Bitcoin ABC  0.24.7
P2P Digital Currency
tests.c
Go to the documentation of this file.
1 /***********************************************************************
2  * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5  ***********************************************************************/
6 
7 #if defined HAVE_CONFIG_H
8 #include "libsecp256k1-config.h"
9 #endif
10 
11 #include <stdio.h>
12 #include <stdlib.h>
13 #include <string.h>
14 
15 #include <time.h>
16 
17 #include "secp256k1.c"
18 #include "include/secp256k1.h"
19 #include "include/secp256k1_preallocated.h"
20 #include "testrand_impl.h"
21 #include "util.h"
22 
23 #ifdef ENABLE_OPENSSL_TESTS
24 #include "openssl/bn.h"
25 #include "openssl/ec.h"
26 #include "openssl/ecdsa.h"
27 #include "openssl/obj_mac.h"
28 # if OPENSSL_VERSION_NUMBER < 0x10100000L
29 void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {*pr = sig->r; *ps = sig->s;}
30 # endif
31 #endif
32 
33 #include "contrib/lax_der_parsing.c"
34 #include "contrib/lax_der_privatekey_parsing.c"
35 
36 #include "modinv32_impl.h"
37 #ifdef SECP256K1_WIDEMUL_INT128
38 #include "modinv64_impl.h"
39 #endif
40 
41 static int count = 64;
42 static secp256k1_context *ctx = NULL;
43 
44 static void counting_illegal_callback_fn(const char* str, void* data) {
45  /* Dummy callback function that just counts. */
46  int32_t *p;
47  (void)str;
48  p = data;
49  (*p)++;
50 }
51 
52 static void uncounting_illegal_callback_fn(const char* str, void* data) {
53  /* Dummy callback function that just counts (backwards). */
54  int32_t *p;
55  (void)str;
56  p = data;
57  (*p)--;
58 }
59 
60 void random_field_element_test(secp256k1_fe *fe) {
61  do {
62  unsigned char b32[32];
63  secp256k1_testrand256_test(b32);
64  if (secp256k1_fe_set_b32(fe, b32)) {
65  break;
66  }
67  } while(1);
68 }
69 
70 void random_field_element_magnitude(secp256k1_fe *fe) {
71  secp256k1_fe zero;
72  int n = secp256k1_testrand_int(9);
73  secp256k1_fe_normalize(fe);
74  if (n == 0) {
75  return;
76  }
77  secp256k1_fe_clear(&zero);
78  secp256k1_fe_negate(&zero, &zero, 0);
79  secp256k1_fe_mul_int(&zero, n - 1);
80  secp256k1_fe_add(fe, &zero);
81 #ifdef VERIFY
82  CHECK(fe->magnitude == n);
83 #endif
84 }
85 
86 void random_group_element_test(secp256k1_ge *ge) {
87  secp256k1_fe fe;
88  do {
89  random_field_element_test(&fe);
90  if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_testrand_bits(1))) {
91  secp256k1_fe_normalize(&ge->y);
92  break;
93  }
94  } while(1);
95  ge->infinity = 0;
96 }
97 
98 void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) {
99  secp256k1_fe z2, z3;
100  do {
101  random_field_element_test(&gej->z);
102  if (!secp256k1_fe_is_zero(&gej->z)) {
103  break;
104  }
105  } while(1);
106  secp256k1_fe_sqr(&z2, &gej->z);
107  secp256k1_fe_mul(&z3, &z2, &gej->z);
108  secp256k1_fe_mul(&gej->x, &ge->x, &z2);
109  secp256k1_fe_mul(&gej->y, &ge->y, &z3);
110  gej->infinity = ge->infinity;
111 }
112 
113 void random_scalar_order_test(secp256k1_scalar *num) {
114  do {
115  unsigned char b32[32];
116  int overflow = 0;
117  secp256k1_testrand256_test(b32);
118  secp256k1_scalar_set_b32(num, b32, &overflow);
119  if (overflow || secp256k1_scalar_is_zero(num)) {
120  continue;
121  }
122  break;
123  } while(1);
124 }
125 
126 void random_scalar_order(secp256k1_scalar *num) {
127  do {
128  unsigned char b32[32];
129  int overflow = 0;
130  secp256k1_testrand256(b32);
131  secp256k1_scalar_set_b32(num, b32, &overflow);
132  if (overflow || secp256k1_scalar_is_zero(num)) {
133  continue;
134  }
135  break;
136  } while(1);
137 }
138 
139 void random_scalar_order_b32(unsigned char *b32) {
140  secp256k1_scalar num;
141  random_scalar_order(&num);
142  secp256k1_scalar_get_b32(b32, &num);
143 }
144 
145 void run_context_tests(int use_prealloc) {
146  secp256k1_pubkey pubkey;
147  secp256k1_pubkey zero_pubkey;
148  secp256k1_ecdsa_signature sig;
149  unsigned char ctmp[32];
150  int32_t ecount;
151  int32_t ecount2;
152  secp256k1_context *none;
153  secp256k1_context *sign;
154  secp256k1_context *vrfy;
155  secp256k1_context *both;
156  void *none_prealloc = NULL;
157  void *sign_prealloc = NULL;
158  void *vrfy_prealloc = NULL;
159  void *both_prealloc = NULL;
160 
161  secp256k1_gej pubj;
162  secp256k1_ge pub;
163  secp256k1_scalar msg, key, nonce;
164  secp256k1_scalar sigr, sigs;
165 
166  if (use_prealloc) {
167  none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
168  sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
169  vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
170  both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
171  CHECK(none_prealloc != NULL);
172  CHECK(sign_prealloc != NULL);
173  CHECK(vrfy_prealloc != NULL);
174  CHECK(both_prealloc != NULL);
175  none = secp256k1_context_preallocated_create(none_prealloc, SECP256K1_CONTEXT_NONE);
176  sign = secp256k1_context_preallocated_create(sign_prealloc, SECP256K1_CONTEXT_SIGN);
177  vrfy = secp256k1_context_preallocated_create(vrfy_prealloc, SECP256K1_CONTEXT_VERIFY);
178  both = secp256k1_context_preallocated_create(both_prealloc, SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
179  } else {
180  none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
181  sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
182  vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
183  both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
184  }
185 
186  memset(&zero_pubkey, 0, sizeof(zero_pubkey));
187 
188  ecount = 0;
189  ecount2 = 10;
190  secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
191  secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2);
192  /* set error callback (to a function that still aborts in case malloc() fails in secp256k1_context_clone() below) */
193  secp256k1_context_set_error_callback(sign, secp256k1_default_illegal_callback_fn, NULL);
194  CHECK(sign->error_callback.fn != vrfy->error_callback.fn);
195  CHECK(sign->error_callback.fn == secp256k1_default_illegal_callback_fn);
196 
197  /* check if sizes for cloning are consistent */
198  CHECK(secp256k1_context_preallocated_clone_size(none) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
199  CHECK(secp256k1_context_preallocated_clone_size(sign) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
200  CHECK(secp256k1_context_preallocated_clone_size(vrfy) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
201  CHECK(secp256k1_context_preallocated_clone_size(both) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
202 
203  /*** clone and destroy all of them to make sure cloning was complete ***/
204  {
205  secp256k1_context *ctx_tmp;
206 
207  if (use_prealloc) {
208  /* clone into a non-preallocated context and then again into a new preallocated one. */
209  ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
210  free(none_prealloc); none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(none_prealloc != NULL);
211  ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, none_prealloc); secp256k1_context_destroy(ctx_tmp);
212 
213  ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
214  free(sign_prealloc); sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(sign_prealloc != NULL);
215  ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, sign_prealloc); secp256k1_context_destroy(ctx_tmp);
216 
217  ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
218  free(vrfy_prealloc); vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(vrfy_prealloc != NULL);
219  ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, vrfy_prealloc); secp256k1_context_destroy(ctx_tmp);
220 
221  ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
222  free(both_prealloc); both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(both_prealloc != NULL);
223  ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, both_prealloc); secp256k1_context_destroy(ctx_tmp);
224  } else {
225  /* clone into a preallocated context and then again into a new non-preallocated one. */
226  void *prealloc_tmp;
227 
228  prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(prealloc_tmp != NULL);
229  ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
230  ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
231  free(prealloc_tmp);
232 
233  prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(prealloc_tmp != NULL);
234  ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
235  ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
236  free(prealloc_tmp);
237 
238  prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
239  ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
240  ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
241  free(prealloc_tmp);
242 
243  prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
244  ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
245  ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
246  free(prealloc_tmp);
247  }
248  }
249 
250  /* Verify that the error callback makes it across the clone. */
251  CHECK(sign->error_callback.fn != vrfy->error_callback.fn);
252  CHECK(sign->error_callback.fn == secp256k1_default_illegal_callback_fn);
253  /* And that it resets back to default. */
254  secp256k1_context_set_error_callback(sign, NULL, NULL);
255  CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
256 
257  /*** attempt to use them ***/
258  random_scalar_order_test(&msg);
259  random_scalar_order_test(&key);
260  secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
261  secp256k1_ge_set_gej(&pub, &pubj);
262 
263  /* Verify context-type checking illegal-argument errors. */
264  memset(ctmp, 1, 32);
265  CHECK(secp256k1_ec_pubkey_create(vrfy, &pubkey, ctmp) == 0);
266  CHECK(ecount == 1);
267  VG_UNDEF(&pubkey, sizeof(pubkey));
268  CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1);
269  VG_CHECK(&pubkey, sizeof(pubkey));
270  CHECK(secp256k1_ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0);
271  CHECK(ecount == 2);
272  VG_UNDEF(&sig, sizeof(sig));
273  CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
274  VG_CHECK(&sig, sizeof(sig));
275  CHECK(ecount2 == 10);
276  CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0);
277  CHECK(ecount2 == 11);
278  CHECK(secp256k1_ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1);
279  CHECK(ecount == 2);
280  CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0);
281  CHECK(ecount2 == 12);
282  CHECK(secp256k1_ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1);
283  CHECK(ecount == 2);
284  CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0);
285  CHECK(ecount2 == 13);
286  CHECK(secp256k1_ec_pubkey_negate(vrfy, &pubkey) == 1);
287  CHECK(ecount == 2);
288  CHECK(secp256k1_ec_pubkey_negate(sign, &pubkey) == 1);
289  CHECK(ecount == 2);
290  CHECK(secp256k1_ec_pubkey_negate(sign, NULL) == 0);
291  CHECK(ecount2 == 14);
292  CHECK(secp256k1_ec_pubkey_negate(vrfy, &zero_pubkey) == 0);
293  CHECK(ecount == 3);
294  CHECK(secp256k1_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1);
295  CHECK(ecount == 3);
296  CHECK(secp256k1_context_randomize(vrfy, ctmp) == 1);
297  CHECK(ecount == 3);
298  CHECK(secp256k1_context_randomize(vrfy, NULL) == 1);
299  CHECK(ecount == 3);
300  CHECK(secp256k1_context_randomize(sign, ctmp) == 1);
301  CHECK(ecount2 == 14);
302  CHECK(secp256k1_context_randomize(sign, NULL) == 1);
303  CHECK(ecount2 == 14);
304  secp256k1_context_set_illegal_callback(vrfy, NULL, NULL);
305  secp256k1_context_set_illegal_callback(sign, NULL, NULL);
306 
307  /* obtain a working nonce */
308  do {
309  random_scalar_order_test(&nonce);
310  } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
311 
312  /* try signing */
313  CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
314  CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
315 
316  /* try verifying */
317  CHECK(secp256k1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg));
318  CHECK(secp256k1_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg));
319 
320  /* cleanup */
321  if (use_prealloc) {
322  secp256k1_context_preallocated_destroy(none);
323  secp256k1_context_preallocated_destroy(sign);
324  secp256k1_context_preallocated_destroy(vrfy);
325  secp256k1_context_preallocated_destroy(both);
326  free(none_prealloc);
327  free(sign_prealloc);
328  free(vrfy_prealloc);
329  free(both_prealloc);
330  } else {
331  secp256k1_context_destroy(none);
332  secp256k1_context_destroy(sign);
333  secp256k1_context_destroy(vrfy);
334  secp256k1_context_destroy(both);
335  }
336  /* Defined as no-op. */
337  secp256k1_context_destroy(NULL);
338  secp256k1_context_preallocated_destroy(NULL);
339 
340 }
341 
342 void run_scratch_tests(void) {
343  const size_t adj_alloc = ((500 + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT;
344 
345  int32_t ecount = 0;
346  size_t checkpoint;
347  size_t checkpoint_2;
348  secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
349  secp256k1_scratch_space *scratch;
350  secp256k1_scratch_space local_scratch;
351 
352  /* Test public API */
353  secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
354  secp256k1_context_set_error_callback(none, counting_illegal_callback_fn, &ecount);
355 
356  scratch = secp256k1_scratch_space_create(none, 1000);
357  CHECK(scratch != NULL);
358  CHECK(ecount == 0);
359 
360  /* Test internal API */
361  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
362  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1));
363  CHECK(scratch->alloc_size == 0);
364  CHECK(scratch->alloc_size % ALIGNMENT == 0);
365 
366  /* Allocating 500 bytes succeeds */
367  checkpoint = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
368  CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
369  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
370  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
371  CHECK(scratch->alloc_size != 0);
372  CHECK(scratch->alloc_size % ALIGNMENT == 0);
373 
374  /* Allocating another 501 bytes fails */
375  CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 501) == NULL);
376  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
377  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
378  CHECK(scratch->alloc_size != 0);
379  CHECK(scratch->alloc_size % ALIGNMENT == 0);
380 
381  /* ...but it succeeds once we apply the checkpoint to undo it */
382  secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
383  CHECK(scratch->alloc_size == 0);
384  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
385  CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
386  CHECK(scratch->alloc_size != 0);
387 
388  /* try to apply a bad checkpoint */
389  checkpoint_2 = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
390  secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
391  CHECK(ecount == 0);
392  secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint_2); /* checkpoint_2 is after checkpoint */
393  CHECK(ecount == 1);
394  secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, (size_t) -1); /* this is just wildly invalid */
395  CHECK(ecount == 2);
396 
397  /* try to use badly initialized scratch space */
398  secp256k1_scratch_space_destroy(none, scratch);
399  memset(&local_scratch, 0, sizeof(local_scratch));
400  scratch = &local_scratch;
401  CHECK(!secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0));
402  CHECK(ecount == 3);
403  CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) == NULL);
404  CHECK(ecount == 4);
405  secp256k1_scratch_space_destroy(none, scratch);
406  CHECK(ecount == 5);
407 
408  /* Test that large integers do not wrap around in a bad way */
409  scratch = secp256k1_scratch_space_create(none, 1000);
410  /* Try max allocation with a large number of objects. Only makes sense if
411  * ALIGNMENT is greater than 1 because otherwise the objects take no extra
412  * space. */
413  CHECK(ALIGNMENT <= 1 || !secp256k1_scratch_max_allocation(&none->error_callback, scratch, (SIZE_MAX / (ALIGNMENT - 1)) + 1));
414  /* Try allocating SIZE_MAX to test wrap around which only happens if
415  * ALIGNMENT > 1, otherwise it returns NULL anyway because the scratch
416  * space is too small. */
417  CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, SIZE_MAX) == NULL);
418  secp256k1_scratch_space_destroy(none, scratch);
419 
420  /* cleanup */
421  secp256k1_scratch_space_destroy(none, NULL); /* no-op */
422  secp256k1_context_destroy(none);
423 }
424 
425 void run_ctz_tests(void) {
426  static const uint32_t b32[] = {1, 0xffffffff, 0x5e56968f, 0xe0d63129};
427  static const uint64_t b64[] = {1, 0xffffffffffffffff, 0xbcd02462139b3fc3, 0x98b5f80c769693ef};
428  int shift;
429  unsigned i;
430  for (i = 0; i < sizeof(b32) / sizeof(b32[0]); ++i) {
431  for (shift = 0; shift < 32; ++shift) {
432  CHECK(secp256k1_ctz32_var_debruijn(b32[i] << shift) == shift);
433  CHECK(secp256k1_ctz32_var(b32[i] << shift) == shift);
434  }
435  }
436  for (i = 0; i < sizeof(b64) / sizeof(b64[0]); ++i) {
437  for (shift = 0; shift < 64; ++shift) {
438  CHECK(secp256k1_ctz64_var_debruijn(b64[i] << shift) == shift);
439  CHECK(secp256k1_ctz64_var(b64[i] << shift) == shift);
440  }
441  }
442 }
443 
444 /***** HASH TESTS *****/
445 
446 void run_sha256_tests(void) {
447  static const char *inputs[8] = {
448  "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
449  "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
450  "For this sample, this 63-byte string will be used as input data",
451  "This is exactly 64 bytes long, not counting the terminating byte"
452  };
453  static const unsigned char outputs[8][32] = {
454  {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
455  {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
456  {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
457  {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
458  {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
459  {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
460  {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
461  {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
462  };
463  int i;
464  for (i = 0; i < 8; i++) {
465  unsigned char out[32];
466  secp256k1_sha256 hasher;
467  secp256k1_sha256_initialize(&hasher);
468  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
469  secp256k1_sha256_finalize(&hasher, out);
470  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
471  if (strlen(inputs[i]) > 0) {
472  int split = secp256k1_testrand_int(strlen(inputs[i]));
473  secp256k1_sha256_initialize(&hasher);
474  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
475  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
476  secp256k1_sha256_finalize(&hasher, out);
477  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
478  }
479  }
480 }
481 
482 void run_hmac_sha256_tests(void) {
483  static const char *keys[6] = {
484  "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
485  "\x4a\x65\x66\x65",
486  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
487  "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
488  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
489  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
490  };
491  static const char *inputs[6] = {
492  "\x48\x69\x20\x54\x68\x65\x72\x65",
493  "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
494  "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
495  "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
496  "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
497  "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
498  };
499  static const unsigned char outputs[6][32] = {
500  {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
501  {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
502  {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
503  {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
504  {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
505  {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
506  };
507  int i;
508  for (i = 0; i < 6; i++) {
509  secp256k1_hmac_sha256 hasher;
510  unsigned char out[32];
511  secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
512  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
513  secp256k1_hmac_sha256_finalize(&hasher, out);
514  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
515  if (strlen(inputs[i]) > 0) {
516  int split = secp256k1_testrand_int(strlen(inputs[i]));
517  secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
518  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
519  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
520  secp256k1_hmac_sha256_finalize(&hasher, out);
521  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
522  }
523  }
524 }
525 
526 void run_rfc6979_hmac_sha256_tests(void) {
527  static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
528  static const unsigned char out1[3][32] = {
529  {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
530  {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
531  {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
532  };
533 
534  static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
535  static const unsigned char out2[3][32] = {
536  {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
537  {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
538  {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
539  };
540 
541  secp256k1_rfc6979_hmac_sha256 rng;
542  unsigned char out[32];
543  int i;
544 
545  secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
546  for (i = 0; i < 3; i++) {
547  secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
548  CHECK(secp256k1_memcmp_var(out, out1[i], 32) == 0);
549  }
550  secp256k1_rfc6979_hmac_sha256_finalize(&rng);
551 
552  secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
553  for (i = 0; i < 3; i++) {
554  secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
555  CHECK(secp256k1_memcmp_var(out, out1[i], 32) != 0);
556  }
557  secp256k1_rfc6979_hmac_sha256_finalize(&rng);
558 
559  secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
560  for (i = 0; i < 3; i++) {
561  secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
562  CHECK(secp256k1_memcmp_var(out, out2[i], 32) == 0);
563  }
564  secp256k1_rfc6979_hmac_sha256_finalize(&rng);
565 }
566 
567 /***** RANDOM TESTS *****/
568 
569 void test_rand_bits(int rand32, int bits) {
570  /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
571  * get a false negative chance below once in a billion */
572  static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
573  /* We try multiplying the results with various odd numbers, which shouldn't
574  * influence the uniform distribution modulo a power of 2. */
575  static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
576  /* We only select up to 6 bits from the output to analyse */
577  unsigned int usebits = bits > 6 ? 6 : bits;
578  unsigned int maxshift = bits - usebits;
579  /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
580  number, track all observed outcomes, one per bit in a uint64_t. */
581  uint64_t x[6][27] = {{0}};
582  unsigned int i, shift, m;
583  /* Multiply the output of all rand calls with the odd number m, which
584  should not change the uniformity of its distribution. */
585  for (i = 0; i < rounds[usebits]; i++) {
586  uint32_t r = (rand32 ? secp256k1_testrand32() : secp256k1_testrand_bits(bits));
587  CHECK((((uint64_t)r) >> bits) == 0);
588  for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
589  uint32_t rm = r * mults[m];
590  for (shift = 0; shift <= maxshift; shift++) {
591  x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
592  }
593  }
594  }
595  for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
596  for (shift = 0; shift <= maxshift; shift++) {
597  /* Test that the lower usebits bits of x[shift] are 1 */
598  CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
599  }
600  }
601 }
602 
603 /* Subrange must be a whole divisor of range, and at most 64 */
604 void test_rand_int(uint32_t range, uint32_t subrange) {
605  /* (1-1/subrange)^rounds < 1/10^9 */
606  int rounds = (subrange * 2073) / 100;
607  int i;
608  uint64_t x = 0;
609  CHECK((range % subrange) == 0);
610  for (i = 0; i < rounds; i++) {
611  uint32_t r = secp256k1_testrand_int(range);
612  CHECK(r < range);
613  r = r % subrange;
614  x |= (((uint64_t)1) << r);
615  }
616  /* Test that the lower subrange bits of x are 1. */
617  CHECK(((~x) << (64 - subrange)) == 0);
618 }
619 
620 void run_rand_bits(void) {
621  size_t b;
622  test_rand_bits(1, 32);
623  for (b = 1; b <= 32; b++) {
624  test_rand_bits(0, b);
625  }
626 }
627 
628 void run_rand_int(void) {
629  static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
630  static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
631  unsigned int m, s;
632  for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
633  for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
634  test_rand_int(ms[m] * ss[s], ss[s]);
635  }
636  }
637 }
638 
639 /***** MODINV TESTS *****/
640 
641 /* Compute the modular inverse of (odd) x mod 2^64. */
642 uint64_t modinv2p64(uint64_t x) {
643  /* If w = 1/x mod 2^(2^L), then w*(2 - w*x) = 1/x mod 2^(2^(L+1)). See
644  * Hacker's Delight second edition, Henry S. Warren, Jr., pages 245-247 for
645  * why. Start with L=0, for which it is true for every odd x that
646  * 1/x=1 mod 2. Iterating 6 times gives us 1/x mod 2^64. */
647  int l;
648  uint64_t w = 1;
649  CHECK(x & 1);
650  for (l = 0; l < 6; ++l) w *= (2 - w*x);
651  return w;
652 }
653 
654 /* compute out = (a*b) mod m; if b=NULL, treat b=1.
655  *
656  * Out is a 512-bit number (represented as 32 uint16_t's in LE order). The other
657  * arguments are 256-bit numbers (represented as 16 uint16_t's in LE order). */
658 void mulmod256(uint16_t* out, const uint16_t* a, const uint16_t* b, const uint16_t* m) {
659  uint16_t mul[32];
660  uint64_t c = 0;
661  int i, j;
662  int m_bitlen = 0;
663  int mul_bitlen = 0;
664 
665  if (b != NULL) {
666  /* Compute the product of a and b, and put it in mul. */
667  for (i = 0; i < 32; ++i) {
668  for (j = i <= 15 ? 0 : i - 15; j <= i && j <= 15; j++) {
669  c += (uint64_t)a[j] * b[i - j];
670  }
671  mul[i] = c & 0xFFFF;
672  c >>= 16;
673  }
674  CHECK(c == 0);
675 
676  /* compute the highest set bit in mul */
677  for (i = 511; i >= 0; --i) {
678  if ((mul[i >> 4] >> (i & 15)) & 1) {
679  mul_bitlen = i;
680  break;
681  }
682  }
683  } else {
684  /* if b==NULL, set mul=a. */
685  memcpy(mul, a, 32);
686  memset(mul + 16, 0, 32);
687  /* compute the highest set bit in mul */
688  for (i = 255; i >= 0; --i) {
689  if ((mul[i >> 4] >> (i & 15)) & 1) {
690  mul_bitlen = i;
691  break;
692  }
693  }
694  }
695 
696  /* Compute the highest set bit in m. */
697  for (i = 255; i >= 0; --i) {
698  if ((m[i >> 4] >> (i & 15)) & 1) {
699  m_bitlen = i;
700  break;
701  }
702  }
703 
704  /* Try do mul -= m<<i, for i going down to 0, whenever the result is not negative */
705  for (i = mul_bitlen - m_bitlen; i >= 0; --i) {
706  uint16_t mul2[32];
707  int64_t cs;
708 
709  /* Compute mul2 = mul - m<<i. */
710  cs = 0; /* accumulator */
711  for (j = 0; j < 32; ++j) { /* j loops over the output limbs in mul2. */
712  /* Compute sub: the 16 bits in m that will be subtracted from mul2[j]. */
713  uint16_t sub = 0;
714  int p;
715  for (p = 0; p < 16; ++p) { /* p loops over the bit positions in mul2[j]. */
716  int bitpos = j * 16 - i + p; /* bitpos is the correspond bit position in m. */
717  if (bitpos >= 0 && bitpos < 256) {
718  sub |= ((m[bitpos >> 4] >> (bitpos & 15)) & 1) << p;
719  }
720  }
721  /* Add mul[j]-sub to accumulator, and shift bottom 16 bits out to mul2[j]. */
722  cs += mul[j];
723  cs -= sub;
724  mul2[j] = (cs & 0xFFFF);
725  cs >>= 16;
726  }
727  /* If remainder of subtraction is 0, set mul = mul2. */
728  if (cs == 0) {
729  memcpy(mul, mul2, sizeof(mul));
730  }
731  }
732  /* Sanity check: test that all limbs higher than m's highest are zero */
733  for (i = (m_bitlen >> 4) + 1; i < 32; ++i) {
734  CHECK(mul[i] == 0);
735  }
736  memcpy(out, mul, 32);
737 }
738 
739 /* Convert a 256-bit number represented as 16 uint16_t's to signed30 notation. */
740 void uint16_to_signed30(secp256k1_modinv32_signed30* out, const uint16_t* in) {
741  int i;
742  memset(out->v, 0, sizeof(out->v));
743  for (i = 0; i < 256; ++i) {
744  out->v[i / 30] |= (int32_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 30);
745  }
746 }
747 
748 /* Convert a 256-bit number in signed30 notation to a representation as 16 uint16_t's. */
749 void signed30_to_uint16(uint16_t* out, const secp256k1_modinv32_signed30* in) {
750  int i;
751  memset(out, 0, 32);
752  for (i = 0; i < 256; ++i) {
753  out[i >> 4] |= (((in->v[i / 30]) >> (i % 30)) & 1) << (i & 15);
754  }
755 }
756 
757 /* Randomly mutate the sign of limbs in signed30 representation, without changing the value. */
758 void mutate_sign_signed30(secp256k1_modinv32_signed30* x) {
759  int i;
760  for (i = 0; i < 16; ++i) {
761  int pos = secp256k1_testrand_int(8);
762  if (x->v[pos] > 0 && x->v[pos + 1] <= 0x3fffffff) {
763  x->v[pos] -= 0x40000000;
764  x->v[pos + 1] += 1;
765  } else if (x->v[pos] < 0 && x->v[pos + 1] >= 0x3fffffff) {
766  x->v[pos] += 0x40000000;
767  x->v[pos + 1] -= 1;
768  }
769  }
770 }
771 
772 /* Test secp256k1_modinv32{_var}, using inputs in 16-bit limb format, and returning inverse. */
773 void test_modinv32_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
774  uint16_t tmp[16];
775  secp256k1_modinv32_signed30 x;
776  secp256k1_modinv32_modinfo m;
777  int i, vartime, nonzero;
778 
779  uint16_to_signed30(&x, in);
780  nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4] | x.v[5] | x.v[6] | x.v[7] | x.v[8]) != 0;
781  uint16_to_signed30(&m.modulus, mod);
782  mutate_sign_signed30(&m.modulus);
783 
784  /* compute 1/modulus mod 2^30 */
785  m.modulus_inv30 = modinv2p64(m.modulus.v[0]) & 0x3fffffff;
786  CHECK(((m.modulus_inv30 * m.modulus.v[0]) & 0x3fffffff) == 1);
787 
788  for (vartime = 0; vartime < 2; ++vartime) {
789  /* compute inverse */
790  (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
791 
792  /* produce output */
793  signed30_to_uint16(out, &x);
794 
795  /* check if the inverse times the input is 1 (mod m), unless x is 0. */
796  mulmod256(tmp, out, in, mod);
797  CHECK(tmp[0] == nonzero);
798  for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
799 
800  /* invert again */
801  (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
802 
803  /* check if the result is equal to the input */
804  signed30_to_uint16(tmp, &x);
805  for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
806  }
807 }
808 
809 #ifdef SECP256K1_WIDEMUL_INT128
810 /* Convert a 256-bit number represented as 16 uint16_t's to signed62 notation. */
811 void uint16_to_signed62(secp256k1_modinv64_signed62* out, const uint16_t* in) {
812  int i;
813  memset(out->v, 0, sizeof(out->v));
814  for (i = 0; i < 256; ++i) {
815  out->v[i / 62] |= (int64_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 62);
816  }
817 }
818 
819 /* Convert a 256-bit number in signed62 notation to a representation as 16 uint16_t's. */
820 void signed62_to_uint16(uint16_t* out, const secp256k1_modinv64_signed62* in) {
821  int i;
822  memset(out, 0, 32);
823  for (i = 0; i < 256; ++i) {
824  out[i >> 4] |= (((in->v[i / 62]) >> (i % 62)) & 1) << (i & 15);
825  }
826 }
827 
828 /* Randomly mutate the sign of limbs in signed62 representation, without changing the value. */
829 void mutate_sign_signed62(secp256k1_modinv64_signed62* x) {
830  static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
831  int i;
832  for (i = 0; i < 8; ++i) {
833  int pos = secp256k1_testrand_int(4);
834  if (x->v[pos] > 0 && x->v[pos + 1] <= M62) {
835  x->v[pos] -= (M62 + 1);
836  x->v[pos + 1] += 1;
837  } else if (x->v[pos] < 0 && x->v[pos + 1] >= -M62) {
838  x->v[pos] += (M62 + 1);
839  x->v[pos + 1] -= 1;
840  }
841  }
842 }
843 
844 /* Test secp256k1_modinv64{_var}, using inputs in 16-bit limb format, and returning inverse. */
845 void test_modinv64_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
846  static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
847  uint16_t tmp[16];
848  secp256k1_modinv64_signed62 x;
849  secp256k1_modinv64_modinfo m;
850  int i, vartime, nonzero;
851 
852  uint16_to_signed62(&x, in);
853  nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4]) != 0;
854  uint16_to_signed62(&m.modulus, mod);
855  mutate_sign_signed62(&m.modulus);
856 
857  /* compute 1/modulus mod 2^62 */
858  m.modulus_inv62 = modinv2p64(m.modulus.v[0]) & M62;
859  CHECK(((m.modulus_inv62 * m.modulus.v[0]) & M62) == 1);
860 
861  for (vartime = 0; vartime < 2; ++vartime) {
862  /* compute inverse */
863  (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
864 
865  /* produce output */
866  signed62_to_uint16(out, &x);
867 
868  /* check if the inverse times the input is 1 (mod m), unless x is 0. */
869  mulmod256(tmp, out, in, mod);
870  CHECK(tmp[0] == nonzero);
871  for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
872 
873  /* invert again */
874  (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
875 
876  /* check if the result is equal to the input */
877  signed62_to_uint16(tmp, &x);
878  for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
879  }
880 }
881 #endif
882 
883 /* test if a and b are coprime */
884 int coprime(const uint16_t* a, const uint16_t* b) {
885  uint16_t x[16], y[16], t[16];
886  int i;
887  int iszero;
888  memcpy(x, a, 32);
889  memcpy(y, b, 32);
890 
891  /* simple gcd loop: while x!=0, (x,y)=(y%x,x) */
892  while (1) {
893  iszero = 1;
894  for (i = 0; i < 16; ++i) {
895  if (x[i] != 0) {
896  iszero = 0;
897  break;
898  }
899  }
900  if (iszero) break;
901  mulmod256(t, y, NULL, x);
902  memcpy(y, x, 32);
903  memcpy(x, t, 32);
904  }
905 
906  /* return whether y=1 */
907  if (y[0] != 1) return 0;
908  for (i = 1; i < 16; ++i) {
909  if (y[i] != 0) return 0;
910  }
911  return 1;
912 }
913 
914 void run_modinv_tests(void) {
915  /* Fixed test cases. Each tuple is (input, modulus, output), each as 16x16 bits in LE order. */
916  static const uint16_t CASES[][3][16] = {
917  /* Test case known to need 713 divsteps */
918  {{0x1513, 0x5389, 0x54e9, 0x2798, 0x1957, 0x66a0, 0x8057, 0x3477,
919  0x7784, 0x1052, 0x326a, 0x9331, 0x6506, 0xa95c, 0x91f3, 0xfb5e},
920  {0x2bdd, 0x8df4, 0xcc61, 0x481f, 0xdae5, 0x5ca7, 0xf43b, 0x7d54,
921  0x13d6, 0x469b, 0x2294, 0x20f4, 0xb2a4, 0xa2d1, 0x3ff1, 0xfd4b},
922  {0xffd8, 0xd9a0, 0x456e, 0x81bb, 0xbabd, 0x6cea, 0x6dbd, 0x73ab,
923  0xbb94, 0x3d3c, 0xdf08, 0x31c4, 0x3e32, 0xc179, 0x2486, 0xb86b}},
924  /* Test case known to need 589 divsteps, reaching delta=-140 and
925  delta=141. */
926  {{0x3fb1, 0x903b, 0x4eb7, 0x4813, 0xd863, 0x26bf, 0xd89f, 0xa8a9,
927  0x02fe, 0x57c6, 0x554a, 0x4eab, 0x165e, 0x3d61, 0xee1e, 0x456c},
928  {0x9295, 0x823b, 0x5c1f, 0x5386, 0x48e0, 0x02ff, 0x4c2a, 0xa2da,
929  0xe58f, 0x967c, 0xc97e, 0x3f5a, 0x69fb, 0x52d9, 0x0a86, 0xb4a3},
930  {0x3d30, 0xb893, 0xa809, 0xa7a8, 0x26f5, 0x5b42, 0x55be, 0xf4d0,
931  0x12c2, 0x7e6a, 0xe41a, 0x90c7, 0xebfa, 0xf920, 0x304e, 0x1419}},
932  /* Test case known to need 650 divsteps, and doing 65 consecutive (f,g/2) steps. */
933  {{0x8583, 0x5058, 0xbeae, 0xeb69, 0x48bc, 0x52bb, 0x6a9d, 0xcc94,
934  0x2a21, 0x87d5, 0x5b0d, 0x42f6, 0x5b8a, 0x2214, 0xe9d6, 0xa040},
935  {0x7531, 0x27cb, 0x7e53, 0xb739, 0x6a5f, 0x83f5, 0xa45c, 0xcb1d,
936  0x8a87, 0x1c9c, 0x51d7, 0x851c, 0xb9d8, 0x1fbe, 0xc241, 0xd4a3},
937  {0xcdb4, 0x275c, 0x7d22, 0xa906, 0x0173, 0xc054, 0x7fdf, 0x5005,
938  0x7fb8, 0x9059, 0xdf51, 0x99df, 0x2654, 0x8f6e, 0x070f, 0xb347}},
939  /* Test case with the group order as modulus, needing 635 divsteps. */
940  {{0x95ed, 0x6c01, 0xd113, 0x5ff1, 0xd7d0, 0x29cc, 0x5817, 0x6120,
941  0xca8e, 0xaad1, 0x25ae, 0x8e84, 0x9af6, 0x30bf, 0xf0ed, 0x1686},
942  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
943  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
944  {0x1631, 0xbf4a, 0x286a, 0x2716, 0x469f, 0x2ac8, 0x1312, 0xe9bc,
945  0x04f4, 0x304b, 0x9931, 0x113b, 0xd932, 0xc8f4, 0x0d0d, 0x01a1}},
946  /* Test case with the field size as modulus, needing 637 divsteps. */
947  {{0x9ec3, 0x1919, 0xca84, 0x7c11, 0xf996, 0x06f3, 0x5408, 0x6688,
948  0x1320, 0xdb8a, 0x632a, 0x0dcb, 0x8a84, 0x6bee, 0x9c95, 0xe34e},
949  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
950  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
951  {0x18e5, 0x19b6, 0xdf92, 0x1aaa, 0x09fb, 0x8a3f, 0x52b0, 0x8701,
952  0xac0c, 0x2582, 0xda44, 0x9bcc, 0x6828, 0x1c53, 0xbd8f, 0xbd2c}},
953  /* Test case with the field size as modulus, needing 935 divsteps with
954  broken eta handling. */
955  {{0x1b37, 0xbdc3, 0x8bcd, 0x25e3, 0x1eae, 0x567d, 0x30b6, 0xf0d8,
956  0x9277, 0x0cf8, 0x9c2e, 0xecd7, 0x631d, 0xe38f, 0xd4f8, 0x5c93},
957  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
958  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
959  {0x1622, 0xe05b, 0xe880, 0x7de9, 0x3e45, 0xb682, 0xee6c, 0x67ed,
960  0xa179, 0x15db, 0x6b0d, 0xa656, 0x7ccb, 0x8ef7, 0xa2ff, 0xe279}},
961  /* Test case with the group size as modulus, needing 981 divsteps with
962  broken eta handling. */
963  {{0xfeb9, 0xb877, 0xee41, 0x7fa3, 0x87da, 0x94c4, 0x9d04, 0xc5ae,
964  0x5708, 0x0994, 0xfc79, 0x0916, 0xbf32, 0x3ad8, 0xe11c, 0x5ca2},
965  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
966  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
967  {0x0f12, 0x075e, 0xce1c, 0x6f92, 0xc80f, 0xca92, 0x9a04, 0x6126,
968  0x4b6c, 0x57d6, 0xca31, 0x97f3, 0x1f99, 0xf4fd, 0xda4d, 0x42ce}},
969  /* Test case with the field size as modulus, input = 0. */
970  {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
971  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
972  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
973  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
974  {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
975  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
976  /* Test case with the field size as modulus, input = 1. */
977  {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
978  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
979  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
980  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
981  {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
982  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
983  /* Test case with the field size as modulus, input = 2. */
984  {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
985  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
986  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
987  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
988  {0xfe18, 0x7fff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
989  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
990  /* Test case with the field size as modulus, input = field - 1. */
991  {{0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
992  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
993  {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
994  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
995  {0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
996  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
997  /* Test case with the group size as modulus, input = 0. */
998  {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
999  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1000  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1001  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1002  {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1003  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1004  /* Test case with the group size as modulus, input = 1. */
1005  {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1006  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1007  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1008  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1009  {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1010  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1011  /* Test case with the group size as modulus, input = 2. */
1012  {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1013  0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1014  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1015  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1016  {0x20a1, 0x681b, 0x2f46, 0xdfe9, 0x501d, 0x57a4, 0x6e73, 0x5d57,
1017  0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1018  /* Test case with the group size as modulus, input = group - 1. */
1019  {{0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1020  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1021  {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1022  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1023  {0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1024  0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}}
1025  };
1026 
1027  int i, j, ok;
1028 
1029  /* Test known inputs/outputs */
1030  for (i = 0; (size_t)i < sizeof(CASES) / sizeof(CASES[0]); ++i) {
1031  uint16_t out[16];
1032  test_modinv32_uint16(out, CASES[i][0], CASES[i][1]);
1033  for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1034 #ifdef SECP256K1_WIDEMUL_INT128
1035  test_modinv64_uint16(out, CASES[i][0], CASES[i][1]);
1036  for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1037 #endif
1038  }
1039 
1040  for (i = 0; i < 100 * count; ++i) {
1041  /* 256-bit numbers in 16-uint16_t's notation */
1042  static const uint16_t ZERO[16] = {0};
1043  uint16_t xd[16]; /* the number (in range [0,2^256)) to be inverted */
1044  uint16_t md[16]; /* the modulus (odd, in range [3,2^256)) */
1045  uint16_t id[16]; /* the inverse of xd mod md */
1046 
1047  /* generate random xd and md, so that md is odd, md>1, xd<md, and gcd(xd,md)=1 */
1048  do {
1049  /* generate random xd and md (with many subsequent 0s and 1s) */
1050  secp256k1_testrand256_test((unsigned char*)xd);
1051  secp256k1_testrand256_test((unsigned char*)md);
1052  md[0] |= 1; /* modulus must be odd */
1053  /* If modulus is 1, find another one. */
1054  ok = md[0] != 1;
1055  for (j = 1; j < 16; ++j) ok |= md[j] != 0;
1056  mulmod256(xd, xd, NULL, md); /* Make xd = xd mod md */
1057  } while (!(ok && coprime(xd, md)));
1058 
1059  test_modinv32_uint16(id, xd, md);
1060 #ifdef SECP256K1_WIDEMUL_INT128
1061  test_modinv64_uint16(id, xd, md);
1062 #endif
1063 
1064  /* In a few cases, also test with input=0 */
1065  if (i < count) {
1066  test_modinv32_uint16(id, ZERO, md);
1067 #ifdef SECP256K1_WIDEMUL_INT128
1068  test_modinv64_uint16(id, ZERO, md);
1069 #endif
1070  }
1071  }
1072 }
1073 
1074 /***** SCALAR TESTS *****/
1075 
1076 
1077 void scalar_test(void) {
1078  secp256k1_scalar s;
1079  secp256k1_scalar s1;
1080  secp256k1_scalar s2;
1081  unsigned char c[32];
1082 
1083  /* Set 's' to a random scalar, with value 'snum'. */
1084  random_scalar_order_test(&s);
1085 
1086  /* Set 's1' to a random scalar, with value 's1num'. */
1087  random_scalar_order_test(&s1);
1088 
1089  /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
1090  random_scalar_order_test(&s2);
1091  secp256k1_scalar_get_b32(c, &s2);
1092 
1093  {
1094  int i;
1095  /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
1096  secp256k1_scalar n;
1097  secp256k1_scalar_set_int(&n, 0);
1098  for (i = 0; i < 256; i += 4) {
1099  secp256k1_scalar t;
1100  int j;
1101  secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
1102  for (j = 0; j < 4; j++) {
1103  secp256k1_scalar_add(&n, &n, &n);
1104  }
1105  secp256k1_scalar_add(&n, &n, &t);
1106  }
1107  CHECK(secp256k1_scalar_eq(&n, &s));
1108  }
1109 
1110  {
1111  /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
1112  secp256k1_scalar n;
1113  int i = 0;
1114  secp256k1_scalar_set_int(&n, 0);
1115  while (i < 256) {
1116  secp256k1_scalar t;
1117  int j;
1118  int now = secp256k1_testrand_int(15) + 1;
1119  if (now + i > 256) {
1120  now = 256 - i;
1121  }
1122  secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
1123  for (j = 0; j < now; j++) {
1124  secp256k1_scalar_add(&n, &n, &n);
1125  }
1126  secp256k1_scalar_add(&n, &n, &t);
1127  i += now;
1128  }
1129  CHECK(secp256k1_scalar_eq(&n, &s));
1130  }
1131 
1132  {
1133  /* test secp256k1_scalar_shr_int */
1134  secp256k1_scalar r;
1135  int i;
1136  random_scalar_order_test(&r);
1137  for (i = 0; i < 100; ++i) {
1138  int low;
1139  int shift = 1 + secp256k1_testrand_int(15);
1140  int expected = r.d[0] % (1 << shift);
1141  low = secp256k1_scalar_shr_int(&r, shift);
1142  CHECK(expected == low);
1143  }
1144  }
1145 
1146  {
1147  /* Test commutativity of add. */
1148  secp256k1_scalar r1, r2;
1149  secp256k1_scalar_add(&r1, &s1, &s2);
1150  secp256k1_scalar_add(&r2, &s2, &s1);
1151  CHECK(secp256k1_scalar_eq(&r1, &r2));
1152  }
1153 
1154  {
1155  secp256k1_scalar r1, r2;
1156  secp256k1_scalar b;
1157  int i;
1158  /* Test add_bit. */
1159  int bit = secp256k1_testrand_bits(8);
1160  secp256k1_scalar_set_int(&b, 1);
1161  CHECK(secp256k1_scalar_is_one(&b));
1162  for (i = 0; i < bit; i++) {
1163  secp256k1_scalar_add(&b, &b, &b);
1164  }
1165  r1 = s1;
1166  r2 = s1;
1167  if (!secp256k1_scalar_add(&r1, &r1, &b)) {
1168  /* No overflow happened. */
1169  secp256k1_scalar_cadd_bit(&r2, bit, 1);
1170  CHECK(secp256k1_scalar_eq(&r1, &r2));
1171  /* cadd is a noop when flag is zero */
1172  secp256k1_scalar_cadd_bit(&r2, bit, 0);
1173  CHECK(secp256k1_scalar_eq(&r1, &r2));
1174  }
1175  }
1176 
1177  {
1178  /* Test commutativity of mul. */
1179  secp256k1_scalar r1, r2;
1180  secp256k1_scalar_mul(&r1, &s1, &s2);
1181  secp256k1_scalar_mul(&r2, &s2, &s1);
1182  CHECK(secp256k1_scalar_eq(&r1, &r2));
1183  }
1184 
1185  {
1186  /* Test associativity of add. */
1187  secp256k1_scalar r1, r2;
1188  secp256k1_scalar_add(&r1, &s1, &s2);
1189  secp256k1_scalar_add(&r1, &r1, &s);
1190  secp256k1_scalar_add(&r2, &s2, &s);
1191  secp256k1_scalar_add(&r2, &s1, &r2);
1192  CHECK(secp256k1_scalar_eq(&r1, &r2));
1193  }
1194 
1195  {
1196  /* Test associativity of mul. */
1197  secp256k1_scalar r1, r2;
1198  secp256k1_scalar_mul(&r1, &s1, &s2);
1199  secp256k1_scalar_mul(&r1, &r1, &s);
1200  secp256k1_scalar_mul(&r2, &s2, &s);
1201  secp256k1_scalar_mul(&r2, &s1, &r2);
1202  CHECK(secp256k1_scalar_eq(&r1, &r2));
1203  }
1204 
1205  {
1206  /* Test distributitivity of mul over add. */
1207  secp256k1_scalar r1, r2, t;
1208  secp256k1_scalar_add(&r1, &s1, &s2);
1209  secp256k1_scalar_mul(&r1, &r1, &s);
1210  secp256k1_scalar_mul(&r2, &s1, &s);
1211  secp256k1_scalar_mul(&t, &s2, &s);
1212  secp256k1_scalar_add(&r2, &r2, &t);
1213  CHECK(secp256k1_scalar_eq(&r1, &r2));
1214  }
1215 
1216  {
1217  /* Test multiplicative identity. */
1218  secp256k1_scalar r1, v1;
1219  secp256k1_scalar_set_int(&v1,1);
1220  secp256k1_scalar_mul(&r1, &s1, &v1);
1221  CHECK(secp256k1_scalar_eq(&r1, &s1));
1222  }
1223 
1224  {
1225  /* Test additive identity. */
1226  secp256k1_scalar r1, v0;
1227  secp256k1_scalar_set_int(&v0,0);
1228  secp256k1_scalar_add(&r1, &s1, &v0);
1229  CHECK(secp256k1_scalar_eq(&r1, &s1));
1230  }
1231 
1232  {
1233  /* Test zero product property. */
1234  secp256k1_scalar r1, v0;
1235  secp256k1_scalar_set_int(&v0,0);
1236  secp256k1_scalar_mul(&r1, &s1, &v0);
1237  CHECK(secp256k1_scalar_eq(&r1, &v0));
1238  }
1239 
1240 }
1241 
1242 void run_scalar_set_b32_seckey_tests(void) {
1243  unsigned char b32[32];
1244  secp256k1_scalar s1;
1245  secp256k1_scalar s2;
1246 
1247  /* Usually set_b32 and set_b32_seckey give the same result */
1248  random_scalar_order_b32(b32);
1249  secp256k1_scalar_set_b32(&s1, b32, NULL);
1250  CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 1);
1251  CHECK(secp256k1_scalar_eq(&s1, &s2) == 1);
1252 
1253  memset(b32, 0, sizeof(b32));
1254  CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
1255  memset(b32, 0xFF, sizeof(b32));
1256  CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
1257 }
1258 
1259 void run_scalar_tests(void) {
1260  int i;
1261  for (i = 0; i < 128 * count; i++) {
1262  scalar_test();
1263  }
1264  for (i = 0; i < count; i++) {
1265  run_scalar_set_b32_seckey_tests();
1266  }
1267 
1268  {
1269  /* (-1)+1 should be zero. */
1270  secp256k1_scalar s, o;
1271  secp256k1_scalar_set_int(&s, 1);
1272  CHECK(secp256k1_scalar_is_one(&s));
1273  secp256k1_scalar_negate(&o, &s);
1274  secp256k1_scalar_add(&o, &o, &s);
1275  CHECK(secp256k1_scalar_is_zero(&o));
1276  secp256k1_scalar_negate(&o, &o);
1277  CHECK(secp256k1_scalar_is_zero(&o));
1278  }
1279 
1280  {
1281  /* Does check_overflow check catch all ones? */
1282  static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
1283  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
1284  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
1285  );
1286  CHECK(secp256k1_scalar_check_overflow(&overflowed));
1287  }
1288 
1289  {
1290  /* Static test vectors.
1291  * These were reduced from ~10^12 random vectors based on comparison-decision
1292  * and edge-case coverage on 32-bit and 64-bit implementations.
1293  * The responses were generated with Sage 5.9.
1294  */
1295  secp256k1_scalar x;
1296  secp256k1_scalar y;
1297  secp256k1_scalar z;
1298  secp256k1_scalar zz;
1299  secp256k1_scalar one;
1300  secp256k1_scalar r1;
1301  secp256k1_scalar r2;
1302  secp256k1_scalar zzv;
1303  int overflow;
1304  unsigned char chal[33][2][32] = {
1305  {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
1306  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1307  0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
1308  0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
1309  {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
1310  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
1311  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1312  0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
1313  {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
1314  0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
1315  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1316  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1317  {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1318  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
1319  0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1320  0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
1321  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1322  0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
1323  0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
1324  0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
1325  {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
1326  0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
1327  0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
1328  0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
1329  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1330  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1331  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1332  0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
1333  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
1334  0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
1335  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
1336  0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
1337  {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
1338  0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
1339  0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
1340  0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
1341  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
1342  0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1343  0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
1344  0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
1345  {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
1346  0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1347  0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
1348  0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1349  {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1350  0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
1351  0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
1352  0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
1353  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
1354  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1355  0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
1356  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
1357  {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
1358  0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1359  0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
1360  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1361  {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
1362  0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1363  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1364  0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
1365  {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
1366  0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
1367  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1368  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1369  {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1370  0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
1371  0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1372  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1373  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1374  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1375  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1376  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1377  {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1378  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1379  0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
1380  0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
1381  {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1382  0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
1383  0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
1384  0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
1385  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
1386  0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1387  0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1388  0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
1389  {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
1390  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1391  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
1392  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
1393  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1394  0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1395  0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1396  0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1397  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1398  0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
1399  0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
1400  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1401  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1402  0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1403  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1404  0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
1405  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
1406  0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
1407  0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
1408  0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
1409  {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1410  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1411  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1412  0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
1413  {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
1414  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1415  0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
1416  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
1417  {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
1418  0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
1419  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1420  0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1421  {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
1422  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1423  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1424  0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
1425  {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
1426  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1427  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1428  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1429  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1430  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
1431  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1432  0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
1433  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1434  0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1435  0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
1436  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
1437  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1438  0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1439  0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
1440  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1441  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1442  0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1443  0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
1444  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
1445  {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1446  0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
1447  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1448  0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
1449  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1450  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1451  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1452  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1453  {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1454  0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
1455  0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
1456  0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
1457  {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
1458  0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
1459  0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1460  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
1461  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1462  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1463  0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
1464  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
1465  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1466  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1467  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1468  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1469  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1470  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1471  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1472  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
1473  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1474  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1475  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1476  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
1477  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1478  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1479  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1480  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1481  {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1482  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1483  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1484  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1485  {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1486  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1487  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1488  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1489  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
1490  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1491  0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
1492  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
1493  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
1494  0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
1495  0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
1496  0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
1497  {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1498  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1499  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1500  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1501  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1502  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1503  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1504  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
1505  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1506  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1507  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1508  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1509  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1510  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1511  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1512  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1513  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1514  0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
1515  0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
1516  0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1517  {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1518  0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1519  0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
1520  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1521  {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
1522  0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1523  0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1524  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
1525  {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1526  0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
1527  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1528  0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
1529  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1530  0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1531  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1532  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
1533  {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1534  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1535  0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
1536  0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
1537  {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1538  0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
1539  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
1540  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1541  {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
1542  0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
1543  0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1544  0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
1545  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1546  0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1547  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
1548  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1549  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1550  0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
1551  0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
1552  0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
1553  {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
1554  0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
1555  0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1556  0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
1557  {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1558  0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
1559  0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1560  0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
1561  {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1562  0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1563  0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1564  0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
1565  {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1566  0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1567  0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1568  0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
1569  };
1570  unsigned char res[33][2][32] = {
1571  {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
1572  0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
1573  0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
1574  0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
1575  {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
1576  0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
1577  0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
1578  0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
1579  {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
1580  0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
1581  0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
1582  0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
1583  {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
1584  0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
1585  0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
1586  0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
1587  {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
1588  0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
1589  0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
1590  0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
1591  {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
1592  0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
1593  0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
1594  0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
1595  {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
1596  0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
1597  0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
1598  0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
1599  {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
1600  0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
1601  0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
1602  0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
1603  {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
1604  0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
1605  0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
1606  0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
1607  {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
1608  0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
1609  0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
1610  0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
1611  {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
1612  0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
1613  0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
1614  0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
1615  {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
1616  0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
1617  0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
1618  0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
1619  {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
1620  0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
1621  0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
1622  0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
1623  {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
1624  0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
1625  0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
1626  0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
1627  {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
1628  0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
1629  0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
1630  0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
1631  {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
1632  0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
1633  0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
1634  0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
1635  {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
1636  0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
1637  0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
1638  0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
1639  {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
1640  0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
1641  0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
1642  0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
1643  {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
1644  0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
1645  0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
1646  0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
1647  {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
1648  0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
1649  0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
1650  0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
1651  {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
1652  0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
1653  0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
1654  0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
1655  {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
1656  0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
1657  0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
1658  0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
1659  {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
1660  0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
1661  0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
1662  0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
1663  {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
1664  0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
1665  0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
1666  0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
1667  {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
1668  0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
1669  0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
1670  0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
1671  {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
1672  0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
1673  0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
1674  0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
1675  {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
1676  0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
1677  0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
1678  0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
1679  {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
1680  0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
1681  0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
1682  0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
1683  {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
1684  0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
1685  0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
1686  0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
1687  {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
1688  0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
1689  0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
1690  0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
1691  {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
1692  0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
1693  0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
1694  0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
1695  {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
1696  0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
1697  0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
1698  0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
1699  {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
1700  0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
1701  0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
1702  0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
1703  {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
1704  0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
1705  0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
1706  0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
1707  {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
1708  0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
1709  0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
1710  0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
1711  {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
1712  0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
1713  0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
1714  0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
1715  {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
1716  0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
1717  0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
1718  0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
1719  {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
1720  0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
1721  0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
1722  0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
1723  {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
1724  0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
1725  0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
1726  0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
1727  {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
1728  0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
1729  0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
1730  0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
1731  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1732  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1733  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1734  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1735  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1736  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1737  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1738  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1739  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1740  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1741  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1742  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1743  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1744  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1745  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1746  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1747  {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1748  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1749  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1750  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
1751  {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1752  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1753  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1754  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1755  {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
1756  0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
1757  0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
1758  0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
1759  {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
1760  0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
1761  0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
1762  0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
1763  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1764  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1765  0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
1766  0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
1767  {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1768  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1769  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1770  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1771  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1772  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1773  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1774  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1775  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1776  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1777  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1778  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1779  {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
1780  0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
1781  0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
1782  0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
1783  {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
1784  0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
1785  0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
1786  0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
1787  {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
1788  0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
1789  0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
1790  0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
1791  {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
1792  0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
1793  0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
1794  0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
1795  {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
1796  0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
1797  0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
1798  0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
1799  {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
1800  0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
1801  0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
1802  0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
1803  {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
1804  0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
1805  0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
1806  0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
1807  {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
1808  0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
1809  0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
1810  0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
1811  {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
1812  0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
1813  0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
1814  0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
1815  {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
1816  0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
1817  0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
1818  0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
1819  {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
1820  0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
1821  0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
1822  0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
1823  {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
1824  0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
1825  0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
1826  0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
1827  {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1828  0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1829  0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1830  0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
1831  {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1832  0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1833  0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1834  0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
1835  };
1836  secp256k1_scalar_set_int(&one, 1);
1837  for (i = 0; i < 33; i++) {
1838  secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
1839  CHECK(!overflow);
1840  secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
1841  CHECK(!overflow);
1842  secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
1843  CHECK(!overflow);
1844  secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
1845  CHECK(!overflow);
1846  secp256k1_scalar_mul(&z, &x, &y);
1847  CHECK(!secp256k1_scalar_check_overflow(&z));
1848  CHECK(secp256k1_scalar_eq(&r1, &z));
1849  if (!secp256k1_scalar_is_zero(&y)) {
1850  secp256k1_scalar_inverse(&zz, &y);
1851  CHECK(!secp256k1_scalar_check_overflow(&zz));
1852  secp256k1_scalar_inverse_var(&zzv, &y);
1853  CHECK(secp256k1_scalar_eq(&zzv, &zz));
1854  secp256k1_scalar_mul(&z, &z, &zz);
1855  CHECK(!secp256k1_scalar_check_overflow(&z));
1856  CHECK(secp256k1_scalar_eq(&x, &z));
1857  secp256k1_scalar_mul(&zz, &zz, &y);
1858  CHECK(!secp256k1_scalar_check_overflow(&zz));
1859  CHECK(secp256k1_scalar_eq(&one, &zz));
1860  }
1861  }
1862  }
1863 }
1864 
1865 /***** FIELD TESTS *****/
1866 
1867 void random_fe(secp256k1_fe *x) {
1868  unsigned char bin[32];
1869  do {
1870  secp256k1_testrand256(bin);
1871  if (secp256k1_fe_set_b32(x, bin)) {
1872  return;
1873  }
1874  } while(1);
1875 }
1876 
1877 void random_fe_test(secp256k1_fe *x) {
1878  unsigned char bin[32];
1879  do {
1880  secp256k1_testrand256_test(bin);
1881  if (secp256k1_fe_set_b32(x, bin)) {
1882  return;
1883  }
1884  } while(1);
1885 }
1886 
1887 void random_fe_non_zero(secp256k1_fe *nz) {
1888  int tries = 10;
1889  while (--tries >= 0) {
1890  random_fe(nz);
1891  secp256k1_fe_normalize(nz);
1892  if (!secp256k1_fe_is_zero(nz)) {
1893  break;
1894  }
1895  }
1896  /* Infinitesimal probability of spurious failure here */
1897  CHECK(tries >= 0);
1898 }
1899 
1900 void random_fe_non_square(secp256k1_fe *ns) {
1901  secp256k1_fe r;
1902  random_fe_non_zero(ns);
1903  if (secp256k1_fe_sqrt(&r, ns)) {
1904  secp256k1_fe_negate(ns, ns, 1);
1905  }
1906 }
1907 
1908 int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
1909  secp256k1_fe an = *a;
1910  secp256k1_fe bn = *b;
1911  secp256k1_fe_normalize_weak(&an);
1912  secp256k1_fe_normalize_var(&bn);
1913  return secp256k1_fe_equal_var(&an, &bn);
1914 }
1915 
1916 void run_field_convert(void) {
1917  static const unsigned char b32[32] = {
1918  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1919  0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1920  0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
1921  0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
1922  };
1923  static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
1924  0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1925  0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1926  );
1927  static const secp256k1_fe fe = SECP256K1_FE_CONST(
1928  0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1929  0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1930  );
1931  secp256k1_fe fe2;
1932  unsigned char b322[32];
1933  secp256k1_fe_storage fes2;
1934  /* Check conversions to fe. */
1935  CHECK(secp256k1_fe_set_b32(&fe2, b32));
1936  CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1937  secp256k1_fe_from_storage(&fe2, &fes);
1938  CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1939  /* Check conversion from fe. */
1940  secp256k1_fe_get_b32(b322, &fe);
1941  CHECK(secp256k1_memcmp_var(b322, b32, 32) == 0);
1942  secp256k1_fe_to_storage(&fes2, &fe);
1943  CHECK(secp256k1_memcmp_var(&fes2, &fes, sizeof(fes)) == 0);
1944 }
1945 
1946 int fe_secp256k1_memcmp_var(const secp256k1_fe *a, const secp256k1_fe *b) {
1947  secp256k1_fe t = *b;
1948 #ifdef VERIFY
1949  t.magnitude = a->magnitude;
1950  t.normalized = a->normalized;
1951 #endif
1952  return secp256k1_memcmp_var(a, &t, sizeof(secp256k1_fe));
1953 }
1954 
1955 void run_field_misc(void) {
1956  secp256k1_fe x;
1957  secp256k1_fe y;
1958  secp256k1_fe z;
1959  secp256k1_fe q;
1960  secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
1961  int i, j;
1962  for (i = 0; i < 5*count; i++) {
1963  secp256k1_fe_storage xs, ys, zs;
1964  random_fe(&x);
1965  random_fe_non_zero(&y);
1966  /* Test the fe equality and comparison operations. */
1967  CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
1968  CHECK(secp256k1_fe_equal_var(&x, &x));
1969  z = x;
1970  secp256k1_fe_add(&z,&y);
1971  /* Test fe conditional move; z is not normalized here. */
1972  q = x;
1973  secp256k1_fe_cmov(&x, &z, 0);
1974 #ifdef VERIFY
1975  CHECK(x.normalized && x.magnitude == 1);
1976 #endif
1977  secp256k1_fe_cmov(&x, &x, 1);
1978  CHECK(fe_secp256k1_memcmp_var(&x, &z) != 0);
1979  CHECK(fe_secp256k1_memcmp_var(&x, &q) == 0);
1980  secp256k1_fe_cmov(&q, &z, 1);
1981 #ifdef VERIFY
1982  CHECK(!q.normalized && q.magnitude == z.magnitude);
1983 #endif
1984  CHECK(fe_secp256k1_memcmp_var(&q, &z) == 0);
1985  secp256k1_fe_normalize_var(&x);
1986  secp256k1_fe_normalize_var(&z);
1987  CHECK(!secp256k1_fe_equal_var(&x, &z));
1988  secp256k1_fe_normalize_var(&q);
1989  secp256k1_fe_cmov(&q, &z, (i&1));
1990 #ifdef VERIFY
1991  CHECK(q.normalized && q.magnitude == 1);
1992 #endif
1993  for (j = 0; j < 6; j++) {
1994  secp256k1_fe_negate(&z, &z, j+1);
1995  secp256k1_fe_normalize_var(&q);
1996  secp256k1_fe_cmov(&q, &z, (j&1));
1997 #ifdef VERIFY
1998  CHECK((q.normalized != (j&1)) && q.magnitude == ((j&1) ? z.magnitude : 1));
1999 #endif
2000  }
2001  secp256k1_fe_normalize_var(&z);
2002  /* Test storage conversion and conditional moves. */
2003  secp256k1_fe_to_storage(&xs, &x);
2004  secp256k1_fe_to_storage(&ys, &y);
2005  secp256k1_fe_to_storage(&zs, &z);
2006  secp256k1_fe_storage_cmov(&zs, &xs, 0);
2007  secp256k1_fe_storage_cmov(&zs, &zs, 1);
2008  CHECK(secp256k1_memcmp_var(&xs, &zs, sizeof(xs)) != 0);
2009  secp256k1_fe_storage_cmov(&ys, &xs, 1);
2010  CHECK(secp256k1_memcmp_var(&xs, &ys, sizeof(xs)) == 0);
2011  secp256k1_fe_from_storage(&x, &xs);
2012  secp256k1_fe_from_storage(&y, &ys);
2013  secp256k1_fe_from_storage(&z, &zs);
2014  /* Test that mul_int, mul, and add agree. */
2015  secp256k1_fe_add(&y, &x);
2016  secp256k1_fe_add(&y, &x);
2017  z = x;
2018  secp256k1_fe_mul_int(&z, 3);
2019  CHECK(check_fe_equal(&y, &z));
2020  secp256k1_fe_add(&y, &x);
2021  secp256k1_fe_add(&z, &x);
2022  CHECK(check_fe_equal(&z, &y));
2023  z = x;
2024  secp256k1_fe_mul_int(&z, 5);
2025  secp256k1_fe_mul(&q, &x, &fe5);
2026  CHECK(check_fe_equal(&z, &q));
2027  secp256k1_fe_negate(&x, &x, 1);
2028  secp256k1_fe_add(&z, &x);
2029  secp256k1_fe_add(&q, &x);
2030  CHECK(check_fe_equal(&y, &z));
2031  CHECK(check_fe_equal(&q, &y));
2032  }
2033 }
2034 
2035 void run_sqr(void) {
2036  secp256k1_fe x, s;
2037 
2038  {
2039  int i;
2040  secp256k1_fe_set_int(&x, 1);
2041  secp256k1_fe_negate(&x, &x, 1);
2042 
2043  for (i = 1; i <= 512; ++i) {
2044  secp256k1_fe_mul_int(&x, 2);
2045  secp256k1_fe_normalize(&x);
2046  secp256k1_fe_sqr(&s, &x);
2047  }
2048  }
2049 }
2050 
2051 void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
2052  secp256k1_fe r1, r2;
2053  int v = secp256k1_fe_sqrt(&r1, a);
2054  CHECK((v == 0) == (k == NULL));
2055 
2056  if (k != NULL) {
2057  /* Check that the returned root is +/- the given known answer */
2058  secp256k1_fe_negate(&r2, &r1, 1);
2059  secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
2060  secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
2061  CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
2062  }
2063 }
2064 
2065 void run_sqrt(void) {
2066  secp256k1_fe ns, x, s, t;
2067  int i;
2068 
2069  /* Check sqrt(0) is 0 */
2070  secp256k1_fe_set_int(&x, 0);
2071  secp256k1_fe_sqr(&s, &x);
2072  test_sqrt(&s, &x);
2073 
2074  /* Check sqrt of small squares (and their negatives) */
2075  for (i = 1; i <= 100; i++) {
2076  secp256k1_fe_set_int(&x, i);
2077  secp256k1_fe_sqr(&s, &x);
2078  test_sqrt(&s, &x);
2079  secp256k1_fe_negate(&t, &s, 1);
2080  test_sqrt(&t, NULL);
2081  }
2082 
2083  /* Consistency checks for large random values */
2084  for (i = 0; i < 10; i++) {
2085  int j;
2086  random_fe_non_square(&ns);
2087  for (j = 0; j < count; j++) {
2088  random_fe(&x);
2089  secp256k1_fe_sqr(&s, &x);
2090  test_sqrt(&s, &x);
2091  secp256k1_fe_negate(&t, &s, 1);
2092  test_sqrt(&t, NULL);
2093  secp256k1_fe_mul(&t, &s, &ns);
2094  test_sqrt(&t, NULL);
2095  }
2096  }
2097 }
2098 
2099 /***** FIELD/SCALAR INVERSE TESTS *****/
2100 
2101 static const secp256k1_scalar scalar_minus_one = SECP256K1_SCALAR_CONST(
2102  0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE,
2103  0xBAAEDCE6, 0xAF48A03B, 0xBFD25E8C, 0xD0364140
2104 );
2105 
2106 static const secp256k1_fe fe_minus_one = SECP256K1_FE_CONST(
2107  0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
2108  0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFC2E
2109 );
2110 
2111 /* These tests test the following identities:
2112  *
2113  * for x==0: 1/x == 0
2114  * for x!=0: x*(1/x) == 1
2115  * for x!=0 and x!=1: 1/(1/x - 1) + 1 == -1/(x-1)
2116  */
2117 
2118 void test_inverse_scalar(secp256k1_scalar* out, const secp256k1_scalar* x, int var)
2119 {
2120  secp256k1_scalar l, r, t;
2121 
2122  (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse_var)(&l, x); /* l = 1/x */
2123  if (out) *out = l;
2124  if (secp256k1_scalar_is_zero(x)) {
2125  CHECK(secp256k1_scalar_is_zero(&l));
2126  return;
2127  }
2128  secp256k1_scalar_mul(&t, x, &l); /* t = x*(1/x) */
2129  CHECK(secp256k1_scalar_is_one(&t)); /* x*(1/x) == 1 */
2130  secp256k1_scalar_add(&r, x, &scalar_minus_one); /* r = x-1 */
2131  if (secp256k1_scalar_is_zero(&r)) return;
2132  (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse_var)(&r, &r); /* r = 1/(x-1) */
2133  secp256k1_scalar_add(&l, &scalar_minus_one, &l); /* l = 1/x-1 */
2134  (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse_var)(&l, &l); /* l = 1/(1/x-1) */
2135  secp256k1_scalar_add(&l, &l, &secp256k1_scalar_one); /* l = 1/(1/x-1)+1 */
2136  secp256k1_scalar_add(&l, &r, &l); /* l = 1/(1/x-1)+1 + 1/(x-1) */
2137  CHECK(secp256k1_scalar_is_zero(&l)); /* l == 0 */
2138 }
2139 
2140 void test_inverse_field(secp256k1_fe* out, const secp256k1_fe* x, int var)
2141 {
2142  secp256k1_fe l, r, t;
2143 
2144  (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, x) ; /* l = 1/x */
2145  if (out) *out = l;
2146  t = *x; /* t = x */
2147  if (secp256k1_fe_normalizes_to_zero_var(&t)) {
2148  CHECK(secp256k1_fe_normalizes_to_zero(&l));
2149  return;
2150  }
2151  secp256k1_fe_mul(&t, x, &l); /* t = x*(1/x) */
2152  secp256k1_fe_add(&t, &fe_minus_one); /* t = x*(1/x)-1 */
2153  CHECK(secp256k1_fe_normalizes_to_zero(&t)); /* x*(1/x)-1 == 0 */
2154  r = *x; /* r = x */
2155  secp256k1_fe_add(&r, &fe_minus_one); /* r = x-1 */
2156  if (secp256k1_fe_normalizes_to_zero_var(&r)) return;
2157  (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&r, &r); /* r = 1/(x-1) */
2158  secp256k1_fe_add(&l, &fe_minus_one); /* l = 1/x-1 */
2159  (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, &l); /* l = 1/(1/x-1) */
2160  secp256k1_fe_add(&l, &secp256k1_fe_one); /* l = 1/(1/x-1)+1 */
2161  secp256k1_fe_add(&l, &r); /* l = 1/(1/x-1)+1 + 1/(x-1) */
2162  CHECK(secp256k1_fe_normalizes_to_zero_var(&l)); /* l == 0 */
2163 }
2164 
2165 void run_inverse_tests(void)
2166 {
2167  /* Fixed test cases for field inverses: pairs of (x, 1/x) mod p. */
2168  static const secp256k1_fe fe_cases[][2] = {
2169  /* 0 */
2170  {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0),
2171  SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
2172  /* 1 */
2173  {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1),
2174  SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
2175  /* -1 */
2176  {SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e),
2177  SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e)},
2178  /* 2 */
2179  {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2),
2180  SECP256K1_FE_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x7ffffe18)},
2181  /* 2**128 */
2182  {SECP256K1_FE_CONST(0, 0, 0, 1, 0, 0, 0, 0),
2183  SECP256K1_FE_CONST(0xbcb223fe, 0xdc24a059, 0xd838091d, 0xd2253530, 0xffffffff, 0xffffffff, 0xffffffff, 0x434dd931)},
2184  /* Input known to need 637 divsteps */
2185  {SECP256K1_FE_CONST(0xe34e9c95, 0x6bee8a84, 0x0dcb632a, 0xdb8a1320, 0x66885408, 0x06f3f996, 0x7c11ca84, 0x19199ec3),
2186  SECP256K1_FE_CONST(0xbd2cbd8f, 0x1c536828, 0x9bccda44, 0x2582ac0c, 0x870152b0, 0x8a3f09fb, 0x1aaadf92, 0x19b618e5)}
2187  };
2188  /* Fixed test cases for scalar inverses: pairs of (x, 1/x) mod n. */
2189  static const secp256k1_scalar scalar_cases[][2] = {
2190  /* 0 */
2191  {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
2192  SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
2193  /* 1 */
2194  {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1),
2195  SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
2196  /* -1 */
2197  {SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140),
2198  SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140)},
2199  /* 2 */
2200  {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 2),
2201  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x5d576e73, 0x57a4501d, 0xdfe92f46, 0x681b20a1)},
2202  /* 2**128 */
2203  {SECP256K1_SCALAR_CONST(0, 0, 0, 1, 0, 0, 0, 0),
2204  SECP256K1_SCALAR_CONST(0x50a51ac8, 0x34b9ec24, 0x4b0dff66, 0x5588b13e, 0x9984d5b3, 0xcf80ef0f, 0xd6a23766, 0xa3ee9f22)},
2205  /* Input known to need 635 divsteps */
2206  {SECP256K1_SCALAR_CONST(0xcb9f1d35, 0xdd4416c2, 0xcd71bf3f, 0x6365da66, 0x3c9b3376, 0x8feb7ae9, 0x32a5ef60, 0x19199ec3),
2207  SECP256K1_SCALAR_CONST(0x1d7c7bba, 0xf1893d53, 0xb834bd09, 0x36b411dc, 0x42c2e42f, 0xec72c428, 0x5e189791, 0x8e9bc708)}
2208  };
2209  int i, var, testrand;
2210  unsigned char b32[32];
2211  secp256k1_fe x_fe;
2212  secp256k1_scalar x_scalar;
2213  memset(b32, 0, sizeof(b32));
2214  /* Test fixed test cases through test_inverse_{scalar,field}, both ways. */
2215  for (i = 0; (size_t)i < sizeof(fe_cases)/sizeof(fe_cases[0]); ++i) {
2216  for (var = 0; var <= 1; ++var) {
2217  test_inverse_field(&x_fe, &fe_cases[i][0], var);
2218  check_fe_equal(&x_fe, &fe_cases[i][1]);
2219  test_inverse_field(&x_fe, &fe_cases[i][1], var);
2220  check_fe_equal(&x_fe, &fe_cases[i][0]);
2221  }
2222  }
2223  for (i = 0; (size_t)i < sizeof(scalar_cases)/sizeof(scalar_cases[0]); ++i) {
2224  for (var = 0; var <= 1; ++var) {
2225  test_inverse_scalar(&x_scalar, &scalar_cases[i][0], var);
2226  CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][1]));
2227  test_inverse_scalar(&x_scalar, &scalar_cases[i][1], var);
2228  CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][0]));
2229  }
2230  }
2231  /* Test inputs 0..999 and their respective negations. */
2232  for (i = 0; i < 1000; ++i) {
2233  b32[31] = i & 0xff;
2234  b32[30] = (i >> 8) & 0xff;
2235  secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
2236  secp256k1_fe_set_b32(&x_fe, b32);
2237  for (var = 0; var <= 1; ++var) {
2238  test_inverse_scalar(NULL, &x_scalar, var);
2239  test_inverse_field(NULL, &x_fe, var);
2240  }
2241  secp256k1_scalar_negate(&x_scalar, &x_scalar);
2242  secp256k1_fe_negate(&x_fe, &x_fe, 1);
2243  for (var = 0; var <= 1; ++var) {
2244  test_inverse_scalar(NULL, &x_scalar, var);
2245  test_inverse_field(NULL, &x_fe, var);
2246  }
2247  }
2248  /* test 128*count random inputs; half with testrand256_test, half with testrand256 */
2249  for (testrand = 0; testrand <= 1; ++testrand) {
2250  for (i = 0; i < 64 * count; ++i) {
2251  (testrand ? secp256k1_testrand256_test : secp256k1_testrand256)(b32);
2252  secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
2253  secp256k1_fe_set_b32(&x_fe, b32);
2254  for (var = 0; var <= 1; ++var) {
2255  test_inverse_scalar(NULL, &x_scalar, var);
2256  test_inverse_field(NULL, &x_fe, var);
2257  }
2258  }
2259  }
2260 }
2261 
2262 /***** GROUP TESTS *****/
2263 
2264 void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
2265  CHECK(a->infinity == b->infinity);
2266  if (a->infinity) {
2267  return;
2268  }
2269  CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
2270  CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
2271 }
2272 
2273 /* This compares jacobian points including their Z, not just their geometric meaning. */
2274 int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
2275  secp256k1_gej a2;
2276  secp256k1_gej b2;
2277  int ret = 1;
2278  ret &= a->infinity == b->infinity;
2279  if (ret && !a->infinity) {
2280  a2 = *a;
2281  b2 = *b;
2282  secp256k1_fe_normalize(&a2.x);
2283  secp256k1_fe_normalize(&a2.y);
2284  secp256k1_fe_normalize(&a2.z);
2285  secp256k1_fe_normalize(&b2.x);
2286  secp256k1_fe_normalize(&b2.y);
2287  secp256k1_fe_normalize(&b2.z);
2288  ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
2289  ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
2290  ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
2291  }
2292  return ret;
2293 }
2294 
2295 void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
2296  secp256k1_fe z2s;
2297  secp256k1_fe u1, u2, s1, s2;
2298  CHECK(a->infinity == b->infinity);
2299  if (a->infinity) {
2300  return;
2301  }
2302  /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
2303  secp256k1_fe_sqr(&z2s, &b->z);
2304  secp256k1_fe_mul(&u1, &a->x, &z2s);
2305  u2 = b->x; secp256k1_fe_normalize_weak(&u2);
2306  secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
2307  s2 = b->y; secp256k1_fe_normalize_weak(&s2);
2308  CHECK(secp256k1_fe_equal_var(&u1, &u2));
2309  CHECK(secp256k1_fe_equal_var(&s1, &s2));
2310 }
2311 
2312 void test_ge(void) {
2313  int i, i1;
2314  int runs = 6;
2315  /* 25 points are used:
2316  * - infinity
2317  * - for each of four random points p1 p2 p3 p4, we add the point, its
2318  * negation, and then those two again but with randomized Z coordinate.
2319  * - The same is then done for lambda*p1 and lambda^2*p1.
2320  */
2321  secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
2322  secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
2323  secp256k1_fe zf;
2324  secp256k1_fe zfi2, zfi3;
2325 
2326  secp256k1_gej_set_infinity(&gej[0]);
2327  secp256k1_ge_clear(&ge[0]);
2328  secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
2329  for (i = 0; i < runs; i++) {
2330  int j;
2331  secp256k1_ge g;
2332  random_group_element_test(&g);
2333  if (i >= runs - 2) {
2334  secp256k1_ge_mul_lambda(&g, &ge[1]);
2335  }
2336  if (i >= runs - 1) {
2337  secp256k1_ge_mul_lambda(&g, &g);
2338  }
2339  ge[1 + 4 * i] = g;
2340  ge[2 + 4 * i] = g;
2341  secp256k1_ge_neg(&ge[3 + 4 * i], &g);
2342  secp256k1_ge_neg(&ge[4 + 4 * i], &g);
2343  secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
2344  random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
2345  secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
2346  random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
2347  for (j = 0; j < 4; j++) {
2348  random_field_element_magnitude(&ge[1 + j + 4 * i].x);
2349  random_field_element_magnitude(&ge[1 + j + 4 * i].y);
2350  random_field_element_magnitude(&gej[1 + j + 4 * i].x);
2351  random_field_element_magnitude(&gej[1 + j + 4 * i].y);
2352  random_field_element_magnitude(&gej[1 + j + 4 * i].z);
2353  }
2354  }
2355 
2356  /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
2357  do {
2358  random_field_element_test(&zf);
2359  } while(secp256k1_fe_is_zero(&zf));
2360  random_field_element_magnitude(&zf);
2361  secp256k1_fe_inv_var(&zfi3, &zf);
2362  secp256k1_fe_sqr(&zfi2, &zfi3);
2363  secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
2364 
2365  for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
2366  int i2;
2367  for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
2368  /* Compute reference result using gej + gej (var). */
2369  secp256k1_gej refj, resj;
2370  secp256k1_ge ref;
2371  secp256k1_fe zr;
2372  secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2373  /* Check Z ratio. */
2374  if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
2375  secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2376  CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
2377  }
2378  secp256k1_ge_set_gej_var(&ref, &refj);
2379 
2380  /* Test gej + ge with Z ratio result (var). */
2381  secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2382  ge_equals_gej(&ref, &resj);
2383  if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
2384  secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2385  CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
2386  }
2387 
2388  /* Test gej + ge (var, with additional Z factor). */
2389  {
2390  secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
2391  secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
2392  secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
2393  random_field_element_magnitude(&ge2_zfi.x);
2394  random_field_element_magnitude(&ge2_zfi.y);
2395  secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
2396  ge_equals_gej(&ref, &resj);
2397  }
2398 
2399  /* Test gej + ge (const). */
2400  if (i2 != 0) {
2401  /* secp256k1_gej_add_ge does not support its second argument being infinity. */
2402  secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
2403  ge_equals_gej(&ref, &resj);
2404  }
2405 
2406  /* Test doubling (var). */
2407  if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
2408  secp256k1_fe zr2;
2409  /* Normal doubling with Z ratio result. */
2410  secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
2411  ge_equals_gej(&ref, &resj);
2412  /* Check Z ratio. */
2413  secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
2414  CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
2415  /* Normal doubling. */
2416  secp256k1_gej_double_var(&resj, &gej[i2], NULL);
2417  ge_equals_gej(&ref, &resj);
2418  /* Constant-time doubling. */
2419  secp256k1_gej_double(&resj, &gej[i2]);
2420  ge_equals_gej(&ref, &resj);
2421  }
2422 
2423  /* Test adding opposites. */
2424  if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
2425  CHECK(secp256k1_ge_is_infinity(&ref));
2426  }
2427 
2428  /* Test adding infinity. */
2429  if (i1 == 0) {
2430  CHECK(secp256k1_ge_is_infinity(&ge[i1]));
2431  CHECK(secp256k1_gej_is_infinity(&gej[i1]));
2432  ge_equals_gej(&ref, &gej[i2]);
2433  }
2434  if (i2 == 0) {
2435  CHECK(secp256k1_ge_is_infinity(&ge[i2]));
2436  CHECK(secp256k1_gej_is_infinity(&gej[i2]));
2437  ge_equals_gej(&ref, &gej[i1]);
2438  }
2439  }
2440  }
2441 
2442  /* Test adding all points together in random order equals infinity. */
2443  {
2444  secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
2445  secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
2446  for (i = 0; i < 4 * runs + 1; i++) {
2447  gej_shuffled[i] = gej[i];
2448  }
2449  for (i = 0; i < 4 * runs + 1; i++) {
2450  int swap = i + secp256k1_testrand_int(4 * runs + 1 - i);
2451  if (swap != i) {
2452  secp256k1_gej t = gej_shuffled[i];
2453  gej_shuffled[i] = gej_shuffled[swap];
2454  gej_shuffled[swap] = t;
2455  }
2456  }
2457  for (i = 0; i < 4 * runs + 1; i++) {
2458  secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
2459  }
2460  CHECK(secp256k1_gej_is_infinity(&sum));
2461  free(gej_shuffled);
2462  }
2463 
2464  /* Test batch gej -> ge conversion without known z ratios. */
2465  {
2466  secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
2467  secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
2468  for (i = 0; i < 4 * runs + 1; i++) {
2469  secp256k1_fe s;
2470  random_fe_non_zero(&s);
2471  secp256k1_gej_rescale(&gej[i], &s);
2472  ge_equals_gej(&ge_set_all[i], &gej[i]);
2473  }
2474  free(ge_set_all);
2475  }
2476 
2477  /* Test batch gej -> ge conversion with many infinities. */
2478  for (i = 0; i < 4 * runs + 1; i++) {
2479  random_group_element_test(&ge[i]);
2480  /* randomly set half the points to infinity */
2481  if(secp256k1_fe_is_odd(&ge[i].x)) {
2482  secp256k1_ge_set_infinity(&ge[i]);
2483  }
2484  secp256k1_gej_set_ge(&gej[i], &ge[i]);
2485  }
2486  /* batch invert */
2487  secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
2488  /* check result */
2489  for (i = 0; i < 4 * runs + 1; i++) {
2490  ge_equals_gej(&ge[i], &gej[i]);
2491  }
2492 
2493  free(ge);
2494  free(gej);
2495 }
2496 
2497 
2498 void test_intialized_inf(void) {
2499  secp256k1_ge p;
2500  secp256k1_gej pj, npj, infj1, infj2, infj3;
2501  secp256k1_fe zinv;
2502 
2503  /* Test that adding P+(-P) results in a fully initalized infinity*/
2504  random_group_element_test(&p);
2505  secp256k1_gej_set_ge(&pj, &p);
2506  secp256k1_gej_neg(&npj, &pj);
2507 
2508  secp256k1_gej_add_var(&infj1, &pj, &npj, NULL);
2509  CHECK(secp256k1_gej_is_infinity(&infj1));
2510  CHECK(secp256k1_fe_is_zero(&infj1.x));
2511  CHECK(secp256k1_fe_is_zero(&infj1.y));
2512  CHECK(secp256k1_fe_is_zero(&infj1.z));
2513 
2514  secp256k1_gej_add_ge_var(&infj2, &npj, &p, NULL);
2515  CHECK(secp256k1_gej_is_infinity(&infj2));
2516  CHECK(secp256k1_fe_is_zero(&infj2.x));
2517  CHECK(secp256k1_fe_is_zero(&infj2.y));
2518  CHECK(secp256k1_fe_is_zero(&infj2.z));
2519 
2520  secp256k1_fe_set_int(&zinv, 1);
2521  secp256k1_gej_add_zinv_var(&infj3, &npj, &p, &zinv);
2522  CHECK(secp256k1_gej_is_infinity(&infj3));
2523  CHECK(secp256k1_fe_is_zero(&infj3.x));
2524  CHECK(secp256k1_fe_is_zero(&infj3.y));
2525  CHECK(secp256k1_fe_is_zero(&infj3.z));
2526 
2527 
2528 }
2529 
2530 void test_add_neg_y_diff_x(void) {
2531  /* The point of this test is to check that we can add two points
2532  * whose y-coordinates are negatives of each other but whose x
2533  * coordinates differ. If the x-coordinates were the same, these
2534  * points would be negatives of each other and their sum is
2535  * infinity. This is cool because it "covers up" any degeneracy
2536  * in the addition algorithm that would cause the xy coordinates
2537  * of the sum to be wrong (since infinity has no xy coordinates).
2538  * HOWEVER, if the x-coordinates are different, infinity is the
2539  * wrong answer, and such degeneracies are exposed. This is the
2540  * root of https://github.com/bitcoin-core/secp256k1/issues/257
2541  * which this test is a regression test for.
2542  *
2543  * These points were generated in sage as
2544  * # secp256k1 params
2545  * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
2546  * C = EllipticCurve ([F (0), F (7)])
2547  * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
2548  * N = FiniteField(G.order())
2549  *
2550  * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
2551  * x = polygen(N)
2552  * lam = (1 - x^3).roots()[1][0]
2553  *
2554  * # random "bad pair"
2555  * P = C.random_element()
2556  * Q = -int(lam) * P
2557  * print " P: %x %x" % P.xy()
2558  * print " Q: %x %x" % Q.xy()
2559  * print "P + Q: %x %x" % (P + Q).xy()
2560  */
2561  secp256k1_gej aj = SECP256K1_GEJ_CONST(
2562  0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
2563  0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
2564  0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
2565  0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
2566  );
2567  secp256k1_gej bj = SECP256K1_GEJ_CONST(
2568  0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
2569  0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
2570  0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
2571  0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
2572  );
2573  secp256k1_gej sumj = SECP256K1_GEJ_CONST(
2574  0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
2575  0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
2576  0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
2577  0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
2578  );
2579  secp256k1_ge b;
2580  secp256k1_gej resj;
2581  secp256k1_ge res;
2582  secp256k1_ge_set_gej(&b, &bj);
2583 
2584  secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
2585  secp256k1_ge_set_gej(&res, &resj);
2586  ge_equals_gej(&res, &sumj);
2587 
2588  secp256k1_gej_add_ge(&resj, &aj, &b);
2589  secp256k1_ge_set_gej(&res, &resj);
2590  ge_equals_gej(&res, &sumj);
2591 
2592  secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
2593  secp256k1_ge_set_gej(&res, &resj);
2594  ge_equals_gej(&res, &sumj);
2595 }
2596 
2597 void run_ge(void) {
2598  int i;
2599  for (i = 0; i < count * 32; i++) {
2600  test_ge();
2601  }
2602  test_add_neg_y_diff_x();
2603  test_intialized_inf();
2604 }
2605 
2606 void test_ec_combine(void) {
2607  secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2608  secp256k1_pubkey data[6];
2609  const secp256k1_pubkey* d[6];
2610  secp256k1_pubkey sd;
2611  secp256k1_pubkey sd2;
2612  secp256k1_gej Qj;
2613  secp256k1_ge Q;
2614  int i;
2615  for (i = 1; i <= 6; i++) {
2616  secp256k1_scalar s;
2617  random_scalar_order_test(&s);
2618  secp256k1_scalar_add(&sum, &sum, &s);
2619  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s);
2620  secp256k1_ge_set_gej(&Q, &Qj);
2621  secp256k1_pubkey_save(&data[i - 1], &Q);
2622  d[i - 1] = &data[i - 1];
2623  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum);
2624  secp256k1_ge_set_gej(&Q, &Qj);
2625  secp256k1_pubkey_save(&sd, &Q);
2626  CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
2627  CHECK(secp256k1_memcmp_var(&sd, &sd2, sizeof(sd)) == 0);
2628  }
2629 }
2630 
2631 void run_ec_combine(void) {
2632  int i;
2633  for (i = 0; i < count * 8; i++) {
2634  test_ec_combine();
2635  }
2636 }
2637 
2638 void test_group_decompress(const secp256k1_fe* x) {
2639  /* The input itself, normalized. */
2640  secp256k1_fe fex = *x;
2641  secp256k1_fe fez;
2642  /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
2643  secp256k1_ge ge_quad, ge_even, ge_odd;
2644  secp256k1_gej gej_quad;
2645  /* Return values of the above calls. */
2646  int res_quad, res_even, res_odd;
2647 
2648  secp256k1_fe_normalize_var(&fex);
2649 
2650  res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex);
2651  res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
2652  res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
2653 
2654  CHECK(res_quad == res_even);
2655  CHECK(res_quad == res_odd);
2656 
2657  if (res_quad) {
2658  secp256k1_fe_normalize_var(&ge_quad.x);
2659  secp256k1_fe_normalize_var(&ge_odd.x);
2660  secp256k1_fe_normalize_var(&ge_even.x);
2661  secp256k1_fe_normalize_var(&ge_quad.y);
2662  secp256k1_fe_normalize_var(&ge_odd.y);
2663  secp256k1_fe_normalize_var(&ge_even.y);
2664 
2665  /* No infinity allowed. */
2666  CHECK(!ge_quad.infinity);
2667  CHECK(!ge_even.infinity);
2668  CHECK(!ge_odd.infinity);
2669 
2670  /* Check that the x coordinates check out. */
2671  CHECK(secp256k1_fe_equal_var(&ge_quad.x, x));
2672  CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
2673  CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
2674 
2675  /* Check that the Y coordinate result in ge_quad is a square. */
2676  CHECK(secp256k1_fe_is_quad_var(&ge_quad.y));
2677 
2678  /* Check odd/even Y in ge_odd, ge_even. */
2679  CHECK(secp256k1_fe_is_odd(&ge_odd.y));
2680  CHECK(!secp256k1_fe_is_odd(&ge_even.y));
2681 
2682  /* Check secp256k1_gej_has_quad_y_var. */
2683  secp256k1_gej_set_ge(&gej_quad, &ge_quad);
2684  CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2685  do {
2686  random_fe_test(&fez);
2687  } while (secp256k1_fe_is_zero(&fez));
2688  secp256k1_gej_rescale(&gej_quad, &fez);
2689  CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2690  secp256k1_gej_neg(&gej_quad, &gej_quad);
2691  CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2692  do {
2693  random_fe_test(&fez);
2694  } while (secp256k1_fe_is_zero(&fez));
2695  secp256k1_gej_rescale(&gej_quad, &fez);
2696  CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2697  secp256k1_gej_neg(&gej_quad, &gej_quad);
2698  CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2699  }
2700 }
2701 
2702 void run_group_decompress(void) {
2703  int i;
2704  for (i = 0; i < count * 4; i++) {
2705  secp256k1_fe fe;
2706  random_fe_test(&fe);
2707  test_group_decompress(&fe);
2708  }
2709 }
2710 
2711 /***** ECMULT TESTS *****/
2712 
2713 void run_ecmult_chain(void) {
2714  /* random starting point A (on the curve) */
2715  secp256k1_gej a = SECP256K1_GEJ_CONST(
2716  0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
2717  0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
2718  0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
2719  0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
2720  );
2721  /* two random initial factors xn and gn */
2722  secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2723  0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
2724  0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
2725  );
2726  secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
2727  0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
2728  0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
2729  );
2730  /* two small multipliers to be applied to xn and gn in every iteration: */
2731  static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
2732  static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
2733  /* accumulators with the resulting coefficients to A and G */
2734  secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2735  secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2736  /* actual points */
2737  secp256k1_gej x;
2738  secp256k1_gej x2;
2739  int i;
2740 
2741  /* the point being computed */
2742  x = a;
2743  for (i = 0; i < 200*count; i++) {
2744  /* in each iteration, compute X = xn*X + gn*G; */
2745  secp256k1_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn);
2746  /* also compute ae and ge: the actual accumulated factors for A and G */
2747  /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
2748  secp256k1_scalar_mul(&ae, &ae, &xn);
2749  secp256k1_scalar_mul(&ge, &ge, &xn);
2750  secp256k1_scalar_add(&ge, &ge, &gn);
2751  /* modify xn and gn */
2752  secp256k1_scalar_mul(&xn, &xn, &xf);
2753  secp256k1_scalar_mul(&gn, &gn, &gf);
2754 
2755  /* verify */
2756  if (i == 19999) {
2757  /* expected result after 19999 iterations */
2758  secp256k1_gej rp = SECP256K1_GEJ_CONST(
2759  0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
2760  0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
2761  0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
2762  0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
2763  );
2764 
2765  secp256k1_gej_neg(&rp, &rp);
2766  secp256k1_gej_add_var(&rp, &rp, &x, NULL);
2767  CHECK(secp256k1_gej_is_infinity(&rp));
2768  }
2769  }
2770  /* redo the computation, but directly with the resulting ae and ge coefficients: */
2771  secp256k1_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge);
2772  secp256k1_gej_neg(&x2, &x2);
2773  secp256k1_gej_add_var(&x2, &x2, &x, NULL);
2774  CHECK(secp256k1_gej_is_infinity(&x2));
2775 }
2776 
2777 void test_point_times_order(const secp256k1_gej *point) {
2778  /* X * (point + G) + (order-X) * (pointer + G) = 0 */
2779  secp256k1_scalar x;
2780  secp256k1_scalar nx;
2781  secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2782  secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2783  secp256k1_gej res1, res2;
2784  secp256k1_ge res3;
2785  unsigned char pub[65];
2786  size_t psize = 65;
2787  random_scalar_order_test(&x);
2788  secp256k1_scalar_negate(&nx, &x);
2789  secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */
2790  secp256k1_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
2791  secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
2792  CHECK(secp256k1_gej_is_infinity(&res1));
2793  secp256k1_ge_set_gej(&res3, &res1);
2794  CHECK(secp256k1_ge_is_infinity(&res3));
2795  CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
2796  CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
2797  psize = 65;
2798  CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
2799  /* check zero/one edge cases */
2800  secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero);
2801  secp256k1_ge_set_gej(&res3, &res1);
2802  CHECK(secp256k1_ge_is_infinity(&res3));
2803  secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero);
2804  secp256k1_ge_set_gej(&res3, &res1);
2805  ge_equals_gej(&res3, point);
2806  secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one);
2807  secp256k1_ge_set_gej(&res3, &res1);
2808  ge_equals_ge(&res3, &secp256k1_ge_const_g);
2809 }
2810 
2811 /* These scalars reach large (in absolute value) outputs when fed to secp256k1_scalar_split_lambda.
2812  *
2813  * They are computed as:
2814  * - For a in [-2, -1, 0, 1, 2]:
2815  * - For b in [-3, -1, 1, 3]:
2816  * - Output (a*LAMBDA + (ORDER+b)/2) % ORDER
2817  */
2818 static const secp256k1_scalar scalars_near_split_bounds[20] = {
2819  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fc),
2820  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fd),
2821  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fe),
2822  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6ff),
2823  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632d),
2824  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632e),
2825  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632f),
2826  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf76330),
2827  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b209f),
2828  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a0),
2829  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a1),
2830  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a2),
2831  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede11),
2832  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede12),
2833  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede13),
2834  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede14),
2835  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a42),
2836  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a43),
2837  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a44),
2838  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a45)
2839 };
2840 
2841 void test_ecmult_target(const secp256k1_scalar* target, int mode) {
2842  /* Mode: 0=ecmult_gen, 1=ecmult, 2=ecmult_const */
2843  secp256k1_scalar n1, n2;
2844  secp256k1_ge p;
2845  secp256k1_gej pj, p1j, p2j, ptj;
2846  static const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2847 
2848  /* Generate random n1,n2 such that n1+n2 = -target. */
2849  random_scalar_order_test(&n1);
2850  secp256k1_scalar_add(&n2, &n1, target);
2851  secp256k1_scalar_negate(&n2, &n2);
2852 
2853  /* Generate a random input point. */
2854  if (mode != 0) {
2855  random_group_element_test(&p);
2856  secp256k1_gej_set_ge(&pj, &p);
2857  }
2858 
2859  /* EC multiplications */
2860  if (mode == 0) {
2861  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &p1j, &n1);
2862  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &p2j, &n2);
2863  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &ptj, target);
2864  } else if (mode == 1) {
2865  secp256k1_ecmult(&ctx->ecmult_ctx, &p1j, &pj, &n1, &zero);
2866  secp256k1_ecmult(&ctx->ecmult_ctx, &p2j, &pj, &n2, &zero);
2867  secp256k1_ecmult(&ctx->ecmult_ctx, &ptj, &pj, target, &zero);
2868  } else {
2869  secp256k1_ecmult_const(&p1j, &p, &n1, 256);
2870  secp256k1_ecmult_const(&p2j, &p, &n2, 256);
2871  secp256k1_ecmult_const(&ptj, &p, target, 256);
2872  }
2873 
2874  /* Add them all up: n1*P + n2*P + target*P = (n1+n2+target)*P = (n1+n1-n1-n2)*P = 0. */
2875  secp256k1_gej_add_var(&ptj, &ptj, &p1j, NULL);
2876  secp256k1_gej_add_var(&ptj, &ptj, &p2j, NULL);
2877  CHECK(secp256k1_gej_is_infinity(&ptj));
2878 }
2879 
2880 void run_ecmult_near_split_bound(void) {
2881  int i;
2882  unsigned j;
2883  for (i = 0; i < 4*count; ++i) {
2884  for (j = 0; j < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++j) {
2885  test_ecmult_target(&scalars_near_split_bounds[j], 0);
2886  test_ecmult_target(&scalars_near_split_bounds[j], 1);
2887  test_ecmult_target(&scalars_near_split_bounds[j], 2);
2888  }
2889  }
2890 }
2891 
2892 void run_point_times_order(void) {
2893  int i;
2894  secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
2895  static const secp256k1_fe xr = SECP256K1_FE_CONST(
2896  0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
2897  0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
2898  );
2899  for (i = 0; i < 500; i++) {
2900  secp256k1_ge p;
2901  if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
2902  secp256k1_gej j;
2903  CHECK(secp256k1_ge_is_valid_var(&p));
2904  secp256k1_gej_set_ge(&j, &p);
2905  test_point_times_order(&j);
2906  }
2907  secp256k1_fe_sqr(&x, &x);
2908  }
2909  secp256k1_fe_normalize_var(&x);
2910  CHECK(secp256k1_fe_equal_var(&x, &xr));
2911 }
2912 
2913 void ecmult_const_random_mult(void) {
2914  /* random starting point A (on the curve) */
2915  secp256k1_ge a = SECP256K1_GE_CONST(
2916  0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
2917  0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
2918  0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
2919  0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
2920  );
2921  /* random initial factor xn */
2922  secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2923  0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
2924  0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
2925  );
2926  /* expected xn * A (from sage) */
2927  secp256k1_ge expected_b = SECP256K1_GE_CONST(
2928  0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
2929  0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
2930  0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
2931  0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
2932  );
2933  secp256k1_gej b;
2934  secp256k1_ecmult_const(&b, &a, &xn, 256);
2935 
2936  CHECK(secp256k1_ge_is_valid_var(&a));
2937  ge_equals_gej(&expected_b, &b);
2938 }
2939 
2940 void ecmult_const_commutativity(void) {
2941  secp256k1_scalar a;
2942  secp256k1_scalar b;
2943  secp256k1_gej res1;
2944  secp256k1_gej res2;
2945  secp256k1_ge mid1;
2946  secp256k1_ge mid2;
2947  random_scalar_order_test(&a);
2948  random_scalar_order_test(&b);
2949 
2950  secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a, 256);
2951  secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b, 256);
2952  secp256k1_ge_set_gej(&mid1, &res1);
2953  secp256k1_ge_set_gej(&mid2, &res2);
2954  secp256k1_ecmult_const(&res1, &mid1, &b, 256);
2955  secp256k1_ecmult_const(&res2, &mid2, &a, 256);
2956  secp256k1_ge_set_gej(&mid1, &res1);
2957  secp256k1_ge_set_gej(&mid2, &res2);
2958  ge_equals_ge(&mid1, &mid2);
2959 }
2960 
2961 void ecmult_const_mult_zero_one(void) {
2962  secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2963  secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2964  secp256k1_scalar negone;
2965  secp256k1_gej res1;
2966  secp256k1_ge res2;
2967  secp256k1_ge point;
2968  secp256k1_scalar_negate(&negone, &one);
2969 
2970  random_group_element_test(&point);
2971  secp256k1_ecmult_const(&res1, &point, &zero, 3);
2972  secp256k1_ge_set_gej(&res2, &res1);
2973  CHECK(secp256k1_ge_is_infinity(&res2));
2974  secp256k1_ecmult_const(&res1, &point, &one, 2);
2975  secp256k1_ge_set_gej(&res2, &res1);
2976  ge_equals_ge(&res2, &point);
2977  secp256k1_ecmult_const(&res1, &point, &negone, 256);
2978  secp256k1_gej_neg(&res1, &res1);
2979  secp256k1_ge_set_gej(&res2, &res1);
2980  ge_equals_ge(&res2, &point);
2981 }
2982 
2983 void ecmult_const_chain_multiply(void) {
2984  /* Check known result (randomly generated test problem from sage) */
2985  const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
2986  0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
2987  0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
2988  );
2989  const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
2990  0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
2991  0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
2992  0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
2993  0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
2994  );
2995  secp256k1_gej point;
2996  secp256k1_ge res;
2997  int i;
2998 
2999  secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
3000  for (i = 0; i < 100; ++i) {
3001  secp256k1_ge tmp;
3002  secp256k1_ge_set_gej(&tmp, &point);
3003  secp256k1_ecmult_const(&point, &tmp, &scalar, 256);
3004  }
3005  secp256k1_ge_set_gej(&res, &point);
3006  ge_equals_gej(&res, &expected_point);
3007 }
3008 
3009 void run_ecmult_const_tests(void) {
3010  ecmult_const_mult_zero_one();
3011  ecmult_const_random_mult();
3012  ecmult_const_commutativity();
3013  ecmult_const_chain_multiply();
3014 }
3015 
3016 typedef struct {
3017  secp256k1_scalar *sc;
3018  secp256k1_ge *pt;
3019 } ecmult_multi_data;
3020 
3021 static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
3022  ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
3023  *sc = data->sc[idx];
3024  *pt = data->pt[idx];
3025  return 1;
3026 }
3027 
3028 static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
3029  (void)sc;
3030  (void)pt;
3031  (void)idx;
3032  (void)cbdata;
3033  return 0;
3034 }
3035 
3036 void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) {
3037  int ncount;
3038  secp256k1_scalar szero;
3039  secp256k1_scalar sc[32];
3040  secp256k1_ge pt[32];
3041  secp256k1_gej r;
3042  secp256k1_gej r2;
3043  ecmult_multi_data data;
3044 
3045  data.sc = sc;
3046  data.pt = pt;
3047  secp256k1_scalar_set_int(&szero, 0);
3048 
3049  /* No points to multiply */
3050  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
3051 
3052  /* Check 1- and 2-point multiplies against ecmult */
3053  for (ncount = 0; ncount < count; ncount++) {
3054  secp256k1_ge ptg;
3055  secp256k1_gej ptgj;
3056  random_scalar_order(&sc[0]);
3057  random_scalar_order(&sc[1]);
3058 
3059  random_group_element_test(&ptg);
3060  secp256k1_gej_set_ge(&ptgj, &ptg);
3061  pt[0] = ptg;
3062  pt[1] = secp256k1_ge_const_g;
3063 
3064  /* only G scalar */
3065  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &szero, &sc[0]);
3066  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
3067  secp256k1_gej_neg(&r2, &r2);
3068  secp256k1_gej_add_var(&r, &r, &r2, NULL);
3069  CHECK(secp256k1_gej_is_infinity(&r));
3070 
3071  /* 1-point */
3072  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &szero);
3073  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 1));
3074  secp256k1_gej_neg(&r2, &r2);
3075  secp256k1_gej_add_var(&r, &r, &r2, NULL);
3076  CHECK(secp256k1_gej_is_infinity(&r));
3077 
3078  /* Try to multiply 1 point, but callback returns false */
3079  CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_false_callback, &data, 1));
3080 
3081  /* 2-point */
3082  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
3083  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 2));
3084  secp256k1_gej_neg(&r2, &r2);
3085  secp256k1_gej_add_var(&r, &r, &r2, NULL);
3086  CHECK(secp256k1_gej_is_infinity(&r));
3087 
3088  /* 2-point with G scalar */
3089  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
3090  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
3091  secp256k1_gej_neg(&r2, &r2);
3092  secp256k1_gej_add_var(&r, &r, &r2, NULL);
3093  CHECK(secp256k1_gej_is_infinity(&r));
3094  }
3095 
3096  /* Check infinite outputs of various forms */
3097  for (ncount = 0; ncount < count; ncount++) {
3098  secp256k1_ge ptg;
3099  size_t i, j;
3100  size_t sizes[] = { 2, 10, 32 };
3101 
3102  for (j = 0; j < 3; j++) {
3103  for (i = 0; i < 32; i++) {
3104  random_scalar_order(&sc[i]);
3105  secp256k1_ge_set_infinity(&pt[i]);
3106  }
3107  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
3108  CHECK(secp256k1_gej_is_infinity(&r));
3109  }
3110 
3111  for (j = 0; j < 3; j++) {
3112  for (i = 0; i < 32; i++) {
3113  random_group_element_test(&ptg);
3114  pt[i] = ptg;
3115  secp256k1_scalar_set_int(&sc[i], 0);
3116  }
3117  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
3118  CHECK(secp256k1_gej_is_infinity(&r));
3119  }
3120 
3121  for (j = 0; j < 3; j++) {
3122  random_group_element_test(&ptg);
3123  for (i = 0; i < 16; i++) {
3124  random_scalar_order(&sc[2*i]);
3125  secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
3126  pt[2 * i] = ptg;
3127  pt[2 * i + 1] = ptg;
3128  }
3129 
3130  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
3131  CHECK(secp256k1_gej_is_infinity(&r));
3132 
3133  random_scalar_order(&sc[0]);
3134  for (i = 0; i < 16; i++) {
3135  random_group_element_test(&ptg);
3136 
3137  sc[2*i] = sc[0];
3138  sc[2*i+1] = sc[0];
3139  pt[2 * i] = ptg;
3140  secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
3141  }
3142 
3143  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
3144  CHECK(secp256k1_gej_is_infinity(&r));
3145  }
3146 
3147  random_group_element_test(&ptg);
3148  secp256k1_scalar_set_int(&sc[0], 0);
3149  pt[0] = ptg;
3150  for (i = 1; i < 32; i++) {
3151  pt[i] = ptg;
3152 
3153  random_scalar_order(&sc[i]);
3154  secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
3155  secp256k1_scalar_negate(&sc[i], &sc[i]);
3156  }
3157 
3158  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 32));
3159  CHECK(secp256k1_gej_is_infinity(&r));
3160  }
3161 
3162  /* Check random points, constant scalar */
3163  for (ncount = 0; ncount < count; ncount++) {
3164  size_t i;
3165  secp256k1_gej_set_infinity(&r);
3166 
3167  random_scalar_order(&sc[0]);
3168  for (i = 0; i < 20; i++) {
3169  secp256k1_ge ptg;
3170  sc[i] = sc[0];
3171  random_group_element_test(&ptg);
3172  pt[i] = ptg;
3173  secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
3174  }
3175 
3176  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r, &sc[0], &szero);
3177  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
3178  secp256k1_gej_neg(&r2, &r2);
3179  secp256k1_gej_add_var(&r, &r, &r2, NULL);
3180  CHECK(secp256k1_gej_is_infinity(&r));
3181  }
3182 
3183  /* Check random scalars, constant point */
3184  for (ncount = 0; ncount < count; ncount++) {
3185  size_t i;
3186  secp256k1_ge ptg;
3187  secp256k1_gej p0j;
3188  secp256k1_scalar rs;
3189  secp256k1_scalar_set_int(&rs, 0);
3190 
3191  random_group_element_test(&ptg);
3192  for (i = 0; i < 20; i++) {
3193  random_scalar_order(&sc[i]);
3194  pt[i] = ptg;
3195  secp256k1_scalar_add(&rs, &rs, &sc[i]);
3196  }
3197 
3198  secp256k1_gej_set_ge(&p0j, &pt[0]);
3199  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &p0j, &rs, &szero);
3200  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
3201  secp256k1_gej_neg(&r2, &r2);
3202  secp256k1_gej_add_var(&r, &r, &r2, NULL);
3203  CHECK(secp256k1_gej_is_infinity(&r));
3204  }
3205 
3206  /* Sanity check that zero scalars don't cause problems */
3207  for (ncount = 0; ncount < 20; ncount++) {
3208  random_scalar_order(&sc[ncount]);
3209  random_group_element_test(&pt[ncount]);
3210  }
3211  secp256k1_scalar_clear(&sc[0]);
3212  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
3213  secp256k1_scalar_clear(&sc[1]);
3214  secp256k1_scalar_clear(&sc[2]);
3215  secp256k1_scalar_clear(&sc[3]);
3216  secp256k1_scalar_clear(&sc[4]);
3217  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 6));
3218  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 5));
3219  CHECK(secp256k1_gej_is_infinity(&r));
3220 
3221  /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
3222  {
3223  const size_t TOP = 8;
3224  size_t s0i, s1i;
3225  size_t t0i, t1i;
3226  secp256k1_ge ptg;
3227  secp256k1_gej ptgj;
3228 
3229  random_group_element_test(&ptg);
3230  secp256k1_gej_set_ge(&ptgj, &ptg);
3231 
3232  for(t0i = 0; t0i < TOP; t0i++) {
3233  for(t1i = 0; t1i < TOP; t1i++) {
3234  secp256k1_gej t0p, t1p;
3235  secp256k1_scalar t0, t1;
3236 
3237  secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
3238  secp256k1_scalar_cond_negate(&t0, t0i & 1);
3239  secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
3240  secp256k1_scalar_cond_negate(&t1, t1i & 1);
3241 
3242  secp256k1_ecmult(&ctx->ecmult_ctx, &t0p, &ptgj, &t0, &szero);
3243  secp256k1_ecmult(&ctx->ecmult_ctx, &t1p, &ptgj, &t1, &szero);
3244 
3245  for(s0i = 0; s0i < TOP; s0i++) {
3246  for(s1i = 0; s1i < TOP; s1i++) {
3247  secp256k1_scalar tmp1, tmp2;
3248  secp256k1_gej expected, actual;
3249 
3250  secp256k1_ge_set_gej(&pt[0], &t0p);
3251  secp256k1_ge_set_gej(&pt[1], &t1p);
3252 
3253  secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
3254  secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
3255  secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
3256  secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
3257 
3258  secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
3259  secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
3260  secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
3261 
3262  secp256k1_ecmult(&ctx->ecmult_ctx, &expected, &ptgj, &tmp1, &szero);
3263  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &actual, &szero, ecmult_multi_callback, &data, 2));
3264  secp256k1_gej_neg(&expected, &expected);
3265  secp256k1_gej_add_var(&actual, &actual, &expected, NULL);
3266  CHECK(secp256k1_gej_is_infinity(&actual));
3267  }
3268  }
3269  }
3270  }
3271  }
3272 }
3273 
3274 void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi) {
3275  secp256k1_scalar szero;
3276  secp256k1_scalar sc;
3277  secp256k1_ge pt;
3278  secp256k1_gej r;
3279  ecmult_multi_data data;
3280  secp256k1_scratch *scratch_empty;
3281 
3282  random_group_element_test(&pt);
3283  random_scalar_order(&sc);
3284  data.sc = &sc;
3285  data.pt = &pt;
3286  secp256k1_scalar_set_int(&szero, 0);
3287 
3288  /* Try to multiply 1 point, but scratch space is empty.*/
3289  scratch_empty = secp256k1_scratch_create(&ctx->error_callback, 0);
3290  CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch_empty, &r, &szero, ecmult_multi_callback, &data, 1));
3291  secp256k1_scratch_destroy(&ctx->error_callback, scratch_empty);
3292 }
3293 
3294 void test_secp256k1_pippenger_bucket_window_inv(void) {
3295  int i;
3296 
3297  CHECK(secp256k1_pippenger_bucket_window_inv(0) == 0);
3298  for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
3299  /* Bucket_window of 8 is not used with endo */
3300  if (i == 8) {
3301  continue;
3302  }
3303  CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)) == i);
3304  if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
3305  CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)+1) > i);
3306  }
3307  }
3308 }
3309 
3314 void test_ecmult_multi_pippenger_max_points(void) {
3315  size_t scratch_size = secp256k1_testrand_int(256);
3316  size_t max_size = secp256k1_pippenger_scratch_size(secp256k1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12);
3317  secp256k1_scratch *scratch;
3318  size_t n_points_supported;
3319  int bucket_window = 0;
3320 
3321  for(; scratch_size < max_size; scratch_size+=256) {
3322  size_t i;
3323  size_t total_alloc;
3324  size_t checkpoint;
3325  scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size);
3326  CHECK(scratch != NULL);
3327  checkpoint = secp256k1_scratch_checkpoint(&ctx->error_callback, scratch);
3328  n_points_supported = secp256k1_pippenger_max_points(&ctx->error_callback, scratch);
3329  if (n_points_supported == 0) {
3330  secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3331  continue;
3332  }
3333  bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
3334  /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */
3335  total_alloc = secp256k1_pippenger_scratch_size(n_points_supported, bucket_window);
3336  for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) {
3337  CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, 1));
3338  total_alloc--;
3339  }
3340  CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, total_alloc));
3341  secp256k1_scratch_apply_checkpoint(&ctx->error_callback, scratch, checkpoint);
3342  secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3343  }
3344  CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
3345 }
3346 
3347 void test_ecmult_multi_batch_size_helper(void) {
3348  size_t n_batches, n_batch_points, max_n_batch_points, n;
3349 
3350  max_n_batch_points = 0;
3351  n = 1;
3352  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
3353 
3354  max_n_batch_points = 1;
3355  n = 0;
3356  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3357  CHECK(n_batches == 0);
3358  CHECK(n_batch_points == 0);
3359 
3360  max_n_batch_points = 2;
3361  n = 5;
3362  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3363  CHECK(n_batches == 3);
3364  CHECK(n_batch_points == 2);
3365 
3366  max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
3367  n = ECMULT_MAX_POINTS_PER_BATCH;
3368  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3369  CHECK(n_batches == 1);
3370  CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
3371 
3372  max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
3373  n = ECMULT_MAX_POINTS_PER_BATCH + 1;
3374  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3375  CHECK(n_batches == 2);
3376  CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
3377 
3378  max_n_batch_points = 1;
3379  n = SIZE_MAX;
3380  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3381  CHECK(n_batches == SIZE_MAX);
3382  CHECK(n_batch_points == 1);
3383 
3384  max_n_batch_points = 2;
3385  n = SIZE_MAX;
3386  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3387  CHECK(n_batches == SIZE_MAX/2 + 1);
3388  CHECK(n_batch_points == 2);
3389 }
3390 
3395 void test_ecmult_multi_batching(void) {
3396  static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
3397  secp256k1_scalar scG;
3398  secp256k1_scalar szero;
3399  secp256k1_scalar *sc = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_scalar) * n_points);
3400  secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * n_points);
3401  secp256k1_gej r;
3402  secp256k1_gej r2;
3403  ecmult_multi_data data;
3404  int i;
3405  secp256k1_scratch *scratch;
3406 
3407  secp256k1_gej_set_infinity(&r2);
3408  secp256k1_scalar_set_int(&szero, 0);
3409 
3410  /* Get random scalars and group elements and compute result */
3411  random_scalar_order(&scG);
3412  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r2, &szero, &scG);
3413  for(i = 0; i < n_points; i++) {
3414  secp256k1_ge ptg;
3415  secp256k1_gej ptgj;
3416  random_group_element_test(&ptg);
3417  secp256k1_gej_set_ge(&ptgj, &ptg);
3418  pt[i] = ptg;
3419  random_scalar_order(&sc[i]);
3420  secp256k1_ecmult(&ctx->ecmult_ctx, &ptgj, &ptgj, &sc[i], NULL);
3421  secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
3422  }
3423  data.sc = sc;
3424  data.pt = pt;
3425  secp256k1_gej_neg(&r2, &r2);
3426 
3427  /* Test with empty scratch space. It should compute the correct result using
3428  * ecmult_mult_simple algorithm which doesn't require a scratch space. */
3429  scratch = secp256k1_scratch_create(&ctx->error_callback, 0);
3430  CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
3431  secp256k1_gej_add_var(&r, &r, &r2, NULL);
3432  CHECK(secp256k1_gej_is_infinity(&r));
3433  secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3434 
3435  /* Test with space for 1 point in pippenger. That's not enough because
3436  * ecmult_multi selects strauss which requires more memory. It should
3437  * therefore select the simple algorithm. */
3438  scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
3439  CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
3440  secp256k1_gej_add_var(&r, &r, &r2, NULL);
3441  CHECK(secp256k1_gej_is_infinity(&r));
3442  secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3443 
3444  for(i = 1; i <= n_points; i++) {
3445  if (i > ECMULT_PIPPENGER_THRESHOLD) {
3446  int bucket_window = secp256k1_pippenger_bucket_window(i);
3447  size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
3448  scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
3449  } else {
3450  size_t scratch_size = secp256k1_strauss_scratch_size(i);
3451  scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
3452  }
3453  CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
3454  secp256k1_gej_add_var(&r, &r, &r2, NULL);
3455  CHECK(secp256k1_gej_is_infinity(&r));
3456  secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3457  }
3458  free(sc);
3459  free(pt);
3460 }
3461 
3462 void run_ecmult_multi_tests(void) {
3463  secp256k1_scratch *scratch;
3464 
3465  test_secp256k1_pippenger_bucket_window_inv();
3466  test_ecmult_multi_pippenger_max_points();
3467  scratch = secp256k1_scratch_create(&ctx->error_callback, 819200);
3468  test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
3469  test_ecmult_multi(NULL, secp256k1_ecmult_multi_var);
3470  test_ecmult_multi(scratch, secp256k1_ecmult_pippenger_batch_single);
3471  test_ecmult_multi_batch_single(secp256k1_ecmult_pippenger_batch_single);
3472  test_ecmult_multi(scratch, secp256k1_ecmult_strauss_batch_single);
3473  test_ecmult_multi_batch_single(secp256k1_ecmult_strauss_batch_single);
3474  secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3475 
3476  /* Run test_ecmult_multi with space for exactly one point */
3477  scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
3478  test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
3479  secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3480 
3481  test_ecmult_multi_batch_size_helper();
3482  test_ecmult_multi_batching();
3483 }
3484 
3485 void test_wnaf(const secp256k1_scalar *number, int w) {
3486  secp256k1_scalar x, two, t;
3487  int wnaf[256];
3488  int zeroes = -1;
3489  int i;
3490  int bits;
3491  secp256k1_scalar_set_int(&x, 0);
3492  secp256k1_scalar_set_int(&two, 2);
3493  bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
3494  CHECK(bits <= 256);
3495  for (i = bits-1; i >= 0; i--) {
3496  int v = wnaf[i];
3497  secp256k1_scalar_mul(&x, &x, &two);
3498  if (v) {
3499  CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
3500  zeroes=0;
3501  CHECK((v & 1) == 1); /* check non-zero elements are odd */
3502  CHECK(v <= (1 << (w-1)) - 1); /* check range below */
3503  CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
3504  } else {
3505  CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
3506  zeroes++;
3507  }
3508  if (v >= 0) {
3509  secp256k1_scalar_set_int(&t, v);
3510  } else {
3511  secp256k1_scalar_set_int(&t, -v);
3512  secp256k1_scalar_negate(&t, &t);
3513  }
3514  secp256k1_scalar_add(&x, &x, &t);
3515  }
3516  CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
3517 }
3518 
3519 void test_constant_wnaf_negate(const secp256k1_scalar *number) {
3520  secp256k1_scalar neg1 = *number;
3521  secp256k1_scalar neg2 = *number;
3522  int sign1 = 1;
3523  int sign2 = 1;
3524 
3525  if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
3526  secp256k1_scalar_negate(&neg1, &neg1);
3527  sign1 = -1;
3528  }
3529  sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2));
3530  CHECK(sign1 == sign2);
3531  CHECK(secp256k1_scalar_eq(&neg1, &neg2));
3532 }
3533 
3534 void test_constant_wnaf(const secp256k1_scalar *number, int w) {
3535  secp256k1_scalar x, shift;
3536  int wnaf[256] = {0};
3537  int i;
3538  int skew;
3539  int bits = 256;
3540  secp256k1_scalar num = *number;
3541  secp256k1_scalar scalar_skew;
3542 
3543  secp256k1_scalar_set_int(&x, 0);
3544  secp256k1_scalar_set_int(&shift, 1 << w);
3545  for (i = 0; i < 16; ++i) {
3546  secp256k1_scalar_shr_int(&num, 8);
3547  }
3548  bits = 128;
3549  skew = secp256k1_wnaf_const(wnaf, &num, w, bits);
3550 
3551  for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) {
3552  secp256k1_scalar t;
3553  int v = wnaf[i];
3554  CHECK(v != 0); /* check nonzero */
3555  CHECK(v & 1); /* check parity */
3556  CHECK(v > -(1 << w)); /* check range above */
3557  CHECK(v < (1 << w)); /* check range below */
3558 
3559  secp256k1_scalar_mul(&x, &x, &shift);
3560  if (v >= 0) {
3561  secp256k1_scalar_set_int(&t, v);
3562  } else {
3563  secp256k1_scalar_set_int(&t, -v);
3564  secp256k1_scalar_negate(&t, &t);
3565  }
3566  secp256k1_scalar_add(&x, &x, &t);
3567  }
3568  /* Skew num because when encoding numbers as odd we use an offset */
3569  secp256k1_scalar_set_int(&scalar_skew, 1 << (skew == 2));
3570  secp256k1_scalar_add(&num, &num, &scalar_skew);
3571  CHECK(secp256k1_scalar_eq(&x, &num));
3572 }
3573 
3574 void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
3575  secp256k1_scalar x, shift;
3576  int wnaf[256] = {0};
3577  int i;
3578  int skew;
3579  secp256k1_scalar num = *number;
3580 
3581  secp256k1_scalar_set_int(&x, 0);
3582  secp256k1_scalar_set_int(&shift, 1 << w);
3583  for (i = 0; i < 16; ++i) {
3584  secp256k1_scalar_shr_int(&num, 8);
3585  }
3586  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3587 
3588  for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3589  secp256k1_scalar t;
3590  int v = wnaf[i];
3591  CHECK(v == 0 || v & 1); /* check parity */
3592  CHECK(v > -(1 << w)); /* check range above */
3593  CHECK(v < (1 << w)); /* check range below */
3594 
3595  secp256k1_scalar_mul(&x, &x, &shift);
3596  if (v >= 0) {
3597  secp256k1_scalar_set_int(&t, v);
3598  } else {
3599  secp256k1_scalar_set_int(&t, -v);
3600  secp256k1_scalar_negate(&t, &t);
3601  }
3602  secp256k1_scalar_add(&x, &x, &t);
3603  }
3604  /* If skew is 1 then add 1 to num */
3605  secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
3606  CHECK(secp256k1_scalar_eq(&x, &num));
3607 }
3608 
3609 /* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
3610  * rest is 0.*/
3611 void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
3612  int i;
3613  for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
3614  CHECK(wnaf[i] == 0);
3615  }
3616  for (i = 7; i >= 0; --i) {
3617  CHECK(wnaf[i] == wnaf_expected[i]);
3618  }
3619 }
3620 
3621 void test_fixed_wnaf_small(void) {
3622  int w = 4;
3623  int wnaf[256] = {0};
3624  int i;
3625  int skew;
3626  secp256k1_scalar num;
3627 
3628  secp256k1_scalar_set_int(&num, 0);
3629  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3630  for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3631  int v = wnaf[i];
3632  CHECK(v == 0);
3633  }
3634  CHECK(skew == 0);
3635 
3636  secp256k1_scalar_set_int(&num, 1);
3637  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3638  for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
3639  int v = wnaf[i];
3640  CHECK(v == 0);
3641  }
3642  CHECK(wnaf[0] == 1);
3643  CHECK(skew == 0);
3644 
3645  {
3646  int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
3647  secp256k1_scalar_set_int(&num, 0xffffffff);
3648  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3649  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3650  CHECK(skew == 0);
3651  }
3652  {
3653  int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
3654  secp256k1_scalar_set_int(&num, 0xeeeeeeee);
3655  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3656  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3657  CHECK(skew == 1);
3658  }
3659  {
3660  int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
3661  secp256k1_scalar_set_int(&num, 0x01010101);
3662  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3663  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3664  CHECK(skew == 0);
3665  }
3666  {
3667  int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
3668  secp256k1_scalar_set_int(&num, 0x01ef1ef1);
3669  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3670  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3671  CHECK(skew == 0);
3672  }
3673 }
3674 
3675 void run_wnaf(void) {
3676  int i;
3677  secp256k1_scalar n = {{0}};
3678 
3679  test_constant_wnaf(&n, 4);
3680  /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
3681  * have easier-to-diagnose failure modes */
3682  n.d[0] = 1;
3683  test_constant_wnaf(&n, 4);
3684  n.d[0] = 2;
3685  test_constant_wnaf(&n, 4);
3686  /* Test -1, because it's a special case in wnaf_const */
3687  n = secp256k1_scalar_one;
3688  secp256k1_scalar_negate(&n, &n);
3689  test_constant_wnaf(&n, 4);
3690 
3691  /* Test -2, which may not lead to overflows in wnaf_const */
3692  secp256k1_scalar_add(&n, &secp256k1_scalar_one, &secp256k1_scalar_one);
3693  secp256k1_scalar_negate(&n, &n);
3694  test_constant_wnaf(&n, 4);
3695 
3696  /* Test (1/2) - 1 = 1/-2 and 1/2 = (1/-2) + 1
3697  as corner cases of negation handling in wnaf_const */
3698  secp256k1_scalar_inverse(&n, &n);
3699  test_constant_wnaf(&n, 4);
3700 
3701  secp256k1_scalar_add(&n, &n, &secp256k1_scalar_one);
3702  test_constant_wnaf(&n, 4);
3703 
3704  /* Test 0 for fixed wnaf */
3705  test_fixed_wnaf_small();
3706  /* Random tests */
3707  for (i = 0; i < count; i++) {
3708  random_scalar_order(&n);
3709  test_wnaf(&n, 4+(i%10));
3710  test_constant_wnaf_negate(&n);
3711  test_constant_wnaf(&n, 4 + (i % 10));
3712  test_fixed_wnaf(&n, 4 + (i % 10));
3713  }
3714  secp256k1_scalar_set_int(&n, 0);
3715  CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
3716  CHECK(secp256k1_scalar_is_zero(&n));
3717  CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
3718  CHECK(secp256k1_scalar_is_zero(&n));
3719 }
3720 
3721 void test_ecmult_constants(void) {
3722  /* Test ecmult_gen() for [0..36) and [order-36..0). */
3723  secp256k1_scalar x;
3724  secp256k1_gej r;
3725  secp256k1_ge ng;
3726  int i;
3727  int j;
3728  secp256k1_ge_neg(&ng, &secp256k1_ge_const_g);
3729  for (i = 0; i < 36; i++ ) {
3730  secp256k1_scalar_set_int(&x, i);
3731  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3732  for (j = 0; j < i; j++) {
3733  if (j == i - 1) {
3734  ge_equals_gej(&secp256k1_ge_const_g, &r);
3735  }
3736  secp256k1_gej_add_ge(&r, &r, &ng);
3737  }
3738  CHECK(secp256k1_gej_is_infinity(&r));
3739  }
3740  for (i = 1; i <= 36; i++ ) {
3741  secp256k1_scalar_set_int(&x, i);
3742  secp256k1_scalar_negate(&x, &x);
3743  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3744  for (j = 0; j < i; j++) {
3745  if (j == i - 1) {
3746  ge_equals_gej(&ng, &r);
3747  }
3748  secp256k1_gej_add_ge(&r, &r, &secp256k1_ge_const_g);
3749  }
3750  CHECK(secp256k1_gej_is_infinity(&r));
3751  }
3752 }
3753 
3754 void run_ecmult_constants(void) {
3755  test_ecmult_constants();
3756 }
3757 
3758 void test_ecmult_gen_blind(void) {
3759  /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
3760  secp256k1_scalar key;
3761  secp256k1_scalar b;
3762  unsigned char seed32[32];
3763  secp256k1_gej pgej;
3764  secp256k1_gej pgej2;
3765  secp256k1_gej i;
3766  secp256k1_ge pge;
3767  random_scalar_order_test(&key);
3768  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
3769  secp256k1_testrand256(seed32);
3770  b = ctx->ecmult_gen_ctx.blind;
3771  i = ctx->ecmult_gen_ctx.initial;
3772  secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
3773  CHECK(!secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3774  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
3775  CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
3776  CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial));
3777  secp256k1_ge_set_gej(&pge, &pgej);
3778  ge_equals_gej(&pge, &pgej2);
3779 }
3780 
3781 void test_ecmult_gen_blind_reset(void) {
3782  /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
3783  secp256k1_scalar b;
3784  secp256k1_gej initial;
3785  secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3786  b = ctx->ecmult_gen_ctx.blind;
3787  initial = ctx->ecmult_gen_ctx.initial;
3788  secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3789  CHECK(secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3790  CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial));
3791 }
3792 
3793 void run_ecmult_gen_blind(void) {
3794  int i;
3795  test_ecmult_gen_blind_reset();
3796  for (i = 0; i < 10; i++) {
3797  test_ecmult_gen_blind();
3798  }
3799 }
3800 
3801 /***** ENDOMORPHISH TESTS *****/
3802 void test_scalar_split(const secp256k1_scalar* full) {
3803  secp256k1_scalar s, s1, slam;
3804  const unsigned char zero[32] = {0};
3805  unsigned char tmp[32];
3806 
3807  secp256k1_scalar_split_lambda(&s1, &slam, full);
3808 
3809  /* check slam*lambda + s1 == full */
3810  secp256k1_scalar_mul(&s, &secp256k1_const_lambda, &slam);
3811  secp256k1_scalar_add(&s, &s, &s1);
3812  CHECK(secp256k1_scalar_eq(&s, full));
3813 
3814  /* check that both are <= 128 bits in size */
3815  if (secp256k1_scalar_is_high(&s1)) {
3816  secp256k1_scalar_negate(&s1, &s1);
3817  }
3818  if (secp256k1_scalar_is_high(&slam)) {
3819  secp256k1_scalar_negate(&slam, &slam);
3820  }
3821 
3822  secp256k1_scalar_get_b32(tmp, &s1);
3823  CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
3824  secp256k1_scalar_get_b32(tmp, &slam);
3825  CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
3826 }
3827 
3828 
3829 void run_endomorphism_tests(void) {
3830  unsigned i;
3831  static secp256k1_scalar s;
3832  test_scalar_split(&secp256k1_scalar_zero);
3833  test_scalar_split(&secp256k1_scalar_one);
3834  secp256k1_scalar_negate(&s,&secp256k1_scalar_one);
3835  test_scalar_split(&s);
3836  test_scalar_split(&secp256k1_const_lambda);
3837  secp256k1_scalar_add(&s, &secp256k1_const_lambda, &secp256k1_scalar_one);
3838  test_scalar_split(&s);
3839 
3840  for (i = 0; i < 100U * count; ++i) {
3841  secp256k1_scalar full;
3842  random_scalar_order_test(&full);
3843  test_scalar_split(&full);
3844  }
3845  for (i = 0; i < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++i) {
3846  test_scalar_split(&scalars_near_split_bounds[i]);
3847  }
3848 }
3849 
3850 void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
3851  unsigned char pubkeyc[65];
3852  secp256k1_pubkey pubkey;
3853  secp256k1_ge ge;
3854  size_t pubkeyclen;
3855  int32_t ecount;
3856  ecount = 0;
3857  secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3858  for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
3859  /* Smaller sizes are tested exhaustively elsewhere. */
3860  int32_t i;
3861  memcpy(&pubkeyc[1], input, 64);
3862  VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
3863  for (i = 0; i < 256; i++) {
3864  /* Try all type bytes. */
3865  int xpass;
3866  int ypass;
3867  int ysign;
3868  pubkeyc[0] = i;
3869  /* What sign does this point have? */
3870  ysign = (input[63] & 1) + 2;
3871  /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
3872  xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
3873  /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
3874  ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
3875  ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
3876  if (xpass || ypass) {
3877  /* These cases must parse. */
3878  unsigned char pubkeyo[65];
3879  size_t outl;
3880  memset(&pubkey, 0, sizeof(pubkey));
3881  VG_UNDEF(&pubkey, sizeof(pubkey));
3882  ecount = 0;
3883  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
3884  VG_CHECK(&pubkey, sizeof(pubkey));
3885  outl = 65;
3886  VG_UNDEF(pubkeyo, 65);
3887  CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3888  VG_CHECK(pubkeyo, outl);
3889  CHECK(outl == 33);
3890  CHECK(secp256k1_memcmp_var(&pubkeyo[1], &pubkeyc[1], 32) == 0);
3891  CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
3892  if (ypass) {
3893  /* This test isn't always done because we decode with alternative signs, so the y won't match. */
3894  CHECK(pubkeyo[0] == ysign);
3895  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3896  memset(&pubkey, 0, sizeof(pubkey));
3897  VG_UNDEF(&pubkey, sizeof(pubkey));
3898  secp256k1_pubkey_save(&pubkey, &ge);
3899  VG_CHECK(&pubkey, sizeof(pubkey));
3900  outl = 65;
3901  VG_UNDEF(pubkeyo, 65);
3902  CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3903  VG_CHECK(pubkeyo, outl);
3904  CHECK(outl == 65);
3905  CHECK(pubkeyo[0] == 4);
3906  CHECK(secp256k1_memcmp_var(&pubkeyo[1], input, 64) == 0);
3907  }
3908  CHECK(ecount == 0);
3909  } else {
3910  /* These cases must fail to parse. */
3911  memset(&pubkey, 0xfe, sizeof(pubkey));
3912  ecount = 0;
3913  VG_UNDEF(&pubkey, sizeof(pubkey));
3914  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
3915  VG_CHECK(&pubkey, sizeof(pubkey));
3916  CHECK(ecount == 0);
3917  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3918  CHECK(ecount == 1);
3919  }
3920  }
3921  }
3922  secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3923 }
3924 
3925 void run_ec_pubkey_parse_test(void) {
3926 #define SECP256K1_EC_PARSE_TEST_NVALID (12)
3927  const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
3928  {
3929  /* Point with leading and trailing zeros in x and y serialization. */
3930  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
3931  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3932  0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
3933  0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
3934  },
3935  {
3936  /* Point with x equal to a 3rd root of unity.*/
3937  0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
3938  0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
3939  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3940  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3941  },
3942  {
3943  /* Point with largest x. (1/2) */
3944  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3945  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3946  0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
3947  0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
3948  },
3949  {
3950  /* Point with largest x. (2/2) */
3951  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3952  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3953  0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
3954  0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
3955  },
3956  {
3957  /* Point with smallest x. (1/2) */
3958  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3959  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3960  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3961  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3962  },
3963  {
3964  /* Point with smallest x. (2/2) */
3965  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3966  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3967  0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3968  0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3969  },
3970  {
3971  /* Point with largest y. (1/3) */
3972  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3973  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3974  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3975  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3976  },
3977  {
3978  /* Point with largest y. (2/3) */
3979  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3980  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3981  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3982  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3983  },
3984  {
3985  /* Point with largest y. (3/3) */
3986  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3987  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3988  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3989  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3990  },
3991  {
3992  /* Point with smallest y. (1/3) */
3993  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3994  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3995  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3996  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3997  },
3998  {
3999  /* Point with smallest y. (2/3) */
4000  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
4001  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
4002  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4003  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4004  },
4005  {
4006  /* Point with smallest y. (3/3) */
4007  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
4008  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
4009  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4010  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
4011  }
4012  };
4013 #define SECP256K1_EC_PARSE_TEST_NXVALID (4)
4014  const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
4015  {
4016  /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
4017  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
4018  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
4019  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4020  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
4021  },
4022  {
4023  /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
4024  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
4025  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
4026  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4027  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
4028  },
4029  {
4030  /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
4031  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
4032  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
4033  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4034  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
4035  },
4036  {
4037  /* x on curve, y is from y^2 = x^3 + 8. */
4038  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4039  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4040  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4041  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
4042  }
4043  };
4044 #define SECP256K1_EC_PARSE_TEST_NINVALID (7)
4045  const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
4046  {
4047  /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
4048  0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
4049  0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
4050  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4051  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4052  },
4053  {
4054  /* Valid if x overflow ignored (x = 1 mod p). */
4055  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4056  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
4057  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
4058  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
4059  },
4060  {
4061  /* Valid if x overflow ignored (x = 1 mod p). */
4062  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4063  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
4064  0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
4065  0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
4066  },
4067  {
4068  /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
4069  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4070  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
4071  0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
4072  0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
4073  },
4074  {
4075  /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
4076  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4077  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
4078  0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
4079  0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
4080  },
4081  {
4082  /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
4083  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4084  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4085  0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
4086  0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
4087  },
4088  {
4089  /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
4090  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4091  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4092  0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
4093  0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
4094  }
4095  };
4096  const unsigned char pubkeyc[66] = {
4097  /* Serialization of G. */
4098  0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
4099  0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
4100  0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
4101  0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
4102  0xB8, 0x00
4103  };
4104  unsigned char sout[65];
4105  unsigned char shortkey[2];
4106  secp256k1_ge ge;
4107  secp256k1_pubkey pubkey;
4108  size_t len;
4109  int32_t i;
4110  int32_t ecount;
4111  int32_t ecount2;
4112  ecount = 0;
4113  /* Nothing should be reading this far into pubkeyc. */
4114  VG_UNDEF(&pubkeyc[65], 1);
4115  secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
4116  /* Zero length claimed, fail, zeroize, no illegal arg error. */
4117  memset(&pubkey, 0xfe, sizeof(pubkey));
4118  ecount = 0;
4119  VG_UNDEF(shortkey, 2);
4120  VG_UNDEF(&pubkey, sizeof(pubkey));
4121  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
4122  VG_CHECK(&pubkey, sizeof(pubkey));
4123  CHECK(ecount == 0);
4124  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4125  CHECK(ecount == 1);
4126  /* Length one claimed, fail, zeroize, no illegal arg error. */
4127  for (i = 0; i < 256 ; i++) {
4128  memset(&pubkey, 0xfe, sizeof(pubkey));
4129  ecount = 0;
4130  shortkey[0] = i;
4131  VG_UNDEF(&shortkey[1], 1);
4132  VG_UNDEF(&pubkey, sizeof(pubkey));
4133  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
4134  VG_CHECK(&pubkey, sizeof(pubkey));
4135  CHECK(ecount == 0);
4136  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4137  CHECK(ecount == 1);
4138  }
4139  /* Length two claimed, fail, zeroize, no illegal arg error. */
4140  for (i = 0; i < 65536 ; i++) {
4141  memset(&pubkey, 0xfe, sizeof(pubkey));
4142  ecount = 0;
4143  shortkey[0] = i & 255;
4144  shortkey[1] = i >> 8;
4145  VG_UNDEF(&pubkey, sizeof(pubkey));
4146  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
4147  VG_CHECK(&pubkey, sizeof(pubkey));
4148  CHECK(ecount == 0);
4149  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4150  CHECK(ecount == 1);
4151  }
4152  memset(&pubkey, 0xfe, sizeof(pubkey));
4153  ecount = 0;
4154  VG_UNDEF(&pubkey, sizeof(pubkey));
4155  /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
4156  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
4157  VG_CHECK(&pubkey, sizeof(pubkey));
4158  CHECK(ecount == 0);
4159  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4160  CHECK(ecount == 1);
4161  /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
4162  CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
4163  CHECK(ecount == 2);
4164  /* NULL input string. Illegal arg and zeroize output. */
4165  memset(&pubkey, 0xfe, sizeof(pubkey));
4166  ecount = 0;
4167  VG_UNDEF(&pubkey, sizeof(pubkey));
4168  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
4169  VG_CHECK(&pubkey, sizeof(pubkey));
4170  CHECK(ecount == 1);
4171  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4172  CHECK(ecount == 2);
4173  /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
4174  memset(&pubkey, 0xfe, sizeof(pubkey));
4175  ecount = 0;
4176  VG_UNDEF(&pubkey, sizeof(pubkey));
4177  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
4178  VG_CHECK(&pubkey, sizeof(pubkey));
4179  CHECK(ecount == 0);
4180  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4181  CHECK(ecount == 1);
4182  /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
4183  memset(&pubkey, 0xfe, sizeof(pubkey));
4184  ecount = 0;
4185  VG_UNDEF(&pubkey, sizeof(pubkey));
4186  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
4187  VG_CHECK(&pubkey, sizeof(pubkey));
4188  CHECK(ecount == 0);
4189  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4190  CHECK(ecount == 1);
4191  /* Valid parse. */
4192  memset(&pubkey, 0, sizeof(pubkey));
4193  ecount = 0;
4194  VG_UNDEF(&pubkey, sizeof(pubkey));
4195  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
4196  CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_no_precomp, &pubkey, pubkeyc, 65) == 1);
4197  VG_CHECK(&pubkey, sizeof(pubkey));
4198  CHECK(ecount == 0);
4199  VG_UNDEF(&ge, sizeof(ge));
4200  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
4201  VG_CHECK(&ge.x, sizeof(ge.x));
4202  VG_CHECK(&ge.y, sizeof(ge.y));
4203  VG_CHECK(&ge.infinity, sizeof(ge.infinity));
4204  ge_equals_ge(&secp256k1_ge_const_g, &ge);
4205  CHECK(ecount == 0);
4206  /* secp256k1_ec_pubkey_serialize illegal args. */
4207  ecount = 0;
4208  len = 65;
4209  CHECK(secp256k1_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
4210  CHECK(ecount == 1);
4211  CHECK(len == 0);
4212  CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
4213  CHECK(ecount == 2);
4214  len = 65;
4215  VG_UNDEF(sout, 65);
4216  CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0);
4217  VG_CHECK(sout, 65);
4218  CHECK(ecount == 3);
4219  CHECK(len == 0);
4220  len = 65;
4221  CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
4222  CHECK(ecount == 4);
4223  CHECK(len == 0);
4224  len = 65;
4225  VG_UNDEF(sout, 65);
4226  CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
4227  VG_CHECK(sout, 65);
4228  CHECK(ecount == 4);
4229  CHECK(len == 65);
4230  /* Multiple illegal args. Should still set arg error only once. */
4231  ecount = 0;
4232  ecount2 = 11;
4233  CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
4234  CHECK(ecount == 1);
4235  /* Does the illegal arg callback actually change the behavior? */
4236  secp256k1_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2);
4237  CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
4238  CHECK(ecount == 1);
4239  CHECK(ecount2 == 10);
4240  secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4241  /* Try a bunch of prefabbed points with all possible encodings. */
4242  for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
4243  ec_pubkey_parse_pointtest(valid[i], 1, 1);
4244  }
4245  for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
4246  ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
4247  }
4248  for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
4249  ec_pubkey_parse_pointtest(invalid[i], 0, 0);
4250  }
4251 }
4252 
4253 void run_eckey_edge_case_test(void) {
4254  const unsigned char orderc[32] = {
4255  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4256  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4257  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4258  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
4259  };
4260  const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
4261  unsigned char ctmp[33];
4262  unsigned char ctmp2[33];
4263  secp256k1_pubkey pubkey;
4264  secp256k1_pubkey pubkey2;
4265  secp256k1_pubkey pubkey_one;
4266  secp256k1_pubkey pubkey_negone;
4267  const secp256k1_pubkey *pubkeys[3];
4268  size_t len;
4269  int32_t ecount;
4270  /* Group order is too large, reject. */
4271  CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0);
4272  VG_UNDEF(&pubkey, sizeof(pubkey));
4273  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0);
4274  VG_CHECK(&pubkey, sizeof(pubkey));
4275  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4276  /* Maximum value is too large, reject. */
4277  memset(ctmp, 255, 32);
4278  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
4279  memset(&pubkey, 1, sizeof(pubkey));
4280  VG_UNDEF(&pubkey, sizeof(pubkey));
4281  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
4282  VG_CHECK(&pubkey, sizeof(pubkey));
4283  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4284  /* Zero is too small, reject. */
4285  memset(ctmp, 0, 32);
4286  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
4287  memset(&pubkey, 1, sizeof(pubkey));
4288  VG_UNDEF(&pubkey, sizeof(pubkey));
4289  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
4290  VG_CHECK(&pubkey, sizeof(pubkey));
4291  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4292  /* One must be accepted. */
4293  ctmp[31] = 0x01;
4294  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
4295  memset(&pubkey, 0, sizeof(pubkey));
4296  VG_UNDEF(&pubkey, sizeof(pubkey));
4297  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
4298  VG_CHECK(&pubkey, sizeof(pubkey));
4299  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4300  pubkey_one = pubkey;
4301  /* Group order + 1 is too large, reject. */
4302  memcpy(ctmp, orderc, 32);
4303  ctmp[31] = 0x42;
4304  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
4305  memset(&pubkey, 1, sizeof(pubkey));
4306  VG_UNDEF(&pubkey, sizeof(pubkey));
4307  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
4308  VG_CHECK(&pubkey, sizeof(pubkey));
4309  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4310  /* -1 must be accepted. */
4311  ctmp[31] = 0x40;
4312  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
4313  memset(&pubkey, 0, sizeof(pubkey));
4314  VG_UNDEF(&pubkey, sizeof(pubkey));
4315  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
4316  VG_CHECK(&pubkey, sizeof(pubkey));
4317  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4318  pubkey_negone = pubkey;
4319  /* Tweak of zero leaves the value unchanged. */
4320  memset(ctmp2, 0, 32);
4321  CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 1);
4322  CHECK(secp256k1_memcmp_var(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
4323  memcpy(&pubkey2, &pubkey, sizeof(pubkey));
4324  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
4325  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4326  /* Multiply tweak of zero zeroizes the output. */
4327  CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0);
4328  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4329  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
4330  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4331  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4332  /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
4333  seckey, the seckey is zeroized. */
4334  memcpy(ctmp, orderc, 32);
4335  memset(ctmp2, 0, 32);
4336  ctmp2[31] = 0x01;
4337  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp2) == 1);
4338  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
4339  CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 0);
4340  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4341  memcpy(ctmp, orderc, 32);
4342  CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0);
4343  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4344  /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
4345  tweak, the seckey is zeroized. */
4346  memcpy(ctmp, orderc, 32);
4347  ctmp[31] = 0x40;
4348  CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, orderc) == 0);
4349  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4350  memcpy(ctmp, orderc, 32);
4351  ctmp[31] = 0x40;
4352  CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, orderc) == 0);
4353  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4354  memcpy(ctmp, orderc, 32);
4355  ctmp[31] = 0x40;
4356  /* If pubkey_tweak_add or pubkey_tweak_mul are called with an overflowing
4357  tweak, the pubkey is zeroized. */
4358  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
4359  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4360  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4361  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
4362  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4363  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4364  /* If the resulting key in secp256k1_ec_seckey_tweak_add and
4365  * secp256k1_ec_pubkey_tweak_add is 0 the functions fail and in the latter
4366  * case the pubkey is zeroized. */
4367  memcpy(ctmp, orderc, 32);
4368  ctmp[31] = 0x40;
4369  memset(ctmp2, 0, 32);
4370  ctmp2[31] = 1;
4371  CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 0);
4372  CHECK(secp256k1_memcmp_var(zeros, ctmp2, 32) == 0);
4373  ctmp2[31] = 1;
4374  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
4375  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4376  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4377  /* Tweak computation wraps and results in a key of 1. */
4378  ctmp2[31] = 2;
4379  CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 1);
4380  CHECK(secp256k1_memcmp_var(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
4381  ctmp2[31] = 2;
4382  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
4383  ctmp2[31] = 1;
4384  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
4385  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4386  /* Tweak mul * 2 = 1+1. */
4387  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
4388  ctmp2[31] = 2;
4389  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
4390  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4391  /* Test argument errors. */
4392  ecount = 0;
4393  secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
4394  CHECK(ecount == 0);
4395  /* Zeroize pubkey on parse error. */
4396  memset(&pubkey, 0, 32);
4397  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
4398  CHECK(ecount == 1);
4399  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4400  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4401  memset(&pubkey2, 0, 32);
4402  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
4403  CHECK(ecount == 2);
4404  CHECK(secp256k1_memcmp_var(&pubkey2, zeros, sizeof(pubkey2)) == 0);
4405  /* Plain argument errors. */
4406  ecount = 0;
4407  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
4408  CHECK(ecount == 0);
4409  CHECK(secp256k1_ec_seckey_verify(ctx, NULL) == 0);
4410  CHECK(ecount == 1);
4411  ecount = 0;
4412  memset(ctmp2, 0, 32);
4413  ctmp2[31] = 4;
4414  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
4415  CHECK(ecount == 1);
4416  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
4417  CHECK(ecount == 2);
4418  ecount = 0;
4419  memset(ctmp2, 0, 32);
4420  ctmp2[31] = 4;
4421  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
4422  CHECK(ecount == 1);
4423  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
4424  CHECK(ecount == 2);
4425  ecount = 0;
4426  memset(ctmp2, 0, 32);
4427  CHECK(secp256k1_ec_seckey_tweak_add(ctx, NULL, ctmp2) == 0);
4428  CHECK(ecount == 1);
4429  CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, NULL) == 0);
4430  CHECK(ecount == 2);
4431  ecount = 0;
4432  memset(ctmp2, 0, 32);
4433  ctmp2[31] = 1;
4434  CHECK(secp256k1_ec_seckey_tweak_mul(ctx, NULL, ctmp2) == 0);
4435  CHECK(ecount == 1);
4436  CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, NULL) == 0);
4437  CHECK(ecount == 2);
4438  ecount = 0;
4439  CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0);
4440  CHECK(ecount == 1);
4441  memset(&pubkey, 1, sizeof(pubkey));
4442  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
4443  CHECK(ecount == 2);
4444  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4445  /* secp256k1_ec_pubkey_combine tests. */
4446  ecount = 0;
4447  pubkeys[0] = &pubkey_one;
4448  VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *));
4449  VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *));
4450  VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *));
4451  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4452  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4453  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
4454  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4455  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4456  CHECK(ecount == 1);
4457  CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
4458  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4459  CHECK(ecount == 2);
4460  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4461  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4462  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
4463  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4464  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4465  CHECK(ecount == 3);
4466  pubkeys[0] = &pubkey_negone;
4467  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4468  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4469  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
4470  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4471  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4472  CHECK(ecount == 3);
4473  len = 33;
4474  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
4475  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
4476  CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
4477  /* Result is infinity. */
4478  pubkeys[0] = &pubkey_one;
4479  pubkeys[1] = &pubkey_negone;
4480  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4481  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4482  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
4483  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4484  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4485  CHECK(ecount == 3);
4486  /* Passes through infinity but comes out one. */
4487  pubkeys[2] = &pubkey_one;
4488  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4489  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4490  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
4491  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4492  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4493  CHECK(ecount == 3);
4494  len = 33;
4495  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
4496  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
4497  CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
4498  /* Adds to two. */
4499  pubkeys[1] = &pubkey_one;
4500  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4501  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4502  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1);
4503  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4504  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4505  CHECK(ecount == 3);
4506  secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4507 }
4508 
4509 void run_eckey_negate_test(void) {
4510  unsigned char seckey[32];
4511  unsigned char seckey_tmp[32];
4512 
4513  random_scalar_order_b32(seckey);
4514  memcpy(seckey_tmp, seckey, 32);
4515 
4516  /* Verify negation changes the key and changes it back */
4517  CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
4518  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) != 0);
4519  CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
4520  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
4521 
4522  /* Check that privkey alias gives same result */
4523  CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
4524  CHECK(secp256k1_ec_privkey_negate(ctx, seckey_tmp) == 1);
4525  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
4526 
4527  /* Negating all 0s fails */
4528  memset(seckey, 0, 32);
4529  memset(seckey_tmp, 0, 32);
4530  CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 0);
4531  /* Check that seckey is not modified */
4532  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
4533 
4534  /* Negating an overflowing seckey fails and the seckey is zeroed. In this
4535  * test, the seckey has 16 random bytes to ensure that ec_seckey_negate
4536  * doesn't just set seckey to a constant value in case of failure. */
4537  random_scalar_order_b32(seckey);
4538  memset(seckey, 0xFF, 16);
4539  memset(seckey_tmp, 0, 32);
4540  CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 0);
4541  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
4542 }
4543 
4544 void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
4545  secp256k1_scalar nonce;
4546  do {
4547  random_scalar_order_test(&nonce);
4548  } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
4549 }
4550 
4551 void test_ecdsa_sign_verify(void) {
4552  secp256k1_gej pubj;
4553  secp256k1_ge pub;
4554  secp256k1_scalar one;
4555  secp256k1_scalar msg, key;
4556  secp256k1_scalar sigr, sigs;
4557  int getrec;
4558  /* Initialize recid to suppress a false positive -Wconditional-uninitialized in clang.
4559  VG_UNDEF ensures that valgrind will still treat the variable as uninitialized. */
4560  int recid = -1; VG_UNDEF(&recid, sizeof(recid));
4561  random_scalar_order_test(&msg);
4562  random_scalar_order_test(&key);
4563  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
4564  secp256k1_ge_set_gej(&pub, &pubj);
4565  getrec = secp256k1_testrand_bits(1);
4566  random_sign(&sigr, &sigs, &key, &msg, getrec?&recid:NULL);
4567  if (getrec) {
4568  CHECK(recid >= 0 && recid < 4);
4569  }
4570  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
4571  secp256k1_scalar_set_int(&one, 1);
4572  secp256k1_scalar_add(&msg, &msg, &one);
4573  CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
4574 }
4575 
4576 void run_ecdsa_sign_verify(void) {
4577  int i;
4578  for (i = 0; i < 10*count; i++) {
4579  test_ecdsa_sign_verify();
4580  }
4581 }
4582 
4584 static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4585  (void)msg32;
4586  (void)key32;
4587  (void)algo16;
4588  memcpy(nonce32, data, 32);
4589  return (counter == 0);
4590 }
4591 
4592 static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4593  /* Dummy nonce generator that has a fatal error on the first counter value. */
4594  if (counter == 0) {
4595  return 0;
4596  }
4597  return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
4598 }
4599 
4600 static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4601  /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
4602  if (counter < 3) {
4603  memset(nonce32, counter==0 ? 0 : 255, 32);
4604  if (counter == 2) {
4605  nonce32[31]--;
4606  }
4607  return 1;
4608  }
4609  if (counter < 5) {
4610  static const unsigned char order[] = {
4611  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4612  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4613  0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4614  0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
4615  };
4616  memcpy(nonce32, order, 32);
4617  if (counter == 4) {
4618  nonce32[31]++;
4619  }
4620  return 1;
4621  }
4622  /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
4623  /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
4624  if (counter > 5) {
4625  return 0;
4626  }
4627  return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
4628 }
4629 
4630 int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
4631  static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
4632  return secp256k1_memcmp_var(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
4633 }
4634 
4635 void test_ecdsa_end_to_end(void) {
4636  unsigned char extra[32] = {0x00};
4637  unsigned char privkey[32];
4638  unsigned char message[32];
4639  unsigned char privkey2[32];
4640  secp256k1_ecdsa_signature signature[6];
4641  secp256k1_scalar r, s;
4642  unsigned char sig[74];
4643  size_t siglen = 74;
4644  unsigned char pubkeyc[65];
4645  size_t pubkeyclen = 65;
4646  secp256k1_pubkey pubkey;
4647  secp256k1_pubkey pubkey_tmp;
4648  unsigned char seckey[300];
4649  size_t seckeylen = 300;
4650 
4651  /* Generate a random key and message. */
4652  {
4653  secp256k1_scalar msg, key;
4654  random_scalar_order_test(&msg);
4655  random_scalar_order_test(&key);
4656  secp256k1_scalar_get_b32(privkey, &key);
4657  secp256k1_scalar_get_b32(message, &msg);
4658  }
4659 
4660  /* Construct and verify corresponding public key. */
4661  CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
4662  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
4663 
4664  /* Verify exporting and importing public key. */
4665  CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, secp256k1_testrand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
4666  memset(&pubkey, 0, sizeof(pubkey));
4667  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
4668 
4669  /* Verify negation changes the key and changes it back */
4670  memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
4671  CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4672  CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
4673  CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4674  CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
4675 
4676  /* Verify private key import and export. */
4677  CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, secp256k1_testrand_bits(1) == 1));
4678  CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1);
4679  CHECK(secp256k1_memcmp_var(privkey, privkey2, 32) == 0);
4680 
4681  /* Optionally tweak the keys using addition. */
4682  if (secp256k1_testrand_int(3) == 0) {
4683  int ret1;
4684  int ret2;
4685  int ret3;
4686  unsigned char rnd[32];
4687  unsigned char privkey_tmp[32];
4688  secp256k1_pubkey pubkey2;
4689  secp256k1_testrand256_test(rnd);
4690  memcpy(privkey_tmp, privkey, 32);
4691  ret1 = secp256k1_ec_seckey_tweak_add(ctx, privkey, rnd);
4692  ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd);
4693  /* Check that privkey alias gives same result */
4694  ret3 = secp256k1_ec_privkey_tweak_add(ctx, privkey_tmp, rnd);
4695  CHECK(ret1 == ret2);
4696  CHECK(ret2 == ret3);
4697  if (ret1 == 0) {
4698  return;
4699  }
4700  CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
4701  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4702  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4703  }
4704 
4705  /* Optionally tweak the keys using multiplication. */
4706  if (secp256k1_testrand_int(3) == 0) {
4707  int ret1;
4708  int ret2;
4709  int ret3;
4710  unsigned char rnd[32];
4711  unsigned char privkey_tmp[32];
4712  secp256k1_pubkey pubkey2;
4713  secp256k1_testrand256_test(rnd);
4714  memcpy(privkey_tmp, privkey, 32);
4715  ret1 = secp256k1_ec_seckey_tweak_mul(ctx, privkey, rnd);
4716  ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd);
4717  /* Check that privkey alias gives same result */
4718  ret3 = secp256k1_ec_privkey_tweak_mul(ctx, privkey_tmp, rnd);
4719  CHECK(ret1 == ret2);
4720  CHECK(ret2 == ret3);
4721  if (ret1 == 0) {
4722  return;
4723  }
4724  CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
4725  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4726  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4727  }
4728 
4729  /* Sign. */
4730  CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
4731  CHECK(secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1);
4732  CHECK(secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1);
4733  extra[31] = 1;
4734  CHECK(secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1);
4735  extra[31] = 0;
4736  extra[0] = 1;
4737  CHECK(secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1);
4738  CHECK(secp256k1_memcmp_var(&signature[0], &signature[4], sizeof(signature[0])) == 0);
4739  CHECK(secp256k1_memcmp_var(&signature[0], &signature[1], sizeof(signature[0])) != 0);
4740  CHECK(secp256k1_memcmp_var(&signature[0], &signature[2], sizeof(signature[0])) != 0);
4741  CHECK(secp256k1_memcmp_var(&signature[0], &signature[3], sizeof(signature[0])) != 0);
4742  CHECK(secp256k1_memcmp_var(&signature[1], &signature[2], sizeof(signature[0])) != 0);
4743  CHECK(secp256k1_memcmp_var(&signature[1], &signature[3], sizeof(signature[0])) != 0);
4744  CHECK(secp256k1_memcmp_var(&signature[2], &signature[3], sizeof(signature[0])) != 0);
4745  /* Verify. */
4746  CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4747  CHECK(secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1);
4748  CHECK(secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1);
4749  CHECK(secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1);
4750  /* Test lower-S form, malleate, verify and fail, test again, malleate again */
4751  CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[0]));
4752  secp256k1_ecdsa_signature_load(ctx, &r, &s, &signature[0]);
4753  secp256k1_scalar_negate(&s, &s);
4754  secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4755  CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0);
4756  CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4757  CHECK(secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4758  CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4759  CHECK(!secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4760  CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4761  secp256k1_scalar_negate(&s, &s);
4762  secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4763  CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4764  CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4765  CHECK(secp256k1_memcmp_var(&signature[5], &signature[0], 64) == 0);
4766 
4767  /* Serialize/parse DER and verify again */
4768  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4769  memset(&signature[0], 0, sizeof(signature[0]));
4770  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1);
4771  CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4772  /* Serialize/destroy/parse DER and verify again. */
4773  siglen = 74;
4774  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4775  sig[secp256k1_testrand_int(siglen)] += 1 + secp256k1_testrand_int(255);
4776  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 ||
4777  secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0);
4778 }
4779 
4780 void test_random_pubkeys(void) {
4781  secp256k1_ge elem;
4782  secp256k1_ge elem2;
4783  unsigned char in[65];
4784  /* Generate some randomly sized pubkeys. */
4785  size_t len = secp256k1_testrand_bits(2) == 0 ? 65 : 33;
4786  if (secp256k1_testrand_bits(2) == 0) {
4787  len = secp256k1_testrand_bits(6);
4788  }
4789  if (len == 65) {
4790  in[0] = secp256k1_testrand_bits(1) ? 4 : (secp256k1_testrand_bits(1) ? 6 : 7);
4791  } else {
4792  in[0] = secp256k1_testrand_bits(1) ? 2 : 3;
4793  }
4794  if (secp256k1_testrand_bits(3) == 0) {
4795  in[0] = secp256k1_testrand_bits(8);
4796  }
4797  if (len > 1) {
4798  secp256k1_testrand256(&in[1]);
4799  }
4800  if (len > 33) {
4801  secp256k1_testrand256(&in[33]);
4802  }
4803  if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
4804  unsigned char out[65];
4805  unsigned char firstb;
4806  int res;
4807  size_t size = len;
4808  firstb = in[0];
4809  /* If the pubkey can be parsed, it should round-trip... */
4810  CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
4811  CHECK(size == len);
4812  CHECK(secp256k1_memcmp_var(&in[1], &out[1], len-1) == 0);
4813  /* ... except for the type of hybrid inputs. */
4814  if ((in[0] != 6) && (in[0] != 7)) {
4815  CHECK(in[0] == out[0]);
4816  }
4817  size = 65;
4818  CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
4819  CHECK(size == 65);
4820  CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
4821  ge_equals_ge(&elem,&elem2);
4822  /* Check that the X9.62 hybrid type is checked. */
4823  in[0] = secp256k1_testrand_bits(1) ? 6 : 7;
4824  res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
4825  if (firstb == 2 || firstb == 3) {
4826  if (in[0] == firstb + 4) {
4827  CHECK(res);
4828  } else {
4829  CHECK(!res);
4830  }
4831  }
4832  if (res) {
4833  ge_equals_ge(&elem,&elem2);
4834  CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
4835  CHECK(secp256k1_memcmp_var(&in[1], &out[1], 64) == 0);
4836  }
4837  }
4838 }
4839 
4840 void run_random_pubkeys(void) {
4841  int i;
4842  for (i = 0; i < 10*count; i++) {
4843  test_random_pubkeys();
4844  }
4845 }
4846 
4847 void run_ecdsa_end_to_end(void) {
4848  int i;
4849  for (i = 0; i < 64*count; i++) {
4850  test_ecdsa_end_to_end();
4851  }
4852 }
4853 
4854 int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
4855  static const unsigned char zeroes[32] = {0};
4856 #ifdef ENABLE_OPENSSL_TESTS
4857  static const unsigned char max_scalar[32] = {
4858  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4859  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4860  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4861  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40
4862  };
4863 #endif
4864 
4865  int ret = 0;
4866 
4867  secp256k1_ecdsa_signature sig_der;
4868  unsigned char roundtrip_der[2048];
4869  unsigned char compact_der[64];
4870  size_t len_der = 2048;
4871  int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
4872 
4873  secp256k1_ecdsa_signature sig_der_lax;
4874  unsigned char roundtrip_der_lax[2048];
4875  unsigned char compact_der_lax[64];
4876  size_t len_der_lax = 2048;
4877  int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
4878 
4879 #ifdef ENABLE_OPENSSL_TESTS
4880  ECDSA_SIG *sig_openssl;
4881  const BIGNUM *r = NULL, *s = NULL;
4882  const unsigned char *sigptr;
4883  unsigned char roundtrip_openssl[2048];
4884  int len_openssl = 2048;
4885  int parsed_openssl, valid_openssl = 0, roundtrips_openssl = 0;
4886 #endif
4887 
4888  parsed_der = secp256k1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen);
4889  if (parsed_der) {
4890  ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0;
4891  valid_der = (secp256k1_memcmp_var(compact_der, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der + 32, zeroes, 32) != 0);
4892  }
4893  if (valid_der) {
4894  ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1;
4895  roundtrips_der = (len_der == siglen) && secp256k1_memcmp_var(roundtrip_der, sig, siglen) == 0;
4896  }
4897 
4898  parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen);
4899  if (parsed_der_lax) {
4900  ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10;
4901  valid_der_lax = (secp256k1_memcmp_var(compact_der_lax, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der_lax + 32, zeroes, 32) != 0);
4902  }
4903  if (valid_der_lax) {
4904  ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
4905  roundtrips_der_lax = (len_der_lax == siglen) && secp256k1_memcmp_var(roundtrip_der_lax, sig, siglen) == 0;
4906  }
4907 
4908  if (certainly_der) {
4909  ret |= (!parsed_der) << 2;
4910  }
4911  if (certainly_not_der) {
4912  ret |= (parsed_der) << 17;
4913  }
4914  if (valid_der) {
4915  ret |= (!roundtrips_der) << 3;
4916  }
4917 
4918  if (valid_der) {
4919  ret |= (!roundtrips_der_lax) << 12;
4920  ret |= (len_der != len_der_lax) << 13;
4921  ret |= ((len_der != len_der_lax) || (secp256k1_memcmp_var(roundtrip_der_lax, roundtrip_der, len_der) != 0)) << 14;
4922  }
4923  ret |= (roundtrips_der != roundtrips_der_lax) << 15;
4924  if (parsed_der) {
4925  ret |= (!parsed_der_lax) << 16;
4926  }
4927 
4928 #ifdef ENABLE_OPENSSL_TESTS
4929  sig_openssl = ECDSA_SIG_new();
4930  sigptr = sig;
4931  parsed_openssl = (d2i_ECDSA_SIG(&sig_openssl, &sigptr, siglen) != NULL);
4932  if (parsed_openssl) {
4933  ECDSA_SIG_get0(sig_openssl, &r, &s);
4934  valid_openssl = !BN_is_negative(r) && !BN_is_negative(s) && BN_num_bits(r) > 0 && BN_num_bits(r) <= 256 && BN_num_bits(s) > 0 && BN_num_bits(s) <= 256;
4935  if (valid_openssl) {
4936  unsigned char tmp[32] = {0};
4937  BN_bn2bin(r, tmp + 32 - BN_num_bytes(r));
4938  valid_openssl = secp256k1_memcmp_var(tmp, max_scalar, 32) < 0;
4939  }
4940  if (valid_openssl) {
4941  unsigned char tmp[32] = {0};
4942  BN_bn2bin(s, tmp + 32 - BN_num_bytes(s));
4943  valid_openssl = secp256k1_memcmp_var(tmp, max_scalar, 32) < 0;
4944  }
4945  }
4946  len_openssl = i2d_ECDSA_SIG(sig_openssl, NULL);
4947  if (len_openssl <= 2048) {
4948  unsigned char *ptr = roundtrip_openssl;
4949  CHECK(i2d_ECDSA_SIG(sig_openssl, &ptr) == len_openssl);
4950  roundtrips_openssl = valid_openssl && ((size_t)len_openssl == siglen) && (secp256k1_memcmp_var(roundtrip_openssl, sig, siglen) == 0);
4951  } else {
4952  len_openssl = 0;
4953  }
4954  ECDSA_SIG_free(sig_openssl);
4955 
4956  ret |= (parsed_der && !parsed_openssl) << 4;
4957  ret |= (valid_der && !valid_openssl) << 5;
4958  ret |= (roundtrips_openssl && !parsed_der) << 6;
4959  ret |= (roundtrips_der != roundtrips_openssl) << 7;
4960  if (roundtrips_openssl) {
4961  ret |= (len_der != (size_t)len_openssl) << 8;
4962  ret |= ((len_der != (size_t)len_openssl) || (secp256k1_memcmp_var(roundtrip_der, roundtrip_openssl, len_der) != 0)) << 9;
4963  }
4964 #endif
4965  return ret;
4966 }
4967 
4968 static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
4969  size_t i;
4970  for (i = 0; i < ptrlen; i++) {
4971  int shift = ptrlen - 1 - i;
4972  if (shift >= 4) {
4973  ptr[i] = 0;
4974  } else {
4975  ptr[i] = (val >> shift) & 0xFF;
4976  }
4977  }
4978 }
4979 
4980 static void damage_array(unsigned char *sig, size_t *len) {
4981  int pos;
4982  int action = secp256k1_testrand_bits(3);
4983  if (action < 1 && *len > 3) {
4984  /* Delete a byte. */
4985  pos = secp256k1_testrand_int(*len);
4986  memmove(sig + pos, sig + pos + 1, *len - pos - 1);
4987  (*len)--;
4988  return;
4989  } else if (action < 2 && *len < 2048) {
4990  /* Insert a byte. */
4991  pos = secp256k1_testrand_int(1 + *len);
4992  memmove(sig + pos + 1, sig + pos, *len - pos);
4993  sig[pos] = secp256k1_testrand_bits(8);
4994  (*len)++;
4995  return;
4996  } else if (action < 4) {
4997  /* Modify a byte. */
4998  sig[secp256k1_testrand_int(*len)] += 1 + secp256k1_testrand_int(255);
4999  return;
5000  } else { /* action < 8 */
5001  /* Modify a bit. */
5002  sig[secp256k1_testrand_int(*len)] ^= 1 << secp256k1_testrand_bits(3);
5003  return;
5004  }
5005 }
5006 
5007 static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
5008  int der;
5009  int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
5010  size_t tlen, elen, glen;
5011  int indet;
5012  int n;
5013 
5014  *len = 0;
5015  der = secp256k1_testrand_bits(2) == 0;
5016  *certainly_der = der;
5017  *certainly_not_der = 0;
5018  indet = der ? 0 : secp256k1_testrand_int(10) == 0;
5019 
5020  for (n = 0; n < 2; n++) {
5021  /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
5022  nlow[n] = der ? 1 : (secp256k1_testrand_bits(3) != 0);
5023  /* The length of the number in bytes (the first byte of which will always be nonzero) */
5024  nlen[n] = nlow[n] ? secp256k1_testrand_int(33) : 32 + secp256k1_testrand_int(200) * secp256k1_testrand_int(8) / 8;
5025  CHECK(nlen[n] <= 232);
5026  /* The top bit of the number. */
5027  nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_testrand_bits(1));
5028  /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
5029  nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_testrand_bits(7) : 1 + secp256k1_testrand_int(127));
5030  /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
5031  nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_testrand_int(3) : secp256k1_testrand_int(300 - nlen[n]) * secp256k1_testrand_int(8) / 8);
5032  if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
5033  *certainly_not_der = 1;
5034  }
5035  CHECK(nlen[n] + nzlen[n] <= 300);
5036  /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
5037  nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
5038  if (!der) {
5039  /* nlenlen[n] max 127 bytes */
5040  int add = secp256k1_testrand_int(127 - nlenlen[n]) * secp256k1_testrand_int(16) * secp256k1_testrand_int(16) / 256;
5041  nlenlen[n] += add;
5042  if (add != 0) {
5043  *certainly_not_der = 1;
5044  }
5045  }
5046  CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
5047  }
5048 
5049  /* The total length of the data to go, so far */
5050  tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
5051  CHECK(tlen <= 856);
5052 
5053  /* The length of the garbage inside the tuple. */
5054  elen = (der || indet) ? 0 : secp256k1_testrand_int(980 - tlen) * secp256k1_testrand_int(8) / 8;
5055  if (elen != 0) {
5056  *certainly_not_der = 1;
5057  }
5058  tlen += elen;
5059  CHECK(tlen <= 980);
5060 
5061  /* The length of the garbage after the end of the tuple. */
5062  glen = der ? 0 : secp256k1_testrand_int(990 - tlen) * secp256k1_testrand_int(8) / 8;
5063  if (glen != 0) {
5064  *certainly_not_der = 1;
5065  }
5066  CHECK(tlen + glen <= 990);
5067 
5068  /* Write the tuple header. */
5069  sig[(*len)++] = 0x30;
5070  if (indet) {
5071  /* Indeterminate length */
5072  sig[(*len)++] = 0x80;
5073  *certainly_not_der = 1;
5074  } else {
5075  int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
5076  if (!der) {
5077  int add = secp256k1_testrand_int(127 - tlenlen) * secp256k1_testrand_int(16) * secp256k1_testrand_int(16) / 256;
5078  tlenlen += add;
5079  if (add != 0) {
5080  *certainly_not_der = 1;
5081  }
5082  }
5083  if (tlenlen == 0) {
5084  /* Short length notation */
5085  sig[(*len)++] = tlen;
5086  } else {
5087  /* Long length notation */
5088  sig[(*len)++] = 128 + tlenlen;
5089  assign_big_endian(sig + *len, tlenlen, tlen);
5090  *len += tlenlen;
5091  }
5092  tlen += tlenlen;
5093  }
5094  tlen += 2;
5095  CHECK(tlen + glen <= 1119);
5096 
5097  for (n = 0; n < 2; n++) {
5098  /* Write the integer header. */
5099  sig[(*len)++] = 0x02;
5100  if (nlenlen[n] == 0) {
5101  /* Short length notation */
5102  sig[(*len)++] = nlen[n] + nzlen[n];
5103  } else {
5104  /* Long length notation. */
5105  sig[(*len)++] = 128 + nlenlen[n];
5106  assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
5107  *len += nlenlen[n];
5108  }
5109  /* Write zero padding */
5110  while (nzlen[n] > 0) {
5111  sig[(*len)++] = 0x00;
5112  nzlen[n]--;
5113  }
5114  if (nlen[n] == 32 && !nlow[n]) {
5115  /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
5116  int i;
5117  for (i = 0; i < 16; i++) {
5118  sig[(*len)++] = 0xFF;
5119  }
5120  nlen[n] -= 16;
5121  }
5122  /* Write first byte of number */
5123  if (nlen[n] > 0) {
5124  sig[(*len)++] = nhbyte[n];
5125  nlen[n]--;
5126  }
5127  /* Generate remaining random bytes of number */
5128  secp256k1_testrand_bytes_test(sig + *len, nlen[n]);
5129  *len += nlen[n];
5130  nlen[n] = 0;
5131  }
5132 
5133  /* Generate random garbage inside tuple. */
5134  secp256k1_testrand_bytes_test(sig + *len, elen);
5135  *len += elen;
5136 
5137  /* Generate end-of-contents bytes. */
5138  if (indet) {
5139  sig[(*len)++] = 0;
5140  sig[(*len)++] = 0;
5141  tlen += 2;
5142  }
5143  CHECK(tlen + glen <= 1121);
5144 
5145  /* Generate random garbage outside tuple. */
5146  secp256k1_testrand_bytes_test(sig + *len, glen);
5147  *len += glen;
5148  tlen += glen;
5149  CHECK(tlen <= 1121);
5150  CHECK(tlen == *len);
5151 }
5152 
5153 void run_ecdsa_der_parse(void) {
5154  int i,j;
5155  for (i = 0; i < 200 * count; i++) {
5156  unsigned char buffer[2048];
5157  size_t buflen = 0;
5158  int certainly_der = 0;
5159  int certainly_not_der = 0;
5160  random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
5161  CHECK(buflen <= 2048);
5162  for (j = 0; j < 16; j++) {
5163  int ret = 0;
5164  if (j > 0) {
5165  damage_array(buffer, &buflen);
5166  /* We don't know anything anymore about the DERness of the result */
5167  certainly_der = 0;
5168  certainly_not_der = 0;
5169  }
5170  ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
5171  if (ret != 0) {
5172  size_t k;
5173  fprintf(stderr, "Failure %x on ", ret);
5174  for (k = 0; k < buflen; k++) {
5175  fprintf(stderr, "%02x ", buffer[k]);
5176  }
5177  fprintf(stderr, "\n");
5178  }
5179  CHECK(ret == 0);
5180  }
5181  }
5182 }
5183 
5184 /* Tests several edge cases. */
5185 void test_ecdsa_edge_cases(void) {
5186  int t;
5187  secp256k1_ecdsa_signature sig;
5188 
5189  /* Test the case where ECDSA recomputes a point that is infinity. */
5190  {
5191  secp256k1_gej keyj;
5192  secp256k1_ge key;
5193  secp256k1_scalar msg;
5194  secp256k1_scalar sr, ss;
5195  secp256k1_scalar_set_int(&ss, 1);
5196  secp256k1_scalar_negate(&ss, &ss);
5197  secp256k1_scalar_inverse(&ss, &ss);
5198  secp256k1_scalar_set_int(&sr, 1);
5199  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr);
5200  secp256k1_ge_set_gej(&key, &keyj);
5201  msg = ss;
5202  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5203  }
5204 
5205  /* Verify signature with r of zero fails. */
5206  {
5207  const unsigned char pubkey_mods_zero[33] = {
5208  0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5209  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5210  0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
5211  0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
5212  0x41
5213  };
5214  secp256k1_ge key;
5215  secp256k1_scalar msg;
5216  secp256k1_scalar sr, ss;
5217  secp256k1_scalar_set_int(&ss, 1);
5218  secp256k1_scalar_set_int(&msg, 0);
5219  secp256k1_scalar_set_int(&sr, 0);
5220  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
5221  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5222  }
5223 
5224  /* Verify signature with s of zero fails. */
5225  {
5226  const unsigned char pubkey[33] = {
5227  0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5228  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5229  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5230  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5231  0x01
5232  };
5233  secp256k1_ge key;
5234  secp256k1_scalar msg;
5235  secp256k1_scalar sr, ss;
5236  secp256k1_scalar_set_int(&ss, 0);
5237  secp256k1_scalar_set_int(&msg, 0);
5238  secp256k1_scalar_set_int(&sr, 1);
5239  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
5240  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5241  }
5242 
5243  /* Verify signature with message 0 passes. */
5244  {
5245  const unsigned char pubkey[33] = {
5246  0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5247  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5248  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5249  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5250  0x02
5251  };
5252  const unsigned char pubkey2[33] = {
5253  0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5254  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5255  0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
5256  0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
5257  0x43
5258  };
5259  secp256k1_ge key;
5260  secp256k1_ge key2;
5261  secp256k1_scalar msg;
5262  secp256k1_scalar sr, ss;
5263  secp256k1_scalar_set_int(&ss, 2);
5264  secp256k1_scalar_set_int(&msg, 0);
5265  secp256k1_scalar_set_int(&sr, 2);
5266  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
5267  CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
5268  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5269  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5270  secp256k1_scalar_negate(&ss, &ss);
5271  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5272  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5273  secp256k1_scalar_set_int(&ss, 1);
5274  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5275  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
5276  }
5277 
5278  /* Verify signature with message 1 passes. */
5279  {
5280  const unsigned char pubkey[33] = {
5281  0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
5282  0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
5283  0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
5284  0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
5285  0x25
5286  };
5287  const unsigned char pubkey2[33] = {
5288  0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
5289  0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
5290  0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
5291  0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
5292  0x62
5293  };
5294  const unsigned char csr[32] = {
5295  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5296  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5297  0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
5298  0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
5299  };
5300  secp256k1_ge key;
5301  secp256k1_ge key2;
5302  secp256k1_scalar msg;
5303  secp256k1_scalar sr, ss;
5304  secp256k1_scalar_set_int(&ss, 1);
5305  secp256k1_scalar_set_int(&msg, 1);
5306  secp256k1_scalar_set_b32(&sr, csr, NULL);
5307  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
5308  CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
5309  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5310  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5311  secp256k1_scalar_negate(&ss, &ss);
5312  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5313  CHECK(secp256k1_ecdsa_sig_verify(&ctx->