegal_callback_fn, &ecount);
345 
346  scratch = secp256k1_scratch_space_create(none, 1000);
347  CHECK(scratch != NULL);
348  CHECK(ecount == 0);
349 
350  /* Test internal API */
351  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
352  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1));
353  CHECK(scratch->alloc_size == 0);
354  CHECK(scratch->alloc_size % ALIGNMENT == 0);
355 
356  /* Allocating 500 bytes succeeds */
357  checkpoint = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
358  CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
359  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
360  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
361  CHECK(scratch->alloc_size != 0);
362  CHECK(scratch->alloc_size % ALIGNMENT == 0);
363 
364  /* Allocating another 501 bytes fails */
365  CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 501) == NULL);
366  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
367  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
368  CHECK(scratch->alloc_size != 0);
369  CHECK(scratch->alloc_size % ALIGNMENT == 0);
370 
371  /* ...but it succeeds once we apply the checkpoint to undo it */
372  secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
373  CHECK(scratch->alloc_size == 0);
374  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
375  CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
376  CHECK(scratch->alloc_size != 0);
377 
378  /* try to apply a bad checkpoint */
379  checkpoint_2 = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
380  secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
381  CHECK(ecount == 0);
382  secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint_2); /* checkpoint_2 is after checkpoint */
383  CHECK(ecount == 1);
384  secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, (size_t) -1); /* this is just wildly invalid */
385  CHECK(ecount == 2);
386 
387  /* try to use badly initialized scratch space */
388  secp256k1_scratch_space_destroy(none, scratch);
389  memset(&local_scratch, 0, sizeof(local_scratch));
390  scratch = &local_scratch;
391  CHECK(!secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0));
392  CHECK(ecount == 3);
393  CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) == NULL);
394  CHECK(ecount == 4);
395  secp256k1_scratch_space_destroy(none, scratch);
396  CHECK(ecount == 5);
397 
398  /* Test that large integers do not wrap around in a bad way */
399  scratch = secp256k1_scratch_space_create(none, 1000);
400  /* Try max allocation with a large number of objects. Only makes sense if
401  * ALIGNMENT is greater than 1 because otherwise the objects take no extra
402  * space. */
403  CHECK(ALIGNMENT <= 1 || !secp256k1_scratch_max_allocation(&none->error_callback, scratch, (SIZE_MAX / (ALIGNMENT - 1)) + 1));
404  /* Try allocating SIZE_MAX to test wrap around which only happens if
405  * ALIGNMENT > 1, otherwise it returns NULL anyway because the scratch
406  * space is too small. */
407  CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, SIZE_MAX) == NULL);
408  secp256k1_scratch_space_destroy(none, scratch);
409 
410  /* cleanup */
411  secp256k1_scratch_space_destroy(none, NULL); /* no-op */
412  secp256k1_context_destroy(none);
413 }
414 
415 void run_ctz_tests(void) {
416  static const uint32_t b32[] = {1, 0xffffffff, 0x5e56968f, 0xe0d63129};
417  static const uint64_t b64[] = {1, 0xffffffffffffffff, 0xbcd02462139b3fc3, 0x98b5f80c769693ef};
418  int shift;
419  unsigned i;
420  for (i = 0; i < sizeof(b32) / sizeof(b32[0]); ++i) {
421  for (shift = 0; shift < 32; ++shift) {
422  CHECK(secp256k1_ctz32_var_debruijn(b32[i] << shift) == shift);
423  CHECK(secp256k1_ctz32_var(b32[i] << shift) == shift);
424  }
425  }
426  for (i = 0; i < sizeof(b64) / sizeof(b64[0]); ++i) {
427  for (shift = 0; shift < 64; ++shift) {
428  CHECK(secp256k1_ctz64_var_debruijn(b64[i] << shift) == shift);
429  CHECK(secp256k1_ctz64_var(b64[i] << shift) == shift);
430  }
431  }
432 }
433 
434 /***** HASH TESTS *****/
435 
436 void run_sha256_tests(void) {
437  static const char *inputs[8] = {
438  "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
439  "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
440  "For this sample, this 63-byte string will be used as input data",
441  "This is exactly 64 bytes long, not counting the terminating byte"
442  };
443  static const unsigned char outputs[8][32] = {
444  {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
445  {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
446  {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
447  {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
448  {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
449  {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
450  {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
451  {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
452  };
453  int i;
454  for (i = 0; i < 8; i++) {
455  unsigned char out[32];
456  secp256k1_sha256 hasher;
457  secp256k1_sha256_initialize(&hasher);
458  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
459  secp256k1_sha256_finalize(&hasher, out);
460  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
461  if (strlen(inputs[i]) > 0) {
462  int split = secp256k1_testrand_int(strlen(inputs[i]));
463  secp256k1_sha256_initialize(&hasher);
464  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
465  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
466  secp256k1_sha256_finalize(&hasher, out);
467  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
468  }
469  }
470 }
471 
472 void run_hmac_sha256_tests(void) {
473  static const char *keys[6] = {
474  "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
475  "\x4a\x65\x66\x65",
476  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
477  "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
478  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
479  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
480  };
481  static const char *inputs[6] = {
482  "\x48\x69\x20\x54\x68\x65\x72\x65",
483  "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
484  "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
485  "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
486  "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
487  "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
488  };
489  static const unsigned char outputs[6][32] = {
490  {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
491  {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
492  {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
493  {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
494  {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
495  {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
496  };
497  int i;
498  for (i = 0; i < 6; i++) {
499  secp256k1_hmac_sha256 hasher;
500  unsigned char out[32];
501  secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
502  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
503  secp256k1_hmac_sha256_finalize(&hasher, out);
504  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
505  if (strlen(inputs[i]) > 0) {
506  int split = secp256k1_testrand_int(strlen(inputs[i]));
507  secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
508  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
509  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
510  secp256k1_hmac_sha256_finalize(&hasher, out);
511  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
512  }
513  }
514 }
515 
516 void run_rfc6979_hmac_sha256_tests(void) {
517  static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
518  static const unsigned char out1[3][32] = {
519  {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
520  {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
521  {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
522  };
523 
524  static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
525  static const unsigned char out2[3][32] = {
526  {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
527  {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
528  {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
529  };
530 
531  secp256k1_rfc6979_hmac_sha256 rng;
532  unsigned char out[32];
533  int i;
534 
535  secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
536  for (i = 0; i < 3; i++) {
537  secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
538  CHECK(secp256k1_memcmp_var(out, out1[i], 32) == 0);
539  }
540  secp256k1_rfc6979_hmac_sha256_finalize(&rng);
541 
542  secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
543  for (i = 0; i < 3; i++) {
544  secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
545  CHECK(secp256k1_memcmp_var(out, out1[i], 32) != 0);
546  }
547  secp256k1_rfc6979_hmac_sha256_finalize(&rng);
548 
549  secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
550  for (i = 0; i < 3; i++) {
551  secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
552  CHECK(secp256k1_memcmp_var(out, out2[i], 32) == 0);
553  }
554  secp256k1_rfc6979_hmac_sha256_finalize(&rng);
555 }
556 
557 /***** RANDOM TESTS *****/
558 
559 void test_rand_bits(int rand32, int bits) {
560  /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
561  * get a false negative chance below once in a billion */
562  static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
563  /* We try multiplying the results with various odd numbers, which shouldn't
564  * influence the uniform distribution modulo a power of 2. */
565  static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
566  /* We only select up to 6 bits from the output to analyse */
567  unsigned int usebits = bits > 6 ? 6 : bits;
568  unsigned int maxshift = bits - usebits;
569  /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
570  number, track all observed outcomes, one per bit in a uint64_t. */
571  uint64_t x[6][27] = {{0}};
572  unsigned int i, shift, m;
573  /* Multiply the output of all rand calls with the odd number m, which
574  should not change the uniformity of its distribution. */
575  for (i = 0; i < rounds[usebits]; i++) {
576  uint32_t r = (rand32 ? secp256k1_testrand32() : secp256k1_testrand_bits(bits));
577  CHECK((((uint64_t)r) >> bits) == 0);
578  for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
579  uint32_t rm = r * mults[m];
580  for (shift = 0; shift <= maxshift; shift++) {
581  x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
582  }
583  }
584  }
585  for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
586  for (shift = 0; shift <= maxshift; shift++) {
587  /* Test that the lower usebits bits of x[shift] are 1 */
588  CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
589  }
590  }
591 }
592 
593 /* Subrange must be a whole divisor of range, and at most 64 */
594 void test_rand_int(uint32_t range, uint32_t subrange) {
595  /* (1-1/subrange)^rounds < 1/10^9 */
596  int rounds = (subrange * 2073) / 100;
597  int i;
598  uint64_t x = 0;
599  CHECK((range % subrange) == 0);
600  for (i = 0; i < rounds; i++) {
601  uint32_t r = secp256k1_testrand_int(range);
602  CHECK(r < range);
603  r = r % subrange;
604  x |= (((uint64_t)1) << r);
605  }
606  /* Test that the lower subrange bits of x are 1. */
607  CHECK(((~x) << (64 - subrange)) == 0);
608 }
609 
610 void run_rand_bits(void) {
611  size_t b;
612  test_rand_bits(1, 32);
613  for (b = 1; b <= 32; b++) {
614  test_rand_bits(0, b);
615  }
616 }
617 
618 void run_rand_int(void) {
619  static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
620  static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
621  unsigned int m, s;
622  for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
623  for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
624  test_rand_int(ms[m] * ss[s], ss[s]);
625  }
626  }
627 }
628 
629 /***** MODINV TESTS *****/
630 
631 /* Compute the modular inverse of (odd) x mod 2^64. */
632 uint64_t modinv2p64(uint64_t x) {
633  /* If w = 1/x mod 2^(2^L), then w*(2 - w*x) = 1/x mod 2^(2^(L+1)). See
634  * Hacker's Delight second edition, Henry S. Warren, Jr., pages 245-247 for
635  * why. Start with L=0, for which it is true for every odd x that
636  * 1/x=1 mod 2. Iterating 6 times gives us 1/x mod 2^64. */
637  int l;
638  uint64_t w = 1;
639  CHECK(x & 1);
640  for (l = 0; l < 6; ++l) w *= (2 - w*x);
641  return w;
642 }
643 
644 /* compute out = (a*b) mod m; if b=NULL, treat b=1.
645  *
646  * Out is a 512-bit number (represented as 32 uint16_t's in LE order). The other
647  * arguments are 256-bit numbers (represented as 16 uint16_t's in LE order). */
648 void mulmod256(uint16_t* out, const uint16_t* a, const uint16_t* b, const uint16_t* m) {
649  uint16_t mul[32];
650  uint64_t c = 0;
651  int i, j;
652  int m_bitlen = 0;
653  int mul_bitlen = 0;
654 
655  if (b != NULL) {
656  /* Compute the product of a and b, and put it in mul. */
657  for (i = 0; i < 32; ++i) {
658  for (j = i <= 15 ? 0 : i - 15; j <= i && j <= 15; j++) {
659  c += (uint64_t)a[j] * b[i - j];
660  }
661  mul[i] = c & 0xFFFF;
662  c >>= 16;
663  }
664  CHECK(c == 0);
665 
666  /* compute the highest set bit in mul */
667  for (i = 511; i >= 0; --i) {
668  if ((mul[i >> 4] >> (i & 15)) & 1) {
669  mul_bitlen = i;
670  break;
671  }
672  }
673  } else {
674  /* if b==NULL, set mul=a. */
675  memcpy(mul, a, 32);
676  memset(mul + 16, 0, 32);
677  /* compute the highest set bit in mul */
678  for (i = 255; i >= 0; --i) {
679  if ((mul[i >> 4] >> (i & 15)) & 1) {
680  mul_bitlen = i;
681  break;
682  }
683  }
684  }
685 
686  /* Compute the highest set bit in m. */
687  for (i = 255; i >= 0; --i) {
688  if ((m[i >> 4] >> (i & 15)) & 1) {
689  m_bitlen = i;
690  break;
691  }
692  }
693 
694  /* Try do mul -= m<<i, for i going down to 0, whenever the result is not negative */
695  for (i = mul_bitlen - m_bitlen; i >= 0; --i) {
696  uint16_t mul2[32];
697  int64_t cs;
698 
699  /* Compute mul2 = mul - m<<i. */
700  cs = 0; /* accumulator */
701  for (j = 0; j < 32; ++j) { /* j loops over the output limbs in mul2. */
702  /* Compute sub: the 16 bits in m that will be subtracted from mul2[j]. */
703  uint16_t sub = 0;
704  int p;
705  for (p = 0; p < 16; ++p) { /* p loops over the bit positions in mul2[j]. */
706  int bitpos = j * 16 - i + p; /* bitpos is the correspond bit position in m. */
707  if (bitpos >= 0 && bitpos < 256) {
708  sub |= ((m[bitpos >> 4] >> (bitpos & 15)) & 1) << p;
709  }
710  }
711  /* Add mul[j]-sub to accumulator, and shift bottom 16 bits out to mul2[j]. */
712  cs += mul[j];
713  cs -= sub;
714  mul2[j] = (cs & 0xFFFF);
715  cs >>= 16;
716  }
717  /* If remainder of subtraction is 0, set mul = mul2. */
718  if (cs == 0) {
719  memcpy(mul, mul2, sizeof(mul));
720  }
721  }
722  /* Sanity check: test that all limbs higher than m's highest are zero */
723  for (i = (m_bitlen >> 4) + 1; i < 32; ++i) {
724  CHECK(mul[i] == 0);
725  }
726  memcpy(out, mul, 32);
727 }
728 
729 /* Convert a 256-bit number represented as 16 uint16_t's to signed30 notation. */
730 void uint16_to_signed30(secp256k1_modinv32_signed30* out, const uint16_t* in) {
731  int i;
732  memset(out->v, 0, sizeof(out->v));
733  for (i = 0; i < 256; ++i) {
734  out->v[i / 30] |= (int32_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 30);
735  }
736 }
737 
738 /* Convert a 256-bit number in signed30 notation to a representation as 16 uint16_t's. */
739 void signed30_to_uint16(uint16_t* out, const secp256k1_modinv32_signed30* in) {
740  int i;
741  memset(out, 0, 32);
742  for (i = 0; i < 256; ++i) {
743  out[i >> 4] |= (((in->v[i / 30]) >> (i % 30)) & 1) << (i & 15);
744  }
745 }
746 
747 /* Randomly mutate the sign of limbs in signed30 representation, without changing the value. */
748 void mutate_sign_signed30(secp256k1_modinv32_signed30* x) {
749  int i;
750  for (i = 0; i < 16; ++i) {
751  int pos = secp256k1_testrand_int(8);
752  if (x->v[pos] > 0 && x->v[pos + 1] <= 0x3fffffff) {
753  x->v[pos] -= 0x40000000;
754  x->v[pos + 1] += 1;
755  } else if (x->v[pos] < 0 && x->v[pos + 1] >= 0x3fffffff) {
756  x->v[pos] += 0x40000000;
757  x->v[pos + 1] -= 1;
758  }
759  }
760 }
761 
762 /* Test secp256k1_modinv32{_var}, using inputs in 16-bit limb format, and returning inverse. */
763 void test_modinv32_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
764  uint16_t tmp[16];
765  secp256k1_modinv32_signed30 x;
766  secp256k1_modinv32_modinfo m;
767  int i, vartime, nonzero;
768 
769  uint16_to_signed30(&x, in);
770  nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4] | x.v[5] | x.v[6] | x.v[7] | x.v[8]) != 0;
771  uint16_to_signed30(&m.modulus, mod);
772  mutate_sign_signed30(&m.modulus);
773 
774  /* compute 1/modulus mod 2^30 */
775  m.modulus_inv30 = modinv2p64(m.modulus.v[0]) & 0x3fffffff;
776  CHECK(((m.modulus_inv30 * m.modulus.v[0]) & 0x3fffffff) == 1);
777 
778  for (vartime = 0; vartime < 2; ++vartime) {
779  /* compute inverse */
780  (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
781 
782  /* produce output */
783  signed30_to_uint16(out, &x);
784 
785  /* check if the inverse times the input is 1 (mod m), unless x is 0. */
786  mulmod256(tmp, out, in, mod);
787  CHECK(tmp[0] == nonzero);
788  for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
789 
790  /* invert again */
791  (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
792 
793  /* check if the result is equal to the input */
794  signed30_to_uint16(tmp, &x);
795  for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
796  }
797 }
798 
799 #ifdef SECP256K1_WIDEMUL_INT128
800 /* Convert a 256-bit number represented as 16 uint16_t's to signed62 notation. */
801 void uint16_to_signed62(secp256k1_modinv64_signed62* out, const uint16_t* in) {
802  int i;
803  memset(out->v, 0, sizeof(out->v));
804  for (i = 0; i < 256; ++i) {
805  out->v[i / 62] |= (int64_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 62);
806  }
807 }
808 
809 /* Convert a 256-bit number in signed62 notation to a representation as 16 uint16_t's. */
810 void signed62_to_uint16(uint16_t* out, const secp256k1_modinv64_signed62* in) {
811  int i;
812  memset(out, 0, 32);
813  for (i = 0; i < 256; ++i) {
814  out[i >> 4] |= (((in->v[i / 62]) >> (i % 62)) & 1) << (i & 15);
815  }
816 }
817 
818 /* Randomly mutate the sign of limbs in signed62 representation, without changing the value. */
819 void mutate_sign_signed62(secp256k1_modinv64_signed62* x) {
820  static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
821  int i;
822  for (i = 0; i < 8; ++i) {
823  int pos = secp256k1_testrand_int(4);
824  if (x->v[pos] > 0 && x->v[pos + 1] <= M62) {
825  x->v[pos] -= (M62 + 1);
826  x->v[pos + 1] += 1;
827  } else if (x->v[pos] < 0 && x->v[pos + 1] >= -M62) {
828  x->v[pos] += (M62 + 1);
829  x->v[pos + 1] -= 1;
830  }
831  }
832 }
833 
834 /* Test secp256k1_modinv64{_var}, using inputs in 16-bit limb format, and returning inverse. */
835 void test_modinv64_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
836  static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
837  uint16_t tmp[16];
838  secp256k1_modinv64_signed62 x;
839  secp256k1_modinv64_modinfo m;
840  int i, vartime, nonzero;
841 
842  uint16_to_signed62(&x, in);
843  nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4]) != 0;
844  uint16_to_signed62(&m.modulus, mod);
845  mutate_sign_signed62(&m.modulus);
846 
847  /* compute 1/modulus mod 2^62 */
848  m.modulus_inv62 = modinv2p64(m.modulus.v[0]) & M62;
849  CHECK(((m.modulus_inv62 * m.modulus.v[0]) & M62) == 1);
850 
851  for (vartime = 0; vartime < 2; ++vartime) {
852  /* compute inverse */
853  (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
854 
855  /* produce output */
856  signed62_to_uint16(out, &x);
857 
858  /* check if the inverse times the input is 1 (mod m), unless x is 0. */
859  mulmod256(tmp, out, in, mod);
860  CHECK(tmp[0] == nonzero);
861  for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
862 
863  /* invert again */
864  (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
865 
866  /* check if the result is equal to the input */
867  signed62_to_uint16(tmp, &x);
868  for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
869  }
870 }
871 #endif
872 
873 /* test if a and b are coprime */
874 int coprime(const uint16_t* a, const uint16_t* b) {
875  uint16_t x[16], y[16], t[16];
876  int i;
877  int iszero;
878  memcpy(x, a, 32);
879  memcpy(y, b, 32);
880 
881  /* simple gcd loop: while x!=0, (x,y)=(y%x,x) */
882  while (1) {
883  iszero = 1;
884  for (i = 0; i < 16; ++i) {
885  if (x[i] != 0) {
886  iszero = 0;
887  break;
888  }
889  }
890  if (iszero) break;
891  mulmod256(t, y, NULL, x);
892  memcpy(y, x, 32);
893  memcpy(x, t, 32);
894  }
895 
896  /* return whether y=1 */
897  if (y[0] != 1) return 0;
898  for (i = 1; i < 16; ++i) {
899  if (y[i] != 0) return 0;
900  }
901  return 1;
902 }
903 
904 void run_modinv_tests(void) {
905  /* Fixed test cases. Each tuple is (input, modulus, output), each as 16x16 bits in LE order. */
906  static const uint16_t CASES[][3][16] = {
907  /* Test case known to need 713 divsteps */
908  {{0x1513, 0x5389, 0x54e9, 0x2798, 0x1957, 0x66a0, 0x8057, 0x3477,
909  0x7784, 0x1052, 0x326a, 0x9331, 0x6506, 0xa95c, 0x91f3, 0xfb5e},
910  {0x2bdd, 0x8df4, 0xcc61, 0x481f, 0xdae5, 0x5ca7, 0xf43b, 0x7d54,
911  0x13d6, 0x469b, 0x2294, 0x20f4, 0xb2a4, 0xa2d1, 0x3ff1, 0xfd4b},
912  {0xffd8, 0xd9a0, 0x456e, 0x81bb, 0xbabd, 0x6cea, 0x6dbd, 0x73ab,
913  0xbb94, 0x3d3c, 0xdf08, 0x31c4, 0x3e32, 0xc179, 0x2486, 0xb86b}},
914  /* Test case known to need 589 divsteps, reaching delta=-140 and
915  delta=141. */
916  {{0x3fb1, 0x903b, 0x4eb7, 0x4813, 0xd863, 0x26bf, 0xd89f, 0xa8a9,
917  0x02fe, 0x57c6, 0x554a, 0x4eab, 0x165e, 0x3d61, 0xee1e, 0x456c},
918  {0x9295, 0x823b, 0x5c1f, 0x5386, 0x48e0, 0x02ff, 0x4c2a, 0xa2da,
919  0xe58f, 0x967c, 0xc97e, 0x3f5a, 0x69fb, 0x52d9, 0x0a86, 0xb4a3},
920  {0x3d30, 0xb893, 0xa809, 0xa7a8, 0x26f5, 0x5b42, 0x55be, 0xf4d0,
921  0x12c2, 0x7e6a, 0xe41a, 0x90c7, 0xebfa, 0xf920, 0x304e, 0x1419}},
922  /* Test case known to need 650 divsteps, and doing 65 consecutive (f,g/2) steps. */
923  {{0x8583, 0x5058, 0xbeae, 0xeb69, 0x48bc, 0x52bb, 0x6a9d, 0xcc94,
924  0x2a21, 0x87d5, 0x5b0d, 0x42f6, 0x5b8a, 0x2214, 0xe9d6, 0xa040},
925  {0x7531, 0x27cb, 0x7e53, 0xb739, 0x6a5f, 0x83f5, 0xa45c, 0xcb1d,
926  0x8a87, 0x1c9c, 0x51d7, 0x851c, 0xb9d8, 0x1fbe, 0xc241, 0xd4a3},
927  {0xcdb4, 0x275c, 0x7d22, 0xa906, 0x0173, 0xc054, 0x7fdf, 0x5005,
928  0x7fb8, 0x9059, 0xdf51, 0x99df, 0x2654, 0x8f6e, 0x070f, 0xb347}},
929  /* Test case with the group order as modulus, needing 635 divsteps. */
930  {{0x95ed, 0x6c01, 0xd113, 0x5ff1, 0xd7d0, 0x29cc, 0x5817, 0x6120,
931  0xca8e, 0xaad1, 0x25ae, 0x8e84, 0x9af6, 0x30bf, 0xf0ed, 0x1686},
932  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
933  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
934  {0x1631, 0xbf4a, 0x286a, 0x2716, 0x469f, 0x2ac8, 0x1312, 0xe9bc,
935  0x04f4, 0x304b, 0x9931, 0x113b, 0xd932, 0xc8f4, 0x0d0d, 0x01a1}},
936  /* Test case with the field size as modulus, needing 637 divsteps. */
937  {{0x9ec3, 0x1919, 0xca84, 0x7c11, 0xf996, 0x06f3, 0x5408, 0x6688,
938  0x1320, 0xdb8a, 0x632a, 0x0dcb, 0x8a84, 0x6bee, 0x9c95, 0xe34e},
939  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
940  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
941  {0x18e5, 0x19b6, 0xdf92, 0x1aaa, 0x09fb, 0x8a3f, 0x52b0, 0x8701,
942  0xac0c, 0x2582, 0xda44, 0x9bcc, 0x6828, 0x1c53, 0xbd8f, 0xbd2c}},
943  /* Test case with the field size as modulus, needing 935 divsteps with
944  broken eta handling. */
945  {{0x1b37, 0xbdc3, 0x8bcd, 0x25e3, 0x1eae, 0x567d, 0x30b6, 0xf0d8,
946  0x9277, 0x0cf8, 0x9c2e, 0xecd7, 0x631d, 0xe38f, 0xd4f8, 0x5c93},
947  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
948  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
949  {0x1622, 0xe05b, 0xe880, 0x7de9, 0x3e45, 0xb682, 0xee6c, 0x67ed,
950  0xa179, 0x15db, 0x6b0d, 0xa656, 0x7ccb, 0x8ef7, 0xa2ff, 0xe279}},
951  /* Test case with the group size as modulus, needing 981 divsteps with
952  broken eta handling. */
953  {{0xfeb9, 0xb877, 0xee41, 0x7fa3, 0x87da, 0x94c4, 0x9d04, 0xc5ae,
954  0x5708, 0x0994, 0xfc79, 0x0916, 0xbf32, 0x3ad8, 0xe11c, 0x5ca2},
955  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
956  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
957  {0x0f12, 0x075e, 0xce1c, 0x6f92, 0xc80f, 0xca92, 0x9a04, 0x6126,
958  0x4b6c, 0x57d6, 0xca31, 0x97f3, 0x1f99, 0xf4fd, 0xda4d, 0x42ce}},
959  /* Test case with the field size as modulus, input = 0. */
960  {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
961  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
962  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
963  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
964  {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
965  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
966  /* Test case with the field size as modulus, input = 1. */
967  {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
968  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
969  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
970  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
971  {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
972  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
973  /* Test case with the field size as modulus, input = 2. */
974  {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
975  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
976  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
977  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
978  {0xfe18, 0x7fff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
979  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
980  /* Test case with the field size as modulus, input = field - 1. */
981  {{0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
982  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
983  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
984  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
985  {0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
986  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
987  /* Test case with the group size as modulus, input = 0. */
988  {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
989  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
990  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
991  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
992  {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
993  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
994  /* Test case with the group size as modulus, input = 1. */
995  {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
996  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
997  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
998  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
999  {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1000  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1001  /* Test case with the group size as modulus, input = 2. */
1002  {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1003  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1004  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1005  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1006  {0x20a1, 0x681b, 0x2f46, 0xdfe9, 0x501d, 0x57a4, 0x6e73, 0x5d57,
1007  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1008  /* Test case with the group size as modulus, input = group - 1. */
1009  {{0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1010  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1011  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1012  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1013  {0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1014  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}}
1015  };
1016 
1017  int i, j, ok;
1018 
1019  /* Test known inputs/outputs */
1020  for (i = 0; (size_t)i < sizeof(CASES) / sizeof(CASES[0]); ++i) {
1021  uint16_t out[16];
1022  test_modinv32_uint16(out, CASES[i][0], CASES[i][1]);
1023  for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1024 #ifdef SECP256K1_WIDEMUL_INT128
1025  test_modinv64_uint16(out, CASES[i][0], CASES[i][1]);
1026  for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1027 #endif
1028  }
1029 
1030  for (i = 0; i < 100 * count; ++i) {
1031  /* 256-bit numbers in 16-uint16_t's notation */
1032  static const uint16_t ZERO[16] = {0};
1033  uint16_t xd[16]; /* the number (in range [0,2^256)) to be inverted */
1034  uint16_t md[16]; /* the modulus (odd, in range [3,2^256)) */
1035  uint16_t id[16]; /* the inverse of xd mod md */
1036 
1037  /* generate random xd and md, so that md is odd, md>1, xd<md, and gcd(xd,md)=1 */
1038  do {
1039  /* generate random xd and md (with many subsequent 0s and 1s) */
1040  secp256k1_testrand256_test((unsigned char*)xd);
1041  secp256k1_testrand256_test((unsigned char*)md);
1042  md[0] |= 1; /* modulus must be odd */
1043  /* If modulus is 1, find another one. */
1044  ok = md[0] != 1;
1045  for (j = 1; j < 16; ++j) ok |= md[j] != 0;
1046  mulmod256(xd, xd, NULL, md); /* Make xd = xd mod md */
1047  } while (!(ok && coprime(xd, md)));
1048 
1049  test_modinv32_uint16(id, xd, md);
1050 #ifdef SECP256K1_WIDEMUL_INT128
1051  test_modinv64_uint16(id, xd, md);
1052 #endif
1053 
1054  /* In a few cases, also test with input=0 */
1055  if (i < count) {
1056  test_modinv32_uint16(id, ZERO, md);
1057 #ifdef SECP256K1_WIDEMUL_INT128
1058  test_modinv64_uint16(id, ZERO, md);
1059 #endif
1060  }
1061  }
1062 }
1063 
1064 /***** SCALAR TESTS *****/
1065 
1066 
1067 void scalar_test(void) {
1068  secp256k1_scalar s;
1069  secp256k1_scalar s1;
1070  secp256k1_scalar s2;
1071  unsigned char c[32];
1072 
1073  /* Set 's' to a random scalar, with value 'snum'. */
1074  random_scalar_order_test(&s);
1075 
1076  /* Set 's1' to a random scalar, with value 's1num'. */
1077  random_scalar_order_test(&s1);
1078 
1079  /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
1080  random_scalar_order_test(&s2);
1081  secp256k1_scalar_get_b32(c, &s2);
1082 
1083  {
1084  int i;
1085  /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
1086  secp256k1_scalar n;
1087  secp256k1_scalar_set_int(&n, 0);
1088  for (i = 0; i < 256; i += 4) {
1089  secp256k1_scalar t;
1090  int j;
1091  secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
1092  for (j = 0; j < 4; j++) {
1093  secp256k1_scalar_add(&n, &n, &n);
1094  }
1095  secp256k1_scalar_add(&n, &n, &t);
1096  }
1097  CHECK(secp256k1_scalar_eq(&n, &s));
1098  }
1099 
1100  {
1101  /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
1102  secp256k1_scalar n;
1103  int i = 0;
1104  secp256k1_scalar_set_int(&n, 0);
1105  while (i < 256) {
1106  secp256k1_scalar t;
1107  int j;
1108  int now = secp256k1_testrand_int(15) + 1;
1109  if (now + i > 256) {
1110  now = 256 - i;
1111  }
1112  secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
1113  for (j = 0; j < now; j++) {
1114  secp256k1_scalar_add(&n, &n, &n);
1115  }
1116  secp256k1_scalar_add(&n, &n, &t);
1117  i += now;
1118  }
1119  CHECK(secp256k1_scalar_eq(&n, &s));
1120  }
1121 
1122  {
1123  /* test secp256k1_scalar_shr_int */
1124  secp256k1_scalar r;
1125  int i;
1126  random_scalar_order_test(&r);
1127  for (i = 0; i < 100; ++i) {
1128  int low;
1129  int shift = 1 + secp256k1_testrand_int(15);
1130  int expected = r.d[0] % (1 << shift);
1131  low = secp256k1_scalar_shr_int(&r, shift);
1132  CHECK(expected == low);
1133  }
1134  }
1135 
1136  {
1137  /* Test commutativity of add. */
1138  secp256k1_scalar r1, r2;
1139  secp256k1_scalar_add(&r1, &s1, &s2);
1140  secp256k1_scalar_add(&r2, &s2, &s1);
1141  CHECK(secp256k1_scalar_eq(&r1, &r2));
1142  }
1143 
1144  {
1145  secp256k1_scalar r1, r2;
1146  secp256k1_scalar b;
1147  int i;
1148  /* Test add_bit. */
1149  int bit = secp256k1_testrand_bits(8);
1150  secp256k1_scalar_set_int(&b, 1);
1151  CHECK(secp256k1_scalar_is_one(&b));
1152  for (i = 0; i < bit; i++) {
1153  secp256k1_scalar_add(&b, &b, &b);
1154  }
1155  r1 = s1;
1156  r2 = s1;
1157  if (!secp256k1_scalar_add(&r1, &r1, &b)) {
1158  /* No overflow happened. */
1159  secp256k1_scalar_cadd_bit(&r2, bit, 1);
1160  CHECK(secp256k1_scalar_eq(&r1, &r2));
1161  /* cadd is a noop when flag is zero */
1162  secp256k1_scalar_cadd_bit(&r2, bit, 0);
1163  CHECK(secp256k1_scalar_eq(&r1, &r2));
1164  }
1165  }
1166 
1167  {
1168  /* Test commutativity of mul. */
1169  secp256k1_scalar r1, r2;
1170  secp256k1_scalar_mul(&r1, &s1, &s2);
1171  secp256k1_scalar_mul(&r2, &s2, &s1);
1172  CHECK(secp256k1_scalar_eq(&r1, &r2));
1173  }
1174 
1175  {
1176  /* Test associativity of add. */
1177  secp256k1_scalar r1, r2;
1178  secp256k1_scalar_add(&r1, &s1, &s2);
1179  secp256k1_scalar_add(&r1, &r1, &s);
1180  secp256k1_scalar_add(&r2, &s2, &s);
1181  secp256k1_scalar_add(&r2, &s1, &r2);
1182  CHECK(secp256k1_scalar_eq(&r1, &r2));
1183  }
1184 
1185  {
1186  /* Test associativity of mul. */
1187  secp256k1_scalar r1, r2;
1188  secp256k1_scalar_mul(&r1, &s1, &s2);
1189  secp256k1_scalar_mul(&r1, &r1, &s);
1190  secp256k1_scalar_mul(&r2, &s2, &s);
1191  secp256k1_scalar_mul(&r2, &s1, &r2);
1192  CHECK(secp256k1_scalar_eq(&r1, &r2));
1193  }
1194 
1195  {
1196  /* Test distributitivity of mul over add. */
1197  secp256k1_scalar r1, r2, t;
1198  secp256k1_scalar_add(&r1, &s1, &s2);
1199  secp256k1_scalar_mul(&r1, &r1, &s);
1200  secp256k1_scalar_mul(&r2, &s1, &s);
1201  secp256k1_scalar_mul(&t, &s2, &s);
1202  secp256k1_scalar_add(&r2, &r2, &t);
1203  CHECK(secp256k1_scalar_eq(&r1, &r2));
1204  }
1205 
1206  {
1207  /* Test multiplicative identity. */
1208  secp256k1_scalar r1, v1;
1209  secp256k1_scalar_set_int(&v1,1);
1210  secp256k1_scalar_mul(&r1, &s1, &v1);
1211  CHECK(secp256k1_scalar_eq(&r1, &s1));
1212  }
1213 
1214  {
1215  /* Test additive identity. */
1216  secp256k1_scalar r1, v0;
1217  secp256k1_scalar_set_int(&v0,0);
1218  secp256k1_scalar_add(&r1, &s1, &v0);
1219  CHECK(secp256k1_scalar_eq(&r1, &s1));
1220  }
1221 
1222  {
1223  /* Test zero product property. */
1224  secp256k1_scalar r1, v0;
1225  secp256k1_scalar_set_int(&v0,0);
1226  secp256k1_scalar_mul(&r1, &s1, &v0);
1227  CHECK(secp256k1_scalar_eq(&r1, &v0));
1228  }
1229 
1230 }
1231 
1232 void run_scalar_set_b32_seckey_tests(void) {
1233  unsigned char b32[32];
1234  secp256k1_scalar s1;
1235  secp256k1_scalar s2;
1236 
1237  /* Usually set_b32 and set_b32_seckey give the same result */
1238  random_scalar_order_b32(b32);
1239  secp256k1_scalar_set_b32(&s1, b32, NULL);
1240  CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 1);
1241  CHECK(secp256k1_scalar_eq(&s1, &s2) == 1);
1242 
1243  memset(b32, 0, sizeof(b32));
1244  CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
1245  memset(b32, 0xFF, sizeof(b32));
1246  CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
1247 }
1248 
1249 void run_scalar_tests(void) {
1250  int i;
1251  for (i = 0; i < 128 * count; i++) {
1252  scalar_test();
1253  }
1254  for (i = 0; i < count; i++) {
1255  run_scalar_set_b32_seckey_tests();
1256  }
1257 
1258  {
1259  /* (-1)+1 should be zero. */
1260  secp256k1_scalar s, o;
1261  secp256k1_scalar_set_int(&s, 1);
1262  CHECK(secp256k1_scalar_is_one(&s));
1263  secp256k1_scalar_negate(&o, &s);
1264  secp256k1_scalar_add(&o, &o, &s);
1265  CHECK(secp256k1_scalar_is_zero(&o));
1266  secp256k1_scalar_negate(&o, &o);
1267  CHECK(secp256k1_scalar_is_zero(&o));
1268  }
1269 
1270  {
1271  /* Does check_overflow check catch all ones? */
1272  static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
1273  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
1274  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
1275  );
1276  CHECK(secp256k1_scalar_check_overflow(&overflowed));
1277  }
1278 
1279  {
1280  /* Static test vectors.
1281  * These were reduced from ~10^12 random vectors based on comparison-decision
1282  * and edge-case coverage on 32-bit and 64-bit implementations.
1283  * The responses were generated with Sage 5.9.
1284  */
1285  secp256k1_scalar x;
1286  secp256k1_scalar y;
1287  secp256k1_scalar z;
1288  secp256k1_scalar zz;
1289  secp256k1_scalar one;
1290  secp256k1_scalar r1;
1291  secp256k1_scalar r2;
1292  secp256k1_scalar zzv;
1293  int overflow;
1294  unsigned char chal[33][2][32] = {
1295  {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
1296  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1297  0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
1298  0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
1299  {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
1300  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
1301  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1302  0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
1303  {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
1304  0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
1305  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1306  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1307  {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1308  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
1309  0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1310  0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
1311  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1312  0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
1313  0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
1314  0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
1315  {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
1316  0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
1317  0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
1318  0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
1319  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1320  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1321  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1322  0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
1323  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
1324  0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
1325  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
1326  0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
1327  {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
1328  0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
1329  0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
1330  0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
1331  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
1332  0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1333  0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
1334  0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
1335  {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
1336  0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1337  0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
1338  0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1339  {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1340  0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
1341  0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
1342  0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
1343  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
1344  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1345  0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
1346  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
1347  {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
1348  0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1349  0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
1350  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1351  {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
1352  0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1353  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1354  0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
1355  {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
1356  0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
1357  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1358  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1359  {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1360  0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
1361  0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1362  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1363  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1364  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1365  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1366  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1367  {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1368  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1369  0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
1370  0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
1371  {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1372  0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
1373  0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
1374  0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
1375  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
1376  0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1377  0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1378  0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
1379  {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
1380  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1381  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
1382  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
1383  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1384  0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1385  0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1386  0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1387  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1388  0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
1389  0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
1390  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1391  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1392  0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1393  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1394  0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
1395  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
1396  0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
1397  0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
1398  0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
1399  {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1400  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1401  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1402  0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
1403  {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
1404  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1405  0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
1406  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
1407  {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
1408  0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
1409  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1410  0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1411  {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
1412  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1413  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1414  0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
1415  {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
1416  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1417  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1418  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1419  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1420  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
1421  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1422  0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
1423  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1424  0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1425  0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
1426  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
1427  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1428  0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1429  0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
1430  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1431  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1432  0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1433  0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
1434  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
1435  {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1436  0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
1437  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1438  0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
1439  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1440  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1441  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1442  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1443  {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1444  0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
1445  0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
1446  0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
1447  {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
1448  0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
1449  0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1450  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
1451  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1452  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1453  0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
1454  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
1455  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1456  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1457  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1458  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1459  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1460  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1461  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1462  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
1463  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1464  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1465  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1466  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
1467  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1468  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1469  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1470  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1471  {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1472  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1473  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1474  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1475  {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1476  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1477  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1478  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1479  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
1480  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1481  0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
1482  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
1483  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
1484  0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
1485  0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
1486  0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
1487  {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1488  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1489  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1490  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1491  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1492  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1493  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1494  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
1495  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1496  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1497  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1498  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1499  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1500  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1501  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1502  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1503  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1504  0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
1505  0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
1506  0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1507  {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1508  0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1509  0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
1510  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1511  {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
1512  0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1513  0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1514  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
1515  {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1516  0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
1517  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1518  0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
1519  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1520  0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1521  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1522  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
1523  {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1524  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1525  0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
1526  0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
1527  {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1528  0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
1529  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
1530  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1531  {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
1532  0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
1533  0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1534  0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
1535  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1536  0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1537  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
1538  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1539  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1540  0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
1541  0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
1542  0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
1543  {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
1544  0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
1545  0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1546  0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
1547  {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1548  0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
1549  0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1550  0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
1551  {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1552  0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1553  0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1554  0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
1555  {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1556  0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1557  0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1558  0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
1559  };
1560  unsigned char res[33][2][32] = {
1561  {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
1562  0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
1563  0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
1564  0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
1565  {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
1566  0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
1567  0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
1568  0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
1569  {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
1570  0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
1571  0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
1572  0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
1573  {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
1574  0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
1575  0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
1576  0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
1577  {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
1578  0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
1579  0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
1580  0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
1581  {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
1582  0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
1583  0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
1584  0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
1585  {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
1586  0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
1587  0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
1588  0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
1589  {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
1590  0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
1591  0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
1592  0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
1593  {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
1594  0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
1595  0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
1596  0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
1597  {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
1598  0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
1599  0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
1600  0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
1601  {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
1602  0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
1603  0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
1604  0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
1605  {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
1606  0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
1607  0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
1608  0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
1609  {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
1610  0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
1611  0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
1612  0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
1613  {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
1614  0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
1615  0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
1616  0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
1617  {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
1618  0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
1619  0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
1620  0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
1621  {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
1622  0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
1623  0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
1624  0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
1625  {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
1626  0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
1627  0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
1628  0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
1629  {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
1630  0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
1631  0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
1632  0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
1633  {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
1634  0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
1635  0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
1636  0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
1637  {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
1638  0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
1639  0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
1640  0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
1641  {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
1642  0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
1643  0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
1644  0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
1645  {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
1646  0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
1647  0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
1648  0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
1649  {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
1650  0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
1651  0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
1652  0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
1653  {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
1654  0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
1655  0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
1656  0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
1657  {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
1658  0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
1659  0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
1660  0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
1661  {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
1662  0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
1663  0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
1664  0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
1665  {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
1666  0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
1667  0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
1668  0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
1669  {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
1670  0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
1671  0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
1672  0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
1673  {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
1674  0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
1675  0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
1676  0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
1677  {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
1678  0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
1679  0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
1680  0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
1681  {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
1682  0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
1683  0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
1684  0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
1685  {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
1686  0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
1687  0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
1688  0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
1689  {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
1690  0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
1691  0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
1692  0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
1693  {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
1694  0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
1695  0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
1696  0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
1697  {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
1698  0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
1699  0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
1700  0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
1701  {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
1702  0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
1703  0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
1704  0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
1705  {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
1706  0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
1707  0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
1708  0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
1709  {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
1710  0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
1711  0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
1712  0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
1713  {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
1714  0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
1715  0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
1716  0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
1717  {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
1718  0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
1719  0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
1720  0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
1721  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1722  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1723  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1724  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1725  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1726  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1727  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1728  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1729  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1730  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1731  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1732  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1733  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1734  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1735  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1736  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1737  {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1738  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1739  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1740  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
1741  {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1742  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1743  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1744  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1745  {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
1746  0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
1747  0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
1748  0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
1749  {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
1750  0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
1751  0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
1752  0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
1753  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1754  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1755  0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
1756  0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
1757  {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1758  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1759  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1760  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1761  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1762  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1763  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1764  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1765  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1766  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1767  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1768  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1769  {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
1770  0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
1771  0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
1772  0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
1773  {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
1774  0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
1775  0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
1776  0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
1777  {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
1778  0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
1779  0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
1780  0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
1781  {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
1782  0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
1783  0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
1784  0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
1785  {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
1786  0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
1787  0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
1788  0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
1789  {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
1790  0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
1791  0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
1792  0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
1793  {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
1794  0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
1795  0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
1796  0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
1797  {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
1798  0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
1799  0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
1800  0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
1801  {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
1802  0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
1803  0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
1804  0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
1805  {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
1806  0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
1807  0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
1808  0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
1809  {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
1810  0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
1811  0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
1812  0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
1813  {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
1814  0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
1815  0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
1816  0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
1817  {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1818  0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1819  0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1820  0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
1821  {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1822  0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1823  0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1824  0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
1825  };
1826  secp256k1_scalar_set_int(&one, 1);
1827  for (i = 0; i < 33; i++) {
1828  secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
1829  CHECK(!overflow);
1830  secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
1831  CHECK(!overflow);
1832  secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
1833  CHECK(!overflow);
1834  secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
1835  CHECK(!overflow);
1836  secp256k1_scalar_mul(&z, &x, &y);
1837  CHECK(!secp256k1_scalar_check_overflow(&z));
1838  CHECK(secp256k1_scalar_eq(&r1, &z));
1839  if (!secp256k1_scalar_is_zero(&y)) {
1840  secp256k1_scalar_inverse(&zz, &y);
1841  CHECK(!secp256k1_scalar_check_overflow(&zz));
1842  secp256k1_scalar_inverse_var(&zzv, &y);
1843  CHECK(secp256k1_scalar_eq(&zzv, &zz));
1844  secp256k1_scalar_mul(&z, &z, &zz);
1845  CHECK(!secp256k1_scalar_check_overflow(&z));
1846  CHECK(secp256k1_scalar_eq(&x, &z));
1847  secp256k1_scalar_mul(&zz, &zz, &y);
1848  CHECK(!secp256k1_scalar_check_overflow(&zz));
1849  CHECK(secp256k1_scalar_eq(&one, &zz));
1850  }
1851  }
1852  }
1853 }
1854 
1855 /***** FIELD TESTS *****/
1856 
1857 void random_fe(secp256k1_fe *x) {
1858  unsigned char bin[32];
1859  do {
1860  secp256k1_testrand256(bin);
1861  if (secp256k1_fe_set_b32(x, bin)) {
1862  return;
1863  }
1864  } while(1);
1865 }
1866 
1867 void random_fe_test(secp256k1_fe *x) {
1868  unsigned char bin[32];
1869  do {
1870  secp256k1_testrand256_test(bin);
1871  if (secp256k1_fe_set_b32(x, bin)) {
1872  return;
1873  }
1874  } while(1);
1875 }
1876 
1877 void random_fe_non_zero(secp256k1_fe *nz) {
1878  int tries = 10;
1879  while (--tries >= 0) {
1880  random_fe(nz);
1881  secp256k1_fe_normalize(nz);
1882  if (!secp256k1_fe_is_zero(nz)) {
1883  break;
1884  }
1885  }
1886  /* Infinitesimal probability of spurious failure here */
1887  CHECK(tries >= 0);
1888 }
1889 
1890 void random_fe_non_square(secp256k1_fe *ns) {
1891  secp256k1_fe r;
1892  random_fe_non_zero(ns);
1893  if (secp256k1_fe_sqrt(&r, ns)) {
1894  secp256k1_fe_negate(ns, ns, 1);
1895  }
1896 }
1897 
1898 int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
1899  secp256k1_fe an = *a;
1900  secp256k1_fe bn = *b;
1901  secp256k1_fe_normalize_weak(&an);
1902  secp256k1_fe_normalize_var(&bn);
1903  return secp256k1_fe_equal_var(&an, &bn);
1904 }
1905 
1906 void run_field_convert(void) {
1907  static const unsigned char b32[32] = {
1908  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1909  0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1910  0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
1911  0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
1912  };
1913  static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
1914  0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1915  0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1916  );
1917  static const secp256k1_fe fe = SECP256K1_FE_CONST(
1918  0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1919  0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1920  );
1921  secp256k1_fe fe2;
1922  unsigned char b322[32];
1923  secp256k1_fe_storage fes2;
1924  /* Check conversions to fe. */
1925  CHECK(secp256k1_fe_set_b32(&fe2, b32));
1926  CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1927  secp256k1_fe_from_storage(&fe2, &fes);
1928  CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1929  /* Check conversion from fe. */
1930  secp256k1_fe_get_b32(b322, &fe);
1931  CHECK(secp256k1_memcmp_var(b322, b32, 32) == 0);
1932  secp256k1_fe_to_storage(&fes2, &fe);
1933  CHECK(secp256k1_memcmp_var(&fes2, &fes, sizeof(fes)) == 0);
1934 }
1935 
1936 int fe_secp256k1_memcmp_var(const secp256k1_fe *a, const secp256k1_fe *b) {
1937  secp256k1_fe t = *b;
1938 #ifdef VERIFY
1939  t.magnitude = a->magnitude;
1940  t.normalized = a->normalized;
1941 #endif
1942  return secp256k1_memcmp_var(a, &t, sizeof(secp256k1_fe));
1943 }
1944 
1945 void run_field_misc(void) {
1946  secp256k1_fe x;
1947  secp256k1_fe y;
1948  secp256k1_fe z;
1949  secp256k1_fe q;
1950  secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
1951  int i, j;
1952  for (i = 0; i < 5*count; i++) {
1953  secp256k1_fe_storage xs, ys, zs;
1954  random_fe(&x);
1955  random_fe_non_zero(&y);
1956  /* Test the fe equality and comparison operations. */
1957  CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
1958  CHECK(secp256k1_fe_equal_var(&x, &x));
1959  z = x;
1960  secp256k1_fe_add(&z,&y);
1961  /* Test fe conditional move; z is not normalized here. */
1962  q = x;
1963  secp256k1_fe_cmov(&x, &z, 0);
1964 #ifdef VERIFY
1965  CHECK(x.normalized && x.magnitude == 1);
1966 #endif
1967  secp256k1_fe_cmov(&x, &x, 1);
1968  CHECK(fe_secp256k1_memcmp_var(&x, &z) != 0);
1969  CHECK(fe_secp256k1_memcmp_var(&x, &q) == 0);
1970  secp256k1_fe_cmov(&q, &z, 1);
1971 #ifdef VERIFY
1972  CHECK(!q.normalized && q.magnitude == z.magnitude);
1973 #endif
1974  CHECK(fe_secp256k1_memcmp_var(&q, &z) == 0);
1975  secp256k1_fe_normalize_var(&x);
1976  secp256k1_fe_normalize_var(&z);
1977  CHECK(!secp256k1_fe_equal_var(&x, &z));
1978  secp256k1_fe_normalize_var(&q);
1979  secp256k1_fe_cmov(&q, &z, (i&1));
1980 #ifdef VERIFY
1981  CHECK(q.normalized && q.magnitude == 1);
1982 #endif
1983  for (j = 0; j < 6; j++) {
1984  secp256k1_fe_negate(&z, &z, j+1);
1985  secp256k1_fe_normalize_var(&q);
1986  secp256k1_fe_cmov(&q, &z, (j&1));
1987 #ifdef VERIFY
1988  CHECK((q.normalized != (j&1)) && q.magnitude == ((j&1) ? z.magnitude : 1));
1989 #endif
1990  }
1991  secp256k1_fe_normalize_var(&z);
1992  /* Test storage conversion and conditional moves. */
1993  secp256k1_fe_to_storage(&xs, &x);
1994  secp256k1_fe_to_storage(&ys, &y);
1995  secp256k1_fe_to_storage(&zs, &z);
1996  secp256k1_fe_storage_cmov(&zs, &xs, 0);
1997  secp256k1_fe_storage_cmov(&zs, &zs, 1);
1998  CHECK(secp256k1_memcmp_var(&xs, &zs, sizeof(xs)) != 0);
1999  secp256k1_fe_storage_cmov(&ys, &xs, 1);
2000  CHECK(secp256k1_memcmp_var(&xs, &ys, sizeof(xs)) == 0);
2001  secp256k1_fe_from_storage(&x, &xs);
2002  secp256k1_fe_from_storage(&y, &ys);
2003  secp256k1_fe_from_storage(&z, &zs);
2004  /* Test that mul_int, mul, and add agree. */
2005  secp256k1_fe_add(&y, &x);
2006  secp256k1_fe_add(&y, &x);
2007  z = x;
2008  secp256k1_fe_mul_int(&z, 3);
2009  CHECK(check_fe_equal(&y, &z));
2010  secp256k1_fe_add(&y, &x);
2011  secp256k1_fe_add(&z, &x);
2012  CHECK(check_fe_equal(&z, &y));
2013  z = x;
2014  secp256k1_fe_mul_int(&z, 5);
2015  secp256k1_fe_mul(&q, &x, &fe5);
2016  CHECK(check_fe_equal(&z, &q));
2017  secp256k1_fe_negate(&x, &x, 1);
2018  secp256k1_fe_add(&z, &x);
2019  secp256k1_fe_add(&q, &x);
2020  CHECK(check_fe_equal(&y, &z));
2021  CHECK(check_fe_equal(&q, &y));
2022  }
2023 }
2024 
2025 void run_sqr(void) {
2026  secp256k1_fe x, s;
2027 
2028  {
2029  int i;
2030  secp256k1_fe_set_int(&x, 1);
2031  secp256k1_fe_negate(&x, &x, 1);
2032 
2033  for (i = 1; i <= 512; ++i) {
2034  secp256k1_fe_mul_int(&x, 2);
2035  secp256k1_fe_normalize(&x);
2036  secp256k1_fe_sqr(&s, &x);
2037  }
2038  }
2039 }
2040 
2041 void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
2042  secp256k1_fe r1, r2;
2043  int v = secp256k1_fe_sqrt(&r1, a);
2044  CHECK((v == 0) == (k == NULL));
2045 
2046  if (k != NULL) {
2047  /* Check that the returned root is +/- the given known answer */
2048  secp256k1_fe_negate(&r2, &r1, 1);
2049  secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
2050  secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
2051  CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
2052  }
2053 }
2054 
2055 void run_sqrt(void) {
2056  secp256k1_fe ns, x, s, t;
2057  int i;
2058 
2059  /* Check sqrt(0) is 0 */
2060  secp256k1_fe_set_int(&x, 0);
2061  secp256k1_fe_sqr(&s, &x);
2062  test_sqrt(&s, &x);
2063 
2064  /* Check sqrt of small squares (and their negatives) */
2065  for (i = 1; i <= 100; i++) {
2066  secp256k1_fe_set_int(&x, i);
2067  secp256k1_fe_sqr(&s, &x);
2068  test_sqrt(&s, &x);
2069  secp256k1_fe_negate(&t, &s, 1);
2070  test_sqrt(&t, NULL);
2071  }
2072 
2073  /* Consistency checks for large random values */
2074  for (i = 0; i < 10; i++) {
2075  int j;
2076  random_fe_non_square(&ns);
2077  for (j = 0; j < count; j++) {
2078  random_fe(&x);
2079  secp256k1_fe_sqr(&s, &x);
2080  test_sqrt(&s, &x);
2081  secp256k1_fe_negate(&t, &s, 1);
2082  test_sqrt(&t, NULL);
2083  secp256k1_fe_mul(&t, &s, &ns);
2084  test_sqrt(&t, NULL);
2085  }
2086  }
2087 }
2088 
2089 /***** FIELD/SCALAR INVERSE TESTS *****/
2090 
2091 static const secp256k1_scalar scalar_minus_one = SECP256K1_SCALAR_CONST(
2092  0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE,
2093  0xBAAEDCE6, 0xAF48A03B, 0xBFD25E8C, 0xD0364140
2094 );
2095 
2096 static const secp256k1_fe fe_minus_one = SECP256K1_FE_CONST(
2097  0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
2098  0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFC2E
2099 );
2100 
2101 /* These tests test the following identities:
2102  *
2103  * for x==0: 1/x == 0
2104  * for x!=0: x*(1/x) == 1
2105  * for x!=0 and x!=1: 1/(1/x - 1) + 1 == -1/(x-1)
2106  */
2107 
2108 void test_inverse_scalar(secp256k1_scalar* out, const secp256k1_scalar* x, int var)
2109 {
2110  secp256k1_scalar l, r, t;
2111 
2112  (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse_var)(&l, x); /* l = 1/x */
2113  if (out) *out = l;
2114  if (secp256k1_scalar_is_zero(x)) {
2115  CHECK(secp256k1_scalar_is_zero(&l));
2116  return;
2117  }
2118  secp256k1_scalar_mul(&t, x, &l); /* t = x*(1/x) */
2119  CHECK(secp256k1_scalar_is_one(&t)); /* x*(1/x) == 1 */
2120  secp256k1_scalar_add(&r, x, &scalar_minus_one); /* r = x-1 */
2121  if (secp256k1_scalar_is_zero(&r)) return;
2122  (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse_var)(&r, &r); /* r = 1/(x-1) */
2123  secp256k1_scalar_add(&l, &scalar_minus_one, &l); /* l = 1/x-1 */
2124  (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse_var)(&l, &l); /* l = 1/(1/x-1) */
2125  secp256k1_scalar_add(&l, &l, &secp256k1_scalar_one); /* l = 1/(1/x-1)+1 */
2126  secp256k1_scalar_add(&l, &r, &l); /* l = 1/(1/x-1)+1 + 1/(x-1) */
2127  CHECK(secp256k1_scalar_is_zero(&l)); /* l == 0 */
2128 }
2129 
2130 void test_inverse_field(secp256k1_fe* out, const secp256k1_fe* x, int var)
2131 {
2132  secp256k1_fe l, r, t;
2133 
2134  (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, x) ; /* l = 1/x */
2135  if (out) *out = l;
2136  t = *x; /* t = x */
2137  if (secp256k1_fe_normalizes_to_zero_var(&t)) {
2138  CHECK(secp256k1_fe_normalizes_to_zero(&l));
2139  return;
2140  }
2141  secp256k1_fe_mul(&t, x, &l); /* t = x*(1/x) */
2142  secp256k1_fe_add(&t, &fe_minus_one); /* t = x*(1/x)-1 */
2143  CHECK(secp256k1_fe_normalizes_to_zero(&t)); /* x*(1/x)-1 == 0 */
2144  r = *x; /* r = x */
2145  secp256k1_fe_add(&r, &fe_minus_one); /* r = x-1 */
2146  if (secp256k1_fe_normalizes_to_zero_var(&r)) return;
2147  (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&r, &r); /* r = 1/(x-1) */
2148  secp256k1_fe_add(&l, &fe_minus_one); /* l = 1/x-1 */
2149  (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, &l); /* l = 1/(1/x-1) */
2150  secp256k1_fe_add(&l, &secp256k1_fe_one); /* l = 1/(1/x-1)+1 */
2151  secp256k1_fe_add(&l, &r); /* l = 1/(1/x-1)+1 + 1/(x-1) */
2152  CHECK(secp256k1_fe_normalizes_to_zero_var(&l)); /* l == 0 */
2153 }
2154 
2155 void run_inverse_tests(void)
2156 {
2157  /* Fixed test cases for field inverses: pairs of (x, 1/x) mod p. */
2158  static const secp256k1_fe fe_cases[][2] = {
2159  /* 0 */
2160  {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0),
2161  SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
2162  /* 1 */
2163  {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1),
2164  SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
2165  /* -1 */
2166  {SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e),
2167  SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e)},
2168  /* 2 */
2169  {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2),
2170  SECP256K1_FE_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x7ffffe18)},
2171  /* 2**128 */
2172  {SECP256K1_FE_CONST(0, 0, 0, 1, 0, 0, 0, 0),
2173  SECP256K1_FE_CONST(0xbcb223fe, 0xdc24a059, 0xd838091d, 0xd2253530, 0xffffffff, 0xffffffff, 0xffffffff, 0x434dd931)},
2174  /* Input known to need 637 divsteps */
2175  {SECP256K1_FE_CONST(0xe34e9c95, 0x6bee8a84, 0x0dcb632a, 0xdb8a1320, 0x66885408, 0x06f3f996, 0x7c11ca84, 0x19199ec3),
2176  SECP256K1_FE_CONST(0xbd2cbd8f, 0x1c536828, 0x9bccda44, 0x2582ac0c, 0x870152b0, 0x8a3f09fb, 0x1aaadf92, 0x19b618e5)}
2177  };
2178  /* Fixed test cases for scalar inverses: pairs of (x, 1/x) mod n. */
2179  static const secp256k1_scalar scalar_cases[][2] = {
2180  /* 0 */
2181  {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
2182  SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
2183  /* 1 */
2184  {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1),
2185  SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
2186  /* -1 */
2187  {SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140),
2188  SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140)},
2189  /* 2 */
2190  {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 2),
2191  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x5d576e73, 0x57a4501d, 0xdfe92f46, 0x681b20a1)},
2192  /* 2**128 */
2193  {SECP256K1_SCALAR_CONST(0, 0, 0, 1, 0, 0, 0, 0),
2194  SECP256K1_SCALAR_CONST(0x50a51ac8, 0x34b9ec24, 0x4b0dff66, 0x5588b13e, 0x9984d5b3, 0xcf80ef0f, 0xd6a23766, 0xa3ee9f22)},
2195  /* Input known to need 635 divsteps */
2196  {SECP256K1_SCALAR_CONST(0xcb9f1d35, 0xdd4416c2, 0xcd71bf3f, 0x6365da66, 0x3c9b3376, 0x8feb7ae9, 0x32a5ef60, 0x19199ec3),
2197  SECP256K1_SCALAR_CONST(0x1d7c7bba, 0xf1893d53, 0xb834bd09, 0x36b411dc, 0x42c2e42f, 0xec72c428, 0x5e189791, 0x8e9bc708)}
2198  };
2199  int i, var, testrand;
2200  unsigned char b32[32];
2201  secp256k1_fe x_fe;
2202  secp256k1_scalar x_scalar;
2203  memset(b32, 0, sizeof(b32));
2204  /* Test fixed test cases through test_inverse_{scalar,field}, both ways. */
2205  for (i = 0; (size_t)i < sizeof(fe_cases)/sizeof(fe_cases[0]); ++i) {
2206  for (var = 0; var <= 1; ++var) {
2207  test_inverse_field(&x_fe, &fe_cases[i][0], var);
2208  check_fe_equal(&x_fe, &fe_cases[i][1]);
2209  test_inverse_field(&x_fe, &fe_cases[i][1], var);
2210  check_fe_equal(&x_fe, &fe_cases[i][0]);
2211  }
2212  }
2213  for (i = 0; (size_t)i < sizeof(scalar_cases)/sizeof(scalar_cases[0]); ++i) {
2214  for (var = 0; var <= 1; ++var) {
2215  test_inverse_scalar(&x_scalar, &scalar_cases[i][0], var);
2216  CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][1]));
2217  test_inverse_scalar(&x_scalar, &scalar_cases[i][1], var);
2218  CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][0]));
2219  }
2220  }
2221  /* Test inputs 0..999 and their respective negations. */
2222  for (i = 0; i < 1000; ++i) {
2223  b32[31] = i & 0xff;
2224  b32[30] = (i >> 8) & 0xff;
2225  secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
2226  secp256k1_fe_set_b32(&x_fe, b32);
2227  for (var = 0; var <= 1; ++var) {
2228  test_inverse_scalar(NULL, &x_scalar, var);
2229  test_inverse_field(NULL, &x_fe, var);
2230  }
2231  secp256k1_scalar_negate(&x_scalar, &x_scalar);
2232  secp256k1_fe_negate(&x_fe, &x_fe, 1);
2233  for (var = 0; var <= 1; ++var) {
2234  test_inverse_scalar(NULL, &x_scalar, var);
2235  test_inverse_field(NULL, &x_fe, var);
2236  }
2237  }
2238  /* test 128*count random inputs; half with testrand256_test, half with testrand256 */
2239  for (testrand = 0; testrand <= 1; ++testrand) {
2240  for (i = 0; i < 64 * count; ++i) {
2241  (testrand ? secp256k1_testrand256_test : secp256k1_testrand256)(b32);
2242  secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
2243  secp256k1_fe_set_b32(&x_fe, b32);
2244  for (var = 0; var <= 1; ++var) {
2245  test_inverse_scalar(NULL, &x_scalar, var);
2246  test_inverse_field(NULL, &x_fe, var);
2247  }
2248  }
2249  }
2250 }
2251 
2252 /***** GROUP TESTS *****/
2253 
2254 void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
2255  CHECK(a->infinity == b->infinity);
2256  if (a->infinity) {
2257  return;
2258  }
2259  CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
2260  CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
2261 }
2262 
2263 /* This compares jacobian points including their Z, not just their geometric meaning. */
2264 int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
2265  secp256k1_gej a2;
2266  secp256k1_gej b2;
2267  int ret = 1;
2268  ret &= a->infinity == b->infinity;
2269  if (ret && !a->infinity) {
2270  a2 = *a;
2271  b2 = *b;
2272  secp256k1_fe_normalize(&a2.x);
2273  secp256k1_fe_normalize(&a2.y);
2274  secp256k1_fe_normalize(&a2.z);
2275  secp256k1_fe_normalize(&b2.x);
2276  secp256k1_fe_normalize(&b2.y);
2277  secp256k1_fe_normalize(&b2.z);
2278  ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
2279  ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
2280  ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
2281  }
2282  return ret;
2283 }
2284 
2285 void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
2286  secp256k1_fe z2s;
2287  secp256k1_fe u1, u2, s1, s2;
2288  CHECK(a->infinity == b->infinity);
2289  if (a->infinity) {
2290  return;
2291  }
2292  /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
2293  secp256k1_fe_sqr(&z2s, &b->z);
2294  secp256k1_fe_mul(&u1, &a->x, &z2s);
2295  u2 = b->x; secp256k1_fe_normalize_weak(&u2);
2296  secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
2297  s2 = b->y; secp256k1_fe_normalize_weak(&s2);
2298  CHECK(secp256k1_fe_equal_var(&u1, &u2));
2299  CHECK(secp256k1_fe_equal_var(&s1, &s2));
2300 }
2301 
2302 void test_ge(void) {
2303  int i, i1;
2304  int runs = 6;
2305  /* 25 points are used:
2306  * - infinity
2307  * - for each of four random points p1 p2 p3 p4, we add the point, its
2308  * negation, and then those two again but with randomized Z coordinate.
2309  * - The same is then done for lambda*p1 and lambda^2*p1.
2310  */
2311  secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
2312  secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
2313  secp256k1_fe zf;
2314  secp256k1_fe zfi2, zfi3;
2315 
2316  secp256k1_gej_set_infinity(&gej[0]);
2317  secp256k1_ge_clear(&ge[0]);
2318  secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
2319  for (i = 0; i < runs; i++) {
2320  int j;
2321  secp256k1_ge g;
2322  random_group_element_test(&g);
2323  if (i >= runs - 2) {
2324  secp256k1_ge_mul_lambda(&g, &ge[1]);
2325  }
2326  if (i >= runs - 1) {
2327  secp256k1_ge_mul_lambda(&g, &g);
2328  }
2329  ge[1 + 4 * i] = g;
2330  ge[2 + 4 * i] = g;
2331  secp256k1_ge_neg(&ge[3 + 4 * i], &g);
2332  secp256k1_ge_neg(&ge[4 + 4 * i], &g);
2333  secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
2334  random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
2335  secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
2336  random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
2337  for (j = 0; j < 4; j++) {
2338  random_field_element_magnitude(&ge[1 + j + 4 * i].x);
2339  random_field_element_magnitude(&ge[1 + j + 4 * i].y);
2340  random_field_element_magnitude(&gej[1 + j + 4 * i].x);
2341  random_field_element_magnitude(&gej[1 + j + 4 * i].y);
2342  random_field_element_magnitude(&gej[1 + j + 4 * i].z);
2343  }
2344  }
2345 
2346  /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
2347  do {
2348  random_field_element_test(&zf);
2349  } while(secp256k1_fe_is_zero(&zf));
2350  random_field_element_magnitude(&zf);
2351  secp256k1_fe_inv_var(&zfi3, &zf);
2352  secp256k1_fe_sqr(&zfi2, &zfi3);
2353  secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
2354 
2355  for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
2356  int i2;
2357  for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
2358  /* Compute reference result using gej + gej (var). */
2359  secp256k1_gej refj, resj;
2360  secp256k1_ge ref;
2361  secp256k1_fe zr;
2362  secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2363  /* Check Z ratio. */
2364  if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
2365  secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2366  CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
2367  }
2368  secp256k1_ge_set_gej_var(&ref, &refj);
2369 
2370  /* Test gej + ge with Z ratio result (var). */
2371  secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2372  ge_equals_gej(&ref, &resj);
2373  if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
2374  secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2375  CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
2376  }
2377 
2378  /* Test gej + ge (var, with additional Z factor). */
2379  {
2380  secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
2381  secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
2382  secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
2383  random_field_element_magnitude(&ge2_zfi.x);
2384  random_field_element_magnitude(&ge2_zfi.y);
2385  secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
2386  ge_equals_gej(&ref, &resj);
2387  }
2388 
2389  /* Test gej + ge (const). */
2390  if (i2 != 0) {
2391  /* secp256k1_gej_add_ge does not support its second argument being infinity. */
2392  secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
2393  ge_equals_gej(&ref, &resj);
2394  }
2395 
2396  /* Test doubling (var). */
2397  if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
2398  secp256k1_fe zr2;
2399  /* Normal doubling with Z ratio result. */
2400  secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
2401  ge_equals_gej(&ref, &resj);
2402  /* Check Z ratio. */
2403  secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
2404  CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
2405  /* Normal doubling. */
2406  secp256k1_gej_double_var(&resj, &gej[i2], NULL);
2407  ge_equals_gej(&ref, &resj);
2408  /* Constant-time doubling. */
2409  secp256k1_gej_double(&resj, &gej[i2]);
2410  ge_equals_gej(&ref, &resj);
2411  }
2412 
2413  /* Test adding opposites. */
2414  if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
2415  CHECK(secp256k1_ge_is_infinity(&ref));
2416  }
2417 
2418  /* Test adding infinity. */
2419  if (i1 == 0) {
2420  CHECK(secp256k1_ge_is_infinity(&ge[i1]));
2421  CHECK(secp256k1_gej_is_infinity(&gej[i1]));
2422  ge_equals_gej(&ref, &gej[i2]);
2423  }
2424  if (i2 == 0) {
2425  CHECK(secp256k1_ge_is_infinity(&ge[i2]));
2426  CHECK(secp256k1_gej_is_infinity(&gej[i2]));
2427  ge_equals_gej(&ref, &gej[i1]);
2428  }
2429  }
2430  }
2431 
2432  /* Test adding all points together in random order equals infinity. */
2433  {
2434  secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
2435  secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
2436  for (i = 0; i < 4 * runs + 1; i++) {
2437  gej_shuffled[i] = gej[i];
2438  }
2439  for (i = 0; i < 4 * runs + 1; i++) {
2440  int swap = i + secp256k1_testrand_int(4 * runs + 1 - i);
2441  if (swap != i) {
2442  secp256k1_gej t = gej_shuffled[i];
2443  gej_shuffled[i] = gej_shuffled[swap];
2444  gej_shuffled[swap] = t;
2445  }
2446  }
2447  for (i = 0; i < 4 * runs + 1; i++) {
2448  secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
2449  }
2450  CHECK(secp256k1_gej_is_infinity(&sum));
2451  free(gej_shuffled);
2452  }
2453 
2454  /* Test batch gej -> ge conversion without known z ratios. */
2455  {
2456  secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
2457  secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
2458  for (i = 0; i < 4 * runs + 1; i++) {
2459  secp256k1_fe s;
2460  random_fe_non_zero(&s);
2461  secp256k1_gej_rescale(&gej[i], &s);
2462  ge_equals_gej(&ge_set_all[i], &gej[i]);
2463  }
2464  free(ge_set_all);
2465  }
2466 
2467  /* Test batch gej -> ge conversion with many infinities. */
2468  for (i = 0; i < 4 * runs + 1; i++) {
2469  random_group_element_test(&ge[i]);
2470  /* randomly set half the points to infinity */
2471  if(secp256k1_fe_is_odd(&ge[i].x)) {
2472  secp256k1_ge_set_infinity(&ge[i]);
2473  }
2474  secp256k1_gej_set_ge(&gej[i], &ge[i]);
2475  }
2476  /* batch invert */
2477  secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
2478  /* check result */
2479  for (i = 0; i < 4 * runs + 1; i++) {
2480  ge_equals_gej(&ge[i], &gej[i]);
2481  }
2482 
2483  free(ge);
2484  free(gej);
2485 }
2486 
2487 
2488 void test_intialized_inf(void) {
2489  secp256k1_ge p;
2490  secp256k1_gej pj, npj, infj1, infj2, infj3;
2491  secp256k1_fe zinv;
2492 
2493  /* Test that adding P+(-P) results in a fully initalized infinity*/
2494  random_group_element_test(&p);
2495  secp256k1_gej_set_ge(&pj, &p);
2496  secp256k1_gej_neg(&npj, &pj);
2497 
2498  secp256k1_gej_add_var(&infj1, &pj, &npj, NULL);
2499  CHECK(secp256k1_gej_is_infinity(&infj1));
2500  CHECK(secp256k1_fe_is_zero(&infj1.x));
2501  CHECK(secp256k1_fe_is_zero(&infj1.y));
2502  CHECK(secp256k1_fe_is_zero(&infj1.z));
2503 
2504  secp256k1_gej_add_ge_var(&infj2, &npj, &p, NULL);
2505  CHECK(secp256k1_gej_is_infinity(&infj2));
2506  CHECK(secp256k1_fe_is_zero(&infj2.x));
2507  CHECK(secp256k1_fe_is_zero(&infj2.y));
2508  CHECK(secp256k1_fe_is_zero(&infj2.z));
2509 
2510  secp256k1_fe_set_int(&zinv, 1);
2511  secp256k1_gej_add_zinv_var(&infj3, &npj, &p, &zinv);
2512  CHECK(secp256k1_gej_is_infinity(&infj3));
2513  CHECK(secp256k1_fe_is_zero(&infj3.x));
2514  CHECK(secp256k1_fe_is_zero(&infj3.y));
2515  CHECK(secp256k1_fe_is_zero(&infj3.z));
2516 
2517 
2518 }
2519 
2520 void test_add_neg_y_diff_x(void) {
2521  /* The point of this test is to check that we can add two points
2522  * whose y-coordinates are negatives of each other but whose x
2523  * coordinates differ. If the x-coordinates were the same, these
2524  * points would be negatives of each other and their sum is
2525  * infinity. This is cool because it "covers up" any degeneracy
2526  * in the addition algorithm that would cause the xy coordinates
2527  * of the sum to be wrong (since infinity has no xy coordinates).
2528  * HOWEVER, if the x-coordinates are different, infinity is the
2529  * wrong answer, and such degeneracies are exposed. This is the
2530  * root of https://github.com/bitcoin-core/secp256k1/issues/257
2531  * which this test is a regression test for.
2532  *
2533  * These points were generated in sage as
2534  * # secp256k1 params
2535  * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
2536  * C = EllipticCurve ([F (0), F (7)])
2537  * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
2538  * N = FiniteField(G.order())
2539  *
2540  * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
2541  * x = polygen(N)
2542  * lam = (1 - x^3).roots()[1][0]
2543  *
2544  * # random "bad pair"
2545  * P = C.random_element()
2546  * Q = -int(lam) * P
2547  * print " P: %x %x" % P.xy()
2548  * print " Q: %x %x" % Q.xy()
2549  * print "P + Q: %x %x" % (P + Q).xy()
2550  */
2551  secp256k1_gej aj = SECP256K1_GEJ_CONST(
2552  0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
2553  0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
2554  0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
2555  0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
2556  );
2557  secp256k1_gej bj = SECP256K1_GEJ_CONST(
2558  0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
2559  0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
2560  0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
2561  0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
2562  );
2563  secp256k1_gej sumj = SECP256K1_GEJ_CONST(
2564  0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
2565  0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
2566  0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
2567  0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
2568  );
2569  secp256k1_ge b;
2570  secp256k1_gej resj;
2571  secp256k1_ge res;
2572  secp256k1_ge_set_gej(&b, &bj);
2573 
2574  secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
2575  secp256k1_ge_set_gej(&res, &resj);
2576  ge_equals_gej(&res, &sumj);
2577 
2578  secp256k1_gej_add_ge(&resj, &aj, &b);
2579  secp256k1_ge_set_gej(&res, &resj);
2580  ge_equals_gej(&res, &sumj);
2581 
2582  secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
2583  secp256k1_ge_set_gej(&res, &resj);
2584  ge_equals_gej(&res, &sumj);
2585 }
2586 
2587 void run_ge(void) {
2588  int i;
2589  for (i = 0; i < count * 32; i++) {
2590  test_ge();
2591  }
2592  test_add_neg_y_diff_x();
2593  test_intialized_inf();
2594 }
2595 
2596 void test_ec_combine(void) {
2597  secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2598  secp256k1_pubkey data[6];
2599  const secp256k1_pubkey* d[6];
2600  secp256k1_pubkey sd;
2601  secp256k1_pubkey sd2;
2602  secp256k1_gej Qj;
2603  secp256k1_ge Q;
2604  int i;
2605  for (i = 1; i <= 6; i++) {
2606  secp256k1_scalar s;
2607  random_scalar_order_test(&s);
2608  secp256k1_scalar_add(&sum, &sum, &s);
2609  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s);
2610  secp256k1_ge_set_gej(&Q, &Qj);
2611  secp256k1_pubkey_save(&data[i - 1], &Q);
2612  d[i - 1] = &data[i - 1];
2613  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum);
2614  secp256k1_ge_set_gej(&Q, &Qj);
2615  secp256k1_pubkey_save(&sd, &Q);
2616  CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
2617  CHECK(secp256k1_memcmp_var(&sd, &sd2, sizeof(sd)) == 0);
2618  }
2619 }
2620 
2621 void run_ec_combine(void) {
2622  int i;
2623  for (i = 0; i < count * 8; i++) {
2624  test_ec_combine();
2625  }
2626 }
2627 
2628 void test_group_decompress(const secp256k1_fe* x) {
2629  /* The input itself, normalized. */
2630  secp256k1_fe fex = *x;
2631  secp256k1_fe fez;
2632  /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
2633  secp256k1_ge ge_quad, ge_even, ge_odd;
2634  secp256k1_gej gej_quad;
2635  /* Return values of the above calls. */
2636  int res_quad, res_even, res_odd;
2637 
2638  secp256k1_fe_normalize_var(&fex);
2639 
2640  res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex);
2641  res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
2642  res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
2643 
2644  CHECK(res_quad == res_even);
2645  CHECK(res_quad == res_odd);
2646 
2647  if (res_quad) {
2648  secp256k1_fe_normalize_var(&ge_quad.x);
2649  secp256k1_fe_normalize_var(&ge_odd.x);
2650  secp256k1_fe_normalize_var(&ge_even.x);
2651  secp256k1_fe_normalize_var(&ge_quad.y);
2652  secp256k1_fe_normalize_var(&ge_odd.y);
2653  secp256k1_fe_normalize_var(&ge_even.y);
2654 
2655  /* No infinity allowed. */
2656  CHECK(!ge_quad.infinity);
2657  CHECK(!ge_even.infinity);
2658  CHECK(!ge_odd.infinity);
2659 
2660  /* Check that the x coordinates check out. */
2661  CHECK(secp256k1_fe_equal_var(&ge_quad.x, x));
2662  CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
2663  CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
2664 
2665  /* Check that the Y coordinate result in ge_quad is a square. */
2666  CHECK(secp256k1_fe_is_quad_var(&ge_quad.y));
2667 
2668  /* Check odd/even Y in ge_odd, ge_even. */
2669  CHECK(secp256k1_fe_is_odd(&ge_odd.y));
2670  CHECK(!secp256k1_fe_is_odd(&ge_even.y));
2671 
2672  /* Check secp256k1_gej_has_quad_y_var. */
2673  secp256k1_gej_set_ge(&gej_quad, &ge_quad);
2674  CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2675  do {
2676  random_fe_test(&fez);
2677  } while (secp256k1_fe_is_zero(&fez));
2678  secp256k1_gej_rescale(&gej_quad, &fez);
2679  CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2680  secp256k1_gej_neg(&gej_quad, &gej_quad);
2681  CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2682  do {
2683  random_fe_test(&fez);
2684  } while (secp256k1_fe_is_zero(&fez));
2685  secp256k1_gej_rescale(&gej_quad, &fez);
2686  CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2687  secp256k1_gej_neg(&gej_quad, &gej_quad);
2688  CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2689  }
2690 }
2691 
2692 void run_group_decompress(void) {
2693  int i;
2694  for (i = 0; i < count * 4; i++) {
2695  secp256k1_fe fe;
2696  random_fe_test(&fe);
2697  test_group_decompress(&fe);
2698  }
2699 }
2700 
2701 /***** ECMULT TESTS *****/
2702 
2703 void run_ecmult_chain(void) {
2704  /* random starting point A (on the curve) */
2705  secp256k1_gej a = SECP256K1_GEJ_CONST(
2706  0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
2707  0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
2708  0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
2709  0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
2710  );
2711  /* two random initial factors xn and gn */
2712  secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2713  0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
2714  0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
2715  );
2716  secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
2717  0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
2718  0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
2719  );
2720  /* two small multipliers to be applied to xn and gn in every iteration: */
2721  static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
2722  static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
2723  /* accumulators with the resulting coefficients to A and G */
2724  secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2725  secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2726  /* actual points */
2727  secp256k1_gej x;
2728  secp256k1_gej x2;
2729  int i;
2730 
2731  /* the point being computed */
2732  x = a;
2733  for (i = 0; i < 200*count; i++) {
2734  /* in each iteration, compute X = xn*X + gn*G; */
2735  secp256k1_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn);
2736  /* also compute ae and ge: the actual accumulated factors for A and G */
2737  /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
2738  secp256k1_scalar_mul(&ae, &ae, &xn);
2739  secp256k1_scalar_mul(&ge, &ge, &xn);
2740  secp256k1_scalar_add(&ge, &ge, &gn);
2741  /* modify xn and gn */
2742  secp256k1_scalar_mul(&xn, &xn, &xf);
2743  secp256k1_scalar_mul(&gn, &gn, &gf);
2744 
2745  /* verify */
2746  if (i == 19999) {
2747  /* expected result after 19999 iterations */
2748  secp256k1_gej rp = SECP256K1_GEJ_CONST(
2749  0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
2750  0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
2751  0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
2752  0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
2753  );
2754 
2755  secp256k1_gej_neg(&rp, &rp);
2756  secp256k1_gej_add_var(&rp, &rp, &x, NULL);
2757  CHECK(secp256k1_gej_is_infinity(&rp));
2758  }
2759  }
2760  /* redo the computation, but directly with the resulting ae and ge coefficients: */
2761  secp256k1_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge);
2762  secp256k1_gej_neg(&x2, &x2);
2763  secp256k1_gej_add_var(&x2, &x2, &x, NULL);
2764  CHECK(secp256k1_gej_is_infinity(&x2));
2765 }
2766 
2767 void test_point_times_order(const secp256k1_gej *point) {
2768  /* X * (point + G) + (order-X) * (pointer + G) = 0 */
2769  secp256k1_scalar x;
2770  secp256k1_scalar nx;
2771  secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2772  secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2773  secp256k1_gej res1, res2;
2774  secp256k1_ge res3;
2775  unsigned char pub[65];
2776  size_t psize = 65;
2777  random_scalar_order_test(&x);
2778  secp256k1_scalar_negate(&nx, &x);
2779  secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */
2780  secp256k1_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
2781  secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
2782  CHECK(secp256k1_gej_is_infinity(&res1));
2783  secp256k1_ge_set_gej(&res3, &res1);
2784  CHECK(secp256k1_ge_is_infinity(&res3));
2785  CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
2786  CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
2787  psize = 65;
2788  CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
2789  /* check zero/one edge cases */
2790  secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero);
2791  secp256k1_ge_set_gej(&res3, &res1);
2792  CHECK(secp256k1_ge_is_infinity(&res3));
2793  secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero);
2794  secp256k1_ge_set_gej(&res3, &res1);
2795  ge_equals_gej(&res3, point);
2796  secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one);
2797  secp256k1_ge_set_gej(&res3, &res1);
2798  ge_equals_ge(&res3, &secp256k1_ge_const_g);
2799 }
2800 
2801 /* These scalars reach large (in absolute value) outputs when fed to secp256k1_scalar_split_lambda.
2802  *
2803  * They are computed as:
2804  * - For a in [-2, -1, 0, 1, 2]:
2805  * - For b in [-3, -1, 1, 3]:
2806  * - Output (a*LAMBDA + (ORDER+b)/2) % ORDER
2807  */
2808 static const secp256k1_scalar scalars_near_split_bounds[20] = {
2809  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fc),
2810  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fd),
2811  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fe),
2812  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6ff),
2813  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632d),
2814  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632e),
2815  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632f),
2816  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf76330),
2817  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b209f),
2818  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a0),
2819  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a1),
2820  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a2),
2821  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede11),
2822  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede12),
2823  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede13),
2824  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede14),
2825  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a42),
2826  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a43),
2827  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a44),
2828  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a45)
2829 };
2830 
2831 void test_ecmult_target(const secp256k1_scalar* target, int mode) {
2832  /* Mode: 0=ecmult_gen, 1=ecmult, 2=ecmult_const */
2833  secp256k1_scalar n1, n2;
2834  secp256k1_ge p;
2835  secp256k1_gej pj, p1j, p2j, ptj;
2836  static const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2837 
2838  /* Generate random n1,n2 such that n1+n2 = -target. */
2839  random_scalar_order_test(&n1);
2840  secp256k1_scalar_add(&n2, &n1, target);
2841  secp256k1_scalar_negate(&n2, &n2);
2842 
2843  /* Generate a random input point. */
2844  if (mode != 0) {
2845  random_group_element_test(&p);
2846  secp256k1_gej_set_ge(&pj, &p);
2847  }
2848 
2849  /* EC multiplications */
2850  if (mode == 0) {
2851  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &p1j, &n1);
2852  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &p2j, &n2);
2853  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &ptj, target);
2854  } else if (mode == 1) {
2855  secp256k1_ecmult(&ctx->ecmult_ctx, &p1j, &pj, &n1, &zero);
2856  secp256k1_ecmult(&ctx->ecmult_ctx, &p2j, &pj, &n2, &zero);
2857  secp256k1_ecmult(&ctx->ecmult_ctx, &ptj, &pj, target, &zero);
2858  } else {
2859  secp256k1_ecmult_const(&p1j, &p, &n1, 256);
2860  secp256k1_ecmult_const(&p2j, &p, &n2, 256);
2861  secp256k1_ecmult_const(&ptj, &p, target, 256);
2862  }
2863 
2864  /* Add them all up: n1*P + n2*P + target*P = (n1+n2+target)*P = (n1+n1-n1-n2)*P = 0. */
2865  secp256k1_gej_add_var(&ptj, &ptj, &p1j, NULL);
2866  secp256k1_gej_add_var(&ptj, &ptj, &p2j, NULL);
2867  CHECK(secp256k1_gej_is_infinity(&ptj));
2868 }
2869 
2870 void run_ecmult_near_split_bound(void) {
2871  int i;
2872  unsigned j;
2873  for (i = 0; i < 4*count; ++i) {
2874  for (j = 0; j < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++j) {
2875  test_ecmult_target(&scalars_near_split_bounds[j], 0);
2876  test_ecmult_target(&scalars_near_split_bounds[j], 1);
2877  test_ecmult_target(&scalars_near_split_bounds[j], 2);
2878  }
2879  }
2880 }
2881 
2882 void run_point_times_order(void) {
2883  int i;
2884  secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
2885  static const secp256k1_fe xr = SECP256K1_FE_CONST(
2886  0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
2887  0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
2888  );
2889  for (i = 0; i < 500; i++) {
2890  secp256k1_ge p;
2891  if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
2892  secp256k1_gej j;
2893  CHECK(secp256k1_ge_is_valid_var(&p));
2894  secp256k1_gej_set_ge(&j, &p);
2895  test_point_times_order(&j);
2896  }
2897  secp256k1_fe_sqr(&x, &x);
2898  }
2899  secp256k1_fe_normalize_var(&x);
2900  CHECK(secp256k1_fe_equal_var(&x, &xr));
2901 }
2902 
2903 void ecmult_const_random_mult(void) {
2904  /* random starting point A (on the curve) */
2905  secp256k1_ge a = SECP256K1_GE_CONST(
2906  0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
2907  0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
2908  0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
2909  0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
2910  );
2911  /* random initial factor xn */
2912  secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2913  0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
2914  0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
2915  );
2916  /* expected xn * A (from sage) */
2917  secp256k1_ge expected_b = SECP256K1_GE_CONST(
2918  0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
2919  0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
2920  0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
2921  0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
2922  );
2923  secp256k1_gej b;
2924  secp256k1_ecmult_const(&b, &a, &xn, 256);
2925 
2926  CHECK(secp256k1_ge_is_valid_var(&a));
2927  ge_equals_gej(&expected_b, &b);
2928 }
2929 
2930 void ecmult_const_commutativity(void) {
2931  secp256k1_scalar a;
2932  secp256k1_scalar b;
2933  secp256k1_gej res1;
2934  secp256k1_gej res2;
2935  secp256k1_ge mid1;
2936  secp256k1_ge mid2;
2937  random_scalar_order_test(&a);
2938  random_scalar_order_test(&b);
2939 
2940  secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a, 256);
2941  secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b, 256);
2942  secp256k1_ge_set_gej(&mid1, &res1);
2943  secp256k1_ge_set_gej(&mid2, &res2);
2944  secp256k1_ecmult_const(&res1, &mid1, &b, 256);
2945  secp256k1_ecmult_const(&res2, &mid2, &a, 256);
2946  secp256k1_ge_set_gej(&mid1, &res1);
2947  secp256k1_ge_set_gej(&mid2, &res2);
2948  ge_equals_ge(&mid1, &mid2);
2949 }
2950 
2951 void ecmult_const_mult_zero_one(void) {
2952  secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2953  secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2954  secp256k1_scalar negone;
2955  secp256k1_gej res1;
2956  secp256k1_ge res2;
2957  secp256k1_ge point;
2958  secp256k1_scalar_negate(&negone, &one);
2959 
2960  random_group_element_test(&point);
2961  secp256k1_ecmult_const(&res1, &point, &zero, 3);
2962  secp256k1_ge_set_gej(&res2, &res1);
2963  CHECK(secp256k1_ge_is_infinity(&res2));
2964  secp256k1_ecmult_const(&res1, &point, &one, 2);
2965  secp256k1_ge_set_gej(&res2, &res1);
2966  ge_equals_ge(&res2, &point);
2967  secp256k1_ecmult_const(&res1, &point, &negone, 256);
2968  secp256k1_gej_neg(&res1, &res1);
2969  secp256k1_ge_set_gej(&res2, &res1);
2970  ge_equals_ge(&res2, &point);
2971 }
2972 
2973 void ecmult_const_chain_multiply(void) {
2974  /* Check known result (randomly generated test problem from sage) */
2975  const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
2976  0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
2977  0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
2978  );
2979  const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
2980  0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
2981  0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
2982  0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
2983  0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
2984  );
2985  secp256k1_gej point;
2986  secp256k1_ge res;
2987  int i;
2988 
2989  secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
2990  for (i = 0; i < 100; ++i) {
2991  secp256k1_ge tmp;
2992  secp256k1_ge_set_gej(&tmp, &point);
2993  secp256k1_ecmult_const(&point, &tmp, &scalar, 256);
2994  }
2995  secp256k1_ge_set_gej(&res, &point);
2996  ge_equals_gej(&res, &expected_point);
2997 }
2998 
2999 void run_ecmult_const_tests(void) {
3000  ecmult_const_mult_zero_one();
3001  ecmult_const_random_mult();
3002  ecmult_const_commutativity();
3003  ecmult_const_chain_multiply();
3004 }
3005 
3006 typedef struct {
3007  secp256k1_scalar *sc;
3008  secp256k1_ge *pt;
3009 } ecmult_multi_data;
3010 
3011 static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
3012  ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
3013  *sc = data->sc[idx];
3014  *pt = data->pt[idx];
3015  return 1;
3016 }
3017 
3018 static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
3019  (void)sc;
3020  (void)pt;
3021  (void)idx;
3022  (void)cbdata;
3023  return 0;
3024 }
3025 
3026 void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) {
3027  int ncount;
3028  secp256k1_scalar szero;
3029  secp256k1_scalar sc[32];
3030  secp256k1_ge pt[32];
3031  secp256k1_gej r;
3032  secp256k1_gej r2;
3033  ecmult_multi_data data;
3034 
3035  data.sc = sc;
3036  data.pt = pt;
3037  secp256k1_scalar_set_int(&szero, 0);
3038 
3039  /* No points to multiply */
3040  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
3041 
3042  /* Check 1- and 2-point multiplies against ecmult */
3043  for (ncount = 0; ncount < count; ncount++) {
3044  secp256k1_ge ptg;
3045  secp256k1_gej ptgj;
3046  random_scalar_order(&sc[0]);
3047  random_scalar_order(&sc[1]);
3048 
3049  random_group_element_test(&ptg);
3050  secp256k1_gej_set_ge(&ptgj, &ptg);
3051  pt[0] = ptg;
3052  pt[1] = secp256k1_ge_const_g;
3053 
3054  /* only G scalar */
3055  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &szero, &sc[0]);
3056  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
3057  secp256k1_gej_neg(&r2, &r2);
3058  secp256k1_gej_add_var(&r, &r, &r2, NULL);
3059  CHECK(secp256k1_gej_is_infinity(&r));
3060 
3061  /* 1-point */
3062  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &szero);
3063  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 1));
3064  secp256k1_gej_neg(&r2, &r2);
3065  secp256k1_gej_add_var(&r, &r, &r2, NULL);
3066  CHECK(secp256k1_gej_is_infinity(&r));
3067 
3068  /* Try to multiply 1 point, but callback returns false */
3069  CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_false_callback, &data, 1));
3070 
3071  /* 2-point */
3072  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
3073  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 2));
3074  secp256k1_gej_neg(&r2, &r2);
3075  secp256k1_gej_add_var(&r, &r, &r2, NULL);
3076  CHECK(secp256k1_gej_is_infinity(&r));
3077 
3078  /* 2-point with G scalar */
3079  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
3080  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
3081  secp256k1_gej_neg(&r2, &r2);
3082  secp256k1_gej_add_var(&r, &r, &r2, NULL);
3083  CHECK(secp256k1_gej_is_infinity(&r));
3084  }
3085 
3086  /* Check infinite outputs of various forms */
3087  for (ncount = 0; ncount < count; ncount++) {
3088  secp256k1_ge ptg;
3089  size_t i, j;
3090  size_t sizes[] = { 2, 10, 32 };
3091 
3092  for (j = 0; j < 3; j++) {
3093  for (i = 0; i < 32; i++) {
3094  random_scalar_order(&sc[i]);
3095  secp256k1_ge_set_infinity(&pt[i]);
3096  }
3097  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
3098  CHECK(secp256k1_gej_is_infinity(&r));
3099  }
3100 
3101  for (j = 0; j < 3; j++) {
3102  for (i = 0; i < 32; i++) {
3103  random_group_element_test(&ptg);
3104  pt[i] = ptg;
3105  secp256k1_scalar_set_int(&sc[i], 0);
3106  }
3107  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
3108  CHECK(secp256k1_gej_is_infinity(&r));
3109  }
3110 
3111  for (j = 0; j < 3; j++) {
3112  random_group_element_test(&ptg);
3113  for (i = 0; i < 16; i++) {
3114  random_scalar_order(&sc[2*i]);
3115  secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
3116  pt[2 * i] = ptg;
3117  pt[2 * i + 1] = ptg;
3118  }
3119 
3120  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
3121  CHECK(secp256k1_gej_is_infinity(&r));
3122 
3123  random_scalar_order(&sc[0]);
3124  for (i = 0; i < 16; i++) {
3125  random_group_element_test(&ptg);
3126 
3127  sc[2*i] = sc[0];
3128  sc[2*i+1] = sc[0];
3129  pt[2 * i] = ptg;
3130  secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
3131  }
3132 
3133  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
3134  CHECK(secp256k1_gej_is_infinity(&r));
3135  }
3136 
3137  random_group_element_test(&ptg);
3138  secp256k1_scalar_set_int(&sc[0], 0);
3139  pt[0] = ptg;
3140  for (i = 1; i < 32; i++) {
3141  pt[i] = ptg;
3142 
3143  random_scalar_order(&sc[i]);
3144  secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
3145  secp256k1_scalar_negate(&sc[i], &sc[i]);
3146  }
3147 
3148  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 32));
3149  CHECK(secp256k1_gej_is_infinity(&r));
3150  }
3151 
3152  /* Check random points, constant scalar */
3153  for (ncount = 0; ncount < count; ncount++) {
3154  size_t i;
3155  secp256k1_gej_set_infinity(&r);
3156 
3157  random_scalar_order(&sc[0]);
3158  for (i = 0; i < 20; i++) {
3159  secp256k1_ge ptg;
3160  sc[i] = sc[0];
3161  random_group_element_test(&ptg);
3162  pt[i] = ptg;
3163  secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
3164  }
3165 
3166  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r, &sc[0], &szero);
3167  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
3168  secp256k1_gej_neg(&r2, &r2);
3169  secp256k1_gej_add_var(&r, &r, &r2, NULL);
3170  CHECK(secp256k1_gej_is_infinity(&r));
3171  }
3172 
3173  /* Check random scalars, constant point */
3174  for (ncount = 0; ncount < count; ncount++) {
3175  size_t i;
3176  secp256k1_ge ptg;
3177  secp256k1_gej p0j;
3178  secp256k1_scalar rs;
3179  secp256k1_scalar_set_int(&rs, 0);
3180 
3181  random_group_element_test(&ptg);
3182  for (i = 0; i < 20; i++) {
3183  random_scalar_order(&sc[i]);
3184  pt[i] = ptg;
3185  secp256k1_scalar_add(&rs, &rs, &sc[i]);
3186  }
3187 
3188  secp256k1_gej_set_ge(&p0j, &pt[0]);
3189  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &p0j, &rs, &szero);
3190  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
3191  secp256k1_gej_neg(&r2, &r2);
3192  secp256k1_gej_add_var(&r, &r, &r2, NULL);
3193  CHECK(secp256k1_gej_is_infinity(&r));
3194  }
3195 
3196  /* Sanity check that zero scalars don't cause problems */
3197  for (ncount = 0; ncount < 20; ncount++) {
3198  random_scalar_order(&sc[ncount]);
3199  random_group_element_test(&pt[ncount]);
3200  }
3201  secp256k1_scalar_clear(&sc[0]);
3202  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
3203  secp256k1_scalar_clear(&sc[1]);
3204  secp256k1_scalar_clear(&sc[2]);
3205  secp256k1_scalar_clear(&sc[3]);
3206  secp256k1_scalar_clear(&sc[4]);
3207  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 6));
3208  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 5));
3209  CHECK(secp256k1_gej_is_infinity(&r));
3210 
3211  /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
3212  {
3213  const size_t TOP = 8;
3214  size_t s0i, s1i;
3215  size_t t0i, t1i;
3216  secp256k1_ge ptg;
3217  secp256k1_gej ptgj;
3218 
3219  random_group_element_test(&ptg);
3220  secp256k1_gej_set_ge(&ptgj, &ptg);
3221 
3222  for(t0i = 0; t0i < TOP; t0i++) {
3223  for(t1i = 0; t1i < TOP; t1i++) {
3224  secp256k1_gej t0p, t1p;
3225  secp256k1_scalar t0, t1;
3226 
3227  secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
3228  secp256k1_scalar_cond_negate(&t0, t0i & 1);
3229  secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
3230  secp256k1_scalar_cond_negate(&t1, t1i & 1);
3231 
3232  secp256k1_ecmult(&ctx->ecmult_ctx, &t0p, &ptgj, &t0, &szero);
3233  secp256k1_ecmult(&ctx->ecmult_ctx, &t1p, &ptgj, &t1, &szero);
3234 
3235  for(s0i = 0; s0i < TOP; s0i++) {
3236  for(s1i = 0; s1i < TOP; s1i++) {
3237  secp256k1_scalar tmp1, tmp2;
3238  secp256k1_gej expected, actual;
3239 
3240  secp256k1_ge_set_gej(&pt[0], &t0p);
3241  secp256k1_ge_set_gej(&pt[1], &t1p);
3242 
3243  secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
3244  secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
3245  secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
3246  secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
3247 
3248  secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
3249  secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
3250  secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
3251 
3252  secp256k1_ecmult(&ctx->ecmult_ctx, &expected, &ptgj, &tmp1, &szero);
3253  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &actual, &szero, ecmult_multi_callback, &data, 2));
3254  secp256k1_gej_neg(&expected, &expected);
3255  secp256k1_gej_add_var(&actual, &actual, &expected, NULL);
3256  CHECK(secp256k1_gej_is_infinity(&actual));
3257  }
3258  }
3259  }
3260  }
3261  }
3262 }
3263 
3264 void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi) {
3265  secp256k1_scalar szero;
3266  secp256k1_scalar sc;
3267  secp256k1_ge pt;
3268  secp256k1_gej r;
3269  ecmult_multi_data data;
3270  secp256k1_scratch *scratch_empty;
3271 
3272  random_group_element_test(&pt);
3273  random_scalar_order(&sc);
3274  data.sc = &sc;
3275  data.pt = &pt;
3276  secp256k1_scalar_set_int(&szero, 0);
3277 
3278  /* Try to multiply 1 point, but scratch space is empty.*/
3279  scratch_empty = secp256k1_scratch_create(&ctx->error_callback, 0);
3280  CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch_empty, &r, &szero, ecmult_multi_callback, &data, 1));
3281  secp256k1_scratch_destroy(&ctx->error_callback, scratch_empty);
3282 }
3283 
3284 void test_secp256k1_pippenger_bucket_window_inv(void) {
3285  int i;
3286 
3287  CHECK(secp256k1_pippenger_bucket_window_inv(0) == 0);
3288  for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
3289  /* Bucket_window of 8 is not used with endo */
3290  if (i == 8) {
3291  continue;
3292  }
3293  CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)) == i);
3294  if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
3295  CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)+1) > i);
3296  }
3297  }
3298 }
3299 
3304 void test_ecmult_multi_pippenger_max_points(void) {
3305  size_t scratch_size = secp256k1_testrand_int(256);
3306  size_t max_size = secp256k1_pippenger_scratch_size(secp256k1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12);
3307  secp256k1_scratch *scratch;
3308  size_t n_points_supported;
3309  int bucket_window = 0;
3310 
3311  for(; scratch_size < max_size; scratch_size+=256) {
3312  size_t i;
3313  size_t total_alloc;
3314  size_t checkpoint;
3315  scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size);
3316  CHECK(scratch != NULL);
3317  checkpoint = secp256k1_scratch_checkpoint(&ctx->error_callback, scratch);
3318  n_points_supported = secp256k1_pippenger_max_points(&ctx->error_callback, scratch);
3319  if (n_points_supported == 0) {
3320  secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3321  continue;
3322  }
3323  bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
3324  /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */
3325  total_alloc = secp256k1_pippenger_scratch_size(n_points_supported, bucket_window);
3326  for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) {
3327  CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, 1));
3328  total_alloc--;
3329  }
3330  CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, total_alloc));
3331  secp256k1_scratch_apply_checkpoint(&ctx->error_callback, scratch, checkpoint);
3332  secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3333  }
3334  CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
3335 }
3336 
3337 void test_ecmult_multi_batch_size_helper(void) {
3338  size_t n_batches, n_batch_points, max_n_batch_points, n;
3339 
3340  max_n_batch_points = 0;
3341  n = 1;
3342  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
3343 
3344  max_n_batch_points = 1;
3345  n = 0;
3346  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3347  CHECK(n_batches == 0);
3348  CHECK(n_batch_points == 0);
3349 
3350  max_n_batch_points = 2;
3351  n = 5;
3352  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3353  CHECK(n_batches == 3);
3354  CHECK(n_batch_points == 2);
3355 
3356  max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
3357  n = ECMULT_MAX_POINTS_PER_BATCH;
3358  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3359  CHECK(n_batches == 1);
3360  CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
3361 
3362  max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
3363  n = ECMULT_MAX_POINTS_PER_BATCH + 1;
3364  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3365  CHECK(n_batches == 2);
3366  CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
3367 
3368  max_n_batch_points = 1;
3369  n = SIZE_MAX;
3370  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3371  CHECK(n_batches == SIZE_MAX);
3372  CHECK(n_batch_points == 1);
3373 
3374  max_n_batch_points = 2;
3375  n = SIZE_MAX;
3376  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3377  CHECK(n_batches == SIZE_MAX/2 + 1);
3378  CHECK(n_batch_points == 2);
3379 }
3380 
3385 void test_ecmult_multi_batching(void) {
3386  static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
3387  secp256k1_scalar scG;
3388  secp256k1_scalar szero;
3389  secp256k1_scalar *sc = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_scalar) * n_points);
3390  secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * n_points);
3391  secp256k1_gej r;
3392  secp256k1_gej r2;
3393  ecmult_multi_data data;
3394  int i;
3395  secp256k1_scratch *scratch;
3396 
3397  secp256k1_gej_set_infinity(&r2);
3398  secp256k1_scalar_set_int(&szero, 0);
3399 
3400  /* Get random scalars and group elements and compute result */
3401  random_scalar_order(&scG);
3402  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r2, &szero, &scG);
3403  for(i = 0; i < n_points; i++) {
3404  secp256k1_ge ptg;
3405  secp256k1_gej ptgj;
3406  random_group_element_test(&ptg);
3407  secp256k1_gej_set_ge(&ptgj, &ptg);
3408  pt[i] = ptg;
3409  random_scalar_order(&sc[i]);
3410  secp256k1_ecmult(&ctx->ecmult_ctx, &ptgj, &ptgj, &sc[i], NULL);
3411  secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
3412  }
3413  data.sc = sc;
3414  data.pt = pt;
3415  secp256k1_gej_neg(&r2, &r2);
3416 
3417  /* Test with empty scratch space. It should compute the correct result using
3418  * ecmult_mult_simple algorithm which doesn't require a scratch space. */
3419  scratch = secp256k1_scratch_create(&ctx->error_callback, 0);
3420  CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
3421  secp256k1_gej_add_var(&r, &r, &r2, NULL);
3422  CHECK(secp256k1_gej_is_infinity(&r));
3423  secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3424 
3425  /* Test with space for 1 point in pippenger. That's not enough because
3426  * ecmult_multi selects strauss which requires more memory. It should
3427  * therefore select the simple algorithm. */
3428  scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
3429  CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
3430  secp256k1_gej_add_var(&r, &r, &r2, NULL);
3431  CHECK(secp256k1_gej_is_infinity(&r));
3432  secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3433 
3434  for(i = 1; i <= n_points; i++) {
3435  if (i > ECMULT_PIPPENGER_THRESHOLD) {
3436  int bucket_window = secp256k1_pippenger_bucket_window(i);
3437  size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
3438  scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
3439  } else {
3440  size_t scratch_size = secp256k1_strauss_scratch_size(i);
3441  scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
3442  }
3443  CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
3444  secp256k1_gej_add_var(&r, &r, &r2, NULL);
3445  CHECK(secp256k1_gej_is_infinity(&r));
3446  secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3447  }
3448  free(sc);
3449  free(pt);
3450 }
3451 
3452 void run_ecmult_multi_tests(void) {
3453  secp256k1_scratch *scratch;
3454 
3455  test_secp256k1_pippenger_bucket_window_inv();
3456  test_ecmult_multi_pippenger_max_points();
3457  scratch = secp256k1_scratch_create(&ctx->error_callback, 819200);
3458  test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
3459  test_ecmult_multi(NULL, secp256k1_ecmult_multi_var);
3460  test_ecmult_multi(scratch, secp256k1_ecmult_pippenger_batch_single);
3461  test_ecmult_multi_batch_single(secp256k1_ecmult_pippenger_batch_single);
3462  test_ecmult_multi(scratch, secp256k1_ecmult_strauss_batch_single);
3463  test_ecmult_multi_batch_single(secp256k1_ecmult_strauss_batch_single);
3464  secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3465 
3466  /* Run test_ecmult_multi with space for exactly one point */
3467  scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
3468  test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
3469  secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3470 
3471  test_ecmult_multi_batch_size_helper();
3472  test_ecmult_multi_batching();
3473 }
3474 
3475 void test_wnaf(const secp256k1_scalar *number, int w) {
3476  secp256k1_scalar x, two, t;
3477  int wnaf[256];
3478  int zeroes = -1;
3479  int i;
3480  int bits;
3481  secp256k1_scalar_set_int(&x, 0);
3482  secp256k1_scalar_set_int(&two, 2);
3483  bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
3484  CHECK(bits <= 256);
3485  for (i = bits-1; i >= 0; i--) {
3486  int v = wnaf[i];
3487  secp256k1_scalar_mul(&x, &x, &two);
3488  if (v) {
3489  CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
3490  zeroes=0;
3491  CHECK((v & 1) == 1); /* check non-zero elements are odd */
3492  CHECK(v <= (1 << (w-1)) - 1); /* check range below */
3493  CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
3494  } else {
3495  CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
3496  zeroes++;
3497  }
3498  if (v >= 0) {
3499  secp256k1_scalar_set_int(&t, v);
3500  } else {
3501  secp256k1_scalar_set_int(&t, -v);
3502  secp256k1_scalar_negate(&t, &t);
3503  }
3504  secp256k1_scalar_add(&x, &x, &t);
3505  }
3506  CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
3507 }
3508 
3509 void test_constant_wnaf_negate(const secp256k1_scalar *number) {
3510  secp256k1_scalar neg1 = *number;
3511  secp256k1_scalar neg2 = *number;
3512  int sign1 = 1;
3513  int sign2 = 1;
3514 
3515  if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
3516  secp256k1_scalar_negate(&neg1, &neg1);
3517  sign1 = -1;
3518  }
3519  sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2));
3520  CHECK(sign1 == sign2);
3521  CHECK(secp256k1_scalar_eq(&neg1, &neg2));
3522 }
3523 
3524 void test_constant_wnaf(const secp256k1_scalar *number, int w) {
3525  secp256k1_scalar x, shift;
3526  int wnaf[256] = {0};
3527  int i;
3528  int skew;
3529  int bits = 256;
3530  secp256k1_scalar num = *number;
3531  secp256k1_scalar scalar_skew;
3532 
3533  secp256k1_scalar_set_int(&x, 0);
3534  secp256k1_scalar_set_int(&shift, 1 << w);
3535  for (i = 0; i < 16; ++i) {
3536  secp256k1_scalar_shr_int(&num, 8);
3537  }
3538  bits = 128;
3539  skew = secp256k1_wnaf_const(wnaf, &num, w, bits);
3540 
3541  for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) {
3542  secp256k1_scalar t;
3543  int v = wnaf[i];
3544  CHECK(v != 0); /* check nonzero */
3545  CHECK(v & 1); /* check parity */
3546  CHECK(v > -(1 << w)); /* check range above */
3547  CHECK(v < (1 << w)); /* check range below */
3548 
3549  secp256k1_scalar_mul(&x, &x, &shift);
3550  if (v >= 0) {
3551  secp256k1_scalar_set_int(&t, v);
3552  } else {
3553  secp256k1_scalar_set_int(&t, -v);
3554  secp256k1_scalar_negate(&t, &t);
3555  }
3556  secp256k1_scalar_add(&x, &x, &t);
3557  }
3558  /* Skew num because when encoding numbers as odd we use an offset */
3559  secp256k1_scalar_set_int(&scalar_skew, 1 << (skew == 2));
3560  secp256k1_scalar_add(&num, &num, &scalar_skew);
3561  CHECK(secp256k1_scalar_eq(&x, &num));
3562 }
3563 
3564 void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
3565  secp256k1_scalar x, shift;
3566  int wnaf[256] = {0};
3567  int i;
3568  int skew;
3569  secp256k1_scalar num = *number;
3570 
3571  secp256k1_scalar_set_int(&x, 0);
3572  secp256k1_scalar_set_int(&shift, 1 << w);
3573  for (i = 0; i < 16; ++i) {
3574  secp256k1_scalar_shr_int(&num, 8);
3575  }
3576  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3577 
3578  for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3579  secp256k1_scalar t;
3580  int v = wnaf[i];
3581  CHECK(v == 0 || v & 1); /* check parity */
3582  CHECK(v > -(1 << w)); /* check range above */
3583  CHECK(v < (1 << w)); /* check range below */
3584 
3585  secp256k1_scalar_mul(&x, &x, &shift);
3586  if (v >= 0) {
3587  secp256k1_scalar_set_int(&t, v);
3588  } else {
3589  secp256k1_scalar_set_int(&t, -v);
3590  secp256k1_scalar_negate(&t, &t);
3591  }
3592  secp256k1_scalar_add(&x, &x, &t);
3593  }
3594  /* If skew is 1 then add 1 to num */
3595  secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
3596  CHECK(secp256k1_scalar_eq(&x, &num));
3597 }
3598 
3599 /* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
3600  * rest is 0.*/
3601 void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
3602  int i;
3603  for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
3604  CHECK(wnaf[i] == 0);
3605  }
3606  for (i = 7; i >= 0; --i) {
3607  CHECK(wnaf[i] == wnaf_expected[i]);
3608  }
3609 }
3610 
3611 void test_fixed_wnaf_small(void) {
3612  int w = 4;
3613  int wnaf[256] = {0};
3614  int i;
3615  int skew;
3616  secp256k1_scalar num;
3617 
3618  secp256k1_scalar_set_int(&num, 0);
3619  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3620  for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3621  int v = wnaf[i];
3622  CHECK(v == 0);
3623  }
3624  CHECK(skew == 0);
3625 
3626  secp256k1_scalar_set_int(&num, 1);
3627  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3628  for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
3629  int v = wnaf[i];
3630  CHECK(v == 0);
3631  }
3632  CHECK(wnaf[0] == 1);
3633  CHECK(skew == 0);
3634 
3635  {
3636  int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
3637  secp256k1_scalar_set_int(&num, 0xffffffff);
3638  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3639  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3640  CHECK(skew == 0);
3641  }
3642  {
3643  int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
3644  secp256k1_scalar_set_int(&num, 0xeeeeeeee);
3645  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3646  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3647  CHECK(skew == 1);
3648  }
3649  {
3650  int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
3651  secp256k1_scalar_set_int(&num, 0x01010101);
3652  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3653  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3654  CHECK(skew == 0);
3655  }
3656  {
3657  int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
3658  secp256k1_scalar_set_int(&num, 0x01ef1ef1);
3659  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3660  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3661  CHECK(skew == 0);
3662  }
3663 }
3664 
3665 void run_wnaf(void) {
3666  int i;
3667  secp256k1_scalar n = {{0}};
3668 
3669  test_constant_wnaf(&n, 4);
3670  /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
3671  * have easier-to-diagnose failure modes */
3672  n.d[0] = 1;
3673  test_constant_wnaf(&n, 4);
3674  n.d[0] = 2;
3675  test_constant_wnaf(&n, 4);
3676  /* Test -1, because it's a special case in wnaf_const */
3677  n = secp256k1_scalar_one;
3678  secp256k1_scalar_negate(&n, &n);
3679  test_constant_wnaf(&n, 4);
3680 
3681  /* Test -2, which may not lead to overflows in wnaf_const */
3682  secp256k1_scalar_add(&n, &secp256k1_scalar_one, &secp256k1_scalar_one);
3683  secp256k1_scalar_negate(&n, &n);
3684  test_constant_wnaf(&n, 4);
3685 
3686  /* Test (1/2) - 1 = 1/-2 and 1/2 = (1/-2) + 1
3687  as corner cases of negation handling in wnaf_const */
3688  secp256k1_scalar_inverse(&n, &n);
3689  test_constant_wnaf(&n, 4);
3690 
3691  secp256k1_scalar_add(&n, &n, &secp256k1_scalar_one);
3692  test_constant_wnaf(&n, 4);
3693 
3694  /* Test 0 for fixed wnaf */
3695  test_fixed_wnaf_small();
3696  /* Random tests */
3697  for (i = 0; i < count; i++) {
3698  random_scalar_order(&n);
3699  test_wnaf(&n, 4+(i%10));
3700  test_constant_wnaf_negate(&n);
3701  test_constant_wnaf(&n, 4 + (i % 10));
3702  test_fixed_wnaf(&n, 4 + (i % 10));
3703  }
3704  secp256k1_scalar_set_int(&n, 0);
3705  CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
3706  CHECK(secp256k1_scalar_is_zero(&n));
3707  CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
3708  CHECK(secp256k1_scalar_is_zero(&n));
3709 }
3710 
3711 void test_ecmult_constants(void) {
3712  /* Test ecmult_gen() for [0..36) and [order-36..0). */
3713  secp256k1_scalar x;
3714  secp256k1_gej r;
3715  secp256k1_ge ng;
3716  int i;
3717  int j;
3718  secp256k1_ge_neg(&ng, &secp256k1_ge_const_g);
3719  for (i = 0; i < 36; i++ ) {
3720  secp256k1_scalar_set_int(&x, i);
3721  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3722  for (j = 0; j < i; j++) {
3723  if (j == i - 1) {
3724  ge_equals_gej(&secp256k1_ge_const_g, &r);
3725  }
3726  secp256k1_gej_add_ge(&r, &r, &ng);
3727  }
3728  CHECK(secp256k1_gej_is_infinity(&r));
3729  }
3730  for (i = 1; i <= 36; i++ ) {
3731  secp256k1_scalar_set_int(&x, i);
3732  secp256k1_scalar_negate(&x, &x);
3733  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3734  for (j = 0; j < i; j++) {
3735  if (j == i - 1) {
3736  ge_equals_gej(&ng, &r);
3737  }
3738  secp256k1_gej_add_ge(&r, &r, &secp256k1_ge_const_g);
3739  }
3740  CHECK(secp256k1_gej_is_infinity(&r));
3741  }
3742 }
3743 
3744 void run_ecmult_constants(void) {
3745  test_ecmult_constants();
3746 }
3747 
3748 void test_ecmult_gen_blind(void) {
3749  /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
3750  secp256k1_scalar key;
3751  secp256k1_scalar b;
3752  unsigned char seed32[32];
3753  secp256k1_gej pgej;
3754  secp256k1_gej pgej2;
3755  secp256k1_gej i;
3756  secp256k1_ge pge;
3757  random_scalar_order_test(&key);
3758  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
3759  secp256k1_testrand256(seed32);
3760  b = ctx->ecmult_gen_ctx.blind;
3761  i = ctx->ecmult_gen_ctx.initial;
3762  secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
3763  CHECK(!secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3764  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
3765  CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
3766  CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial));
3767  secp256k1_ge_set_gej(&pge, &pgej);
3768  ge_equals_gej(&pge, &pgej2);
3769 }
3770 
3771 void test_ecmult_gen_blind_reset(void) {
3772  /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
3773  secp256k1_scalar b;
3774  secp256k1_gej initial;
3775  secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3776  b = ctx->ecmult_gen_ctx.blind;
3777  initial = ctx->ecmult_gen_ctx.initial;
3778  secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3779  CHECK(secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3780  CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial));
3781 }
3782 
3783 void run_ecmult_gen_blind(void) {
3784  int i;
3785  test_ecmult_gen_blind_reset();
3786  for (i = 0; i < 10; i++) {
3787  test_ecmult_gen_blind();
3788  }
3789 }
3790 
3791 /***** ENDOMORPHISH TESTS *****/
3792 void test_scalar_split(const secp256k1_scalar* full) {
3793  secp256k1_scalar s, s1, slam;
3794  const unsigned char zero[32] = {0};
3795  unsigned char tmp[32];
3796 
3797  secp256k1_scalar_split_lambda(&s1, &slam, full);
3798 
3799  /* check slam*lambda + s1 == full */
3800  secp256k1_scalar_mul(&s, &secp256k1_const_lambda, &slam);
3801  secp256k1_scalar_add(&s, &s, &s1);
3802  CHECK(secp256k1_scalar_eq(&s, full));
3803 
3804  /* check that both are <= 128 bits in size */
3805  if (secp256k1_scalar_is_high(&s1)) {
3806  secp256k1_scalar_negate(&s1, &s1);
3807  }
3808  if (secp256k1_scalar_is_high(&slam)) {
3809  secp256k1_scalar_negate(&slam, &slam);
3810  }
3811 
3812  secp256k1_scalar_get_b32(tmp, &s1);
3813  CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
3814  secp256k1_scalar_get_b32(tmp, &slam);
3815  CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
3816 }
3817 
3818 
3819 void run_endomorphism_tests(void) {
3820  unsigned i;
3821  static secp256k1_scalar s;
3822  test_scalar_split(&secp256k1_scalar_zero);
3823  test_scalar_split(&secp256k1_scalar_one);
3824  secp256k1_scalar_negate(&s,&secp256k1_scalar_one);
3825  test_scalar_split(&s);
3826  test_scalar_split(&secp256k1_const_lambda);
3827  secp256k1_scalar_add(&s, &secp256k1_const_lambda, &secp256k1_scalar_one);
3828  test_scalar_split(&s);
3829 
3830  for (i = 0; i < 100U * count; ++i) {
3831  secp256k1_scalar full;
3832  random_scalar_order_test(&full);
3833  test_scalar_split(&full);
3834  }
3835  for (i = 0; i < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++i) {
3836  test_scalar_split(&scalars_near_split_bounds[i]);
3837  }
3838 }
3839 
3840 void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
3841  unsigned char pubkeyc[65];
3842  secp256k1_pubkey pubkey;
3843  secp256k1_ge ge;
3844  size_t pubkeyclen;
3845  int32_t ecount;
3846  ecount = 0;
3847  secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3848  for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
3849  /* Smaller sizes are tested exhaustively elsewhere. */
3850  int32_t i;
3851  memcpy(&pubkeyc[1], input, 64);
3852  VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
3853  for (i = 0; i < 256; i++) {
3854  /* Try all type bytes. */
3855  int xpass;
3856  int ypass;
3857  int ysign;
3858  pubkeyc[0] = i;
3859  /* What sign does this point have? */
3860  ysign = (input[63] & 1) + 2;
3861  /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
3862  xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
3863  /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
3864  ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
3865  ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
3866  if (xpass || ypass) {
3867  /* These cases must parse. */
3868  unsigned char pubkeyo[65];
3869  size_t outl;
3870  memset(&pubkey, 0, sizeof(pubkey));
3871  VG_UNDEF(&pubkey, sizeof(pubkey));
3872  ecount = 0;
3873  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
3874  VG_CHECK(&pubkey, sizeof(pubkey));
3875  outl = 65;
3876  VG_UNDEF(pubkeyo, 65);
3877  CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3878  VG_CHECK(pubkeyo, outl);
3879  CHECK(outl == 33);
3880  CHECK(secp256k1_memcmp_var(&pubkeyo[1], &pubkeyc[1], 32) == 0);
3881  CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
3882  if (ypass) {
3883  /* This test isn't always done because we decode with alternative signs, so the y won't match. */
3884  CHECK(pubkeyo[0] == ysign);
3885  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3886  memset(&pubkey, 0, sizeof(pubkey));
3887  VG_UNDEF(&pubkey, sizeof(pubkey));
3888  secp256k1_pubkey_save(&pubkey, &ge);
3889  VG_CHECK(&pubkey, sizeof(pubkey));
3890  outl = 65;
3891  VG_UNDEF(pubkeyo, 65);
3892  CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3893  VG_CHECK(pubkeyo, outl);
3894  CHECK(outl == 65);
3895  CHECK(pubkeyo[0] == 4);
3896  CHECK(secp256k1_memcmp_var(&pubkeyo[1], input, 64) == 0);
3897  }
3898  CHECK(ecount == 0);
3899  } else {
3900  /* These cases must fail to parse. */
3901  memset(&pubkey, 0xfe, sizeof(pubkey));
3902  ecount = 0;
3903  VG_UNDEF(&pubkey, sizeof(pubkey));
3904  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
3905  VG_CHECK(&pubkey, sizeof(pubkey));
3906  CHECK(ecount == 0);
3907  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3908  CHECK(ecount == 1);
3909  }
3910  }
3911  }
3912  secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3913 }
3914 
3915 void run_ec_pubkey_parse_test(void) {
3916 #define SECP256K1_EC_PARSE_TEST_NVALID (12)
3917  const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
3918  {
3919  /* Point with leading and trailing zeros in x and y serialization. */
3920  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
3921  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3922  0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
3923  0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
3924  },
3925  {
3926  /* Point with x equal to a 3rd root of unity.*/
3927  0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
3928  0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
3929  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3930  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3931  },
3932  {
3933  /* Point with largest x. (1/2) */
3934  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3935  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3936  0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
3937  0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
3938  },
3939  {
3940  /* Point with largest x. (2/2) */
3941  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3942  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3943  0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
3944  0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
3945  },
3946  {
3947  /* Point with smallest x. (1/2) */
3948  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3949  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3950  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3951  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3952  },
3953  {
3954  /* Point with smallest x. (2/2) */
3955  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3956  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3957  0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3958  0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3959  },
3960  {
3961  /* Point with largest y. (1/3) */
3962  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3963  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3964  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3965  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3966  },
3967  {
3968  /* Point with largest y. (2/3) */
3969  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3970  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3971  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3972  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3973  },
3974  {
3975  /* Point with largest y. (3/3) */
3976  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3977  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3978  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3979  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3980  },
3981  {
3982  /* Point with smallest y. (1/3) */
3983  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3984  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3985  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3986  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3987  },
3988  {
3989  /* Point with smallest y. (2/3) */
3990  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3991  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3992  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3993  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3994  },
3995  {
3996  /* Point with smallest y. (3/3) */
3997  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3998  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3999  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4000  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
4001  }
4002  };
4003 #define SECP256K1_EC_PARSE_TEST_NXVALID (4)
4004  const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
4005  {
4006  /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
4007  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
4008  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
4009  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4010  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
4011  },
4012  {
4013  /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
4014  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
4015  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
4016  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4017  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
4018  },
4019  {
4020  /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
4021  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
4022  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
4023  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4024  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
4025  },
4026  {
4027  /* x on curve, y is from y^2 = x^3 + 8. */
4028  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4029  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4030  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4031  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
4032  }
4033  };
4034 #define SECP256K1_EC_PARSE_TEST_NINVALID (7)
4035  const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
4036  {
4037  /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
4038  0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
4039  0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
4040  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4041  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4042  },
4043  {
4044  /* Valid if x overflow ignored (x = 1 mod p). */
4045  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4046  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
4047  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
4048  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
4049  },
4050  {
4051  /* Valid if x overflow ignored (x = 1 mod p). */
4052  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4053  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
4054  0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
4055  0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
4056  },
4057  {
4058  /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
4059  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4060  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
4061  0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
4062  0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
4063  },
4064  {
4065  /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
4066  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4067  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
4068  0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
4069  0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
4070  },
4071  {
4072  /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
4073  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4074  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4075  0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
4076  0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
4077  },
4078  {
4079  /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
4080  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4081  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4082  0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
4083  0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
4084  }
4085  };
4086  const unsigned char pubkeyc[66] = {
4087  /* Serialization of G. */
4088  0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
4089  0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
4090  0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
4091  0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
4092  0xB8, 0x00
4093  };
4094  unsigned char sout[65];
4095  unsigned char shortkey[2];
4096  secp256k1_ge ge;
4097  secp256k1_pubkey pubkey;
4098  size_t len;
4099  int32_t i;
4100  int32_t ecount;
4101  int32_t ecount2;
4102  ecount = 0;
4103  /* Nothing should be reading this far into pubkeyc. */
4104  VG_UNDEF(&pubkeyc[65], 1);
4105  secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
4106  /* Zero length claimed, fail, zeroize, no illegal arg error. */
4107  memset(&pubkey, 0xfe, sizeof(pubkey));
4108  ecount = 0;
4109  VG_UNDEF(shortkey, 2);
4110  VG_UNDEF(&pubkey, sizeof(pubkey));
4111  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
4112  VG_CHECK(&pubkey, sizeof(pubkey));
4113  CHECK(ecount == 0);
4114  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4115  CHECK(ecount == 1);
4116  /* Length one claimed, fail, zeroize, no illegal arg error. */
4117  for (i = 0; i < 256 ; i++) {
4118  memset(&pubkey, 0xfe, sizeof(pubkey));
4119  ecount = 0;
4120  shortkey[0] = i;
4121  VG_UNDEF(&shortkey[1], 1);
4122  VG_UNDEF(&pubkey, sizeof(pubkey));
4123  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
4124  VG_CHECK(&pubkey, sizeof(pubkey));
4125  CHECK(ecount == 0);
4126  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4127  CHECK(ecount == 1);
4128  }
4129  /* Length two claimed, fail, zeroize, no illegal arg error. */
4130  for (i = 0; i < 65536 ; i++) {
4131  memset(&pubkey, 0xfe, sizeof(pubkey));
4132  ecount = 0;
4133  shortkey[0] = i & 255;
4134  shortkey[1] = i >> 8;
4135  VG_UNDEF(&pubkey, sizeof(pubkey));
4136  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
4137  VG_CHECK(&pubkey, sizeof(pubkey));
4138  CHECK(ecount == 0);
4139  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4140  CHECK(ecount == 1);
4141  }
4142  memset(&pubkey, 0xfe, sizeof(pubkey));
4143  ecount = 0;
4144  VG_UNDEF(&pubkey, sizeof(pubkey));
4145  /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
4146  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
4147  VG_CHECK(&pubkey, sizeof(pubkey));
4148  CHECK(ecount == 0);
4149  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4150  CHECK(ecount == 1);
4151  /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
4152  CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
4153  CHECK(ecount == 2);
4154  /* NULL input string. Illegal arg and zeroize output. */
4155  memset(&pubkey, 0xfe, sizeof(pubkey));
4156  ecount = 0;
4157  VG_UNDEF(&pubkey, sizeof(pubkey));
4158  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
4159  VG_CHECK(&pubkey, sizeof(pubkey));
4160  CHECK(ecount == 1);
4161  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4162  CHECK(ecount == 2);
4163  /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
4164  memset(&pubkey, 0xfe, sizeof(pubkey));
4165  ecount = 0;
4166  VG_UNDEF(&pubkey, sizeof(pubkey));
4167  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
4168  VG_CHECK(&pubkey, sizeof(pubkey));
4169  CHECK(ecount == 0);
4170  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4171  CHECK(ecount == 1);
4172  /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
4173  memset(&pubkey, 0xfe, sizeof(pubkey));
4174  ecount = 0;
4175  VG_UNDEF(&pubkey, sizeof(pubkey));
4176  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
4177  VG_CHECK(&pubkey, sizeof(pubkey));
4178  CHECK(ecount == 0);
4179  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4180  CHECK(ecount == 1);
4181  /* Valid parse. */
4182  memset(&pubkey, 0, sizeof(pubkey));
4183  ecount = 0;
4184  VG_UNDEF(&pubkey, sizeof(pubkey));
4185  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
4186  CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_no_precomp, &pubkey, pubkeyc, 65) == 1);
4187  VG_CHECK(&pubkey, sizeof(pubkey));
4188  CHECK(ecount == 0);
4189  VG_UNDEF(&ge, sizeof(ge));
4190  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
4191  VG_CHECK(&ge.x, sizeof(ge.x));
4192  VG_CHECK(&ge.y, sizeof(ge.y));
4193  VG_CHECK(&ge.infinity, sizeof(ge.infinity));
4194  ge_equals_ge(&secp256k1_ge_const_g, &ge);
4195  CHECK(ecount == 0);
4196  /* secp256k1_ec_pubkey_serialize illegal args. */
4197  ecount = 0;
4198  len = 65;
4199  CHECK(secp256k1_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
4200  CHECK(ecount == 1);
4201  CHECK(len == 0);
4202  CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
4203  CHECK(ecount == 2);
4204  len = 65;
4205  VG_UNDEF(sout, 65);
4206  CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0);
4207  VG_CHECK(sout, 65);
4208  CHECK(ecount == 3);
4209  CHECK(len == 0);
4210  len = 65;
4211  CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
4212  CHECK(ecount == 4);
4213  CHECK(len == 0);
4214  len = 65;
4215  VG_UNDEF(sout, 65);
4216  CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
4217  VG_CHECK(sout, 65);
4218  CHECK(ecount == 4);
4219  CHECK(len == 65);
4220  /* Multiple illegal args. Should still set arg error only once. */
4221  ecount = 0;
4222  ecount2 = 11;
4223  CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
4224  CHECK(ecount == 1);
4225  /* Does the illegal arg callback actually change the behavior? */
4226  secp256k1_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2);
4227  CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
4228  CHECK(ecount == 1);
4229  CHECK(ecount2 == 10);
4230  secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4231  /* Try a bunch of prefabbed points with all possible encodings. */
4232  for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
4233  ec_pubkey_parse_pointtest(valid[i], 1, 1);
4234  }
4235  for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
4236  ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
4237  }
4238  for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
4239  ec_pubkey_parse_pointtest(invalid[i], 0, 0);
4240  }
4241 }
4242 
4243 void run_eckey_edge_case_test(void) {
4244  const unsigned char orderc[32] = {
4245  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4246  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4247  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4248  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
4249  };
4250  const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
4251  unsigned char ctmp[33];
4252  unsigned char ctmp2[33];
4253  secp256k1_pubkey pubkey;
4254  secp256k1_pubkey pubkey2;
4255  secp256k1_pubkey pubkey_one;
4256  secp256k1_pubkey pubkey_negone;
4257  const secp256k1_pubkey *pubkeys[3];
4258  size_t len;
4259  int32_t ecount;
4260  /* Group order is too large, reject. */
4261  CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0);
4262  VG_UNDEF(&pubkey, sizeof(pubkey));
4263  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0);
4264  VG_CHECK(&pubkey, sizeof(pubkey));
4265  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4266  /* Maximum value is too large, reject. */
4267  memset(ctmp, 255, 32);
4268  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
4269  memset(&pubkey, 1, sizeof(pubkey));
4270  VG_UNDEF(&pubkey, sizeof(pubkey));
4271  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
4272  VG_CHECK(&pubkey, sizeof(pubkey));
4273  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4274  /* Zero is too small, reject. */
4275  memset(ctmp, 0, 32);
4276  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
4277  memset(&pubkey, 1, sizeof(pubkey));
4278  VG_UNDEF(&pubkey, sizeof(pubkey));
4279  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
4280  VG_CHECK(&pubkey, sizeof(pubkey));
4281  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4282  /* One must be accepted. */
4283  ctmp[31] = 0x01;
4284  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
4285  memset(&pubkey, 0, sizeof(pubkey));
4286  VG_UNDEF(&pubkey, sizeof(pubkey));
4287  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
4288  VG_CHECK(&pubkey, sizeof(pubkey));
4289  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4290  pubkey_one = pubkey;
4291  /* Group order + 1 is too large, reject. */
4292  memcpy(ctmp, orderc, 32);
4293  ctmp[31] = 0x42;
4294  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
4295  memset(&pubkey, 1, sizeof(pubkey));
4296  VG_UNDEF(&pubkey, sizeof(pubkey));
4297  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
4298  VG_CHECK(&pubkey, sizeof(pubkey));
4299  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4300  /* -1 must be accepted. */
4301  ctmp[31] = 0x40;
4302  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
4303  memset(&pubkey, 0, sizeof(pubkey));
4304  VG_UNDEF(&pubkey, sizeof(pubkey));
4305  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
4306  VG_CHECK(&pubkey, sizeof(pubkey));
4307  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4308  pubkey_negone = pubkey;
4309  /* Tweak of zero leaves the value unchanged. */
4310  memset(ctmp2, 0, 32);
4311  CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 1);
4312  CHECK(secp256k1_memcmp_var(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
4313  memcpy(&pubkey2, &pubkey, sizeof(pubkey));
4314  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
4315  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4316  /* Multiply tweak of zero zeroizes the output. */
4317  CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0);
4318  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4319  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
4320  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4321  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4322  /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
4323  seckey, the seckey is zeroized. */
4324  memcpy(ctmp, orderc, 32);
4325  memset(ctmp2, 0, 32);
4326  ctmp2[31] = 0x01;
4327  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp2) == 1);
4328  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
4329  CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 0);
4330  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4331  memcpy(ctmp, orderc, 32);
4332  CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0);
4333  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4334  /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
4335  tweak, the seckey is zeroized. */
4336  memcpy(ctmp, orderc, 32);
4337  ctmp[31] = 0x40;
4338  CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, orderc) == 0);
4339  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4340  memcpy(ctmp, orderc, 32);
4341  ctmp[31] = 0x40;
4342  CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, orderc) == 0);
4343  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4344  memcpy(ctmp, orderc, 32);
4345  ctmp[31] = 0x40;
4346  /* If pubkey_tweak_add or pubkey_tweak_mul are called with an overflowing
4347  tweak, the pubkey is zeroized. */
4348  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
4349  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4350  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4351  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
4352  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4353  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4354  /* If the resulting key in secp256k1_ec_seckey_tweak_add and
4355  * secp256k1_ec_pubkey_tweak_add is 0 the functions fail and in the latter
4356  * case the pubkey is zeroized. */
4357  memcpy(ctmp, orderc, 32);
4358  ctmp[31] = 0x40;
4359  memset(ctmp2, 0, 32);
4360  ctmp2[31] = 1;
4361  CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 0);
4362  CHECK(secp256k1_memcmp_var(zeros, ctmp2, 32) == 0);
4363  ctmp2[31] = 1;
4364  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
4365  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4366  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4367  /* Tweak computation wraps and results in a key of 1. */
4368  ctmp2[31] = 2;
4369  CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 1);
4370  CHECK(secp256k1_memcmp_var(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
4371  ctmp2[31] = 2;
4372  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
4373  ctmp2[31] = 1;
4374  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
4375  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4376  /* Tweak mul * 2 = 1+1. */
4377  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
4378  ctmp2[31] = 2;
4379  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
4380  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4381  /* Test argument errors. */
4382  ecount = 0;
4383  secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
4384  CHECK(ecount == 0);
4385  /* Zeroize pubkey on parse error. */
4386  memset(&pubkey, 0, 32);
4387  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
4388  CHECK(ecount == 1);
4389  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4390  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4391  memset(&pubkey2, 0, 32);
4392  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
4393  CHECK(ecount == 2);
4394  CHECK(secp256k1_memcmp_var(&pubkey2, zeros, sizeof(pubkey2)) == 0);
4395  /* Plain argument errors. */
4396  ecount = 0;
4397  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
4398  CHECK(ecount == 0);
4399  CHECK(secp256k1_ec_seckey_verify(ctx, NULL) == 0);
4400  CHECK(ecount == 1);
4401  ecount = 0;
4402  memset(ctmp2, 0, 32);
4403  ctmp2[31] = 4;
4404  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
4405  CHECK(ecount == 1);
4406  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
4407  CHECK(ecount == 2);
4408  ecount = 0;
4409  memset(ctmp2, 0, 32);
4410  ctmp2[31] = 4;
4411  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
4412  CHECK(ecount == 1);
4413  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
4414  CHECK(ecount == 2);
4415  ecount = 0;
4416  memset(ctmp2, 0, 32);
4417  CHECK(secp256k1_ec_seckey_tweak_add(ctx, NULL, ctmp2) == 0);
4418  CHECK(ecount == 1);
4419  CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, NULL) == 0);
4420  CHECK(ecount == 2);
4421  ecount = 0;
4422  memset(ctmp2, 0, 32);
4423  ctmp2[31] = 1;
4424  CHECK(secp256k1_ec_seckey_tweak_mul(ctx, NULL, ctmp2) == 0);
4425  CHECK(ecount == 1);
4426  CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, NULL) == 0);
4427  CHECK(ecount == 2);
4428  ecount = 0;
4429  CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0);
4430  CHECK(ecount == 1);
4431  memset(&pubkey, 1, sizeof(pubkey));
4432  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
4433  CHECK(ecount == 2);
4434  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4435  /* secp256k1_ec_pubkey_combine tests. */
4436  ecount = 0;
4437  pubkeys[0] = &pubkey_one;
4438  VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *));
4439  VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *));
4440  VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *));
4441  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4442  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4443  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
4444  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4445  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4446  CHECK(ecount == 1);
4447  CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
4448  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4449  CHECK(ecount == 2);
4450  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4451  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4452  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
4453  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4454  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4455  CHECK(ecount == 3);
4456  pubkeys[0] = &pubkey_negone;
4457  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4458  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4459  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
4460  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4461  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4462  CHECK(ecount == 3);
4463  len = 33;
4464  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
4465  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
4466  CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
4467  /* Result is infinity. */
4468  pubkeys[0] = &pubkey_one;
4469  pubkeys[1] = &pubkey_negone;
4470  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4471  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4472  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
4473  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4474  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4475  CHECK(ecount == 3);
4476  /* Passes through infinity but comes out one. */
4477  pubkeys[2] = &pubkey_one;
4478  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4479  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4480  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
4481  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4482  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4483  CHECK(ecount == 3);
4484  len = 33;
4485  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
4486  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
4487  CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
4488  /* Adds to two. */
4489  pubkeys[1] = &pubkey_one;
4490  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4491  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4492  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1);
4493  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4494  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4495  CHECK(ecount == 3);
4496  secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4497 }
4498 
4499 void run_eckey_negate_test(void) {
4500  unsigned char seckey[32];
4501  unsigned char seckey_tmp[32];
4502 
4503  random_scalar_order_b32(seckey);
4504  memcpy(seckey_tmp, seckey, 32);
4505 
4506  /* Verify negation changes the key and changes it back */
4507  CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
4508  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) != 0);
4509  CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
4510  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
4511 
4512  /* Check that privkey alias gives same result */
4513  CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
4514  CHECK(secp256k1_ec_privkey_negate(ctx, seckey_tmp) == 1);
4515  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
4516 
4517  /* Negating all 0s fails */
4518  memset(seckey, 0, 32);
4519  memset(seckey_tmp, 0, 32);
4520  CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 0);
4521  /* Check that seckey is not modified */
4522  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
4523 
4524  /* Negating an overflowing seckey fails and the seckey is zeroed. In this
4525  * test, the seckey has 16 random bytes to ensure that ec_seckey_negate
4526  * doesn't just set seckey to a constant value in case of failure. */
4527  random_scalar_order_b32(seckey);
4528  memset(seckey, 0xFF, 16);
4529  memset(seckey_tmp, 0, 32);
4530  CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 0);
4531  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
4532 }
4533 
4534 void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
4535  secp256k1_scalar nonce;
4536  do {
4537  random_scalar_order_test(&nonce);
4538  } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
4539 }
4540 
4541 void test_ecdsa_sign_verify(void) {
4542  secp256k1_gej pubj;
4543  secp256k1_ge pub;
4544  secp256k1_scalar one;
4545  secp256k1_scalar msg, key;
4546  secp256k1_scalar sigr, sigs;
4547  int getrec;
4548  int recid;
4549  random_scalar_order_test(&msg);
4550  random_scalar_order_test(&key);
4551  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
4552  secp256k1_ge_set_gej(&pub, &pubj);
4553  getrec = secp256k1_testrand_bits(1);
4554  /* The specific way in which this conditional is written sidesteps a potential bug in clang.
4555  See the commit messages of the commit that introduced this comment for details. */
4556  if (getrec) {
4557  random_sign(&sigr, &sigs, &key, &msg, &recid);
4558  CHECK(recid >= 0 && recid < 4);
4559  } else {
4560  random_sign(&sigr, &sigs, &key, &msg, NULL);
4561  }
4562  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
4563  secp256k1_scalar_set_int(&one, 1);
4564  secp256k1_scalar_add(&msg, &msg, &one);
4565  CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
4566 }
4567 
4568 void run_ecdsa_sign_verify(void) {
4569  int i;
4570  for (i = 0; i < 10*count; i++) {
4571  test_ecdsa_sign_verify();
4572  }
4573 }
4574 
4576 static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4577  (void)msg32;
4578  (void)key32;
4579  (void)algo16;
4580  memcpy(nonce32, data, 32);
4581  return (counter == 0);
4582 }
4583 
4584 static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4585  /* Dummy nonce generator that has a fatal error on the first counter value. */
4586  if (counter == 0) {
4587  return 0;
4588  }
4589  return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
4590 }
4591 
4592 static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4593  /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
4594  if (counter < 3) {
4595  memset(nonce32, counter==0 ? 0 : 255, 32);
4596  if (counter == 2) {
4597  nonce32[31]--;
4598  }
4599  return 1;
4600  }
4601  if (counter < 5) {
4602  static const unsigned char order[] = {
4603  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4604  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4605  0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4606  0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
4607  };
4608  memcpy(nonce32, order, 32);
4609  if (counter == 4) {
4610  nonce32[31]++;
4611  }
4612  return 1;
4613  }
4614  /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
4615  /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
4616  if (counter > 5) {
4617  return 0;
4618  }
4619  return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
4620 }
4621 
4622 int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
4623  static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
4624  return secp256k1_memcmp_var(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
4625 }
4626 
4627 void test_ecdsa_end_to_end(void) {
4628  unsigned char extra[32] = {0x00};
4629  unsigned char privkey[32];
4630  unsigned char message[32];
4631  unsigned char privkey2[32];
4632  secp256k1_ecdsa_signature signature[6];
4633  secp256k1_scalar r, s;
4634  unsigned char sig[74];
4635  size_t siglen = 74;
4636  unsigned char pubkeyc[65];
4637  size_t pubkeyclen = 65;
4638  secp256k1_pubkey pubkey;
4639  secp256k1_pubkey pubkey_tmp;
4640  unsigned char seckey[300];
4641  size_t seckeylen = 300;
4642 
4643  /* Generate a random key and message. */
4644  {
4645  secp256k1_scalar msg, key;
4646  random_scalar_order_test(&msg);
4647  random_scalar_order_test(&key);
4648  secp256k1_scalar_get_b32(privkey, &key);
4649  secp256k1_scalar_get_b32(message, &msg);
4650  }
4651 
4652  /* Construct and verify corresponding public key. */
4653  CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
4654  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
4655 
4656  /* Verify exporting and importing public key. */
4657  CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, secp256k1_testrand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
4658  memset(&pubkey, 0, sizeof(pubkey));
4659  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
4660 
4661  /* Verify negation changes the key and changes it back */
4662  memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
4663  CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4664  CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
4665  CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4666  CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
4667 
4668  /* Verify private key import and export. */
4669  CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, secp256k1_testrand_bits(1) == 1));
4670  CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1);
4671  CHECK(secp256k1_memcmp_var(privkey, privkey2, 32) == 0);
4672 
4673  /* Optionally tweak the keys using addition. */
4674  if (secp256k1_testrand_int(3) == 0) {
4675  int ret1;
4676  int ret2;
4677  int ret3;
4678  unsigned char rnd[32];
4679  unsigned char privkey_tmp[32];
4680  secp256k1_pubkey pubkey2;
4681  secp256k1_testrand256_test(rnd);
4682  memcpy(privkey_tmp, privkey, 32);
4683  ret1 = secp256k1_ec_seckey_tweak_add(ctx, privkey, rnd);
4684  ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd);
4685  /* Check that privkey alias gives same result */
4686  ret3 = secp256k1_ec_privkey_tweak_add(ctx, privkey_tmp, rnd);
4687  CHECK(ret1 == ret2);
4688  CHECK(ret2 == ret3);
4689  if (ret1 == 0) {
4690  return;
4691  }
4692  CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
4693  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4694  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4695  }
4696 
4697  /* Optionally tweak the keys using multiplication. */
4698  if (secp256k1_testrand_int(3) == 0) {
4699  int ret1;
4700  int ret2;
4701  int ret3;
4702  unsigned char rnd[32];
4703  unsigned char privkey_tmp[32];
4704  secp256k1_pubkey pubkey2;
4705  secp256k1_testrand256_test(rnd);
4706  memcpy(privkey_tmp, privkey, 32);
4707  ret1 = secp256k1_ec_seckey_tweak_mul(ctx, privkey, rnd);
4708  ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd);
4709  /* Check that privkey alias gives same result */
4710  ret3 = secp256k1_ec_privkey_tweak_mul(ctx, privkey_tmp, rnd);
4711  CHECK(ret1 == ret2);
4712  CHECK(ret2 == ret3);
4713  if (ret1 == 0) {
4714  return;
4715  }
4716  CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
4717  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4718  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4719  }
4720 
4721  /* Sign. */
4722  CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
4723  CHECK(secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1);
4724  CHECK(secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1);
4725  extra[31] = 1;
4726  CHECK(secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1);
4727  extra[31] = 0;
4728  extra[0] = 1;
4729  CHECK(secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1);
4730  CHECK(secp256k1_memcmp_var(&signature[0], &signature[4], sizeof(signature[0])) == 0);
4731  CHECK(secp256k1_memcmp_var(&signature[0], &signature[1], sizeof(signature[0])) != 0);
4732  CHECK(secp256k1_memcmp_var(&signature[0], &signature[2], sizeof(signature[0])) != 0);
4733  CHECK(secp256k1_memcmp_var(&signature[0], &signature[3], sizeof(signature[0])) != 0);
4734  CHECK(secp256k1_memcmp_var(&signature[1], &signature[2], sizeof(signature[0])) != 0);
4735  CHECK(secp256k1_memcmp_var(&signature[1], &signature[3], sizeof(signature[0])) != 0);
4736  CHECK(secp256k1_memcmp_var(&signature[2], &signature[3], sizeof(signature[0])) != 0);
4737  /* Verify. */
4738  CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4739  CHECK(secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1);
4740  CHECK(secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1);
4741  CHECK(secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1);
4742  /* Test lower-S form, malleate, verify and fail, test again, malleate again */
4743  CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[0]));
4744  secp256k1_ecdsa_signature_load(ctx, &r, &s, &signature[0]);
4745  secp256k1_scalar_negate(&s, &s);
4746  secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4747  CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0);
4748  CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4749  CHECK(secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4750  CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4751  CHECK(!secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4752  CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4753  secp256k1_scalar_negate(&s, &s);
4754  secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4755  CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4756  CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4757  CHECK(secp256k1_memcmp_var(&signature[5], &signature[0], 64) == 0);
4758 
4759  /* Serialize/parse DER and verify again */
4760  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4761  memset(&signature[0], 0, sizeof(signature[0]));
4762  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1);
4763  CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4764  /* Serialize/destroy/parse DER and verify again. */
4765  siglen = 74;
4766  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4767  sig[secp256k1_testrand_int(siglen)] += 1 + secp256k1_testrand_int(255);
4768  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 ||
4769  secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0);
4770 }
4771 
4772 void test_random_pubkeys(void) {
4773  secp256k1_ge elem;
4774  secp256k1_ge elem2;
4775  unsigned char in[65];
4776  /* Generate some randomly sized pubkeys. */
4777  size_t len = secp256k1_testrand_bits(2) == 0 ? 65 : 33;
4778  if (secp256k1_testrand_bits(2) == 0) {
4779  len = secp256k1_testrand_bits(6);
4780  }
4781  if (len == 65) {
4782  in[0] = secp256k1_testrand_bits(1) ? 4 : (secp256k1_testrand_bits(1) ? 6 : 7);
4783  } else {
4784  in[0] = secp256k1_testrand_bits(1) ? 2 : 3;
4785  }
4786  if (secp256k1_testrand_bits(3) == 0) {
4787  in[0] = secp256k1_testrand_bits(8);
4788  }
4789  if (len > 1) {
4790  secp256k1_testrand256(&in[1]);
4791  }
4792  if (len > 33) {
4793  secp256k1_testrand256(&in[33]);
4794  }
4795  if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
4796  unsigned char out[65];
4797  unsigned char firstb;
4798  int res;
4799  size_t size = len;
4800  firstb = in[0];
4801  /* If the pubkey can be parsed, it should round-trip... */
4802  CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
4803  CHECK(size == len);
4804  CHECK(secp256k1_memcmp_var(&in[1], &out[1], len-1) == 0);
4805  /* ... except for the type of hybrid inputs. */
4806  if ((in[0] != 6) && (in[0] != 7)) {
4807  CHECK(in[0] == out[0]);
4808  }
4809  size = 65;
4810  CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
4811  CHECK(size == 65);
4812  CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
4813  ge_equals_ge(&elem,&elem2);
4814  /* Check that the X9.62 hybrid type is checked. */
4815  in[0] = secp256k1_testrand_bits(1) ? 6 : 7;
4816  res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
4817  if (firstb == 2 || firstb == 3) {
4818  if (in[0] == firstb + 4) {
4819  CHECK(res);
4820  } else {
4821  CHECK(!res);
4822  }
4823  }
4824  if (res) {
4825  ge_equals_ge(&elem,&elem2);
4826  CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
4827  CHECK(secp256k1_memcmp_var(&in[1], &out[1], 64) == 0);
4828  }
4829  }
4830 }
4831 
4832 void run_random_pubkeys(void) {
4833  int i;
4834  for (i = 0; i < 10*count; i++) {
4835  test_random_pubkeys();
4836  }
4837 }
4838 
4839 void run_ecdsa_end_to_end(void) {
4840  int i;
4841  for (i = 0; i < 64*count; i++) {
4842  test_ecdsa_end_to_end();
4843  }
4844 }
4845 
4846 int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
4847  static const unsigned char zeroes[32] = {0};
4848 
4849  int ret = 0;
4850 
4851  secp256k1_ecdsa_signature sig_der;
4852  unsigned char roundtrip_der[2048];
4853  unsigned char compact_der[64];
4854  size_t len_der = 2048;
4855  int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
4856 
4857  secp256k1_ecdsa_signature sig_der_lax;
4858  unsigned char roundtrip_der_lax[2048];
4859  unsigned char compact_der_lax[64];
4860  size_t len_der_lax = 2048;
4861  int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
4862 
4863  parsed_der = secp256k1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen);
4864  if (parsed_der) {
4865  ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0;
4866  valid_der = (secp256k1_memcmp_var(compact_der, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der + 32, zeroes, 32) != 0);
4867  }
4868  if (valid_der) {
4869  ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1;
4870  roundtrips_der = (len_der == siglen) && secp256k1_memcmp_var(roundtrip_der, sig, siglen) == 0;
4871  }
4872 
4873  parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen);
4874  if (parsed_der_lax) {
4875  ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10;
4876  valid_der_lax = (secp256k1_memcmp_var(compact_der_lax, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der_lax + 32, zeroes, 32) != 0);
4877  }
4878  if (valid_der_lax) {
4879  ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
4880  roundtrips_der_lax = (len_der_lax == siglen) && secp256k1_memcmp_var(roundtrip_der_lax, sig, siglen) == 0;
4881  }
4882 
4883  if (certainly_der) {
4884  ret |= (!parsed_der) << 2;
4885  }
4886  if (certainly_not_der) {
4887  ret |= (parsed_der) << 17;
4888  }
4889  if (valid_der) {
4890  ret |= (!roundtrips_der) << 3;
4891  }
4892 
4893  if (valid_der) {
4894  ret |= (!roundtrips_der_lax) << 12;
4895  ret |= (len_der != len_der_lax) << 13;
4896  ret |= ((len_der != len_der_lax) || (secp256k1_memcmp_var(roundtrip_der_lax, roundtrip_der, len_der) != 0)) << 14;
4897  }
4898  ret |= (roundtrips_der != roundtrips_der_lax) << 15;
4899  if (parsed_der) {
4900  ret |= (!parsed_der_lax) << 16;
4901  }
4902 
4903  return ret;
4904 }
4905 
4906 static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
4907  size_t i;
4908  for (i = 0; i < ptrlen; i++) {
4909  int shift = ptrlen - 1 - i;
4910  if (shift >= 4) {
4911  ptr[i] = 0;
4912  } else {
4913  ptr[i] = (val >> shift) & 0xFF;
4914  }
4915  }
4916 }
4917 
4918 static void damage_array(unsigned char *sig, size_t *len) {
4919  int pos;
4920  int action = secp256k1_testrand_bits(3);
4921  if (action < 1 && *len > 3) {
4922  /* Delete a byte. */
4923  pos = secp256k1_testrand_int(*len);
4924  memmove(sig + pos, sig + pos + 1, *len - pos - 1);
4925  (*len)--;
4926  return;
4927  } else if (action < 2 && *len < 2048) {
4928  /* Insert a byte. */
4929  pos = secp256k1_testrand_int(1 + *len);
4930  memmove(sig + pos + 1, sig + pos, *len - pos);
4931  sig[pos] = secp256k1_testrand_bits(8);
4932  (*len)++;
4933  return;
4934  } else if (action < 4) {
4935  /* Modify a byte. */
4936  sig[secp256k1_testrand_int(*len)] += 1 + secp256k1_testrand_int(255);
4937  return;
4938  } else { /* action < 8 */
4939  /* Modify a bit. */
4940  sig[secp256k1_testrand_int(*len)] ^= 1 << secp256k1_testrand_bits(3);
4941  return;
4942  }
4943 }
4944 
4945 static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
4946  int der;
4947  int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
4948  size_t tlen, elen, glen;
4949  int indet;
4950  int n;
4951 
4952  *len = 0;
4953  der = secp256k1_testrand_bits(2) == 0;
4954  *certainly_der = der;
4955  *certainly_not_der = 0;
4956  indet = der ? 0 : secp256k1_testrand_int(10) == 0;
4957 
4958  for (n = 0; n < 2; n++) {
4959  /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
4960  nlow[n] = der ? 1 : (secp256k1_testrand_bits(3) != 0);
4961  /* The length of the number in bytes (the first byte of which will always be nonzero) */
4962  nlen[n] = nlow[n] ? secp256k1_testrand_int(33) : 32 + secp256k1_testrand_int(200) * secp256k1_testrand_int(8) / 8;
4963  CHECK(nlen[n] <= 232);
4964  /* The top bit of the number. */
4965  nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_testrand_bits(1));
4966  /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
4967  nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_testrand_bits(7) : 1 + secp256k1_testrand_int(127));
4968  /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
4969  nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_testrand_int(3) : secp256k1_testrand_int(300 - nlen[n]) * secp256k1_testrand_int(8) / 8);
4970  if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
4971  *certainly_not_der = 1;
4972  }
4973  CHECK(nlen[n] + nzlen[n] <= 300);
4974  /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
4975  nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
4976  if (!der) {
4977  /* nlenlen[n] max 127 bytes */
4978  int add = secp256k1_testrand_int(127 - nlenlen[n]) * secp256k1_testrand_int(16) * secp256k1_testrand_int(16) / 256;
4979  nlenlen[n] += add;
4980  if (add != 0) {
4981  *certainly_not_der = 1;
4982  }
4983  }
4984  CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
4985  }
4986 
4987  /* The total length of the data to go, so far */
4988  tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
4989  CHECK(tlen <= 856);
4990 
4991  /* The length of the garbage inside the tuple. */
4992  elen = (der || indet) ? 0 : secp256k1_testrand_int(980 - tlen) * secp256k1_testrand_int(8) / 8;
4993  if (elen != 0) {
4994  *certainly_not_der = 1;
4995  }
4996  tlen += elen;
4997  CHECK(tlen <= 980);
4998 
4999  /* The length of the garbage after the end of the tuple. */
5000  glen = der ? 0 : secp256k1_testrand_int(990 - tlen) * secp256k1_testrand_int(8) / 8;
5001  if (glen != 0) {
5002  *certainly_not_der = 1;
5003  }
5004  CHECK(tlen + glen <= 990);
5005 
5006  /* Write the tuple header. */
5007  sig[(*len)++] = 0x30;
5008  if (indet) {
5009  /* Indeterminate length */
5010  sig[(*len)++] = 0x80;
5011  *certainly_not_der = 1;
5012  } else {
5013  int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
5014  if (!der) {
5015  int add = secp256k1_testrand_int(127 - tlenlen) * secp256k1_testrand_int(16) * secp256k1_testrand_int(16) / 256;
5016  tlenlen += add;
5017  if (add != 0) {
5018  *certainly_not_der = 1;
5019  }
5020  }
5021  if (tlenlen == 0) {
5022  /* Short length notation */
5023  sig[(*len)++] = tlen;
5024  } else {
5025  /* Long length notation */
5026  sig[(*len)++] = 128 + tlenlen;
5027  assign_big_endian(sig + *len, tlenlen, tlen);
5028  *len += tlenlen;
5029  }
5030  tlen += tlenlen;
5031  }
5032  tlen += 2;
5033  CHECK(tlen + glen <= 1119);
5034 
5035  for (n = 0; n < 2; n++) {
5036  /* Write the integer header. */
5037  sig[(*len)++] = 0x02;
5038  if (nlenlen[n] == 0) {
5039  /* Short length notation */
5040  sig[(*len)++] = nlen[n] + nzlen[n];
5041  } else {
5042  /* Long length notation. */
5043  sig[(*len)++] = 128 + nlenlen[n];
5044  assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
5045  *len += nlenlen[n];
5046  }
5047  /* Write zero padding */
5048  while (nzlen[n] > 0) {
5049  sig[(*len)++] = 0x00;
5050  nzlen[n]--;
5051  }
5052  if (nlen[n] == 32 && !nlow[n]) {
5053  /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
5054  int i;
5055  for (i = 0; i < 16; i++) {
5056  sig[(*len)++] = 0xFF;
5057  }
5058  nlen[n] -= 16;
5059  }
5060  /* Write first byte of number */
5061  if (nlen[n] > 0) {
5062  sig[(*len)++] = nhbyte[n];
5063  nlen[n]--;
5064  }
5065  /* Generate remaining random bytes of number */
5066  secp256k1_testrand_bytes_test(sig + *len, nlen[n]);
5067  *len += nlen[n];
5068  nlen[n] = 0;
5069  }
5070 
5071  /* Generate random garbage inside tuple. */
5072  secp256k1_testrand_bytes_test(sig + *len, elen);
5073  *len += elen;
5074 
5075  /* Generate end-of-contents bytes. */
5076  if (indet) {
5077  sig[(*len)++] = 0;
5078  sig[(*len)++] = 0;
5079  tlen += 2;
5080  }
5081  CHECK(tlen + glen <= 1121);
5082 
5083  /* Generate random garbage outside tuple. */
5084  secp256k1_testrand_bytes_test(sig + *len, glen);
5085  *len += glen;
5086  tlen += glen;
5087  CHECK(tlen <= 1121);
5088  CHECK(tlen == *len);
5089 }
5090 
5091 void run_ecdsa_der_parse(void) {
5092  int i,j;
5093  for (i = 0; i < 200 * count; i++) {
5094  unsigned char buffer[2048];
5095  size_t buflen = 0;
5096  int certainly_der = 0;
5097  int certainly_not_der = 0;
5098  random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
5099  CHECK(buflen <= 2048);
5100  for (j = 0; j < 16; j++) {
5101  int ret = 0;
5102  if (j > 0) {
5103  damage_array(buffer, &buflen);
5104  /* We don't know anything anymore about the DERness of the result */
5105  certainly_der = 0;
5106  certainly_not_der = 0;
5107  }
5108  ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
5109  if (ret != 0) {
5110  size_t k;
5111  fprintf(stderr, "Failure %x on ", ret);
5112  for (k = 0; k < buflen; k++) {
5113  fprintf(stderr, "%02x ", buffer[k]);
5114  }
5115  fprintf(stderr, "\n");
5116  }
5117  CHECK(ret == 0);
5118  }
5119  }
5120 }
5121 
5122 /* Tests several edge cases. */
5123 void test_ecdsa_edge_cases(void) {
5124  int t;
5125  secp256k1_ecdsa_signature sig;
5126 
5127  /* Test the case where ECDSA recomputes a point that is infinity. */
5128  {
5129  secp256k1_gej keyj;
5130  secp256k1_ge key;
5131  secp256k1_scalar msg;
5132  secp256k1_scalar sr, ss;
5133  secp256k1_scalar_set_int(&ss, 1);
5134  secp256k1_scalar_negate(&ss, &ss);
5135  secp256k1_scalar_inverse(&ss, &ss);
5136  secp256k1_scalar_set_int(&sr, 1);
5137  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr);
5138  secp256k1_ge_set_gej(&key, &keyj);
5139  msg = ss;
5140  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5141  }
5142 
5143  /* Verify signature with r of zero fails. */
5144  {
5145  const unsigned char pubkey_mods_zero[33] = {
5146  0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5147  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5148  0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
5149  0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
5150  0x41
5151  };
5152  secp256k1_ge key;
5153  secp256k1_scalar msg;
5154  secp256k1_scalar sr, ss;
5155  secp256k1_scalar_set_int(&ss, 1);
5156  secp256k1_scalar_set_int(&msg, 0);
5157  secp256k1_scalar_set_int(&sr, 0);
5158  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
5159  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5160  }
5161 
5162  /* Verify signature with s of zero fails. */
5163  {
5164  const unsigned char pubkey[33] = {
5165  0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5166  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5167  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5168  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5169  0x01
5170  };
5171  secp256k1_ge key;
5172  secp256k1_scalar msg;
5173  secp256k1_scalar sr, ss;
5174  secp256k1_scalar_set_int(&ss, 0);
5175  secp256k1_scalar_set_int(&msg, 0);
5176  secp256k1_scalar_set_int(&sr, 1);
5177  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
5178  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5179  }
5180 
5181  /* Verify signature with message 0 passes. */
5182  {
5183  const unsigned char pubkey[33] = {
5184  0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5185  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5186  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5187  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5188  0x02
5189  };
5190  const unsigned char pubkey2[33] = {
5191  0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5192  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5193  0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
5194  0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
5195  0x43
5196  };
5197  secp256k1_ge key;
5198  secp256k1_ge key2;
5199  secp256k1_scalar msg;
5200  secp256k1_scalar sr, ss;
5201  secp256k1_scalar_set_int(&ss, 2);
5202  secp256k1_scalar_set_int(&msg, 0);
5203  secp256k1_scalar_set_int(&sr, 2);
5204  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
5205  CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
5206  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5207  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5208  secp256k1_scalar_negate(&ss, &ss);
5209  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5210  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5211  secp256k1_scalar_set_int(&ss, 1);
5212  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5213  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
5214  }
5215 
5216  /* Verify signature with message 1 passes. */
5217  {
5218  const unsigned char pubkey[33] = {
5219  0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
5220  0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
5221  0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
5222  0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
5223  0x25
5224  };
5225  const unsigned char pubkey2[33] = {
5226  0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
5227  0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
5228  0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
5229  0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
5230  0x62
5231  };
5232  const unsigned char csr[32] = {
5233  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5234  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5235  0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
5236  0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
5237  };
5238  secp256k1_ge key;
5239  secp256k1_ge key2;
5240  secp256k1_scalar msg;
5241  secp256k1_scalar sr, ss;
5242  secp256k1_scalar_set_int(&ss, 1);
5243  secp256k1_scalar_set_int(&msg, 1);
5244  secp256k1_scalar_set_b32(&sr, csr, NULL);
5245  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
5246  CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
5247  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5248  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5249  secp256k1_scalar_negate(&ss, &ss);
5250  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5251  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5252  secp256k1_scalar_set_int(&ss, 2);
5253  secp256k1_scalar_inverse_var(&ss, &ss);
5254  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5255  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
5256  }
5257 
5258  /* Verify signature with message -1 passes. */
5259  {
5260  const unsigned char pubkey[33] = {
5261  0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
5262  0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
5263  0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
5264  0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
5265  0xf1
5266  };
5267  const unsigned char csr[32] = {
5268  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5269  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5270  0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
5271  0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
5272  };
5273  secp256k1_ge key;
5274  secp256k1_scalar msg;
5275  secp256k1_scalar sr, ss;
5276  secp256k1_scalar_set_int(&ss, 1);
5277  secp256k1_scalar_set_int(&msg, 1);
5278  secp256k1_scalar_negate(&msg, &msg);
5279  secp256k1_scalar_set_b32(&sr, csr, NULL);
5280  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
5281  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5282  secp256k1_scalar_negate(&ss, &ss);
5283  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5284  secp256k1_scalar_set_int(&ss, 3);
5285  secp256k1_scalar_inverse_var(&ss, &ss);
5286  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5287  }
5288 
5289  /* Signature where s would be zero. */
5290  {
5291  secp256k1_pubkey pubkey;
5292  size_t siglen;
5293  int32_t ecount;
5294  unsigned char signature[72];
5295  static const unsigned char nonce[32] = {
5296  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5297  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5298  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5299  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5300  };
5301  static const unsigned char nonce2[32] = {
5302  0xFF,0x