Bitcoin Core  0.21.1
P2P Digital Currency
 All Classes Namespaces Files Functions Variables Typedefs Enumerations Enumerator Properties Friends Macros Modules
tests.c
Go to the documentation of this file.
1 /**********************************************************************
2  * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5  **********************************************************************/
6 
7 #if defined HAVE_CONFIG_H
8 #include "libsecp256k1-config.h"
9 #endif
10 
11 #include <stdio.h>
12 #include <stdlib.h>
13 #include <string.h>
14 
15 #include <time.h>
16 
17 #include "secp256k1.c"
18 #include "include/secp256k1.h"
19 #include "include/secp256k1_preallocated.h"
20 #include "testrand_impl.h"
21 
22 #ifdef ENABLE_OPENSSL_TESTS
23 #include "openssl/bn.h"
24 #include "openssl/ec.h"
25 #include "openssl/ecdsa.h"
26 #include "openssl/obj_mac.h"
27 # if OPENSSL_VERSION_NUMBER < 0x10100000L
28 void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {*pr = sig->r; *ps = sig->s;}
29 # endif
30 #endif
31 
32 #include "contrib/lax_der_parsing.c"
33 #include "contrib/lax_der_privatekey_parsing.c"
34 
35 static int count = 64;
36 static secp256k1_context *ctx = NULL;
37 
38 static void counting_illegal_callback_fn(const char* str, void* data) {
39  /* Dummy callback function that just counts. */
40  int32_t *p;
41  (void)str;
42  p = data;
43  (*p)++;
44 }
45 
46 static void uncounting_illegal_callback_fn(const char* str, void* data) {
47  /* Dummy callback function that just counts (backwards). */
48  int32_t *p;
49  (void)str;
50  p = data;
51  (*p)--;
52 }
53 
54 void random_field_element_test(secp256k1_fe *fe) {
55  do {
56  unsigned char b32[32];
57  secp256k1_testrand256_test(b32);
58  if (secp256k1_fe_set_b32(fe, b32)) {
59  break;
60  }
61  } while(1);
62 }
63 
64 void random_field_element_magnitude(secp256k1_fe *fe) {
65  secp256k1_fe zero;
66  int n = secp256k1_testrand_int(9);
67  secp256k1_fe_normalize(fe);
68  if (n == 0) {
69  return;
70  }
71  secp256k1_fe_clear(&zero);
72  secp256k1_fe_negate(&zero, &zero, 0);
73  secp256k1_fe_mul_int(&zero, n - 1);
74  secp256k1_fe_add(fe, &zero);
75 #ifdef VERIFY
76  CHECK(fe->magnitude == n);
77 #endif
78 }
79 
80 void random_group_element_test(secp256k1_ge *ge) {
81  secp256k1_fe fe;
82  do {
83  random_field_element_test(&fe);
84  if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_testrand_bits(1))) {
85  secp256k1_fe_normalize(&ge->y);
86  break;
87  }
88  } while(1);
89  ge->infinity = 0;
90 }
91 
92 void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) {
93  secp256k1_fe z2, z3;
94  do {
95  random_field_element_test(&gej->z);
96  if (!secp256k1_fe_is_zero(&gej->z)) {
97  break;
98  }
99  } while(1);
100  secp256k1_fe_sqr(&z2, &gej->z);
101  secp256k1_fe_mul(&z3, &z2, &gej->z);
102  secp256k1_fe_mul(&gej->x, &ge->x, &z2);
103  secp256k1_fe_mul(&gej->y, &ge->y, &z3);
104  gej->infinity = ge->infinity;
105 }
106 
107 void random_scalar_order_test(secp256k1_scalar *num) {
108  do {
109  unsigned char b32[32];
110  int overflow = 0;
111  secp256k1_testrand256_test(b32);
112  secp256k1_scalar_set_b32(num, b32, &overflow);
113  if (overflow || secp256k1_scalar_is_zero(num)) {
114  continue;
115  }
116  break;
117  } while(1);
118 }
119 
120 void random_scalar_order(secp256k1_scalar *num) {
121  do {
122  unsigned char b32[32];
123  int overflow = 0;
124  secp256k1_testrand256(b32);
125  secp256k1_scalar_set_b32(num, b32, &overflow);
126  if (overflow || secp256k1_scalar_is_zero(num)) {
127  continue;
128  }
129  break;
130  } while(1);
131 }
132 
133 void random_scalar_order_b32(unsigned char *b32) {
134  secp256k1_scalar num;
135  random_scalar_order(&num);
136  secp256k1_scalar_get_b32(b32, &num);
137 }
138 
139 void run_context_tests(int use_prealloc) {
140  secp256k1_pubkey pubkey;
141  secp256k1_pubkey zero_pubkey;
142  secp256k1_ecdsa_signature sig;
143  unsigned char ctmp[32];
144  int32_t ecount;
145  int32_t ecount2;
146  secp256k1_context *none;
147  secp256k1_context *sign;
148  secp256k1_context *vrfy;
149  secp256k1_context *both;
150  void *none_prealloc = NULL;
151  void *sign_prealloc = NULL;
152  void *vrfy_prealloc = NULL;
153  void *both_prealloc = NULL;
154 
155  secp256k1_gej pubj;
156  secp256k1_ge pub;
157  secp256k1_scalar msg, key, nonce;
158  secp256k1_scalar sigr, sigs;
159 
160  if (use_prealloc) {
161  none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
162  sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
163  vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
164  both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
165  CHECK(none_prealloc != NULL);
166  CHECK(sign_prealloc != NULL);
167  CHECK(vrfy_prealloc != NULL);
168  CHECK(both_prealloc != NULL);
169  none = secp256k1_context_preallocated_create(none_prealloc, SECP256K1_CONTEXT_NONE);
170  sign = secp256k1_context_preallocated_create(sign_prealloc, SECP256K1_CONTEXT_SIGN);
171  vrfy = secp256k1_context_preallocated_create(vrfy_prealloc, SECP256K1_CONTEXT_VERIFY);
172  both = secp256k1_context_preallocated_create(both_prealloc, SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
173  } else {
174  none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
175  sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
176  vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
177  both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
178  }
179 
180  memset(&zero_pubkey, 0, sizeof(zero_pubkey));
181 
182  ecount = 0;
183  ecount2 = 10;
184  secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
185  secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2);
186  /* set error callback (to a function that still aborts in case malloc() fails in secp256k1_context_clone() below) */
187  secp256k1_context_set_error_callback(sign, secp256k1_default_illegal_callback_fn, NULL);
188  CHECK(sign->error_callback.fn != vrfy->error_callback.fn);
189  CHECK(sign->error_callback.fn == secp256k1_default_illegal_callback_fn);
190 
191  /* check if sizes for cloning are consistent */
192  CHECK(secp256k1_context_preallocated_clone_size(none) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
193  CHECK(secp256k1_context_preallocated_clone_size(sign) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
194  CHECK(secp256k1_context_preallocated_clone_size(vrfy) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
195  CHECK(secp256k1_context_preallocated_clone_size(both) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
196 
197  /*** clone and destroy all of them to make sure cloning was complete ***/
198  {
199  secp256k1_context *ctx_tmp;
200 
201  if (use_prealloc) {
202  /* clone into a non-preallocated context and then again into a new preallocated one. */
203  ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
204  free(none_prealloc); none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(none_prealloc != NULL);
205  ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, none_prealloc); secp256k1_context_destroy(ctx_tmp);
206 
207  ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
208  free(sign_prealloc); sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(sign_prealloc != NULL);
209  ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, sign_prealloc); secp256k1_context_destroy(ctx_tmp);
210 
211  ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
212  free(vrfy_prealloc); vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(vrfy_prealloc != NULL);
213  ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, vrfy_prealloc); secp256k1_context_destroy(ctx_tmp);
214 
215  ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
216  free(both_prealloc); both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(both_prealloc != NULL);
217  ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, both_prealloc); secp256k1_context_destroy(ctx_tmp);
218  } else {
219  /* clone into a preallocated context and then again into a new non-preallocated one. */
220  void *prealloc_tmp;
221 
222  prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(prealloc_tmp != NULL);
223  ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
224  ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
225  free(prealloc_tmp);
226 
227  prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(prealloc_tmp != NULL);
228  ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
229  ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
230  free(prealloc_tmp);
231 
232  prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
233  ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
234  ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
235  free(prealloc_tmp);
236 
237  prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
238  ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
239  ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
240  free(prealloc_tmp);
241  }
242  }
243 
244  /* Verify that the error callback makes it across the clone. */
245  CHECK(sign->error_callback.fn != vrfy->error_callback.fn);
246  CHECK(sign->error_callback.fn == secp256k1_default_illegal_callback_fn);
247  /* And that it resets back to default. */
248  secp256k1_context_set_error_callback(sign, NULL, NULL);
249  CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
250 
251  /*** attempt to use them ***/
252  random_scalar_order_test(&msg);
253  random_scalar_order_test(&key);
254  secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
255  secp256k1_ge_set_gej(&pub, &pubj);
256 
257  /* Verify context-type checking illegal-argument errors. */
258  memset(ctmp, 1, 32);
259  CHECK(secp256k1_ec_pubkey_create(vrfy, &pubkey, ctmp) == 0);
260  CHECK(ecount == 1);
261  VG_UNDEF(&pubkey, sizeof(pubkey));
262  CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1);
263  VG_CHECK(&pubkey, sizeof(pubkey));
264  CHECK(secp256k1_ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0);
265  CHECK(ecount == 2);
266  VG_UNDEF(&sig, sizeof(sig));
267  CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
268  VG_CHECK(&sig, sizeof(sig));
269  CHECK(ecount2 == 10);
270  CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0);
271  CHECK(ecount2 == 11);
272  CHECK(secp256k1_ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1);
273  CHECK(ecount == 2);
274  CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0);
275  CHECK(ecount2 == 12);
276  CHECK(secp256k1_ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1);
277  CHECK(ecount == 2);
278  CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0);
279  CHECK(ecount2 == 13);
280  CHECK(secp256k1_ec_pubkey_negate(vrfy, &pubkey) == 1);
281  CHECK(ecount == 2);
282  CHECK(secp256k1_ec_pubkey_negate(sign, &pubkey) == 1);
283  CHECK(ecount == 2);
284  CHECK(secp256k1_ec_pubkey_negate(sign, NULL) == 0);
285  CHECK(ecount2 == 14);
286  CHECK(secp256k1_ec_pubkey_negate(vrfy, &zero_pubkey) == 0);
287  CHECK(ecount == 3);
288  CHECK(secp256k1_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1);
289  CHECK(ecount == 3);
290  CHECK(secp256k1_context_randomize(vrfy, ctmp) == 1);
291  CHECK(ecount == 3);
292  CHECK(secp256k1_context_randomize(vrfy, NULL) == 1);
293  CHECK(ecount == 3);
294  CHECK(secp256k1_context_randomize(sign, ctmp) == 1);
295  CHECK(ecount2 == 14);
296  CHECK(secp256k1_context_randomize(sign, NULL) == 1);
297  CHECK(ecount2 == 14);
298  secp256k1_context_set_illegal_callback(vrfy, NULL, NULL);
299  secp256k1_context_set_illegal_callback(sign, NULL, NULL);
300 
301  /* obtain a working nonce */
302  do {
303  random_scalar_order_test(&nonce);
304  } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
305 
306  /* try signing */
307  CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
308  CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
309 
310  /* try verifying */
311  CHECK(secp256k1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg));
312  CHECK(secp256k1_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg));
313 
314  /* cleanup */
315  if (use_prealloc) {
316  secp256k1_context_preallocated_destroy(none);
317  secp256k1_context_preallocated_destroy(sign);
318  secp256k1_context_preallocated_destroy(vrfy);
319  secp256k1_context_preallocated_destroy(both);
320  free(none_prealloc);
321  free(sign_prealloc);
322  free(vrfy_prealloc);
323  free(both_prealloc);
324  } else {
325  secp256k1_context_destroy(none);
326  secp256k1_context_destroy(sign);
327  secp256k1_context_destroy(vrfy);
328  secp256k1_context_destroy(both);
329  }
330  /* Defined as no-op. */
331  secp256k1_context_destroy(NULL);
332  secp256k1_context_preallocated_destroy(NULL);
333 
334 }
335 
336 void run_scratch_tests(void) {
337  const size_t adj_alloc = ((500 + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT;
338 
339  int32_t ecount = 0;
340  size_t checkpoint;
341  size_t checkpoint_2;
342  secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
343  secp256k1_scratch_space *scratch;
344  secp256k1_scratch_space local_scratch;
345 
346  /* Test public API */
347  secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
348  secp256k1_context_set_error_callback(none, counting_illegal_callback_fn, &ecount);
349 
350  scratch = secp256k1_scratch_space_create(none, 1000);
351  CHECK(scratch != NULL);
352  CHECK(ecount == 0);
353 
354  /* Test internal API */
355  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
356  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1));
357  CHECK(scratch->alloc_size == 0);
358  CHECK(scratch->alloc_size % ALIGNMENT == 0);
359 
360  /* Allocating 500 bytes succeeds */
361  checkpoint = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
362  CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
363  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
364  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
365  CHECK(scratch->alloc_size != 0);
366  CHECK(scratch->alloc_size % ALIGNMENT == 0);
367 
368  /* Allocating another 501 bytes fails */
369  CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 501) == NULL);
370  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
371  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
372  CHECK(scratch->alloc_size != 0);
373  CHECK(scratch->alloc_size % ALIGNMENT == 0);
374 
375  /* ...but it succeeds once we apply the checkpoint to undo it */
376  secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
377  CHECK(scratch->alloc_size == 0);
378  CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
379  CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
380  CHECK(scratch->alloc_size != 0);
381 
382  /* try to apply a bad checkpoint */
383  checkpoint_2 = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
384  secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
385  CHECK(ecount == 0);
386  secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint_2); /* checkpoint_2 is after checkpoint */
387  CHECK(ecount == 1);
388  secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, (size_t) -1); /* this is just wildly invalid */
389  CHECK(ecount == 2);
390 
391  /* try to use badly initialized scratch space */
392  secp256k1_scratch_space_destroy(none, scratch);
393  memset(&local_scratch, 0, sizeof(local_scratch));
394  scratch = &local_scratch;
395  CHECK(!secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0));
396  CHECK(ecount == 3);
397  CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) == NULL);
398  CHECK(ecount == 4);
399  secp256k1_scratch_space_destroy(none, scratch);
400  CHECK(ecount == 5);
401 
402  /* Test that large integers do not wrap around in a bad way */
403  scratch = secp256k1_scratch_space_create(none, 1000);
404  /* Try max allocation with a large number of objects. Only makes sense if
405  * ALIGNMENT is greater than 1 because otherwise the objects take no extra
406  * space. */
407  CHECK(ALIGNMENT <= 1 || !secp256k1_scratch_max_allocation(&none->error_callback, scratch, (SIZE_MAX / (ALIGNMENT - 1)) + 1));
408  /* Try allocating SIZE_MAX to test wrap around which only happens if
409  * ALIGNMENT > 1, otherwise it returns NULL anyway because the scratch
410  * space is too small. */
411  CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, SIZE_MAX) == NULL);
412  secp256k1_scratch_space_destroy(none, scratch);
413 
414  /* cleanup */
415  secp256k1_scratch_space_destroy(none, NULL); /* no-op */
416  secp256k1_context_destroy(none);
417 }
418 
419 /***** HASH TESTS *****/
420 
421 void run_sha256_tests(void) {
422  static const char *inputs[8] = {
423  "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
424  "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
425  "For this sample, this 63-byte string will be used as input data",
426  "This is exactly 64 bytes long, not counting the terminating byte"
427  };
428  static const unsigned char outputs[8][32] = {
429  {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
430  {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
431  {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
432  {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
433  {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
434  {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
435  {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
436  {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
437  };
438  int i;
439  for (i = 0; i < 8; i++) {
440  unsigned char out[32];
441  secp256k1_sha256 hasher;
442  secp256k1_sha256_initialize(&hasher);
443  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
444  secp256k1_sha256_finalize(&hasher, out);
445  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
446  if (strlen(inputs[i]) > 0) {
447  int split = secp256k1_testrand_int(strlen(inputs[i]));
448  secp256k1_sha256_initialize(&hasher);
449  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
450  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
451  secp256k1_sha256_finalize(&hasher, out);
452  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
453  }
454  }
455 }
456 
457 void run_hmac_sha256_tests(void) {
458  static const char *keys[6] = {
459  "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
460  "\x4a\x65\x66\x65",
461  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
462  "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
463  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
464  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
465  };
466  static const char *inputs[6] = {
467  "\x48\x69\x20\x54\x68\x65\x72\x65",
468  "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
469  "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
470  "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
471  "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
472  "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
473  };
474  static const unsigned char outputs[6][32] = {
475  {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
476  {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
477  {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
478  {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
479  {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
480  {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
481  };
482  int i;
483  for (i = 0; i < 6; i++) {
484  secp256k1_hmac_sha256 hasher;
485  unsigned char out[32];
486  secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
487  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
488  secp256k1_hmac_sha256_finalize(&hasher, out);
489  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
490  if (strlen(inputs[i]) > 0) {
491  int split = secp256k1_testrand_int(strlen(inputs[i]));
492  secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
493  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
494  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
495  secp256k1_hmac_sha256_finalize(&hasher, out);
496  CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
497  }
498  }
499 }
500 
501 void run_rfc6979_hmac_sha256_tests(void) {
502  static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
503  static const unsigned char out1[3][32] = {
504  {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
505  {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
506  {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
507  };
508 
509  static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
510  static const unsigned char out2[3][32] = {
511  {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
512  {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
513  {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
514  };
515 
516  secp256k1_rfc6979_hmac_sha256 rng;
517  unsigned char out[32];
518  int i;
519 
520  secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
521  for (i = 0; i < 3; i++) {
522  secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
523  CHECK(secp256k1_memcmp_var(out, out1[i], 32) == 0);
524  }
525  secp256k1_rfc6979_hmac_sha256_finalize(&rng);
526 
527  secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
528  for (i = 0; i < 3; i++) {
529  secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
530  CHECK(secp256k1_memcmp_var(out, out1[i], 32) != 0);
531  }
532  secp256k1_rfc6979_hmac_sha256_finalize(&rng);
533 
534  secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
535  for (i = 0; i < 3; i++) {
536  secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
537  CHECK(secp256k1_memcmp_var(out, out2[i], 32) == 0);
538  }
539  secp256k1_rfc6979_hmac_sha256_finalize(&rng);
540 }
541 
542 /***** RANDOM TESTS *****/
543 
544 void test_rand_bits(int rand32, int bits) {
545  /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
546  * get a false negative chance below once in a billion */
547  static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
548  /* We try multiplying the results with various odd numbers, which shouldn't
549  * influence the uniform distribution modulo a power of 2. */
550  static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
551  /* We only select up to 6 bits from the output to analyse */
552  unsigned int usebits = bits > 6 ? 6 : bits;
553  unsigned int maxshift = bits - usebits;
554  /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
555  number, track all observed outcomes, one per bit in a uint64_t. */
556  uint64_t x[6][27] = {{0}};
557  unsigned int i, shift, m;
558  /* Multiply the output of all rand calls with the odd number m, which
559  should not change the uniformity of its distribution. */
560  for (i = 0; i < rounds[usebits]; i++) {
561  uint32_t r = (rand32 ? secp256k1_testrand32() : secp256k1_testrand_bits(bits));
562  CHECK((((uint64_t)r) >> bits) == 0);
563  for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
564  uint32_t rm = r * mults[m];
565  for (shift = 0; shift <= maxshift; shift++) {
566  x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
567  }
568  }
569  }
570  for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
571  for (shift = 0; shift <= maxshift; shift++) {
572  /* Test that the lower usebits bits of x[shift] are 1 */
573  CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
574  }
575  }
576 }
577 
578 /* Subrange must be a whole divisor of range, and at most 64 */
579 void test_rand_int(uint32_t range, uint32_t subrange) {
580  /* (1-1/subrange)^rounds < 1/10^9 */
581  int rounds = (subrange * 2073) / 100;
582  int i;
583  uint64_t x = 0;
584  CHECK((range % subrange) == 0);
585  for (i = 0; i < rounds; i++) {
586  uint32_t r = secp256k1_testrand_int(range);
587  CHECK(r < range);
588  r = r % subrange;
589  x |= (((uint64_t)1) << r);
590  }
591  /* Test that the lower subrange bits of x are 1. */
592  CHECK(((~x) << (64 - subrange)) == 0);
593 }
594 
595 void run_rand_bits(void) {
596  size_t b;
597  test_rand_bits(1, 32);
598  for (b = 1; b <= 32; b++) {
599  test_rand_bits(0, b);
600  }
601 }
602 
603 void run_rand_int(void) {
604  static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
605  static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
606  unsigned int m, s;
607  for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
608  for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
609  test_rand_int(ms[m] * ss[s], ss[s]);
610  }
611  }
612 }
613 
614 /***** NUM TESTS *****/
615 
616 #ifndef USE_NUM_NONE
617 void random_num_negate(secp256k1_num *num) {
618  if (secp256k1_testrand_bits(1)) {
619  secp256k1_num_negate(num);
620  }
621 }
622 
623 void random_num_order_test(secp256k1_num *num) {
624  secp256k1_scalar sc;
625  random_scalar_order_test(&sc);
626  secp256k1_scalar_get_num(num, &sc);
627 }
628 
629 void random_num_order(secp256k1_num *num) {
630  secp256k1_scalar sc;
631  random_scalar_order(&sc);
632  secp256k1_scalar_get_num(num, &sc);
633 }
634 
635 void test_num_negate(void) {
636  secp256k1_num n1;
637  secp256k1_num n2;
638  random_num_order_test(&n1); /* n1 = R */
639  random_num_negate(&n1);
640  secp256k1_num_copy(&n2, &n1); /* n2 = R */
641  secp256k1_num_sub(&n1, &n2, &n1); /* n1 = n2-n1 = 0 */
642  CHECK(secp256k1_num_is_zero(&n1));
643  secp256k1_num_copy(&n1, &n2); /* n1 = R */
644  secp256k1_num_negate(&n1); /* n1 = -R */
645  CHECK(!secp256k1_num_is_zero(&n1));
646  secp256k1_num_add(&n1, &n2, &n1); /* n1 = n2+n1 = 0 */
647  CHECK(secp256k1_num_is_zero(&n1));
648  secp256k1_num_copy(&n1, &n2); /* n1 = R */
649  secp256k1_num_negate(&n1); /* n1 = -R */
650  CHECK(secp256k1_num_is_neg(&n1) != secp256k1_num_is_neg(&n2));
651  secp256k1_num_negate(&n1); /* n1 = R */
652  CHECK(secp256k1_num_eq(&n1, &n2));
653 }
654 
655 void test_num_add_sub(void) {
656  int i;
657  secp256k1_scalar s;
658  secp256k1_num n1;
659  secp256k1_num n2;
660  secp256k1_num n1p2, n2p1, n1m2, n2m1;
661  random_num_order_test(&n1); /* n1 = R1 */
662  if (secp256k1_testrand_bits(1)) {
663  random_num_negate(&n1);
664  }
665  random_num_order_test(&n2); /* n2 = R2 */
666  if (secp256k1_testrand_bits(1)) {
667  random_num_negate(&n2);
668  }
669  secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = R1 + R2 */
670  secp256k1_num_add(&n2p1, &n2, &n1); /* n2p1 = R2 + R1 */
671  secp256k1_num_sub(&n1m2, &n1, &n2); /* n1m2 = R1 - R2 */
672  secp256k1_num_sub(&n2m1, &n2, &n1); /* n2m1 = R2 - R1 */
673  CHECK(secp256k1_num_eq(&n1p2, &n2p1));
674  CHECK(!secp256k1_num_eq(&n1p2, &n1m2));
675  secp256k1_num_negate(&n2m1); /* n2m1 = -R2 + R1 */
676  CHECK(secp256k1_num_eq(&n2m1, &n1m2));
677  CHECK(!secp256k1_num_eq(&n2m1, &n1));
678  secp256k1_num_add(&n2m1, &n2m1, &n2); /* n2m1 = -R2 + R1 + R2 = R1 */
679  CHECK(secp256k1_num_eq(&n2m1, &n1));
680  CHECK(!secp256k1_num_eq(&n2p1, &n1));
681  secp256k1_num_sub(&n2p1, &n2p1, &n2); /* n2p1 = R2 + R1 - R2 = R1 */
682  CHECK(secp256k1_num_eq(&n2p1, &n1));
683 
684  /* check is_one */
685  secp256k1_scalar_set_int(&s, 1);
686  secp256k1_scalar_get_num(&n1, &s);
687  CHECK(secp256k1_num_is_one(&n1));
688  /* check that 2^n + 1 is never 1 */
689  secp256k1_scalar_get_num(&n2, &s);
690  for (i = 0; i < 250; ++i) {
691  secp256k1_num_add(&n1, &n1, &n1); /* n1 *= 2 */
692  secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = n1 + 1 */
693  CHECK(!secp256k1_num_is_one(&n1p2));
694  }
695 }
696 
697 void test_num_mod(void) {
698  int i;
699  secp256k1_scalar s;
700  secp256k1_num order, n;
701 
702  /* check that 0 mod anything is 0 */
703  random_scalar_order_test(&s);
704  secp256k1_scalar_get_num(&order, &s);
705  secp256k1_scalar_set_int(&s, 0);
706  secp256k1_scalar_get_num(&n, &s);
707  secp256k1_num_mod(&n, &order);
708  CHECK(secp256k1_num_is_zero(&n));
709 
710  /* check that anything mod 1 is 0 */
711  secp256k1_scalar_set_int(&s, 1);
712  secp256k1_scalar_get_num(&order, &s);
713  secp256k1_scalar_get_num(&n, &s);
714  secp256k1_num_mod(&n, &order);
715  CHECK(secp256k1_num_is_zero(&n));
716 
717  /* check that increasing the number past 2^256 does not break this */
718  random_scalar_order_test(&s);
719  secp256k1_scalar_get_num(&n, &s);
720  /* multiply by 2^8, which'll test this case with high probability */
721  for (i = 0; i < 8; ++i) {
722  secp256k1_num_add(&n, &n, &n);
723  }
724  secp256k1_num_mod(&n, &order);
725  CHECK(secp256k1_num_is_zero(&n));
726 }
727 
728 void test_num_jacobi(void) {
729  secp256k1_scalar sqr;
730  secp256k1_scalar small;
731  secp256k1_scalar five; /* five is not a quadratic residue */
732  secp256k1_num order, n;
733  int i;
734  /* squares mod 5 are 1, 4 */
735  const int jacobi5[10] = { 0, 1, -1, -1, 1, 0, 1, -1, -1, 1 };
736 
737  /* check some small values with 5 as the order */
738  secp256k1_scalar_set_int(&five, 5);
739  secp256k1_scalar_get_num(&order, &five);
740  for (i = 0; i < 10; ++i) {
741  secp256k1_scalar_set_int(&small, i);
742  secp256k1_scalar_get_num(&n, &small);
743  CHECK(secp256k1_num_jacobi(&n, &order) == jacobi5[i]);
744  }
745 
747  secp256k1_scalar_get_num(&order, &five);
748  /* we first need a scalar which is not a multiple of 5 */
749  do {
750  secp256k1_num fiven;
751  random_scalar_order_test(&sqr);
752  secp256k1_scalar_get_num(&fiven, &five);
753  secp256k1_scalar_get_num(&n, &sqr);
754  secp256k1_num_mod(&n, &fiven);
755  } while (secp256k1_num_is_zero(&n));
756  /* next force it to be a residue. 2 is a nonresidue mod 5 so we can
757  * just multiply by two, i.e. add the number to itself */
758  if (secp256k1_num_jacobi(&n, &order) == -1) {
759  secp256k1_num_add(&n, &n, &n);
760  }
761 
762  /* test residue */
763  CHECK(secp256k1_num_jacobi(&n, &order) == 1);
764  /* test nonresidue */
765  secp256k1_num_add(&n, &n, &n);
766  CHECK(secp256k1_num_jacobi(&n, &order) == -1);
767 
769  secp256k1_scalar_order_get_num(&order);
770  random_scalar_order_test(&sqr);
771  secp256k1_scalar_sqr(&sqr, &sqr);
772  /* test residue */
773  secp256k1_scalar_get_num(&n, &sqr);
774  CHECK(secp256k1_num_jacobi(&n, &order) == 1);
775  /* test nonresidue */
776  secp256k1_scalar_mul(&sqr, &sqr, &five);
777  secp256k1_scalar_get_num(&n, &sqr);
778  CHECK(secp256k1_num_jacobi(&n, &order) == -1);
779  /* test multiple of the order*/
780  CHECK(secp256k1_num_jacobi(&order, &order) == 0);
781 
782  /* check one less than the order */
783  secp256k1_scalar_set_int(&small, 1);
784  secp256k1_scalar_get_num(&n, &small);
785  secp256k1_num_sub(&n, &order, &n);
786  CHECK(secp256k1_num_jacobi(&n, &order) == 1); /* sage confirms this is 1 */
787 }
788 
789 void run_num_smalltests(void) {
790  int i;
791  for (i = 0; i < 100*count; i++) {
792  test_num_negate();
793  test_num_add_sub();
794  test_num_mod();
795  test_num_jacobi();
796  }
797 }
798 #endif
799 
800 /***** SCALAR TESTS *****/
801 
802 void scalar_test(void) {
803  secp256k1_scalar s;
804  secp256k1_scalar s1;
805  secp256k1_scalar s2;
806 #ifndef USE_NUM_NONE
807  secp256k1_num snum, s1num, s2num;
808  secp256k1_num order, half_order;
809 #endif
810  unsigned char c[32];
811 
812  /* Set 's' to a random scalar, with value 'snum'. */
813  random_scalar_order_test(&s);
814 
815  /* Set 's1' to a random scalar, with value 's1num'. */
816  random_scalar_order_test(&s1);
817 
818  /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
819  random_scalar_order_test(&s2);
820  secp256k1_scalar_get_b32(c, &s2);
821 
822 #ifndef USE_NUM_NONE
823  secp256k1_scalar_get_num(&snum, &s);
824  secp256k1_scalar_get_num(&s1num, &s1);
825  secp256k1_scalar_get_num(&s2num, &s2);
826 
827  secp256k1_scalar_order_get_num(&order);
828  half_order = order;
829  secp256k1_num_shift(&half_order, 1);
830 #endif
831 
832  {
833  int i;
834  /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
835  secp256k1_scalar n;
836  secp256k1_scalar_set_int(&n, 0);
837  for (i = 0; i < 256; i += 4) {
838  secp256k1_scalar t;
839  int j;
840  secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
841  for (j = 0; j < 4; j++) {
842  secp256k1_scalar_add(&n, &n, &n);
843  }
844  secp256k1_scalar_add(&n, &n, &t);
845  }
846  CHECK(secp256k1_scalar_eq(&n, &s));
847  }
848 
849  {
850  /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
851  secp256k1_scalar n;
852  int i = 0;
853  secp256k1_scalar_set_int(&n, 0);
854  while (i < 256) {
855  secp256k1_scalar t;
856  int j;
857  int now = secp256k1_testrand_int(15) + 1;
858  if (now + i > 256) {
859  now = 256 - i;
860  }
861  secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
862  for (j = 0; j < now; j++) {
863  secp256k1_scalar_add(&n, &n, &n);
864  }
865  secp256k1_scalar_add(&n, &n, &t);
866  i += now;
867  }
868  CHECK(secp256k1_scalar_eq(&n, &s));
869  }
870 
871 #ifndef USE_NUM_NONE
872  {
873  /* Test that adding the scalars together is equal to adding their numbers together modulo the order. */
874  secp256k1_num rnum;
875  secp256k1_num r2num;
876  secp256k1_scalar r;
877  secp256k1_num_add(&rnum, &snum, &s2num);
878  secp256k1_num_mod(&rnum, &order);
879  secp256k1_scalar_add(&r, &s, &s2);
880  secp256k1_scalar_get_num(&r2num, &r);
881  CHECK(secp256k1_num_eq(&rnum, &r2num));
882  }
883 
884  {
885  /* Test that multiplying the scalars is equal to multiplying their numbers modulo the order. */
886  secp256k1_scalar r;
887  secp256k1_num r2num;
888  secp256k1_num rnum;
889  secp256k1_num_mul(&rnum, &snum, &s2num);
890  secp256k1_num_mod(&rnum, &order);
891  secp256k1_scalar_mul(&r, &s, &s2);
892  secp256k1_scalar_get_num(&r2num, &r);
893  CHECK(secp256k1_num_eq(&rnum, &r2num));
894  /* The result can only be zero if at least one of the factors was zero. */
895  CHECK(secp256k1_scalar_is_zero(&r) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_zero(&s2)));
896  /* The results can only be equal to one of the factors if that factor was zero, or the other factor was one. */
897  CHECK(secp256k1_num_eq(&rnum, &snum) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_one(&s2)));
898  CHECK(secp256k1_num_eq(&rnum, &s2num) == (secp256k1_scalar_is_zero(&s2) || secp256k1_scalar_is_one(&s)));
899  }
900 
901  {
902  secp256k1_scalar neg;
903  secp256k1_num negnum;
904  secp256k1_num negnum2;
905  /* Check that comparison with zero matches comparison with zero on the number. */
906  CHECK(secp256k1_num_is_zero(&snum) == secp256k1_scalar_is_zero(&s));
907  /* Check that comparison with the half order is equal to testing for high scalar. */
908  CHECK(secp256k1_scalar_is_high(&s) == (secp256k1_num_cmp(&snum, &half_order) > 0));
909  secp256k1_scalar_negate(&neg, &s);
910  secp256k1_num_sub(&negnum, &order, &snum);
911  secp256k1_num_mod(&negnum, &order);
912  /* Check that comparison with the half order is equal to testing for high scalar after negation. */
913  CHECK(secp256k1_scalar_is_high(&neg) == (secp256k1_num_cmp(&negnum, &half_order) > 0));
914  /* Negating should change the high property, unless the value was already zero. */
915  CHECK((secp256k1_scalar_is_high(&s) == secp256k1_scalar_is_high(&neg)) == secp256k1_scalar_is_zero(&s));
916  secp256k1_scalar_get_num(&negnum2, &neg);
917  /* Negating a scalar should be equal to (order - n) mod order on the number. */
918  CHECK(secp256k1_num_eq(&negnum, &negnum2));
919  secp256k1_scalar_add(&neg, &neg, &s);
920  /* Adding a number to its negation should result in zero. */
921  CHECK(secp256k1_scalar_is_zero(&neg));
922  secp256k1_scalar_negate(&neg, &neg);
923  /* Negating zero should still result in zero. */
924  CHECK(secp256k1_scalar_is_zero(&neg));
925  }
926 
927  {
928  /* Test secp256k1_scalar_mul_shift_var. */
929  secp256k1_scalar r;
930  secp256k1_num one;
931  secp256k1_num rnum;
932  secp256k1_num rnum2;
933  unsigned char cone[1] = {0x01};
934  unsigned int shift = 256 + secp256k1_testrand_int(257);
935  secp256k1_scalar_mul_shift_var(&r, &s1, &s2, shift);
936  secp256k1_num_mul(&rnum, &s1num, &s2num);
937  secp256k1_num_shift(&rnum, shift - 1);
938  secp256k1_num_set_bin(&one, cone, 1);
939  secp256k1_num_add(&rnum, &rnum, &one);
940  secp256k1_num_shift(&rnum, 1);
941  secp256k1_scalar_get_num(&rnum2, &r);
942  CHECK(secp256k1_num_eq(&rnum, &rnum2));
943  }
944 
945  {
946  /* test secp256k1_scalar_shr_int */
947  secp256k1_scalar r;
948  int i;
949  random_scalar_order_test(&r);
950  for (i = 0; i < 100; ++i) {
951  int low;
952  int shift = 1 + secp256k1_testrand_int(15);
953  int expected = r.d[0] % (1 << shift);
954  low = secp256k1_scalar_shr_int(&r, shift);
955  CHECK(expected == low);
956  }
957  }
958 #endif
959 
960  {
961  /* Test that scalar inverses are equal to the inverse of their number modulo the order. */
962  if (!secp256k1_scalar_is_zero(&s)) {
963  secp256k1_scalar inv;
964 #ifndef USE_NUM_NONE
965  secp256k1_num invnum;
966  secp256k1_num invnum2;
967 #endif
968  secp256k1_scalar_inverse(&inv, &s);
969 #ifndef USE_NUM_NONE
970  secp256k1_num_mod_inverse(&invnum, &snum, &order);
971  secp256k1_scalar_get_num(&invnum2, &inv);
972  CHECK(secp256k1_num_eq(&invnum, &invnum2));
973 #endif
974  secp256k1_scalar_mul(&inv, &inv, &s);
975  /* Multiplying a scalar with its inverse must result in one. */
976  CHECK(secp256k1_scalar_is_one(&inv));
977  secp256k1_scalar_inverse(&inv, &inv);
978  /* Inverting one must result in one. */
979  CHECK(secp256k1_scalar_is_one(&inv));
980 #ifndef USE_NUM_NONE
981  secp256k1_scalar_get_num(&invnum, &inv);
982  CHECK(secp256k1_num_is_one(&invnum));
983 #endif
984  }
985  }
986 
987  {
988  /* Test commutativity of add. */
989  secp256k1_scalar r1, r2;
990  secp256k1_scalar_add(&r1, &s1, &s2);
991  secp256k1_scalar_add(&r2, &s2, &s1);
992  CHECK(secp256k1_scalar_eq(&r1, &r2));
993  }
994 
995  {
996  secp256k1_scalar r1, r2;
997  secp256k1_scalar b;
998  int i;
999  /* Test add_bit. */
1000  int bit = secp256k1_testrand_bits(8);
1001  secp256k1_scalar_set_int(&b, 1);
1002  CHECK(secp256k1_scalar_is_one(&b));
1003  for (i = 0; i < bit; i++) {
1004  secp256k1_scalar_add(&b, &b, &b);
1005  }
1006  r1 = s1;
1007  r2 = s1;
1008  if (!secp256k1_scalar_add(&r1, &r1, &b)) {
1009  /* No overflow happened. */
1010  secp256k1_scalar_cadd_bit(&r2, bit, 1);
1011  CHECK(secp256k1_scalar_eq(&r1, &r2));
1012  /* cadd is a noop when flag is zero */
1013  secp256k1_scalar_cadd_bit(&r2, bit, 0);
1014  CHECK(secp256k1_scalar_eq(&r1, &r2));
1015  }
1016  }
1017 
1018  {
1019  /* Test commutativity of mul. */
1020  secp256k1_scalar r1, r2;
1021  secp256k1_scalar_mul(&r1, &s1, &s2);
1022  secp256k1_scalar_mul(&r2, &s2, &s1);
1023  CHECK(secp256k1_scalar_eq(&r1, &r2));
1024  }
1025 
1026  {
1027  /* Test associativity of add. */
1028  secp256k1_scalar r1, r2;
1029  secp256k1_scalar_add(&r1, &s1, &s2);
1030  secp256k1_scalar_add(&r1, &r1, &s);
1031  secp256k1_scalar_add(&r2, &s2, &s);
1032  secp256k1_scalar_add(&r2, &s1, &r2);
1033  CHECK(secp256k1_scalar_eq(&r1, &r2));
1034  }
1035 
1036  {
1037  /* Test associativity of mul. */
1038  secp256k1_scalar r1, r2;
1039  secp256k1_scalar_mul(&r1, &s1, &s2);
1040  secp256k1_scalar_mul(&r1, &r1, &s);
1041  secp256k1_scalar_mul(&r2, &s2, &s);
1042  secp256k1_scalar_mul(&r2, &s1, &r2);
1043  CHECK(secp256k1_scalar_eq(&r1, &r2));
1044  }
1045 
1046  {
1047  /* Test distributitivity of mul over add. */
1048  secp256k1_scalar r1, r2, t;
1049  secp256k1_scalar_add(&r1, &s1, &s2);
1050  secp256k1_scalar_mul(&r1, &r1, &s);
1051  secp256k1_scalar_mul(&r2, &s1, &s);
1052  secp256k1_scalar_mul(&t, &s2, &s);
1053  secp256k1_scalar_add(&r2, &r2, &t);
1054  CHECK(secp256k1_scalar_eq(&r1, &r2));
1055  }
1056 
1057  {
1058  /* Test square. */
1059  secp256k1_scalar r1, r2;
1060  secp256k1_scalar_sqr(&r1, &s1);
1061  secp256k1_scalar_mul(&r2, &s1, &s1);
1062  CHECK(secp256k1_scalar_eq(&r1, &r2));
1063  }
1064 
1065  {
1066  /* Test multiplicative identity. */
1067  secp256k1_scalar r1, v1;
1068  secp256k1_scalar_set_int(&v1,1);
1069  secp256k1_scalar_mul(&r1, &s1, &v1);
1070  CHECK(secp256k1_scalar_eq(&r1, &s1));
1071  }
1072 
1073  {
1074  /* Test additive identity. */
1075  secp256k1_scalar r1, v0;
1076  secp256k1_scalar_set_int(&v0,0);
1077  secp256k1_scalar_add(&r1, &s1, &v0);
1078  CHECK(secp256k1_scalar_eq(&r1, &s1));
1079  }
1080 
1081  {
1082  /* Test zero product property. */
1083  secp256k1_scalar r1, v0;
1084  secp256k1_scalar_set_int(&v0,0);
1085  secp256k1_scalar_mul(&r1, &s1, &v0);
1086  CHECK(secp256k1_scalar_eq(&r1, &v0));
1087  }
1088 
1089 }
1090 
1091 void run_scalar_set_b32_seckey_tests(void) {
1092  unsigned char b32[32];
1093  secp256k1_scalar s1;
1094  secp256k1_scalar s2;
1095 
1096  /* Usually set_b32 and set_b32_seckey give the same result */
1097  random_scalar_order_b32(b32);
1098  secp256k1_scalar_set_b32(&s1, b32, NULL);
1099  CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 1);
1100  CHECK(secp256k1_scalar_eq(&s1, &s2) == 1);
1101 
1102  memset(b32, 0, sizeof(b32));
1103  CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
1104  memset(b32, 0xFF, sizeof(b32));
1105  CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
1106 }
1107 
1108 void run_scalar_tests(void) {
1109  int i;
1110  for (i = 0; i < 128 * count; i++) {
1111  scalar_test();
1112  }
1113  for (i = 0; i < count; i++) {
1114  run_scalar_set_b32_seckey_tests();
1115  }
1116 
1117  {
1118  /* (-1)+1 should be zero. */
1119  secp256k1_scalar s, o;
1120  secp256k1_scalar_set_int(&s, 1);
1121  CHECK(secp256k1_scalar_is_one(&s));
1122  secp256k1_scalar_negate(&o, &s);
1123  secp256k1_scalar_add(&o, &o, &s);
1124  CHECK(secp256k1_scalar_is_zero(&o));
1125  secp256k1_scalar_negate(&o, &o);
1126  CHECK(secp256k1_scalar_is_zero(&o));
1127  }
1128 
1129 #ifndef USE_NUM_NONE
1130  {
1131  /* Test secp256k1_scalar_set_b32 boundary conditions */
1132  secp256k1_num order;
1133  secp256k1_scalar scalar;
1134  unsigned char bin[32];
1135  unsigned char bin_tmp[32];
1136  int overflow = 0;
1137  /* 2^256-1 - order */
1138  static const secp256k1_scalar all_ones_minus_order = SECP256K1_SCALAR_CONST(
1139  0x00000000UL, 0x00000000UL, 0x00000000UL, 0x00000001UL,
1140  0x45512319UL, 0x50B75FC4UL, 0x402DA173UL, 0x2FC9BEBEUL
1141  );
1142 
1143  /* A scalar set to 0s should be 0. */
1144  memset(bin, 0, 32);
1145  secp256k1_scalar_set_b32(&scalar, bin, &overflow);
1146  CHECK(overflow == 0);
1147  CHECK(secp256k1_scalar_is_zero(&scalar));
1148 
1149  /* A scalar with value of the curve order should be 0. */
1150  secp256k1_scalar_order_get_num(&order);
1151  secp256k1_num_get_bin(bin, 32, &order);
1152  secp256k1_scalar_set_b32(&scalar, bin, &overflow);
1153  CHECK(overflow == 1);
1154  CHECK(secp256k1_scalar_is_zero(&scalar));
1155 
1156  /* A scalar with value of the curve order minus one should not overflow. */
1157  bin[31] -= 1;
1158  secp256k1_scalar_set_b32(&scalar, bin, &overflow);
1159  CHECK(overflow == 0);
1160  secp256k1_scalar_get_b32(bin_tmp, &scalar);
1161  CHECK(secp256k1_memcmp_var(bin, bin_tmp, 32) == 0);
1162 
1163  /* A scalar set to all 1s should overflow. */
1164  memset(bin, 0xFF, 32);
1165  secp256k1_scalar_set_b32(&scalar, bin, &overflow);
1166  CHECK(overflow == 1);
1167  CHECK(secp256k1_scalar_eq(&scalar, &all_ones_minus_order));
1168  }
1169 #endif
1170 
1171  {
1172  /* Does check_overflow check catch all ones? */
1173  static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
1174  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
1175  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
1176  );
1177  CHECK(secp256k1_scalar_check_overflow(&overflowed));
1178  }
1179 
1180  {
1181  /* Static test vectors.
1182  * These were reduced from ~10^12 random vectors based on comparison-decision
1183  * and edge-case coverage on 32-bit and 64-bit implementations.
1184  * The responses were generated with Sage 5.9.
1185  */
1186  secp256k1_scalar x;
1187  secp256k1_scalar y;
1188  secp256k1_scalar z;
1189  secp256k1_scalar zz;
1190  secp256k1_scalar one;
1191  secp256k1_scalar r1;
1192  secp256k1_scalar r2;
1193 #if defined(USE_SCALAR_INV_NUM)
1194  secp256k1_scalar zzv;
1195 #endif
1196  int overflow;
1197  unsigned char chal[33][2][32] = {
1198  {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
1199  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1200  0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
1201  0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
1202  {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
1203  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
1204  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1205  0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
1206  {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
1207  0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
1208  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1209  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1210  {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1211  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
1212  0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1213  0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
1214  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1215  0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
1216  0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
1217  0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
1218  {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
1219  0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
1220  0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
1221  0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
1222  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1223  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1224  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1225  0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
1226  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
1227  0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
1228  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
1229  0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
1230  {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
1231  0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
1232  0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
1233  0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
1234  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
1235  0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1236  0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
1237  0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
1238  {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
1239  0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1240  0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
1241  0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1242  {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1243  0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
1244  0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
1245  0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
1246  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
1247  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1248  0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
1249  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
1250  {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
1251  0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1252  0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
1253  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1254  {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
1255  0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1256  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1257  0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
1258  {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
1259  0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
1260  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1261  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1262  {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1263  0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
1264  0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1265  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1266  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1267  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1268  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1269  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1270  {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1271  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1272  0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
1273  0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
1274  {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1275  0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
1276  0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
1277  0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
1278  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
1279  0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1280  0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1281  0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
1282  {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
1283  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1284  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
1285  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
1286  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1287  0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1288  0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1289  0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1290  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1291  0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
1292  0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
1293  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1294  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1295  0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1296  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1297  0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
1298  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
1299  0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
1300  0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
1301  0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
1302  {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1303  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1304  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1305  0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
1306  {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
1307  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1308  0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
1309  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
1310  {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
1311  0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
1312  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1313  0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1314  {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
1315  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1316  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1317  0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
1318  {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
1319  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1320  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1321  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1322  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1323  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
1324  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1325  0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
1326  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1327  0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1328  0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
1329  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
1330  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1331  0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1332  0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
1333  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1334  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1335  0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1336  0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
1337  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
1338  {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1339  0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
1340  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1341  0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
1342  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1343  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1344  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1345  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1346  {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1347  0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
1348  0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
1349  0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
1350  {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
1351  0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
1352  0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1353  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
1354  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1355  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1356  0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
1357  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
1358  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1359  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1360  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1361  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1362  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1363  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1364  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1365  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
1366  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1367  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1368  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1369  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
1370  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1371  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1372  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1373  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1374  {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1375  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1376  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1377  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1378  {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1379  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1380  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1381  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1382  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
1383  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1384  0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
1385  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
1386  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
1387  0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
1388  0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
1389  0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
1390  {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1391  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1392  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1393  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1394  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1395  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1396  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1397  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
1398  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1399  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1400  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1401  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1402  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1403  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1404  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1405  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1406  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1407  0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
1408  0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
1409  0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1410  {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1411  0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1412  0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
1413  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1414  {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
1415  0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1416  0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1417  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
1418  {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1419  0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
1420  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1421  0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
1422  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1423  0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1424  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1425  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
1426  {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1427  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1428  0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
1429  0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
1430  {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1431  0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
1432  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
1433  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1434  {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
1435  0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
1436  0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1437  0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
1438  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1439  0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1440  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
1441  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1442  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1443  0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
1444  0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
1445  0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
1446  {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
1447  0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
1448  0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1449  0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
1450  {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1451  0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
1452  0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1453  0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
1454  {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1455  0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1456  0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1457  0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
1458  {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1459  0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1460  0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1461  0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
1462  };
1463  unsigned char res[33][2][32] = {
1464  {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
1465  0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
1466  0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
1467  0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
1468  {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
1469  0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
1470  0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
1471  0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
1472  {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
1473  0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
1474  0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
1475  0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
1476  {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
1477  0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
1478  0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
1479  0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
1480  {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
1481  0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
1482  0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
1483  0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
1484  {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
1485  0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
1486  0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
1487  0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
1488  {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
1489  0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
1490  0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
1491  0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
1492  {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
1493  0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
1494  0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
1495  0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
1496  {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
1497  0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
1498  0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
1499  0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
1500  {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
1501  0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
1502  0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
1503  0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
1504  {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
1505  0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
1506  0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
1507  0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
1508  {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
1509  0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
1510  0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
1511  0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
1512  {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
1513  0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
1514  0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
1515  0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
1516  {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
1517  0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
1518  0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
1519  0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
1520  {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
1521  0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
1522  0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
1523  0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
1524  {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
1525  0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
1526  0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
1527  0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
1528  {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
1529  0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
1530  0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
1531  0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
1532  {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
1533  0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
1534  0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
1535  0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
1536  {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
1537  0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
1538  0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
1539  0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
1540  {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
1541  0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
1542  0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
1543  0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
1544  {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
1545  0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
1546  0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
1547  0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
1548  {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
1549  0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
1550  0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
1551  0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
1552  {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
1553  0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
1554  0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
1555  0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
1556  {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
1557  0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
1558  0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
1559  0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
1560  {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
1561  0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
1562  0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
1563  0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
1564  {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
1565  0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
1566  0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
1567  0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
1568  {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
1569  0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
1570  0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
1571  0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
1572  {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
1573  0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
1574  0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
1575  0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
1576  {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
1577  0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
1578  0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
1579  0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
1580  {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
1581  0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
1582  0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
1583  0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
1584  {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
1585  0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
1586  0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
1587  0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
1588  {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
1589  0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
1590  0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
1591  0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
1592  {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
1593  0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
1594  0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
1595  0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
1596  {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
1597  0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
1598  0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
1599  0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
1600  {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
1601  0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
1602  0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
1603  0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
1604  {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
1605  0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
1606  0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
1607  0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
1608  {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
1609  0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
1610  0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
1611  0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
1612  {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
1613  0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
1614  0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
1615  0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
1616  {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
1617  0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
1618  0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
1619  0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
1620  {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
1621  0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
1622  0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
1623  0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
1624  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1625  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1626  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1627  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1628  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1629  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1630  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1631  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1632  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1633  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1634  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1635  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1636  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1637  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1638  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1639  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1640  {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1641  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1642  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1643  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
1644  {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1645  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1646  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1647  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1648  {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
1649  0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
1650  0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
1651  0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
1652  {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
1653  0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
1654  0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
1655  0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
1656  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1657  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1658  0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
1659  0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
1660  {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1661  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1662  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1663  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1664  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1665  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1666  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1667  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1668  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1669  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1670  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1671  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1672  {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
1673  0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
1674  0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
1675  0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
1676  {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
1677  0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
1678  0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
1679  0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
1680  {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
1681  0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
1682  0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
1683  0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
1684  {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
1685  0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
1686  0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
1687  0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
1688  {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
1689  0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
1690  0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
1691  0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
1692  {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
1693  0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
1694  0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
1695  0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
1696  {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
1697  0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
1698  0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
1699  0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
1700  {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
1701  0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
1702  0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
1703  0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
1704  {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
1705  0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
1706  0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
1707  0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
1708  {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
1709  0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
1710  0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
1711  0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
1712  {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
1713  0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
1714  0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
1715  0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
1716  {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
1717  0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
1718  0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
1719  0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
1720  {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1721  0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1722  0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1723  0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
1724  {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1725  0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1726  0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1727  0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
1728  };
1729  secp256k1_scalar_set_int(&one, 1);
1730  for (i = 0; i < 33; i++) {
1731  secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
1732  CHECK(!overflow);
1733  secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
1734  CHECK(!overflow);
1735  secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
1736  CHECK(!overflow);
1737  secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
1738  CHECK(!overflow);
1739  secp256k1_scalar_mul(&z, &x, &y);
1740  CHECK(!secp256k1_scalar_check_overflow(&z));
1741  CHECK(secp256k1_scalar_eq(&r1, &z));
1742  if (!secp256k1_scalar_is_zero(&y)) {
1743  secp256k1_scalar_inverse(&zz, &y);
1744  CHECK(!secp256k1_scalar_check_overflow(&zz));
1745 #if defined(USE_SCALAR_INV_NUM)
1746  secp256k1_scalar_inverse_var(&zzv, &y);
1747  CHECK(secp256k1_scalar_eq(&zzv, &zz));
1748 #endif
1749  secp256k1_scalar_mul(&z, &z, &zz);
1750  CHECK(!secp256k1_scalar_check_overflow(&z));
1751  CHECK(secp256k1_scalar_eq(&x, &z));
1752  secp256k1_scalar_mul(&zz, &zz, &y);
1753  CHECK(!secp256k1_scalar_check_overflow(&zz));
1754  CHECK(secp256k1_scalar_eq(&one, &zz));
1755  }
1756  secp256k1_scalar_mul(&z, &x, &x);
1757  CHECK(!secp256k1_scalar_check_overflow(&z));
1758  secp256k1_scalar_sqr(&zz, &x);
1759  CHECK(!secp256k1_scalar_check_overflow(&zz));
1760  CHECK(secp256k1_scalar_eq(&zz, &z));
1761  CHECK(secp256k1_scalar_eq(&r2, &zz));
1762  }
1763  }
1764 }
1765 
1766 /***** FIELD TESTS *****/
1767 
1768 void random_fe(secp256k1_fe *x) {
1769  unsigned char bin[32];
1770  do {
1771  secp256k1_testrand256(bin);
1772  if (secp256k1_fe_set_b32(x, bin)) {
1773  return;
1774  }
1775  } while(1);
1776 }
1777 
1778 void random_fe_test(secp256k1_fe *x) {
1779  unsigned char bin[32];
1780  do {
1781  secp256k1_testrand256_test(bin);
1782  if (secp256k1_fe_set_b32(x, bin)) {
1783  return;
1784  }
1785  } while(1);
1786 }
1787 
1788 void random_fe_non_zero(secp256k1_fe *nz) {
1789  int tries = 10;
1790  while (--tries >= 0) {
1791  random_fe(nz);
1792  secp256k1_fe_normalize(nz);
1793  if (!secp256k1_fe_is_zero(nz)) {
1794  break;
1795  }
1796  }
1797  /* Infinitesimal probability of spurious failure here */
1798  CHECK(tries >= 0);
1799 }
1800 
1801 void random_fe_non_square(secp256k1_fe *ns) {
1802  secp256k1_fe r;
1803  random_fe_non_zero(ns);
1804  if (secp256k1_fe_sqrt(&r, ns)) {
1805  secp256k1_fe_negate(ns, ns, 1);
1806  }
1807 }
1808 
1809 int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
1810  secp256k1_fe an = *a;
1811  secp256k1_fe bn = *b;
1812  secp256k1_fe_normalize_weak(&an);
1813  secp256k1_fe_normalize_var(&bn);
1814  return secp256k1_fe_equal_var(&an, &bn);
1815 }
1816 
1817 int check_fe_inverse(const secp256k1_fe *a, const secp256k1_fe *ai) {
1818  secp256k1_fe x;
1819  secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
1820  secp256k1_fe_mul(&x, a, ai);
1821  return check_fe_equal(&x, &one);
1822 }
1823 
1824 void run_field_convert(void) {
1825  static const unsigned char b32[32] = {
1826  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1827  0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1828  0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
1829  0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
1830  };
1831  static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
1832  0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1833  0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1834  );
1835  static const secp256k1_fe fe = SECP256K1_FE_CONST(
1836  0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1837  0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1838  );
1839  secp256k1_fe fe2;
1840  unsigned char b322[32];
1841  secp256k1_fe_storage fes2;
1842  /* Check conversions to fe. */
1843  CHECK(secp256k1_fe_set_b32(&fe2, b32));
1844  CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1845  secp256k1_fe_from_storage(&fe2, &fes);
1846  CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1847  /* Check conversion from fe. */
1848  secp256k1_fe_get_b32(b322, &fe);
1849  CHECK(secp256k1_memcmp_var(b322, b32, 32) == 0);
1850  secp256k1_fe_to_storage(&fes2, &fe);
1851  CHECK(secp256k1_memcmp_var(&fes2, &fes, sizeof(fes)) == 0);
1852 }
1853 
1854 int fe_secp256k1_memcmp_var(const secp256k1_fe *a, const secp256k1_fe *b) {
1855  secp256k1_fe t = *b;
1856 #ifdef VERIFY
1857  t.magnitude = a->magnitude;
1858  t.normalized = a->normalized;
1859 #endif
1860  return secp256k1_memcmp_var(a, &t, sizeof(secp256k1_fe));
1861 }
1862 
1863 void run_field_misc(void) {
1864  secp256k1_fe x;
1865  secp256k1_fe y;
1866  secp256k1_fe z;
1867  secp256k1_fe q;
1868  secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
1869  int i, j;
1870  for (i = 0; i < 5*count; i++) {
1871  secp256k1_fe_storage xs, ys, zs;
1872  random_fe(&x);
1873  random_fe_non_zero(&y);
1874  /* Test the fe equality and comparison operations. */
1875  CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
1876  CHECK(secp256k1_fe_equal_var(&x, &x));
1877  z = x;
1878  secp256k1_fe_add(&z,&y);
1879  /* Test fe conditional move; z is not normalized here. */
1880  q = x;
1881  secp256k1_fe_cmov(&x, &z, 0);
1882 #ifdef VERIFY
1883  CHECK(x.normalized && x.magnitude == 1);
1884 #endif
1885  secp256k1_fe_cmov(&x, &x, 1);
1886  CHECK(fe_secp256k1_memcmp_var(&x, &z) != 0);
1887  CHECK(fe_secp256k1_memcmp_var(&x, &q) == 0);
1888  secp256k1_fe_cmov(&q, &z, 1);
1889 #ifdef VERIFY
1890  CHECK(!q.normalized && q.magnitude == z.magnitude);
1891 #endif
1892  CHECK(fe_secp256k1_memcmp_var(&q, &z) == 0);
1893  secp256k1_fe_normalize_var(&x);
1894  secp256k1_fe_normalize_var(&z);
1895  CHECK(!secp256k1_fe_equal_var(&x, &z));
1896  secp256k1_fe_normalize_var(&q);
1897  secp256k1_fe_cmov(&q, &z, (i&1));
1898 #ifdef VERIFY
1899  CHECK(q.normalized && q.magnitude == 1);
1900 #endif
1901  for (j = 0; j < 6; j++) {
1902  secp256k1_fe_negate(&z, &z, j+1);
1903  secp256k1_fe_normalize_var(&q);
1904  secp256k1_fe_cmov(&q, &z, (j&1));
1905 #ifdef VERIFY
1906  CHECK((q.normalized != (j&1)) && q.magnitude == ((j&1) ? z.magnitude : 1));
1907 #endif
1908  }
1909  secp256k1_fe_normalize_var(&z);
1910  /* Test storage conversion and conditional moves. */
1911  secp256k1_fe_to_storage(&xs, &x);
1912  secp256k1_fe_to_storage(&ys, &y);
1913  secp256k1_fe_to_storage(&zs, &z);
1914  secp256k1_fe_storage_cmov(&zs, &xs, 0);
1915  secp256k1_fe_storage_cmov(&zs, &zs, 1);
1916  CHECK(secp256k1_memcmp_var(&xs, &zs, sizeof(xs)) != 0);
1917  secp256k1_fe_storage_cmov(&ys, &xs, 1);
1918  CHECK(secp256k1_memcmp_var(&xs, &ys, sizeof(xs)) == 0);
1919  secp256k1_fe_from_storage(&x, &xs);
1920  secp256k1_fe_from_storage(&y, &ys);
1921  secp256k1_fe_from_storage(&z, &zs);
1922  /* Test that mul_int, mul, and add agree. */
1923  secp256k1_fe_add(&y, &x);
1924  secp256k1_fe_add(&y, &x);
1925  z = x;
1926  secp256k1_fe_mul_int(&z, 3);
1927  CHECK(check_fe_equal(&y, &z));
1928  secp256k1_fe_add(&y, &x);
1929  secp256k1_fe_add(&z, &x);
1930  CHECK(check_fe_equal(&z, &y));
1931  z = x;
1932  secp256k1_fe_mul_int(&z, 5);
1933  secp256k1_fe_mul(&q, &x, &fe5);
1934  CHECK(check_fe_equal(&z, &q));
1935  secp256k1_fe_negate(&x, &x, 1);
1936  secp256k1_fe_add(&z, &x);
1937  secp256k1_fe_add(&q, &x);
1938  CHECK(check_fe_equal(&y, &z));
1939  CHECK(check_fe_equal(&q, &y));
1940  }
1941 }
1942 
1943 void run_field_inv(void) {
1944  secp256k1_fe x, xi, xii;
1945  int i;
1946  for (i = 0; i < 10*count; i++) {
1947  random_fe_non_zero(&x);
1948  secp256k1_fe_inv(&xi, &x);
1949  CHECK(check_fe_inverse(&x, &xi));
1950  secp256k1_fe_inv(&xii, &xi);
1951  CHECK(check_fe_equal(&x, &xii));
1952  }
1953 }
1954 
1955 void run_field_inv_var(void) {
1956  secp256k1_fe x, xi, xii;
1957  int i;
1958  for (i = 0; i < 10*count; i++) {
1959  random_fe_non_zero(&x);
1960  secp256k1_fe_inv_var(&xi, &x);
1961  CHECK(check_fe_inverse(&x, &xi));
1962  secp256k1_fe_inv_var(&xii, &xi);
1963  CHECK(check_fe_equal(&x, &xii));
1964  }
1965 }
1966 
1967 void run_field_inv_all_var(void) {
1968  secp256k1_fe x[16], xi[16], xii[16];
1969  int i;
1970  /* Check it's safe to call for 0 elements */
1971  secp256k1_fe_inv_all_var(xi, x, 0);
1972  for (i = 0; i < count; i++) {
1973  size_t j;
1974  size_t len = secp256k1_testrand_int(15) + 1;
1975  for (j = 0; j < len; j++) {
1976  random_fe_non_zero(&x[j]);
1977  }
1978  secp256k1_fe_inv_all_var(xi, x, len);
1979  for (j = 0; j < len; j++) {
1980  CHECK(check_fe_inverse(&x[j], &xi[j]));
1981  }
1982  secp256k1_fe_inv_all_var(xii, xi, len);
1983  for (j = 0; j < len; j++) {
1984  CHECK(check_fe_equal(&x[j], &xii[j]));
1985  }
1986  }
1987 }
1988 
1989 void run_sqr(void) {
1990  secp256k1_fe x, s;
1991 
1992  {
1993  int i;
1994  secp256k1_fe_set_int(&x, 1);
1995  secp256k1_fe_negate(&x, &x, 1);
1996 
1997  for (i = 1; i <= 512; ++i) {
1998  secp256k1_fe_mul_int(&x, 2);
1999  secp256k1_fe_normalize(&x);
2000  secp256k1_fe_sqr(&s, &x);
2001  }
2002  }
2003 }
2004 
2005 void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
2006  secp256k1_fe r1, r2;
2007  int v = secp256k1_fe_sqrt(&r1, a);
2008  CHECK((v == 0) == (k == NULL));
2009 
2010  if (k != NULL) {
2011  /* Check that the returned root is +/- the given known answer */
2012  secp256k1_fe_negate(&r2, &r1, 1);
2013  secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
2014  secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
2015  CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
2016  }
2017 }
2018 
2019 void run_sqrt(void) {
2020  secp256k1_fe ns, x, s, t;
2021  int i;
2022 
2023  /* Check sqrt(0) is 0 */
2024  secp256k1_fe_set_int(&x, 0);
2025  secp256k1_fe_sqr(&s, &x);
2026  test_sqrt(&s, &x);
2027 
2028  /* Check sqrt of small squares (and their negatives) */
2029  for (i = 1; i <= 100; i++) {
2030  secp256k1_fe_set_int(&x, i);
2031  secp256k1_fe_sqr(&s, &x);
2032  test_sqrt(&s, &x);
2033  secp256k1_fe_negate(&t, &s, 1);
2034  test_sqrt(&t, NULL);
2035  }
2036 
2037  /* Consistency checks for large random values */
2038  for (i = 0; i < 10; i++) {
2039  int j;
2040  random_fe_non_square(&ns);
2041  for (j = 0; j < count; j++) {
2042  random_fe(&x);
2043  secp256k1_fe_sqr(&s, &x);
2044  test_sqrt(&s, &x);
2045  secp256k1_fe_negate(&t, &s, 1);
2046  test_sqrt(&t, NULL);
2047  secp256k1_fe_mul(&t, &s, &ns);
2048  test_sqrt(&t, NULL);
2049  }
2050  }
2051 }
2052 
2053 /***** GROUP TESTS *****/
2054 
2055 void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
2056  CHECK(a->infinity == b->infinity);
2057  if (a->infinity) {
2058  return;
2059  }
2060  CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
2061  CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
2062 }
2063 
2064 /* This compares jacobian points including their Z, not just their geometric meaning. */
2065 int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
2066  secp256k1_gej a2;
2067  secp256k1_gej b2;
2068  int ret = 1;
2069  ret &= a->infinity == b->infinity;
2070  if (ret && !a->infinity) {
2071  a2 = *a;
2072  b2 = *b;
2073  secp256k1_fe_normalize(&a2.x);
2074  secp256k1_fe_normalize(&a2.y);
2075  secp256k1_fe_normalize(&a2.z);
2076  secp256k1_fe_normalize(&b2.x);
2077  secp256k1_fe_normalize(&b2.y);
2078  secp256k1_fe_normalize(&b2.z);
2079  ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
2080  ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
2081  ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
2082  }
2083  return ret;
2084 }
2085 
2086 void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
2087  secp256k1_fe z2s;
2088  secp256k1_fe u1, u2, s1, s2;
2089  CHECK(a->infinity == b->infinity);
2090  if (a->infinity) {
2091  return;
2092  }
2093  /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
2094  secp256k1_fe_sqr(&z2s, &b->z);
2095  secp256k1_fe_mul(&u1, &a->x, &z2s);
2096  u2 = b->x; secp256k1_fe_normalize_weak(&u2);
2097  secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
2098  s2 = b->y; secp256k1_fe_normalize_weak(&s2);
2099  CHECK(secp256k1_fe_equal_var(&u1, &u2));
2100  CHECK(secp256k1_fe_equal_var(&s1, &s2));
2101 }
2102 
2103 void test_ge(void) {
2104  int i, i1;
2105  int runs = 6;
2106  /* 25 points are used:
2107  * - infinity
2108  * - for each of four random points p1 p2 p3 p4, we add the point, its
2109  * negation, and then those two again but with randomized Z coordinate.
2110  * - The same is then done for lambda*p1 and lambda^2*p1.
2111  */
2112  secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
2113  secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
2114  secp256k1_fe *zinv = (secp256k1_fe *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
2115  secp256k1_fe zf;
2116  secp256k1_fe zfi2, zfi3;
2117 
2118  secp256k1_gej_set_infinity(&gej[0]);
2119  secp256k1_ge_clear(&ge[0]);
2120  secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
2121  for (i = 0; i < runs; i++) {
2122  int j;
2123  secp256k1_ge g;
2124  random_group_element_test(&g);
2125  if (i >= runs - 2) {
2126  secp256k1_ge_mul_lambda(&g, &ge[1]);
2127  }
2128  if (i >= runs - 1) {
2129  secp256k1_ge_mul_lambda(&g, &g);
2130  }
2131  ge[1 + 4 * i] = g;
2132  ge[2 + 4 * i] = g;
2133  secp256k1_ge_neg(&ge[3 + 4 * i], &g);
2134  secp256k1_ge_neg(&ge[4 + 4 * i], &g);
2135  secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
2136  random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
2137  secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
2138  random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
2139  for (j = 0; j < 4; j++) {
2140  random_field_element_magnitude(&ge[1 + j + 4 * i].x);
2141  random_field_element_magnitude(&ge[1 + j + 4 * i].y);
2142  random_field_element_magnitude(&gej[1 + j + 4 * i].x);
2143  random_field_element_magnitude(&gej[1 + j + 4 * i].y);
2144  random_field_element_magnitude(&gej[1 + j + 4 * i].z);
2145  }
2146  }
2147 
2148  /* Compute z inverses. */
2149  {
2150  secp256k1_fe *zs = checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
2151  for (i = 0; i < 4 * runs + 1; i++) {
2152  if (i == 0) {
2153  /* The point at infinity does not have a meaningful z inverse. Any should do. */
2154  do {
2155  random_field_element_test(&zs[i]);
2156  } while(secp256k1_fe_is_zero(&zs[i]));
2157  } else {
2158  zs[i] = gej[i].z;
2159  }
2160  }
2161  secp256k1_fe_inv_all_var(zinv, zs, 4 * runs + 1);
2162  free(zs);
2163  }
2164 
2165  /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
2166  do {
2167  random_field_element_test(&zf);
2168  } while(secp256k1_fe_is_zero(&zf));
2169  random_field_element_magnitude(&zf);
2170  secp256k1_fe_inv_var(&zfi3, &zf);
2171  secp256k1_fe_sqr(&zfi2, &zfi3);
2172  secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
2173 
2174  for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
2175  int i2;
2176  for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
2177  /* Compute reference result using gej + gej (var). */
2178  secp256k1_gej refj, resj;
2179  secp256k1_ge ref;
2180  secp256k1_fe zr;
2181  secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2182  /* Check Z ratio. */
2183  if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
2184  secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2185  CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
2186  }
2187  secp256k1_ge_set_gej_var(&ref, &refj);
2188 
2189  /* Test gej + ge with Z ratio result (var). */
2190  secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2191  ge_equals_gej(&ref, &resj);
2192  if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
2193  secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2194  CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
2195  }
2196 
2197  /* Test gej + ge (var, with additional Z factor). */
2198  {
2199  secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
2200  secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
2201  secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
2202  random_field_element_magnitude(&ge2_zfi.x);
2203  random_field_element_magnitude(&ge2_zfi.y);
2204  secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
2205  ge_equals_gej(&ref, &resj);
2206  }
2207 
2208  /* Test gej + ge (const). */
2209  if (i2 != 0) {
2210  /* secp256k1_gej_add_ge does not support its second argument being infinity. */
2211  secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
2212  ge_equals_gej(&ref, &resj);
2213  }
2214 
2215  /* Test doubling (var). */
2216  if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
2217  secp256k1_fe zr2;
2218  /* Normal doubling with Z ratio result. */
2219  secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
2220  ge_equals_gej(&ref, &resj);
2221  /* Check Z ratio. */
2222  secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
2223  CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
2224  /* Normal doubling. */
2225  secp256k1_gej_double_var(&resj, &gej[i2], NULL);
2226  ge_equals_gej(&ref, &resj);
2227  /* Constant-time doubling. */
2228  secp256k1_gej_double(&resj, &gej[i2]);
2229  ge_equals_gej(&ref, &resj);
2230  }
2231 
2232  /* Test adding opposites. */
2233  if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
2234  CHECK(secp256k1_ge_is_infinity(&ref));
2235  }
2236 
2237  /* Test adding infinity. */
2238  if (i1 == 0) {
2239  CHECK(secp256k1_ge_is_infinity(&ge[i1]));
2240  CHECK(secp256k1_gej_is_infinity(&gej[i1]));
2241  ge_equals_gej(&ref, &gej[i2]);
2242  }
2243  if (i2 == 0) {
2244  CHECK(secp256k1_ge_is_infinity(&ge[i2]));
2245  CHECK(secp256k1_gej_is_infinity(&gej[i2]));
2246  ge_equals_gej(&ref, &gej[i1]);
2247  }
2248  }
2249  }
2250 
2251  /* Test adding all points together in random order equals infinity. */
2252  {
2253  secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
2254  secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
2255  for (i = 0; i < 4 * runs + 1; i++) {
2256  gej_shuffled[i] = gej[i];
2257  }
2258  for (i = 0; i < 4 * runs + 1; i++) {
2259  int swap = i + secp256k1_testrand_int(4 * runs + 1 - i);
2260  if (swap != i) {
2261  secp256k1_gej t = gej_shuffled[i];
2262  gej_shuffled[i] = gej_shuffled[swap];
2263  gej_shuffled[swap] = t;
2264  }
2265  }
2266  for (i = 0; i < 4 * runs + 1; i++) {
2267  secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
2268  }
2269  CHECK(secp256k1_gej_is_infinity(&sum));
2270  free(gej_shuffled);
2271  }
2272 
2273  /* Test batch gej -> ge conversion with and without known z ratios. */
2274  {
2275  secp256k1_fe *zr = (secp256k1_fe *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_fe));
2276  secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
2277  for (i = 0; i < 4 * runs + 1; i++) {
2278  /* Compute gej[i + 1].z / gez[i].z (with gej[n].z taken to be 1). */
2279  if (i < 4 * runs) {
2280  secp256k1_fe_mul(&zr[i + 1], &zinv[i], &gej[i + 1].z);
2281  }
2282  }
2283  secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
2284  for (i = 0; i < 4 * runs + 1; i++) {
2285  secp256k1_fe s;
2286  random_fe_non_zero(&s);
2287  secp256k1_gej_rescale(&gej[i], &s);
2288  ge_equals_gej(&ge_set_all[i], &gej[i]);
2289  }
2290  free(ge_set_all);
2291  free(zr);
2292  }
2293 
2294  /* Test batch gej -> ge conversion with many infinities. */
2295  for (i = 0; i < 4 * runs + 1; i++) {
2296  random_group_element_test(&ge[i]);
2297  /* randomly set half the points to infinity */
2298  if(secp256k1_fe_is_odd(&ge[i].x)) {
2299  secp256k1_ge_set_infinity(&ge[i]);
2300  }
2301  secp256k1_gej_set_ge(&gej[i], &ge[i]);
2302  }
2303  /* batch invert */
2304  secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
2305  /* check result */
2306  for (i = 0; i < 4 * runs + 1; i++) {
2307  ge_equals_gej(&ge[i], &gej[i]);
2308  }
2309 
2310  free(ge);
2311  free(gej);
2312  free(zinv);
2313 }
2314 
2315 
2316 void test_intialized_inf(void) {
2317  secp256k1_ge p;
2318  secp256k1_gej pj, npj, infj1, infj2, infj3;
2319  secp256k1_fe zinv;
2320 
2321  /* Test that adding P+(-P) results in a fully initalized infinity*/
2322  random_group_element_test(&p);
2323  secp256k1_gej_set_ge(&pj, &p);
2324  secp256k1_gej_neg(&npj, &pj);
2325 
2326  secp256k1_gej_add_var(&infj1, &pj, &npj, NULL);
2327  CHECK(secp256k1_gej_is_infinity(&infj1));
2328  CHECK(secp256k1_fe_is_zero(&infj1.x));
2329  CHECK(secp256k1_fe_is_zero(&infj1.y));
2330  CHECK(secp256k1_fe_is_zero(&infj1.z));
2331 
2332  secp256k1_gej_add_ge_var(&infj2, &npj, &p, NULL);
2333  CHECK(secp256k1_gej_is_infinity(&infj2));
2334  CHECK(secp256k1_fe_is_zero(&infj2.x));
2335  CHECK(secp256k1_fe_is_zero(&infj2.y));
2336  CHECK(secp256k1_fe_is_zero(&infj2.z));
2337 
2338  secp256k1_fe_set_int(&zinv, 1);
2339  secp256k1_gej_add_zinv_var(&infj3, &npj, &p, &zinv);
2340  CHECK(secp256k1_gej_is_infinity(&infj3));
2341  CHECK(secp256k1_fe_is_zero(&infj3.x));
2342  CHECK(secp256k1_fe_is_zero(&infj3.y));
2343  CHECK(secp256k1_fe_is_zero(&infj3.z));
2344 
2345 
2346 }
2347 
2348 void test_add_neg_y_diff_x(void) {
2349  /* The point of this test is to check that we can add two points
2350  * whose y-coordinates are negatives of each other but whose x
2351  * coordinates differ. If the x-coordinates were the same, these
2352  * points would be negatives of each other and their sum is
2353  * infinity. This is cool because it "covers up" any degeneracy
2354  * in the addition algorithm that would cause the xy coordinates
2355  * of the sum to be wrong (since infinity has no xy coordinates).
2356  * HOWEVER, if the x-coordinates are different, infinity is the
2357  * wrong answer, and such degeneracies are exposed. This is the
2358  * root of https://github.com/bitcoin-core/secp256k1/issues/257
2359  * which this test is a regression test for.
2360  *
2361  * These points were generated in sage as
2362  * # secp256k1 params
2363  * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
2364  * C = EllipticCurve ([F (0), F (7)])
2365  * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
2366  * N = FiniteField(G.order())
2367  *
2368  * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
2369  * x = polygen(N)
2370  * lam = (1 - x^3).roots()[1][0]
2371  *
2372  * # random "bad pair"
2373  * P = C.random_element()
2374  * Q = -int(lam) * P
2375  * print " P: %x %x" % P.xy()
2376  * print " Q: %x %x" % Q.xy()
2377  * print "P + Q: %x %x" % (P + Q).xy()
2378  */
2379  secp256k1_gej aj = SECP256K1_GEJ_CONST(
2380  0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
2381  0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
2382  0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
2383  0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
2384  );
2385  secp256k1_gej bj = SECP256K1_GEJ_CONST(
2386  0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
2387  0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
2388  0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
2389  0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
2390  );
2391  secp256k1_gej sumj = SECP256K1_GEJ_CONST(
2392  0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
2393  0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
2394  0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
2395  0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
2396  );
2397  secp256k1_ge b;
2398  secp256k1_gej resj;
2399  secp256k1_ge res;
2400  secp256k1_ge_set_gej(&b, &bj);
2401 
2402  secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
2403  secp256k1_ge_set_gej(&res, &resj);
2404  ge_equals_gej(&res, &sumj);
2405 
2406  secp256k1_gej_add_ge(&resj, &aj, &b);
2407  secp256k1_ge_set_gej(&res, &resj);
2408  ge_equals_gej(&res, &sumj);
2409 
2410  secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
2411  secp256k1_ge_set_gej(&res, &resj);
2412  ge_equals_gej(&res, &sumj);
2413 }
2414 
2415 void run_ge(void) {
2416  int i;
2417  for (i = 0; i < count * 32; i++) {
2418  test_ge();
2419  }
2420  test_add_neg_y_diff_x();
2421  test_intialized_inf();
2422 }
2423 
2424 void test_ec_combine(void) {
2425  secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2426  secp256k1_pubkey data[6];
2427  const secp256k1_pubkey* d[6];
2428  secp256k1_pubkey sd;
2429  secp256k1_pubkey sd2;
2430  secp256k1_gej Qj;
2431  secp256k1_ge Q;
2432  int i;
2433  for (i = 1; i <= 6; i++) {
2434  secp256k1_scalar s;
2435  random_scalar_order_test(&s);
2436  secp256k1_scalar_add(&sum, &sum, &s);
2437  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s);
2438  secp256k1_ge_set_gej(&Q, &Qj);
2439  secp256k1_pubkey_save(&data[i - 1], &Q);
2440  d[i - 1] = &data[i - 1];
2441  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum);
2442  secp256k1_ge_set_gej(&Q, &Qj);
2443  secp256k1_pubkey_save(&sd, &Q);
2444  CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
2445  CHECK(secp256k1_memcmp_var(&sd, &sd2, sizeof(sd)) == 0);
2446  }
2447 }
2448 
2449 void run_ec_combine(void) {
2450  int i;
2451  for (i = 0; i < count * 8; i++) {
2452  test_ec_combine();
2453  }
2454 }
2455 
2456 void test_group_decompress(const secp256k1_fe* x) {
2457  /* The input itself, normalized. */
2458  secp256k1_fe fex = *x;
2459  secp256k1_fe fez;
2460  /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
2461  secp256k1_ge ge_quad, ge_even, ge_odd;
2462  secp256k1_gej gej_quad;
2463  /* Return values of the above calls. */
2464  int res_quad, res_even, res_odd;
2465 
2466  secp256k1_fe_normalize_var(&fex);
2467 
2468  res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex);
2469  res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
2470  res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
2471 
2472  CHECK(res_quad == res_even);
2473  CHECK(res_quad == res_odd);
2474 
2475  if (res_quad) {
2476  secp256k1_fe_normalize_var(&ge_quad.x);
2477  secp256k1_fe_normalize_var(&ge_odd.x);
2478  secp256k1_fe_normalize_var(&ge_even.x);
2479  secp256k1_fe_normalize_var(&ge_quad.y);
2480  secp256k1_fe_normalize_var(&ge_odd.y);
2481  secp256k1_fe_normalize_var(&ge_even.y);
2482 
2483  /* No infinity allowed. */
2484  CHECK(!ge_quad.infinity);
2485  CHECK(!ge_even.infinity);
2486  CHECK(!ge_odd.infinity);
2487 
2488  /* Check that the x coordinates check out. */
2489  CHECK(secp256k1_fe_equal_var(&ge_quad.x, x));
2490  CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
2491  CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
2492 
2493  /* Check that the Y coordinate result in ge_quad is a square. */
2494  CHECK(secp256k1_fe_is_quad_var(&ge_quad.y));
2495 
2496  /* Check odd/even Y in ge_odd, ge_even. */
2497  CHECK(secp256k1_fe_is_odd(&ge_odd.y));
2498  CHECK(!secp256k1_fe_is_odd(&ge_even.y));
2499 
2500  /* Check secp256k1_gej_has_quad_y_var. */
2501  secp256k1_gej_set_ge(&gej_quad, &ge_quad);
2502  CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2503  do {
2504  random_fe_test(&fez);
2505  } while (secp256k1_fe_is_zero(&fez));
2506  secp256k1_gej_rescale(&gej_quad, &fez);
2507  CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2508  secp256k1_gej_neg(&gej_quad, &gej_quad);
2509  CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2510  do {
2511  random_fe_test(&fez);
2512  } while (secp256k1_fe_is_zero(&fez));
2513  secp256k1_gej_rescale(&gej_quad, &fez);
2514  CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2515  secp256k1_gej_neg(&gej_quad, &gej_quad);
2516  CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2517  }
2518 }
2519 
2520 void run_group_decompress(void) {
2521  int i;
2522  for (i = 0; i < count * 4; i++) {
2523  secp256k1_fe fe;
2524  random_fe_test(&fe);
2525  test_group_decompress(&fe);
2526  }
2527 }
2528 
2529 /***** ECMULT TESTS *****/
2530 
2531 void run_ecmult_chain(void) {
2532  /* random starting point A (on the curve) */
2533  secp256k1_gej a = SECP256K1_GEJ_CONST(
2534  0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
2535  0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
2536  0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
2537  0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
2538  );
2539  /* two random initial factors xn and gn */
2540  secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2541  0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
2542  0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
2543  );
2544  secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
2545  0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
2546  0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
2547  );
2548  /* two small multipliers to be applied to xn and gn in every iteration: */
2549  static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
2550  static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
2551  /* accumulators with the resulting coefficients to A and G */
2552  secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2553  secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2554  /* actual points */
2555  secp256k1_gej x;
2556  secp256k1_gej x2;
2557  int i;
2558 
2559  /* the point being computed */
2560  x = a;
2561  for (i = 0; i < 200*count; i++) {
2562  /* in each iteration, compute X = xn*X + gn*G; */
2563  secp256k1_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn);
2564  /* also compute ae and ge: the actual accumulated factors for A and G */
2565  /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
2566  secp256k1_scalar_mul(&ae, &ae, &xn);
2567  secp256k1_scalar_mul(&ge, &ge, &xn);
2568  secp256k1_scalar_add(&ge, &ge, &gn);
2569  /* modify xn and gn */
2570  secp256k1_scalar_mul(&xn, &xn, &xf);
2571  secp256k1_scalar_mul(&gn, &gn, &gf);
2572 
2573  /* verify */
2574  if (i == 19999) {
2575  /* expected result after 19999 iterations */
2576  secp256k1_gej rp = SECP256K1_GEJ_CONST(
2577  0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
2578  0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
2579  0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
2580  0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
2581  );
2582 
2583  secp256k1_gej_neg(&rp, &rp);
2584  secp256k1_gej_add_var(&rp, &rp, &x, NULL);
2585  CHECK(secp256k1_gej_is_infinity(&rp));
2586  }
2587  }
2588  /* redo the computation, but directly with the resulting ae and ge coefficients: */
2589  secp256k1_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge);
2590  secp256k1_gej_neg(&x2, &x2);
2591  secp256k1_gej_add_var(&x2, &x2, &x, NULL);
2592  CHECK(secp256k1_gej_is_infinity(&x2));
2593 }
2594 
2595 void test_point_times_order(const secp256k1_gej *point) {
2596  /* X * (point + G) + (order-X) * (pointer + G) = 0 */
2597  secp256k1_scalar x;
2598  secp256k1_scalar nx;
2599  secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2600  secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2601  secp256k1_gej res1, res2;
2602  secp256k1_ge res3;
2603  unsigned char pub[65];
2604  size_t psize = 65;
2605  random_scalar_order_test(&x);
2606  secp256k1_scalar_negate(&nx, &x);
2607  secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */
2608  secp256k1_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
2609  secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
2610  CHECK(secp256k1_gej_is_infinity(&res1));
2611  secp256k1_ge_set_gej(&res3, &res1);
2612  CHECK(secp256k1_ge_is_infinity(&res3));
2613  CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
2614  CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
2615  psize = 65;
2616  CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
2617  /* check zero/one edge cases */
2618  secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero);
2619  secp256k1_ge_set_gej(&res3, &res1);
2620  CHECK(secp256k1_ge_is_infinity(&res3));
2621  secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero);
2622  secp256k1_ge_set_gej(&res3, &res1);
2623  ge_equals_gej(&res3, point);
2624  secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one);
2625  secp256k1_ge_set_gej(&res3, &res1);
2626  ge_equals_ge(&res3, &secp256k1_ge_const_g);
2627 }
2628 
2629 /* These scalars reach large (in absolute value) outputs when fed to secp256k1_scalar_split_lambda.
2630  *
2631  * They are computed as:
2632  * - For a in [-2, -1, 0, 1, 2]:
2633  * - For b in [-3, -1, 1, 3]:
2634  * - Output (a*LAMBDA + (ORDER+b)/2) % ORDER
2635  */
2636 static const secp256k1_scalar scalars_near_split_bounds[20] = {
2637  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fc),
2638  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fd),
2639  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fe),
2640  SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6ff),
2641  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632d),
2642  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632e),
2643  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632f),
2644  SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf76330),
2645  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b209f),
2646  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a0),
2647  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a1),
2648  SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a2),
2649  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede11),
2650  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede12),
2651  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede13),
2652  SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede14),
2653  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a42),
2654  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a43),
2655  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a44),
2656  SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a45)
2657 };
2658 
2659 void test_ecmult_target(const secp256k1_scalar* target, int mode) {
2660  /* Mode: 0=ecmult_gen, 1=ecmult, 2=ecmult_const */
2661  secp256k1_scalar n1, n2;
2662  secp256k1_ge p;
2663  secp256k1_gej pj, p1j, p2j, ptj;
2664  static const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2665 
2666  /* Generate random n1,n2 such that n1+n2 = -target. */
2667  random_scalar_order_test(&n1);
2668  secp256k1_scalar_add(&n2, &n1, target);
2669  secp256k1_scalar_negate(&n2, &n2);
2670 
2671  /* Generate a random input point. */
2672  if (mode != 0) {
2673  random_group_element_test(&p);
2674  secp256k1_gej_set_ge(&pj, &p);
2675  }
2676 
2677  /* EC multiplications */
2678  if (mode == 0) {
2679  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &p1j, &n1);
2680  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &p2j, &n2);
2681  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &ptj, target);
2682  } else if (mode == 1) {
2683  secp256k1_ecmult(&ctx->ecmult_ctx, &p1j, &pj, &n1, &zero);
2684  secp256k1_ecmult(&ctx->ecmult_ctx, &p2j, &pj, &n2, &zero);
2685  secp256k1_ecmult(&ctx->ecmult_ctx, &ptj, &pj, target, &zero);
2686  } else {
2687  secp256k1_ecmult_const(&p1j, &p, &n1, 256);
2688  secp256k1_ecmult_const(&p2j, &p, &n2, 256);
2689  secp256k1_ecmult_const(&ptj, &p, target, 256);
2690  }
2691 
2692  /* Add them all up: n1*P + n2*P + target*P = (n1+n2+target)*P = (n1+n1-n1-n2)*P = 0. */
2693  secp256k1_gej_add_var(&ptj, &ptj, &p1j, NULL);
2694  secp256k1_gej_add_var(&ptj, &ptj, &p2j, NULL);
2695  CHECK(secp256k1_gej_is_infinity(&ptj));
2696 }
2697 
2698 void run_ecmult_near_split_bound(void) {
2699  int i;
2700  unsigned j;
2701  for (i = 0; i < 4*count; ++i) {
2702  for (j = 0; j < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++j) {
2703  test_ecmult_target(&scalars_near_split_bounds[j], 0);
2704  test_ecmult_target(&scalars_near_split_bounds[j], 1);
2705  test_ecmult_target(&scalars_near_split_bounds[j], 2);
2706  }
2707  }
2708 }
2709 
2710 void run_point_times_order(void) {
2711  int i;
2712  secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
2713  static const secp256k1_fe xr = SECP256K1_FE_CONST(
2714  0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
2715  0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
2716  );
2717  for (i = 0; i < 500; i++) {
2718  secp256k1_ge p;
2719  if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
2720  secp256k1_gej j;
2721  CHECK(secp256k1_ge_is_valid_var(&p));
2722  secp256k1_gej_set_ge(&j, &p);
2723  test_point_times_order(&j);
2724  }
2725  secp256k1_fe_sqr(&x, &x);
2726  }
2727  secp256k1_fe_normalize_var(&x);
2728  CHECK(secp256k1_fe_equal_var(&x, &xr));
2729 }
2730 
2731 void ecmult_const_random_mult(void) {
2732  /* random starting point A (on the curve) */
2733  secp256k1_ge a = SECP256K1_GE_CONST(
2734  0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
2735  0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
2736  0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
2737  0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
2738  );
2739  /* random initial factor xn */
2740  secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2741  0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
2742  0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
2743  );
2744  /* expected xn * A (from sage) */
2745  secp256k1_ge expected_b = SECP256K1_GE_CONST(
2746  0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
2747  0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
2748  0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
2749  0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
2750  );
2751  secp256k1_gej b;
2752  secp256k1_ecmult_const(&b, &a, &xn, 256);
2753 
2754  CHECK(secp256k1_ge_is_valid_var(&a));
2755  ge_equals_gej(&expected_b, &b);
2756 }
2757 
2758 void ecmult_const_commutativity(void) {
2759  secp256k1_scalar a;
2760  secp256k1_scalar b;
2761  secp256k1_gej res1;
2762  secp256k1_gej res2;
2763  secp256k1_ge mid1;
2764  secp256k1_ge mid2;
2765  random_scalar_order_test(&a);
2766  random_scalar_order_test(&b);
2767 
2768  secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a, 256);
2769  secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b, 256);
2770  secp256k1_ge_set_gej(&mid1, &res1);
2771  secp256k1_ge_set_gej(&mid2, &res2);
2772  secp256k1_ecmult_const(&res1, &mid1, &b, 256);
2773  secp256k1_ecmult_const(&res2, &mid2, &a, 256);
2774  secp256k1_ge_set_gej(&mid1, &res1);
2775  secp256k1_ge_set_gej(&mid2, &res2);
2776  ge_equals_ge(&mid1, &mid2);
2777 }
2778 
2779 void ecmult_const_mult_zero_one(void) {
2780  secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2781  secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2782  secp256k1_scalar negone;
2783  secp256k1_gej res1;
2784  secp256k1_ge res2;
2785  secp256k1_ge point;
2786  secp256k1_scalar_negate(&negone, &one);
2787 
2788  random_group_element_test(&point);
2789  secp256k1_ecmult_const(&res1, &point, &zero, 3);
2790  secp256k1_ge_set_gej(&res2, &res1);
2791  CHECK(secp256k1_ge_is_infinity(&res2));
2792  secp256k1_ecmult_const(&res1, &point, &one, 2);
2793  secp256k1_ge_set_gej(&res2, &res1);
2794  ge_equals_ge(&res2, &point);
2795  secp256k1_ecmult_const(&res1, &point, &negone, 256);
2796  secp256k1_gej_neg(&res1, &res1);
2797  secp256k1_ge_set_gej(&res2, &res1);
2798  ge_equals_ge(&res2, &point);
2799 }
2800 
2801 void ecmult_const_chain_multiply(void) {
2802  /* Check known result (randomly generated test problem from sage) */
2803  const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
2804  0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
2805  0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
2806  );
2807  const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
2808  0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
2809  0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
2810  0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
2811  0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
2812  );
2813  secp256k1_gej point;
2814  secp256k1_ge res;
2815  int i;
2816 
2817  secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
2818  for (i = 0; i < 100; ++i) {
2819  secp256k1_ge tmp;
2820  secp256k1_ge_set_gej(&tmp, &point);
2821  secp256k1_ecmult_const(&point, &tmp, &scalar, 256);
2822  }
2823  secp256k1_ge_set_gej(&res, &point);
2824  ge_equals_gej(&res, &expected_point);
2825 }
2826 
2827 void run_ecmult_const_tests(void) {
2828  ecmult_const_mult_zero_one();
2829  ecmult_const_random_mult();
2830  ecmult_const_commutativity();
2831  ecmult_const_chain_multiply();
2832 }
2833 
2834 typedef struct {
2835  secp256k1_scalar *sc;
2836  secp256k1_ge *pt;
2837 } ecmult_multi_data;
2838 
2839 static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2840  ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
2841  *sc = data->sc[idx];
2842  *pt = data->pt[idx];
2843  return 1;
2844 }
2845 
2846 static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2847  (void)sc;
2848  (void)pt;
2849  (void)idx;
2850  (void)cbdata;
2851  return 0;
2852 }
2853 
2854 void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) {
2855  int ncount;
2856  secp256k1_scalar szero;
2857  secp256k1_scalar sc[32];
2858  secp256k1_ge pt[32];
2859  secp256k1_gej r;
2860  secp256k1_gej r2;
2861  ecmult_multi_data data;
2862 
2863  data.sc = sc;
2864  data.pt = pt;
2865  secp256k1_scalar_set_int(&szero, 0);
2866 
2867  /* No points to multiply */
2868  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
2869 
2870  /* Check 1- and 2-point multiplies against ecmult */
2871  for (ncount = 0; ncount < count; ncount++) {
2872  secp256k1_ge ptg;
2873  secp256k1_gej ptgj;
2874  random_scalar_order(&sc[0]);
2875  random_scalar_order(&sc[1]);
2876 
2877  random_group_element_test(&ptg);
2878  secp256k1_gej_set_ge(&ptgj, &ptg);
2879  pt[0] = ptg;
2880  pt[1] = secp256k1_ge_const_g;
2881 
2882  /* only G scalar */
2883  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &szero, &sc[0]);
2884  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
2885  secp256k1_gej_neg(&r2, &r2);
2886  secp256k1_gej_add_var(&r, &r, &r2, NULL);
2887  CHECK(secp256k1_gej_is_infinity(&r));
2888 
2889  /* 1-point */
2890  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &szero);
2891  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 1));
2892  secp256k1_gej_neg(&r2, &r2);
2893  secp256k1_gej_add_var(&r, &r, &r2, NULL);
2894  CHECK(secp256k1_gej_is_infinity(&r));
2895 
2896  /* Try to multiply 1 point, but callback returns false */
2897  CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_false_callback, &data, 1));
2898 
2899  /* 2-point */
2900  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
2901  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 2));
2902  secp256k1_gej_neg(&r2, &r2);
2903  secp256k1_gej_add_var(&r, &r, &r2, NULL);
2904  CHECK(secp256k1_gej_is_infinity(&r));
2905 
2906  /* 2-point with G scalar */
2907  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
2908  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
2909  secp256k1_gej_neg(&r2, &r2);
2910  secp256k1_gej_add_var(&r, &r, &r2, NULL);
2911  CHECK(secp256k1_gej_is_infinity(&r));
2912  }
2913 
2914  /* Check infinite outputs of various forms */
2915  for (ncount = 0; ncount < count; ncount++) {
2916  secp256k1_ge ptg;
2917  size_t i, j;
2918  size_t sizes[] = { 2, 10, 32 };
2919 
2920  for (j = 0; j < 3; j++) {
2921  for (i = 0; i < 32; i++) {
2922  random_scalar_order(&sc[i]);
2923  secp256k1_ge_set_infinity(&pt[i]);
2924  }
2925  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2926  CHECK(secp256k1_gej_is_infinity(&r));
2927  }
2928 
2929  for (j = 0; j < 3; j++) {
2930  for (i = 0; i < 32; i++) {
2931  random_group_element_test(&ptg);
2932  pt[i] = ptg;
2933  secp256k1_scalar_set_int(&sc[i], 0);
2934  }
2935  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2936  CHECK(secp256k1_gej_is_infinity(&r));
2937  }
2938 
2939  for (j = 0; j < 3; j++) {
2940  random_group_element_test(&ptg);
2941  for (i = 0; i < 16; i++) {
2942  random_scalar_order(&sc[2*i]);
2943  secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
2944  pt[2 * i] = ptg;
2945  pt[2 * i + 1] = ptg;
2946  }
2947 
2948  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2949  CHECK(secp256k1_gej_is_infinity(&r));
2950 
2951  random_scalar_order(&sc[0]);
2952  for (i = 0; i < 16; i++) {
2953  random_group_element_test(&ptg);
2954 
2955  sc[2*i] = sc[0];
2956  sc[2*i+1] = sc[0];
2957  pt[2 * i] = ptg;
2958  secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
2959  }
2960 
2961  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2962  CHECK(secp256k1_gej_is_infinity(&r));
2963  }
2964 
2965  random_group_element_test(&ptg);
2966  secp256k1_scalar_set_int(&sc[0], 0);
2967  pt[0] = ptg;
2968  for (i = 1; i < 32; i++) {
2969  pt[i] = ptg;
2970 
2971  random_scalar_order(&sc[i]);
2972  secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
2973  secp256k1_scalar_negate(&sc[i], &sc[i]);
2974  }
2975 
2976  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 32));
2977  CHECK(secp256k1_gej_is_infinity(&r));
2978  }
2979 
2980  /* Check random points, constant scalar */
2981  for (ncount = 0; ncount < count; ncount++) {
2982  size_t i;
2983  secp256k1_gej_set_infinity(&r);
2984 
2985  random_scalar_order(&sc[0]);
2986  for (i = 0; i < 20; i++) {
2987  secp256k1_ge ptg;
2988  sc[i] = sc[0];
2989  random_group_element_test(&ptg);
2990  pt[i] = ptg;
2991  secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
2992  }
2993 
2994  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r, &sc[0], &szero);
2995  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2996  secp256k1_gej_neg(&r2, &r2);
2997  secp256k1_gej_add_var(&r, &r, &r2, NULL);
2998  CHECK(secp256k1_gej_is_infinity(&r));
2999  }
3000 
3001  /* Check random scalars, constant point */
3002  for (ncount = 0; ncount < count; ncount++) {
3003  size_t i;
3004  secp256k1_ge ptg;
3005  secp256k1_gej p0j;
3006  secp256k1_scalar rs;
3007  secp256k1_scalar_set_int(&rs, 0);
3008 
3009  random_group_element_test(&ptg);
3010  for (i = 0; i < 20; i++) {
3011  random_scalar_order(&sc[i]);
3012  pt[i] = ptg;
3013  secp256k1_scalar_add(&rs, &rs, &sc[i]);
3014  }
3015 
3016  secp256k1_gej_set_ge(&p0j, &pt[0]);
3017  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &p0j, &rs, &szero);
3018  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
3019  secp256k1_gej_neg(&r2, &r2);
3020  secp256k1_gej_add_var(&r, &r, &r2, NULL);
3021  CHECK(secp256k1_gej_is_infinity(&r));
3022  }
3023 
3024  /* Sanity check that zero scalars don't cause problems */
3025  for (ncount = 0; ncount < 20; ncount++) {
3026  random_scalar_order(&sc[ncount]);
3027  random_group_element_test(&pt[ncount]);
3028  }
3029 
3030  secp256k1_scalar_clear(&sc[0]);
3031  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
3032  secp256k1_scalar_clear(&sc[1]);
3033  secp256k1_scalar_clear(&sc[2]);
3034  secp256k1_scalar_clear(&sc[3]);
3035  secp256k1_scalar_clear(&sc[4]);
3036  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 6));
3037  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 5));
3038  CHECK(secp256k1_gej_is_infinity(&r));
3039 
3040  /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
3041  {
3042  const size_t TOP = 8;
3043  size_t s0i, s1i;
3044  size_t t0i, t1i;
3045  secp256k1_ge ptg;
3046  secp256k1_gej ptgj;
3047 
3048  random_group_element_test(&ptg);
3049  secp256k1_gej_set_ge(&ptgj, &ptg);
3050 
3051  for(t0i = 0; t0i < TOP; t0i++) {
3052  for(t1i = 0; t1i < TOP; t1i++) {
3053  secp256k1_gej t0p, t1p;
3054  secp256k1_scalar t0, t1;
3055 
3056  secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
3057  secp256k1_scalar_cond_negate(&t0, t0i & 1);
3058  secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
3059  secp256k1_scalar_cond_negate(&t1, t1i & 1);
3060 
3061  secp256k1_ecmult(&ctx->ecmult_ctx, &t0p, &ptgj, &t0, &szero);
3062  secp256k1_ecmult(&ctx->ecmult_ctx, &t1p, &ptgj, &t1, &szero);
3063 
3064  for(s0i = 0; s0i < TOP; s0i++) {
3065  for(s1i = 0; s1i < TOP; s1i++) {
3066  secp256k1_scalar tmp1, tmp2;
3067  secp256k1_gej expected, actual;
3068 
3069  secp256k1_ge_set_gej(&pt[0], &t0p);
3070  secp256k1_ge_set_gej(&pt[1], &t1p);
3071 
3072  secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
3073  secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
3074  secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
3075  secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
3076 
3077  secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
3078  secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
3079  secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
3080 
3081  secp256k1_ecmult(&ctx->ecmult_ctx, &expected, &ptgj, &tmp1, &szero);
3082  CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &actual, &szero, ecmult_multi_callback, &data, 2));
3083  secp256k1_gej_neg(&expected, &expected);
3084  secp256k1_gej_add_var(&actual, &actual, &expected, NULL);
3085  CHECK(secp256k1_gej_is_infinity(&actual));
3086  }
3087  }
3088  }
3089  }
3090  }
3091 }
3092 
3093 void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi) {
3094  secp256k1_scalar szero;
3095  secp256k1_scalar sc;
3096  secp256k1_ge pt;
3097  secp256k1_gej r;
3098  ecmult_multi_data data;
3099  secp256k1_scratch *scratch_empty;
3100 
3101  random_group_element_test(&pt);
3102  random_scalar_order(&sc);
3103  data.sc = &sc;
3104  data.pt = &pt;
3105  secp256k1_scalar_set_int(&szero, 0);
3106 
3107  /* Try to multiply 1 point, but scratch space is empty.*/
3108  scratch_empty = secp256k1_scratch_create(&ctx->error_callback, 0);
3109  CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch_empty, &r, &szero, ecmult_multi_callback, &data, 1));
3110  secp256k1_scratch_destroy(&ctx->error_callback, scratch_empty);
3111 }
3112 
3113 void test_secp256k1_pippenger_bucket_window_inv(void) {
3114  int i;
3115 
3116  CHECK(secp256k1_pippenger_bucket_window_inv(0) == 0);
3117  for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
3118  /* Bucket_window of 8 is not used with endo */
3119  if (i == 8) {
3120  continue;
3121  }
3122  CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)) == i);
3123  if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
3124  CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)+1) > i);
3125  }
3126  }
3127 }
3128 
3133 void test_ecmult_multi_pippenger_max_points(void) {
3134  size_t scratch_size = secp256k1_testrand_int(256);
3135  size_t max_size = secp256k1_pippenger_scratch_size(secp256k1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12);
3136  secp256k1_scratch *scratch;
3137  size_t n_points_supported;
3138  int bucket_window = 0;
3139 
3140  for(; scratch_size < max_size; scratch_size+=256) {
3141  size_t i;
3142  size_t total_alloc;
3143  size_t checkpoint;
3144  scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size);
3145  CHECK(scratch != NULL);
3146  checkpoint = secp256k1_scratch_checkpoint(&ctx->error_callback, scratch);
3147  n_points_supported = secp256k1_pippenger_max_points(&ctx->error_callback, scratch);
3148  if (n_points_supported == 0) {
3149  secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3150  continue;
3151  }
3152  bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
3153  /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */
3154  total_alloc = secp256k1_pippenger_scratch_size(n_points_supported, bucket_window);
3155  for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) {
3156  CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, 1));
3157  total_alloc--;
3158  }
3159  CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, total_alloc));
3160  secp256k1_scratch_apply_checkpoint(&ctx->error_callback, scratch, checkpoint);
3161  secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3162  }
3163  CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
3164 }
3165 
3166 void test_ecmult_multi_batch_size_helper(void) {
3167  size_t n_batches, n_batch_points, max_n_batch_points, n;
3168 
3169  max_n_batch_points = 0;
3170  n = 1;
3171  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
3172 
3173  max_n_batch_points = 1;
3174  n = 0;
3175  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3176  CHECK(n_batches == 0);
3177  CHECK(n_batch_points == 0);
3178 
3179  max_n_batch_points = 2;
3180  n = 5;
3181  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3182  CHECK(n_batches == 3);
3183  CHECK(n_batch_points == 2);
3184 
3185  max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
3186  n = ECMULT_MAX_POINTS_PER_BATCH;
3187  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3188  CHECK(n_batches == 1);
3189  CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
3190 
3191  max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
3192  n = ECMULT_MAX_POINTS_PER_BATCH + 1;
3193  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3194  CHECK(n_batches == 2);
3195  CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
3196 
3197  max_n_batch_points = 1;
3198  n = SIZE_MAX;
3199  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3200  CHECK(n_batches == SIZE_MAX);
3201  CHECK(n_batch_points == 1);
3202 
3203  max_n_batch_points = 2;
3204  n = SIZE_MAX;
3205  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3206  CHECK(n_batches == SIZE_MAX/2 + 1);
3207  CHECK(n_batch_points == 2);
3208 }
3209 
3214 void test_ecmult_multi_batching(void) {
3215  static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
3216  secp256k1_scalar scG;
3217  secp256k1_scalar szero;
3218  secp256k1_scalar *sc = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_scalar) * n_points);
3219  secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * n_points);
3220  secp256k1_gej r;
3221  secp256k1_gej r2;
3222  ecmult_multi_data data;
3223  int i;
3224  secp256k1_scratch *scratch;
3225 
3226  secp256k1_gej_set_infinity(&r2);
3227  secp256k1_scalar_set_int(&szero, 0);
3228 
3229  /* Get random scalars and group elements and compute result */
3230  random_scalar_order(&scG);
3231  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r2, &szero, &scG);
3232  for(i = 0; i < n_points; i++) {
3233  secp256k1_ge ptg;
3234  secp256k1_gej ptgj;
3235  random_group_element_test(&ptg);
3236  secp256k1_gej_set_ge(&ptgj, &ptg);
3237  pt[i] = ptg;
3238  random_scalar_order(&sc[i]);
3239  secp256k1_ecmult(&ctx->ecmult_ctx, &ptgj, &ptgj, &sc[i], NULL);
3240  secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
3241  }
3242  data.sc = sc;
3243  data.pt = pt;
3244  secp256k1_gej_neg(&r2, &r2);
3245 
3246  /* Test with empty scratch space. It should compute the correct result using
3247  * ecmult_mult_simple algorithm which doesn't require a scratch space. */
3248  scratch = secp256k1_scratch_create(&ctx->error_callback, 0);
3249  CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
3250  secp256k1_gej_add_var(&r, &r, &r2, NULL);
3251  CHECK(secp256k1_gej_is_infinity(&r));
3252  secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3253 
3254  /* Test with space for 1 point in pippenger. That's not enough because
3255  * ecmult_multi selects strauss which requires more memory. It should
3256  * therefore select the simple algorithm. */
3257  scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
3258  CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
3259  secp256k1_gej_add_var(&r, &r, &r2, NULL);
3260  CHECK(secp256k1_gej_is_infinity(&r));
3261  secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3262 
3263  for(i = 1; i <= n_points; i++) {
3264  if (i > ECMULT_PIPPENGER_THRESHOLD) {
3265  int bucket_window = secp256k1_pippenger_bucket_window(i);
3266  size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
3267  scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
3268  } else {
3269  size_t scratch_size = secp256k1_strauss_scratch_size(i);
3270  scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
3271  }
3272  CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
3273  secp256k1_gej_add_var(&r, &r, &r2, NULL);
3274  CHECK(secp256k1_gej_is_infinity(&r));
3275  secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3276  }
3277  free(sc);
3278  free(pt);
3279 }
3280 
3281 void run_ecmult_multi_tests(void) {
3282  secp256k1_scratch *scratch;
3283 
3284  test_secp256k1_pippenger_bucket_window_inv();
3285  test_ecmult_multi_pippenger_max_points();
3286  scratch = secp256k1_scratch_create(&ctx->error_callback, 819200);
3287  test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
3288  test_ecmult_multi(NULL, secp256k1_ecmult_multi_var);
3289  test_ecmult_multi(scratch, secp256k1_ecmult_pippenger_batch_single);
3290  test_ecmult_multi_batch_single(secp256k1_ecmult_pippenger_batch_single);
3291  test_ecmult_multi(scratch, secp256k1_ecmult_strauss_batch_single);
3292  test_ecmult_multi_batch_single(secp256k1_ecmult_strauss_batch_single);
3293  secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3294 
3295  /* Run test_ecmult_multi with space for exactly one point */
3296  scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
3297  test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
3298  secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3299 
3300  test_ecmult_multi_batch_size_helper();
3301  test_ecmult_multi_batching();
3302 }
3303 
3304 void test_wnaf(const secp256k1_scalar *number, int w) {
3305  secp256k1_scalar x, two, t;
3306  int wnaf[256];
3307  int zeroes = -1;
3308  int i;
3309  int bits;
3310  secp256k1_scalar_set_int(&x, 0);
3311  secp256k1_scalar_set_int(&two, 2);
3312  bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
3313  CHECK(bits <= 256);
3314  for (i = bits-1; i >= 0; i--) {
3315  int v = wnaf[i];
3316  secp256k1_scalar_mul(&x, &x, &two);
3317  if (v) {
3318  CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
3319  zeroes=0;
3320  CHECK((v & 1) == 1); /* check non-zero elements are odd */
3321  CHECK(v <= (1 << (w-1)) - 1); /* check range below */
3322  CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
3323  } else {
3324  CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
3325  zeroes++;
3326  }
3327  if (v >= 0) {
3328  secp256k1_scalar_set_int(&t, v);
3329  } else {
3330  secp256k1_scalar_set_int(&t, -v);
3331  secp256k1_scalar_negate(&t, &t);
3332  }
3333  secp256k1_scalar_add(&x, &x, &t);
3334  }
3335  CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
3336 }
3337 
3338 void test_constant_wnaf_negate(const secp256k1_scalar *number) {
3339  secp256k1_scalar neg1 = *number;
3340  secp256k1_scalar neg2 = *number;
3341  int sign1 = 1;
3342  int sign2 = 1;
3343 
3344  if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
3345  secp256k1_scalar_negate(&neg1, &neg1);
3346  sign1 = -1;
3347  }
3348  sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2));
3349  CHECK(sign1 == sign2);
3350  CHECK(secp256k1_scalar_eq(&neg1, &neg2));
3351 }
3352 
3353 void test_constant_wnaf(const secp256k1_scalar *number, int w) {
3354  secp256k1_scalar x, shift;
3355  int wnaf[256] = {0};
3356  int i;
3357  int skew;
3358  int bits = 256;
3359  secp256k1_scalar num = *number;
3360  secp256k1_scalar scalar_skew;
3361 
3362  secp256k1_scalar_set_int(&x, 0);
3363  secp256k1_scalar_set_int(&shift, 1 << w);
3364  for (i = 0; i < 16; ++i) {
3365  secp256k1_scalar_shr_int(&num, 8);
3366  }
3367  bits = 128;
3368  skew = secp256k1_wnaf_const(wnaf, &num, w, bits);
3369 
3370  for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) {
3371  secp256k1_scalar t;
3372  int v = wnaf[i];
3373  CHECK(v != 0); /* check nonzero */
3374  CHECK(v & 1); /* check parity */
3375  CHECK(v > -(1 << w)); /* check range above */
3376  CHECK(v < (1 << w)); /* check range below */
3377 
3378  secp256k1_scalar_mul(&x, &x, &shift);
3379  if (v >= 0) {
3380  secp256k1_scalar_set_int(&t, v);
3381  } else {
3382  secp256k1_scalar_set_int(&t, -v);
3383  secp256k1_scalar_negate(&t, &t);
3384  }
3385  secp256k1_scalar_add(&x, &x, &t);
3386  }
3387  /* Skew num because when encoding numbers as odd we use an offset */
3388  secp256k1_scalar_set_int(&scalar_skew, 1 << (skew == 2));
3389  secp256k1_scalar_add(&num, &num, &scalar_skew);
3390  CHECK(secp256k1_scalar_eq(&x, &num));
3391 }
3392 
3393 void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
3394  secp256k1_scalar x, shift;
3395  int wnaf[256] = {0};
3396  int i;
3397  int skew;
3398  secp256k1_scalar num = *number;
3399 
3400  secp256k1_scalar_set_int(&x, 0);
3401  secp256k1_scalar_set_int(&shift, 1 << w);
3402  for (i = 0; i < 16; ++i) {
3403  secp256k1_scalar_shr_int(&num, 8);
3404  }
3405  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3406 
3407  for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3408  secp256k1_scalar t;
3409  int v = wnaf[i];
3410  CHECK(v == 0 || v & 1); /* check parity */
3411  CHECK(v > -(1 << w)); /* check range above */
3412  CHECK(v < (1 << w)); /* check range below */
3413 
3414  secp256k1_scalar_mul(&x, &x, &shift);
3415  if (v >= 0) {
3416  secp256k1_scalar_set_int(&t, v);
3417  } else {
3418  secp256k1_scalar_set_int(&t, -v);
3419  secp256k1_scalar_negate(&t, &t);
3420  }
3421  secp256k1_scalar_add(&x, &x, &t);
3422  }
3423  /* If skew is 1 then add 1 to num */
3424  secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
3425  CHECK(secp256k1_scalar_eq(&x, &num));
3426 }
3427 
3428 /* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
3429  * rest is 0.*/
3430 void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
3431  int i;
3432  for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
3433  CHECK(wnaf[i] == 0);
3434  }
3435  for (i = 7; i >= 0; --i) {
3436  CHECK(wnaf[i] == wnaf_expected[i]);
3437  }
3438 }
3439 
3440 void test_fixed_wnaf_small(void) {
3441  int w = 4;
3442  int wnaf[256] = {0};
3443  int i;
3444  int skew;
3445  secp256k1_scalar num;
3446 
3447  secp256k1_scalar_set_int(&num, 0);
3448  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3449  for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3450  int v = wnaf[i];
3451  CHECK(v == 0);
3452  }
3453  CHECK(skew == 0);
3454 
3455  secp256k1_scalar_set_int(&num, 1);
3456  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3457  for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
3458  int v = wnaf[i];
3459  CHECK(v == 0);
3460  }
3461  CHECK(wnaf[0] == 1);
3462  CHECK(skew == 0);
3463 
3464  {
3465  int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
3466  secp256k1_scalar_set_int(&num, 0xffffffff);
3467  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3468  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3469  CHECK(skew == 0);
3470  }
3471  {
3472  int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
3473  secp256k1_scalar_set_int(&num, 0xeeeeeeee);
3474  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3475  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3476  CHECK(skew == 1);
3477  }
3478  {
3479  int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
3480  secp256k1_scalar_set_int(&num, 0x01010101);
3481  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3482  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3483  CHECK(skew == 0);
3484  }
3485  {
3486  int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
3487  secp256k1_scalar_set_int(&num, 0x01ef1ef1);
3488  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3489  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3490  CHECK(skew == 0);
3491  }
3492 }
3493 
3494 void run_wnaf(void) {
3495  int i;
3496  secp256k1_scalar n = {{0}};
3497 
3498  test_constant_wnaf(&n, 4);
3499  /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
3500  * have easier-to-diagnose failure modes */
3501  n.d[0] = 1;
3502  test_constant_wnaf(&n, 4);
3503  n.d[0] = 2;
3504  test_constant_wnaf(&n, 4);
3505  /* Test -1, because it's a special case in wnaf_const */
3506  n = secp256k1_scalar_one;
3507  secp256k1_scalar_negate(&n, &n);
3508  test_constant_wnaf(&n, 4);
3509 
3510  /* Test -2, which may not lead to overflows in wnaf_const */
3511  secp256k1_scalar_add(&n, &secp256k1_scalar_one, &secp256k1_scalar_one);
3512  secp256k1_scalar_negate(&n, &n);
3513  test_constant_wnaf(&n, 4);
3514 
3515  /* Test (1/2) - 1 = 1/-2 and 1/2 = (1/-2) + 1
3516  as corner cases of negation handling in wnaf_const */
3517  secp256k1_scalar_inverse(&n, &n);
3518  test_constant_wnaf(&n, 4);
3519 
3520  secp256k1_scalar_add(&n, &n, &secp256k1_scalar_one);
3521  test_constant_wnaf(&n, 4);
3522 
3523  /* Test 0 for fixed wnaf */
3524  test_fixed_wnaf_small();
3525  /* Random tests */
3526  for (i = 0; i < count; i++) {
3527  random_scalar_order(&n);
3528  test_wnaf(&n, 4+(i%10));
3529  test_constant_wnaf_negate(&n);
3530  test_constant_wnaf(&n, 4 + (i % 10));
3531  test_fixed_wnaf(&n, 4 + (i % 10));
3532  }
3533  secp256k1_scalar_set_int(&n, 0);
3534  CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
3535  CHECK(secp256k1_scalar_is_zero(&n));
3536  CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
3537  CHECK(secp256k1_scalar_is_zero(&n));
3538 }
3539 
3540 void test_ecmult_constants(void) {
3541  /* Test ecmult_gen() for [0..36) and [order-36..0). */
3542  secp256k1_scalar x;
3543  secp256k1_gej r;
3544  secp256k1_ge ng;
3545  int i;
3546  int j;
3547  secp256k1_ge_neg(&ng, &secp256k1_ge_const_g);
3548  for (i = 0; i < 36; i++ ) {
3549  secp256k1_scalar_set_int(&x, i);
3550  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3551  for (j = 0; j < i; j++) {
3552  if (j == i - 1) {
3553  ge_equals_gej(&secp256k1_ge_const_g, &r);
3554  }
3555  secp256k1_gej_add_ge(&r, &r, &ng);
3556  }
3557  CHECK(secp256k1_gej_is_infinity(&r));
3558  }
3559  for (i = 1; i <= 36; i++ ) {
3560  secp256k1_scalar_set_int(&x, i);
3561  secp256k1_scalar_negate(&x, &x);
3562  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3563  for (j = 0; j < i; j++) {
3564  if (j == i - 1) {
3565  ge_equals_gej(&ng, &r);
3566  }
3567  secp256k1_gej_add_ge(&r, &r, &secp256k1_ge_const_g);
3568  }
3569  CHECK(secp256k1_gej_is_infinity(&r));
3570  }
3571 }
3572 
3573 void run_ecmult_constants(void) {
3574  test_ecmult_constants();
3575 }
3576 
3577 void test_ecmult_gen_blind(void) {
3578  /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
3579  secp256k1_scalar key;
3580  secp256k1_scalar b;
3581  unsigned char seed32[32];
3582  secp256k1_gej pgej;
3583  secp256k1_gej pgej2;
3584  secp256k1_gej i;
3585  secp256k1_ge pge;
3586  random_scalar_order_test(&key);
3587  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
3588  secp256k1_testrand256(seed32);
3589  b = ctx->ecmult_gen_ctx.blind;
3590  i = ctx->ecmult_gen_ctx.initial;
3591  secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
3592  CHECK(!secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3593  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
3594  CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
3595  CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial));
3596  secp256k1_ge_set_gej(&pge, &pgej);
3597  ge_equals_gej(&pge, &pgej2);
3598 }
3599 
3600 void test_ecmult_gen_blind_reset(void) {
3601  /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
3602  secp256k1_scalar b;
3603  secp256k1_gej initial;
3604  secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3605  b = ctx->ecmult_gen_ctx.blind;
3606  initial = ctx->ecmult_gen_ctx.initial;
3607  secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3608  CHECK(secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3609  CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial));
3610 }
3611 
3612 void run_ecmult_gen_blind(void) {
3613  int i;
3614  test_ecmult_gen_blind_reset();
3615  for (i = 0; i < 10; i++) {
3616  test_ecmult_gen_blind();
3617  }
3618 }
3619 
3620 /***** ENDOMORPHISH TESTS *****/
3621 void test_scalar_split(const secp256k1_scalar* full) {
3622  secp256k1_scalar s, s1, slam;
3623  const unsigned char zero[32] = {0};
3624  unsigned char tmp[32];
3625 
3626  secp256k1_scalar_split_lambda(&s1, &slam, full);
3627 
3628  /* check slam*lambda + s1 == full */
3629  secp256k1_scalar_mul(&s, &secp256k1_const_lambda, &slam);
3630  secp256k1_scalar_add(&s, &s, &s1);
3631  CHECK(secp256k1_scalar_eq(&s, full));
3632 
3633  /* check that both are <= 128 bits in size */
3634  if (secp256k1_scalar_is_high(&s1)) {
3635  secp256k1_scalar_negate(&s1, &s1);
3636  }
3637  if (secp256k1_scalar_is_high(&slam)) {
3638  secp256k1_scalar_negate(&slam, &slam);
3639  }
3640 
3641  secp256k1_scalar_get_b32(tmp, &s1);
3642  CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
3643  secp256k1_scalar_get_b32(tmp, &slam);
3644  CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
3645 }
3646 
3647 
3648 void run_endomorphism_tests(void) {
3649  unsigned i;
3650  static secp256k1_scalar s;
3651  test_scalar_split(&secp256k1_scalar_zero);
3652  test_scalar_split(&secp256k1_scalar_one);
3653  secp256k1_scalar_negate(&s,&secp256k1_scalar_one);
3654  test_scalar_split(&s);
3655  test_scalar_split(&secp256k1_const_lambda);
3656  secp256k1_scalar_add(&s, &secp256k1_const_lambda, &secp256k1_scalar_one);
3657  test_scalar_split(&s);
3658 
3659  for (i = 0; i < 100U * count; ++i) {
3660  secp256k1_scalar full;
3661  random_scalar_order_test(&full);
3662  test_scalar_split(&full);
3663  }
3664  for (i = 0; i < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++i) {
3665  test_scalar_split(&scalars_near_split_bounds[i]);
3666  }
3667 }
3668 
3669 void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
3670  unsigned char pubkeyc[65];
3671  secp256k1_pubkey pubkey;
3672  secp256k1_ge ge;
3673  size_t pubkeyclen;
3674  int32_t ecount;
3675  ecount = 0;
3676  secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3677  for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
3678  /* Smaller sizes are tested exhaustively elsewhere. */
3679  int32_t i;
3680  memcpy(&pubkeyc[1], input, 64);
3681  VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
3682  for (i = 0; i < 256; i++) {
3683  /* Try all type bytes. */
3684  int xpass;
3685  int ypass;
3686  int ysign;
3687  pubkeyc[0] = i;
3688  /* What sign does this point have? */
3689  ysign = (input[63] & 1) + 2;
3690  /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
3691  xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
3692  /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
3693  ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
3694  ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
3695  if (xpass || ypass) {
3696  /* These cases must parse. */
3697  unsigned char pubkeyo[65];
3698  size_t outl;
3699  memset(&pubkey, 0, sizeof(pubkey));
3700  VG_UNDEF(&pubkey, sizeof(pubkey));
3701  ecount = 0;
3702  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
3703  VG_CHECK(&pubkey, sizeof(pubkey));
3704  outl = 65;
3705  VG_UNDEF(pubkeyo, 65);
3706  CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3707  VG_CHECK(pubkeyo, outl);
3708  CHECK(outl == 33);
3709  CHECK(secp256k1_memcmp_var(&pubkeyo[1], &pubkeyc[1], 32) == 0);
3710  CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
3711  if (ypass) {
3712  /* This test isn't always done because we decode with alternative signs, so the y won't match. */
3713  CHECK(pubkeyo[0] == ysign);
3714  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3715  memset(&pubkey, 0, sizeof(pubkey));
3716  VG_UNDEF(&pubkey, sizeof(pubkey));
3717  secp256k1_pubkey_save(&pubkey, &ge);
3718  VG_CHECK(&pubkey, sizeof(pubkey));
3719  outl = 65;
3720  VG_UNDEF(pubkeyo, 65);
3721  CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3722  VG_CHECK(pubkeyo, outl);
3723  CHECK(outl == 65);
3724  CHECK(pubkeyo[0] == 4);
3725  CHECK(secp256k1_memcmp_var(&pubkeyo[1], input, 64) == 0);
3726  }
3727  CHECK(ecount == 0);
3728  } else {
3729  /* These cases must fail to parse. */
3730  memset(&pubkey, 0xfe, sizeof(pubkey));
3731  ecount = 0;
3732  VG_UNDEF(&pubkey, sizeof(pubkey));
3733  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
3734  VG_CHECK(&pubkey, sizeof(pubkey));
3735  CHECK(ecount == 0);
3736  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3737  CHECK(ecount == 1);
3738  }
3739  }
3740  }
3741  secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3742 }
3743 
3744 void run_ec_pubkey_parse_test(void) {
3745 #define SECP256K1_EC_PARSE_TEST_NVALID (12)
3746  const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
3747  {
3748  /* Point with leading and trailing zeros in x and y serialization. */
3749  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
3750  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3751  0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
3752  0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
3753  },
3754  {
3755  /* Point with x equal to a 3rd root of unity.*/
3756  0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
3757  0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
3758  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3759  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3760  },
3761  {
3762  /* Point with largest x. (1/2) */
3763  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3764  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3765  0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
3766  0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
3767  },
3768  {
3769  /* Point with largest x. (2/2) */
3770  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3771  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3772  0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
3773  0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
3774  },
3775  {
3776  /* Point with smallest x. (1/2) */
3777  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3778  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3779  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3780  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3781  },
3782  {
3783  /* Point with smallest x. (2/2) */
3784  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3785  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3786  0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3787  0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3788  },
3789  {
3790  /* Point with largest y. (1/3) */
3791  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3792  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3793  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3794  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3795  },
3796  {
3797  /* Point with largest y. (2/3) */
3798  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3799  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3800  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3801  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3802  },
3803  {
3804  /* Point with largest y. (3/3) */
3805  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3806  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3807  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3808  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3809  },
3810  {
3811  /* Point with smallest y. (1/3) */
3812  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3813  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3814  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3815  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3816  },
3817  {
3818  /* Point with smallest y. (2/3) */
3819  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3820  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3821  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3822  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3823  },
3824  {
3825  /* Point with smallest y. (3/3) */
3826  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3827  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3828  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3829  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
3830  }
3831  };
3832 #define SECP256K1_EC_PARSE_TEST_NXVALID (4)
3833  const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
3834  {
3835  /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
3836  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3837  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3838  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3839  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3840  },
3841  {
3842  /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
3843  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3844  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3845  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3846  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3847  },
3848  {
3849  /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
3850  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3851  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3852  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3853  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3854  },
3855  {
3856  /* x on curve, y is from y^2 = x^3 + 8. */
3857  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3858  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3859  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3860  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
3861  }
3862  };
3863 #define SECP256K1_EC_PARSE_TEST_NINVALID (7)
3864  const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
3865  {
3866  /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
3867  0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
3868  0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
3869  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3870  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3871  },
3872  {
3873  /* Valid if x overflow ignored (x = 1 mod p). */
3874  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3875  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3876  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3877  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3878  },
3879  {
3880  /* Valid if x overflow ignored (x = 1 mod p). */
3881  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3882  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3883  0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3884  0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3885  },
3886  {
3887  /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3888  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3889  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3890  0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
3891  0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
3892  },
3893  {
3894  /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3895  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3896  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3897  0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
3898  0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
3899  },
3900  {
3901  /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3902  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3903  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3904  0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
3905  0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
3906  },
3907  {
3908  /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3909  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3910  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3911  0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
3912  0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
3913  }
3914  };
3915  const unsigned char pubkeyc[66] = {
3916  /* Serialization of G. */
3917  0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
3918  0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
3919  0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
3920  0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
3921  0xB8, 0x00
3922  };
3923  unsigned char sout[65];
3924  unsigned char shortkey[2];
3925  secp256k1_ge ge;
3926  secp256k1_pubkey pubkey;
3927  size_t len;
3928  int32_t i;
3929  int32_t ecount;
3930  int32_t ecount2;
3931  ecount = 0;
3932  /* Nothing should be reading this far into pubkeyc. */
3933  VG_UNDEF(&pubkeyc[65], 1);
3934  secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3935  /* Zero length claimed, fail, zeroize, no illegal arg error. */
3936  memset(&pubkey, 0xfe, sizeof(pubkey));
3937  ecount = 0;
3938  VG_UNDEF(shortkey, 2);
3939  VG_UNDEF(&pubkey, sizeof(pubkey));
3940  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
3941  VG_CHECK(&pubkey, sizeof(pubkey));
3942  CHECK(ecount == 0);
3943  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3944  CHECK(ecount == 1);
3945  /* Length one claimed, fail, zeroize, no illegal arg error. */
3946  for (i = 0; i < 256 ; i++) {
3947  memset(&pubkey, 0xfe, sizeof(pubkey));
3948  ecount = 0;
3949  shortkey[0] = i;
3950  VG_UNDEF(&shortkey[1], 1);
3951  VG_UNDEF(&pubkey, sizeof(pubkey));
3952  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
3953  VG_CHECK(&pubkey, sizeof(pubkey));
3954  CHECK(ecount == 0);
3955  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3956  CHECK(ecount == 1);
3957  }
3958  /* Length two claimed, fail, zeroize, no illegal arg error. */
3959  for (i = 0; i < 65536 ; i++) {
3960  memset(&pubkey, 0xfe, sizeof(pubkey));
3961  ecount = 0;
3962  shortkey[0] = i & 255;
3963  shortkey[1] = i >> 8;
3964  VG_UNDEF(&pubkey, sizeof(pubkey));
3965  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
3966  VG_CHECK(&pubkey, sizeof(pubkey));
3967  CHECK(ecount == 0);
3968  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3969  CHECK(ecount == 1);
3970  }
3971  memset(&pubkey, 0xfe, sizeof(pubkey));
3972  ecount = 0;
3973  VG_UNDEF(&pubkey, sizeof(pubkey));
3974  /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
3975  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
3976  VG_CHECK(&pubkey, sizeof(pubkey));
3977  CHECK(ecount == 0);
3978  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3979  CHECK(ecount == 1);
3980  /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
3981  CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
3982  CHECK(ecount == 2);
3983  /* NULL input string. Illegal arg and zeroize output. */
3984  memset(&pubkey, 0xfe, sizeof(pubkey));
3985  ecount = 0;
3986  VG_UNDEF(&pubkey, sizeof(pubkey));
3987  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
3988  VG_CHECK(&pubkey, sizeof(pubkey));
3989  CHECK(ecount == 1);
3990  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3991  CHECK(ecount == 2);
3992  /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
3993  memset(&pubkey, 0xfe, sizeof(pubkey));
3994  ecount = 0;
3995  VG_UNDEF(&pubkey, sizeof(pubkey));
3996  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
3997  VG_CHECK(&pubkey, sizeof(pubkey));
3998  CHECK(ecount == 0);
3999  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4000  CHECK(ecount == 1);
4001  /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
4002  memset(&pubkey, 0xfe, sizeof(pubkey));
4003  ecount = 0;
4004  VG_UNDEF(&pubkey, sizeof(pubkey));
4005  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
4006  VG_CHECK(&pubkey, sizeof(pubkey));
4007  CHECK(ecount == 0);
4008  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4009  CHECK(ecount == 1);
4010  /* Valid parse. */
4011  memset(&pubkey, 0, sizeof(pubkey));
4012  ecount = 0;
4013  VG_UNDEF(&pubkey, sizeof(pubkey));
4014  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
4015  CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_no_precomp, &pubkey, pubkeyc, 65) == 1);
4016  VG_CHECK(&pubkey, sizeof(pubkey));
4017  CHECK(ecount == 0);
4018  VG_UNDEF(&ge, sizeof(ge));
4019  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
4020  VG_CHECK(&ge.x, sizeof(ge.x));
4021  VG_CHECK(&ge.y, sizeof(ge.y));
4022  VG_CHECK(&ge.infinity, sizeof(ge.infinity));
4023  ge_equals_ge(&secp256k1_ge_const_g, &ge);
4024  CHECK(ecount == 0);
4025  /* secp256k1_ec_pubkey_serialize illegal args. */
4026  ecount = 0;
4027  len = 65;
4028  CHECK(secp256k1_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
4029  CHECK(ecount == 1);
4030  CHECK(len == 0);
4031  CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
4032  CHECK(ecount == 2);
4033  len = 65;
4034  VG_UNDEF(sout, 65);
4035  CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0);
4036  VG_CHECK(sout, 65);
4037  CHECK(ecount == 3);
4038  CHECK(len == 0);
4039  len = 65;
4040  CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
4041  CHECK(ecount == 4);
4042  CHECK(len == 0);
4043  len = 65;
4044  VG_UNDEF(sout, 65);
4045  CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
4046  VG_CHECK(sout, 65);
4047  CHECK(ecount == 4);
4048  CHECK(len == 65);
4049  /* Multiple illegal args. Should still set arg error only once. */
4050  ecount = 0;
4051  ecount2 = 11;
4052  CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
4053  CHECK(ecount == 1);
4054  /* Does the illegal arg callback actually change the behavior? */
4055  secp256k1_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2);
4056  CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
4057  CHECK(ecount == 1);
4058  CHECK(ecount2 == 10);
4059  secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4060  /* Try a bunch of prefabbed points with all possible encodings. */
4061  for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
4062  ec_pubkey_parse_pointtest(valid[i], 1, 1);
4063  }
4064  for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
4065  ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
4066  }
4067  for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
4068  ec_pubkey_parse_pointtest(invalid[i], 0, 0);
4069  }
4070 }
4071 
4072 void run_eckey_edge_case_test(void) {
4073  const unsigned char orderc[32] = {
4074  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4075  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4076  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4077  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
4078  };
4079  const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
4080  unsigned char ctmp[33];
4081  unsigned char ctmp2[33];
4082  secp256k1_pubkey pubkey;
4083  secp256k1_pubkey pubkey2;
4084  secp256k1_pubkey pubkey_one;
4085  secp256k1_pubkey pubkey_negone;
4086  const secp256k1_pubkey *pubkeys[3];
4087  size_t len;
4088  int32_t ecount;
4089  /* Group order is too large, reject. */
4090  CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0);
4091  VG_UNDEF(&pubkey, sizeof(pubkey));
4092  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0);
4093  VG_CHECK(&pubkey, sizeof(pubkey));
4094  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4095  /* Maximum value is too large, reject. */
4096  memset(ctmp, 255, 32);
4097  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
4098  memset(&pubkey, 1, sizeof(pubkey));
4099  VG_UNDEF(&pubkey, sizeof(pubkey));
4100  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
4101  VG_CHECK(&pubkey, sizeof(pubkey));
4102  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4103  /* Zero is too small, reject. */
4104  memset(ctmp, 0, 32);
4105  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
4106  memset(&pubkey, 1, sizeof(pubkey));
4107  VG_UNDEF(&pubkey, sizeof(pubkey));
4108  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
4109  VG_CHECK(&pubkey, sizeof(pubkey));
4110  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4111  /* One must be accepted. */
4112  ctmp[31] = 0x01;
4113  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
4114  memset(&pubkey, 0, sizeof(pubkey));
4115  VG_UNDEF(&pubkey, sizeof(pubkey));
4116  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
4117  VG_CHECK(&pubkey, sizeof(pubkey));
4118  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4119  pubkey_one = pubkey;
4120  /* Group order + 1 is too large, reject. */
4121  memcpy(ctmp, orderc, 32);
4122  ctmp[31] = 0x42;
4123  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
4124  memset(&pubkey, 1, sizeof(pubkey));
4125  VG_UNDEF(&pubkey, sizeof(pubkey));
4126  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
4127  VG_CHECK(&pubkey, sizeof(pubkey));
4128  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4129  /* -1 must be accepted. */
4130  ctmp[31] = 0x40;
4131  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
4132  memset(&pubkey, 0, sizeof(pubkey));
4133  VG_UNDEF(&pubkey, sizeof(pubkey));
4134  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
4135  VG_CHECK(&pubkey, sizeof(pubkey));
4136  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4137  pubkey_negone = pubkey;
4138  /* Tweak of zero leaves the value unchanged. */
4139  memset(ctmp2, 0, 32);
4140  CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 1);
4141  CHECK(secp256k1_memcmp_var(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
4142  memcpy(&pubkey2, &pubkey, sizeof(pubkey));
4143  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
4144  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4145  /* Multiply tweak of zero zeroizes the output. */
4146  CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0);
4147  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4148  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
4149  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4150  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4151  /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
4152  seckey, the seckey is zeroized. */
4153  memcpy(ctmp, orderc, 32);
4154  memset(ctmp2, 0, 32);
4155  ctmp2[31] = 0x01;
4156  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp2) == 1);
4157  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
4158  CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 0);
4159  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4160  memcpy(ctmp, orderc, 32);
4161  CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0);
4162  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4163  /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
4164  tweak, the seckey is zeroized. */
4165  memcpy(ctmp, orderc, 32);
4166  ctmp[31] = 0x40;
4167  CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, orderc) == 0);
4168  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4169  memcpy(ctmp, orderc, 32);
4170  ctmp[31] = 0x40;
4171  CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, orderc) == 0);
4172  CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4173  memcpy(ctmp, orderc, 32);
4174  ctmp[31] = 0x40;
4175  /* If pubkey_tweak_add or pubkey_tweak_mul are called with an overflowing
4176  tweak, the pubkey is zeroized. */
4177  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
4178  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4179  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4180  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
4181  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4182  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4183  /* If the resulting key in secp256k1_ec_seckey_tweak_add and
4184  * secp256k1_ec_pubkey_tweak_add is 0 the functions fail and in the latter
4185  * case the pubkey is zeroized. */
4186  memcpy(ctmp, orderc, 32);
4187  ctmp[31] = 0x40;
4188  memset(ctmp2, 0, 32);
4189  ctmp2[31] = 1;
4190  CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 0);
4191  CHECK(secp256k1_memcmp_var(zeros, ctmp2, 32) == 0);
4192  ctmp2[31] = 1;
4193  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
4194  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4195  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4196  /* Tweak computation wraps and results in a key of 1. */
4197  ctmp2[31] = 2;
4198  CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 1);
4199  CHECK(secp256k1_memcmp_var(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
4200  ctmp2[31] = 2;
4201  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
4202  ctmp2[31] = 1;
4203  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
4204  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4205  /* Tweak mul * 2 = 1+1. */
4206  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
4207  ctmp2[31] = 2;
4208  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
4209  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4210  /* Test argument errors. */
4211  ecount = 0;
4212  secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
4213  CHECK(ecount == 0);
4214  /* Zeroize pubkey on parse error. */
4215  memset(&pubkey, 0, 32);
4216  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
4217  CHECK(ecount == 1);
4218  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4219  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4220  memset(&pubkey2, 0, 32);
4221  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
4222  CHECK(ecount == 2);
4223  CHECK(secp256k1_memcmp_var(&pubkey2, zeros, sizeof(pubkey2)) == 0);
4224  /* Plain argument errors. */
4225  ecount = 0;
4226  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
4227  CHECK(ecount == 0);
4228  CHECK(secp256k1_ec_seckey_verify(ctx, NULL) == 0);
4229  CHECK(ecount == 1);
4230  ecount = 0;
4231  memset(ctmp2, 0, 32);
4232  ctmp2[31] = 4;
4233  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
4234  CHECK(ecount == 1);
4235  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
4236  CHECK(ecount == 2);
4237  ecount = 0;
4238  memset(ctmp2, 0, 32);
4239  ctmp2[31] = 4;
4240  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
4241  CHECK(ecount == 1);
4242  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
4243  CHECK(ecount == 2);
4244  ecount = 0;
4245  memset(ctmp2, 0, 32);
4246  CHECK(secp256k1_ec_seckey_tweak_add(ctx, NULL, ctmp2) == 0);
4247  CHECK(ecount == 1);
4248  CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, NULL) == 0);
4249  CHECK(ecount == 2);
4250  ecount = 0;
4251  memset(ctmp2, 0, 32);
4252  ctmp2[31] = 1;
4253  CHECK(secp256k1_ec_seckey_tweak_mul(ctx, NULL, ctmp2) == 0);
4254  CHECK(ecount == 1);
4255  CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, NULL) == 0);
4256  CHECK(ecount == 2);
4257  ecount = 0;
4258  CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0);
4259  CHECK(ecount == 1);
4260  memset(&pubkey, 1, sizeof(pubkey));
4261  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
4262  CHECK(ecount == 2);
4263  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4264  /* secp256k1_ec_pubkey_combine tests. */
4265  ecount = 0;
4266  pubkeys[0] = &pubkey_one;
4267  VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *));
4268  VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *));
4269  VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *));
4270  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4271  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4272  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
4273  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4274  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4275  CHECK(ecount == 1);
4276  CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
4277  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4278  CHECK(ecount == 2);
4279  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4280  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4281  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
4282  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4283  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4284  CHECK(ecount == 3);
4285  pubkeys[0] = &pubkey_negone;
4286  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4287  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4288  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
4289  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4290  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4291  CHECK(ecount == 3);
4292  len = 33;
4293  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
4294  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
4295  CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
4296  /* Result is infinity. */
4297  pubkeys[0] = &pubkey_one;
4298  pubkeys[1] = &pubkey_negone;
4299  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4300  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4301  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
4302  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4303  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4304  CHECK(ecount == 3);
4305  /* Passes through infinity but comes out one. */
4306  pubkeys[2] = &pubkey_one;
4307  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4308  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4309  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
4310  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4311  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4312  CHECK(ecount == 3);
4313  len = 33;
4314  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
4315  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
4316  CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
4317  /* Adds to two. */
4318  pubkeys[1] = &pubkey_one;
4319  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4320  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4321  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1);
4322  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4323  CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4324  CHECK(ecount == 3);
4325  secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4326 }
4327 
4328 void run_eckey_negate_test(void) {
4329  unsigned char seckey[32];
4330  unsigned char seckey_tmp[32];
4331 
4332  random_scalar_order_b32(seckey);
4333  memcpy(seckey_tmp, seckey, 32);
4334 
4335  /* Verify negation changes the key and changes it back */
4336  CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
4337  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) != 0);
4338  CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
4339  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
4340 
4341  /* Check that privkey alias gives same result */
4342  CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
4343  CHECK(secp256k1_ec_privkey_negate(ctx, seckey_tmp) == 1);
4344  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
4345 
4346  /* Negating all 0s fails */
4347  memset(seckey, 0, 32);
4348  memset(seckey_tmp, 0, 32);
4349  CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 0);
4350  /* Check that seckey is not modified */
4351  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
4352 
4353  /* Negating an overflowing seckey fails and the seckey is zeroed. In this
4354  * test, the seckey has 16 random bytes to ensure that ec_seckey_negate
4355  * doesn't just set seckey to a constant value in case of failure. */
4356  random_scalar_order_b32(seckey);
4357  memset(seckey, 0xFF, 16);
4358  memset(seckey_tmp, 0, 32);
4359  CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 0);
4360  CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
4361 }
4362 
4363 void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
4364  secp256k1_scalar nonce;
4365  do {
4366  random_scalar_order_test(&nonce);
4367  } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
4368 }
4369 
4370 void test_ecdsa_sign_verify(void) {
4371  secp256k1_gej pubj;
4372  secp256k1_ge pub;
4373  secp256k1_scalar one;
4374  secp256k1_scalar msg, key;
4375  secp256k1_scalar sigr, sigs;
4376  int recid;
4377  int getrec;
4378  random_scalar_order_test(&msg);
4379  random_scalar_order_test(&key);
4380  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
4381  secp256k1_ge_set_gej(&pub, &pubj);
4382  getrec = secp256k1_testrand_bits(1);
4383  random_sign(&sigr, &sigs, &key, &msg, getrec?&recid:NULL);
4384  if (getrec) {
4385  CHECK(recid >= 0 && recid < 4);
4386  }
4387  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
4388  secp256k1_scalar_set_int(&one, 1);
4389  secp256k1_scalar_add(&msg, &msg, &one);
4390  CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
4391 }
4392 
4393 void run_ecdsa_sign_verify(void) {
4394  int i;
4395  for (i = 0; i < 10*count; i++) {
4396  test_ecdsa_sign_verify();
4397  }
4398 }
4399 
4401 static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4402  (void)msg32;
4403  (void)key32;
4404  (void)algo16;
4405  memcpy(nonce32, data, 32);
4406  return (counter == 0);
4407 }
4408 
4409 static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4410  /* Dummy nonce generator that has a fatal error on the first counter value. */
4411  if (counter == 0) {
4412  return 0;
4413  }
4414  return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
4415 }
4416 
4417 static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4418  /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
4419  if (counter < 3) {
4420  memset(nonce32, counter==0 ? 0 : 255, 32);
4421  if (counter == 2) {
4422  nonce32[31]--;
4423  }
4424  return 1;
4425  }
4426  if (counter < 5) {
4427  static const unsigned char order[] = {
4428  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4429  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4430  0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4431  0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
4432  };
4433  memcpy(nonce32, order, 32);
4434  if (counter == 4) {
4435  nonce32[31]++;
4436  }
4437  return 1;
4438  }
4439  /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
4440  /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
4441  if (counter > 5) {
4442  return 0;
4443  }
4444  return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
4445 }
4446 
4447 int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
4448  static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
4449  return secp256k1_memcmp_var(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
4450 }
4451 
4452 void test_ecdsa_end_to_end(void) {
4453  unsigned char extra[32] = {0x00};
4454  unsigned char privkey[32];
4455  unsigned char message[32];
4456  unsigned char privkey2[32];
4457  secp256k1_ecdsa_signature signature[6];
4458  secp256k1_scalar r, s;
4459  unsigned char sig[74];
4460  size_t siglen = 74;
4461  unsigned char pubkeyc[65];
4462  size_t pubkeyclen = 65;
4463  secp256k1_pubkey pubkey;
4464  secp256k1_pubkey pubkey_tmp;
4465  unsigned char seckey[300];
4466  size_t seckeylen = 300;
4467 
4468  /* Generate a random key and message. */
4469  {
4470  secp256k1_scalar msg, key;
4471  random_scalar_order_test(&msg);
4472  random_scalar_order_test(&key);
4473  secp256k1_scalar_get_b32(privkey, &key);
4474  secp256k1_scalar_get_b32(message, &msg);
4475  }
4476 
4477  /* Construct and verify corresponding public key. */
4478  CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
4479  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
4480 
4481  /* Verify exporting and importing public key. */
4482  CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, secp256k1_testrand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
4483  memset(&pubkey, 0, sizeof(pubkey));
4484  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
4485 
4486  /* Verify negation changes the key and changes it back */
4487  memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
4488  CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4489  CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
4490  CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4491  CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
4492 
4493  /* Verify private key import and export. */
4494  CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, secp256k1_testrand_bits(1) == 1));
4495  CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1);
4496  CHECK(secp256k1_memcmp_var(privkey, privkey2, 32) == 0);
4497 
4498  /* Optionally tweak the keys using addition. */
4499  if (secp256k1_testrand_int(3) == 0) {
4500  int ret1;
4501  int ret2;
4502  int ret3;
4503  unsigned char rnd[32];
4504  unsigned char privkey_tmp[32];
4505  secp256k1_pubkey pubkey2;
4506  secp256k1_testrand256_test(rnd);
4507  memcpy(privkey_tmp, privkey, 32);
4508  ret1 = secp256k1_ec_seckey_tweak_add(ctx, privkey, rnd);
4509  ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd);
4510  /* Check that privkey alias gives same result */
4511  ret3 = secp256k1_ec_privkey_tweak_add(ctx, privkey_tmp, rnd);
4512  CHECK(ret1 == ret2);
4513  CHECK(ret2 == ret3);
4514  if (ret1 == 0) {
4515  return;
4516  }
4517  CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
4518  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4519  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4520  }
4521 
4522  /* Optionally tweak the keys using multiplication. */
4523  if (secp256k1_testrand_int(3) == 0) {
4524  int ret1;
4525  int ret2;
4526  int ret3;
4527  unsigned char rnd[32];
4528  unsigned char privkey_tmp[32];
4529  secp256k1_pubkey pubkey2;
4530  secp256k1_testrand256_test(rnd);
4531  memcpy(privkey_tmp, privkey, 32);
4532  ret1 = secp256k1_ec_seckey_tweak_mul(ctx, privkey, rnd);
4533  ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd);
4534  /* Check that privkey alias gives same result */
4535  ret3 = secp256k1_ec_privkey_tweak_mul(ctx, privkey_tmp, rnd);
4536  CHECK(ret1 == ret2);
4537  CHECK(ret2 == ret3);
4538  if (ret1 == 0) {
4539  return;
4540  }
4541  CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
4542  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4543  CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4544  }
4545 
4546  /* Sign. */
4547  CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
4548  CHECK(secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1);
4549  CHECK(secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1);
4550  extra[31] = 1;
4551  CHECK(secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1);
4552  extra[31] = 0;
4553  extra[0] = 1;
4554  CHECK(secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1);
4555  CHECK(secp256k1_memcmp_var(&signature[0], &signature[4], sizeof(signature[0])) == 0);
4556  CHECK(secp256k1_memcmp_var(&signature[0], &signature[1], sizeof(signature[0])) != 0);
4557  CHECK(secp256k1_memcmp_var(&signature[0], &signature[2], sizeof(signature[0])) != 0);
4558  CHECK(secp256k1_memcmp_var(&signature[0], &signature[3], sizeof(signature[0])) != 0);
4559  CHECK(secp256k1_memcmp_var(&signature[1], &signature[2], sizeof(signature[0])) != 0);
4560  CHECK(secp256k1_memcmp_var(&signature[1], &signature[3], sizeof(signature[0])) != 0);
4561  CHECK(secp256k1_memcmp_var(&signature[2], &signature[3], sizeof(signature[0])) != 0);
4562  /* Verify. */
4563  CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4564  CHECK(secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1);
4565  CHECK(secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1);
4566  CHECK(secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1);
4567  /* Test lower-S form, malleate, verify and fail, test again, malleate again */
4568  CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[0]));
4569  secp256k1_ecdsa_signature_load(ctx, &r, &s, &signature[0]);
4570  secp256k1_scalar_negate(&s, &s);
4571  secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4572  CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0);
4573  CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4574  CHECK(secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4575  CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4576  CHECK(!secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4577  CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4578  secp256k1_scalar_negate(&s, &s);
4579  secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4580  CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4581  CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4582  CHECK(secp256k1_memcmp_var(&signature[5], &signature[0], 64) == 0);
4583 
4584  /* Serialize/parse DER and verify again */
4585  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4586  memset(&signature[0], 0, sizeof(signature[0]));
4587  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1);
4588  CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4589  /* Serialize/destroy/parse DER and verify again. */
4590  siglen = 74;
4591  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4592  sig[secp256k1_testrand_int(siglen)] += 1 + secp256k1_testrand_int(255);
4593  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 ||
4594  secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0);
4595 }
4596 
4597 void test_random_pubkeys(void) {
4598  secp256k1_ge elem;
4599  secp256k1_ge elem2;
4600  unsigned char in[65];
4601  /* Generate some randomly sized pubkeys. */
4602  size_t len = secp256k1_testrand_bits(2) == 0 ? 65 : 33;
4603  if (secp256k1_testrand_bits(2) == 0) {
4604  len = secp256k1_testrand_bits(6);
4605  }
4606  if (len == 65) {
4607  in[0] = secp256k1_testrand_bits(1) ? 4 : (secp256k1_testrand_bits(1) ? 6 : 7);
4608  } else {
4609  in[0] = secp256k1_testrand_bits(1) ? 2 : 3;
4610  }
4611  if (secp256k1_testrand_bits(3) == 0) {
4612  in[0] = secp256k1_testrand_bits(8);
4613  }
4614  if (len > 1) {
4615  secp256k1_testrand256(&in[1]);
4616  }
4617  if (len > 33) {
4618  secp256k1_testrand256(&in[33]);
4619  }
4620  if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
4621  unsigned char out[65];
4622  unsigned char firstb;
4623  int res;
4624  size_t size = len;
4625  firstb = in[0];
4626  /* If the pubkey can be parsed, it should round-trip... */
4627  CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
4628  CHECK(size == len);
4629  CHECK(secp256k1_memcmp_var(&in[1], &out[1], len-1) == 0);
4630  /* ... except for the type of hybrid inputs. */
4631  if ((in[0] != 6) && (in[0] != 7)) {
4632  CHECK(in[0] == out[0]);
4633  }
4634  size = 65;
4635  CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
4636  CHECK(size == 65);
4637  CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
4638  ge_equals_ge(&elem,&elem2);
4639  /* Check that the X9.62 hybrid type is checked. */
4640  in[0] = secp256k1_testrand_bits(1) ? 6 : 7;
4641  res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
4642  if (firstb == 2 || firstb == 3) {
4643  if (in[0] == firstb + 4) {
4644  CHECK(res);
4645  } else {
4646  CHECK(!res);
4647  }
4648  }
4649  if (res) {
4650  ge_equals_ge(&elem,&elem2);
4651  CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
4652  CHECK(secp256k1_memcmp_var(&in[1], &out[1], 64) == 0);
4653  }
4654  }
4655 }
4656 
4657 void run_random_pubkeys(void) {
4658  int i;
4659  for (i = 0; i < 10*count; i++) {
4660  test_random_pubkeys();
4661  }
4662 }
4663 
4664 void run_ecdsa_end_to_end(void) {
4665  int i;
4666  for (i = 0; i < 64*count; i++) {
4667  test_ecdsa_end_to_end();
4668  }
4669 }
4670 
4671 int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
4672  static const unsigned char zeroes[32] = {0};
4673 #ifdef ENABLE_OPENSSL_TESTS
4674  static const unsigned char max_scalar[32] = {
4675  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4676  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4677  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4678  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40
4679  };
4680 #endif
4681 
4682  int ret = 0;
4683 
4684  secp256k1_ecdsa_signature sig_der;
4685  unsigned char roundtrip_der[2048];
4686  unsigned char compact_der[64];
4687  size_t len_der = 2048;
4688  int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
4689 
4690  secp256k1_ecdsa_signature sig_der_lax;
4691  unsigned char roundtrip_der_lax[2048];
4692  unsigned char compact_der_lax[64];
4693  size_t len_der_lax = 2048;
4694  int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
4695 
4696 #ifdef ENABLE_OPENSSL_TESTS
4697  ECDSA_SIG *sig_openssl;
4698  const BIGNUM *r = NULL, *s = NULL;
4699  const unsigned char *sigptr;
4700  unsigned char roundtrip_openssl[2048];
4701  int len_openssl = 2048;
4702  int parsed_openssl, valid_openssl = 0, roundtrips_openssl = 0;
4703 #endif
4704 
4705  parsed_der = secp256k1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen);
4706  if (parsed_der) {
4707  ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0;
4708  valid_der = (secp256k1_memcmp_var(compact_der, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der + 32, zeroes, 32) != 0);
4709  }
4710  if (valid_der) {
4711  ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1;
4712  roundtrips_der = (len_der == siglen) && secp256k1_memcmp_var(roundtrip_der, sig, siglen) == 0;
4713  }
4714 
4715  parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen);
4716  if (parsed_der_lax) {
4717  ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10;
4718  valid_der_lax = (secp256k1_memcmp_var(compact_der_lax, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der_lax + 32, zeroes, 32) != 0);
4719  }
4720  if (valid_der_lax) {
4721  ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
4722  roundtrips_der_lax = (len_der_lax == siglen) && secp256k1_memcmp_var(roundtrip_der_lax, sig, siglen) == 0;
4723  }
4724 
4725  if (certainly_der) {
4726  ret |= (!parsed_der) << 2;
4727  }
4728  if (certainly_not_der) {
4729  ret |= (parsed_der) << 17;
4730  }
4731  if (valid_der) {
4732  ret |= (!roundtrips_der) << 3;
4733  }
4734 
4735  if (valid_der) {
4736  ret |= (!roundtrips_der_lax) << 12;
4737  ret |= (len_der != len_der_lax) << 13;
4738  ret |= ((len_der != len_der_lax) || (secp256k1_memcmp_var(roundtrip_der_lax, roundtrip_der, len_der) != 0)) << 14;
4739  }
4740  ret |= (roundtrips_der != roundtrips_der_lax) << 15;
4741  if (parsed_der) {
4742  ret |= (!parsed_der_lax) << 16;
4743  }
4744 
4745 #ifdef ENABLE_OPENSSL_TESTS
4746  sig_openssl = ECDSA_SIG_new();
4747  sigptr = sig;
4748  parsed_openssl = (d2i_ECDSA_SIG(&sig_openssl, &sigptr, siglen) != NULL);
4749  if (parsed_openssl) {
4750  ECDSA_SIG_get0(sig_openssl, &r, &s);
4751  valid_openssl = !BN_is_negative(r) && !BN_is_negative(s) && BN_num_bits(r) > 0 && BN_num_bits(r) <= 256 && BN_num_bits(s) > 0 && BN_num_bits(s) <= 256;
4752  if (valid_openssl) {
4753  unsigned char tmp[32] = {0};
4754  BN_bn2bin(r, tmp + 32 - BN_num_bytes(r));
4755  valid_openssl = secp256k1_memcmp_var(tmp, max_scalar, 32) < 0;
4756  }
4757  if (valid_openssl) {
4758  unsigned char tmp[32] = {0};
4759  BN_bn2bin(s, tmp + 32 - BN_num_bytes(s));
4760  valid_openssl = secp256k1_memcmp_var(tmp, max_scalar, 32) < 0;
4761  }
4762  }
4763  len_openssl = i2d_ECDSA_SIG(sig_openssl, NULL);
4764  if (len_openssl <= 2048) {
4765  unsigned char *ptr = roundtrip_openssl;
4766  CHECK(i2d_ECDSA_SIG(sig_openssl, &ptr) == len_openssl);
4767  roundtrips_openssl = valid_openssl && ((size_t)len_openssl == siglen) && (secp256k1_memcmp_var(roundtrip_openssl, sig, siglen) == 0);
4768  } else {
4769  len_openssl = 0;
4770  }
4771  ECDSA_SIG_free(sig_openssl);
4772 
4773  ret |= (parsed_der && !parsed_openssl) << 4;
4774  ret |= (valid_der && !valid_openssl) << 5;
4775  ret |= (roundtrips_openssl && !parsed_der) << 6;
4776  ret |= (roundtrips_der != roundtrips_openssl) << 7;
4777  if (roundtrips_openssl) {
4778  ret |= (len_der != (size_t)len_openssl) << 8;
4779  ret |= ((len_der != (size_t)len_openssl) || (secp256k1_memcmp_var(roundtrip_der, roundtrip_openssl, len_der) != 0)) << 9;
4780  }
4781 #endif
4782  return ret;
4783 }
4784 
4785 static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
4786  size_t i;
4787  for (i = 0; i < ptrlen; i++) {
4788  int shift = ptrlen - 1 - i;
4789  if (shift >= 4) {
4790  ptr[i] = 0;
4791  } else {
4792  ptr[i] = (val >> shift) & 0xFF;
4793  }
4794  }
4795 }
4796 
4797 static void damage_array(unsigned char *sig, size_t *len) {
4798  int pos;
4799  int action = secp256k1_testrand_bits(3);
4800  if (action < 1 && *len > 3) {
4801  /* Delete a byte. */
4802  pos = secp256k1_testrand_int(*len);
4803  memmove(sig + pos, sig + pos + 1, *len - pos - 1);
4804  (*len)--;
4805  return;
4806  } else if (action < 2 && *len < 2048) {
4807  /* Insert a byte. */
4808  pos = secp256k1_testrand_int(1 + *len);
4809  memmove(sig + pos + 1, sig + pos, *len - pos);
4810  sig[pos] = secp256k1_testrand_bits(8);
4811  (*len)++;
4812  return;
4813  } else if (action < 4) {
4814  /* Modify a byte. */
4815  sig[secp256k1_testrand_int(*len)] += 1 + secp256k1_testrand_int(255);
4816  return;
4817  } else { /* action < 8 */
4818  /* Modify a bit. */
4819  sig[secp256k1_testrand_int(*len)] ^= 1 << secp256k1_testrand_bits(3);
4820  return;
4821  }
4822 }
4823 
4824 static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
4825  int der;
4826  int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
4827  size_t tlen, elen, glen;
4828  int indet;
4829  int n;
4830 
4831  *len = 0;
4832  der = secp256k1_testrand_bits(2) == 0;
4833  *certainly_der = der;
4834  *certainly_not_der = 0;
4835  indet = der ? 0 : secp256k1_testrand_int(10) == 0;
4836 
4837  for (n = 0; n < 2; n++) {
4838  /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
4839  nlow[n] = der ? 1 : (secp256k1_testrand_bits(3) != 0);
4840  /* The length of the number in bytes (the first byte of which will always be nonzero) */
4841  nlen[n] = nlow[n] ? secp256k1_testrand_int(33) : 32 + secp256k1_testrand_int(200) * secp256k1_testrand_int(8) / 8;
4842  CHECK(nlen[n] <= 232);
4843  /* The top bit of the number. */
4844  nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_testrand_bits(1));
4845  /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
4846  nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_testrand_bits(7) : 1 + secp256k1_testrand_int(127));
4847  /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
4848  nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_testrand_int(3) : secp256k1_testrand_int(300 - nlen[n]) * secp256k1_testrand_int(8) / 8);
4849  if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
4850  *certainly_not_der = 1;
4851  }
4852  CHECK(nlen[n] + nzlen[n] <= 300);
4853  /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
4854  nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
4855  if (!der) {
4856  /* nlenlen[n] max 127 bytes */
4857  int add = secp256k1_testrand_int(127 - nlenlen[n]) * secp256k1_testrand_int(16) * secp256k1_testrand_int(16) / 256;
4858  nlenlen[n] += add;
4859  if (add != 0) {
4860  *certainly_not_der = 1;
4861  }
4862  }
4863  CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
4864  }
4865 
4866  /* The total length of the data to go, so far */
4867  tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
4868  CHECK(tlen <= 856);
4869 
4870  /* The length of the garbage inside the tuple. */
4871  elen = (der || indet) ? 0 : secp256k1_testrand_int(980 - tlen) * secp256k1_testrand_int(8) / 8;
4872  if (elen != 0) {
4873  *certainly_not_der = 1;
4874  }
4875  tlen += elen;
4876  CHECK(tlen <= 980);
4877 
4878  /* The length of the garbage after the end of the tuple. */
4879  glen = der ? 0 : secp256k1_testrand_int(990 - tlen) * secp256k1_testrand_int(8) / 8;
4880  if (glen != 0) {
4881  *certainly_not_der = 1;
4882  }
4883  CHECK(tlen + glen <= 990);
4884 
4885  /* Write the tuple header. */
4886  sig[(*len)++] = 0x30;
4887  if (indet) {
4888  /* Indeterminate length */
4889  sig[(*len)++] = 0x80;
4890  *certainly_not_der = 1;
4891  } else {
4892  int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
4893  if (!der) {
4894  int add = secp256k1_testrand_int(127 - tlenlen) * secp256k1_testrand_int(16) * secp256k1_testrand_int(16) / 256;
4895  tlenlen += add;
4896  if (add != 0) {
4897  *certainly_not_der = 1;
4898  }
4899  }
4900  if (tlenlen == 0) {
4901  /* Short length notation */
4902  sig[(*len)++] = tlen;
4903  } else {
4904  /* Long length notation */
4905  sig[(*len)++] = 128 + tlenlen;
4906  assign_big_endian(sig + *len, tlenlen, tlen);
4907  *len += tlenlen;
4908  }
4909  tlen += tlenlen;
4910  }
4911  tlen += 2;
4912  CHECK(tlen + glen <= 1119);
4913 
4914  for (n = 0; n < 2; n++) {
4915  /* Write the integer header. */
4916  sig[(*len)++] = 0x02;
4917  if (nlenlen[n] == 0) {
4918  /* Short length notation */
4919  sig[(*len)++] = nlen[n] + nzlen[n];
4920  } else {
4921  /* Long length notation. */
4922  sig[(*len)++] = 128 + nlenlen[n];
4923  assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
4924  *len += nlenlen[n];
4925  }
4926  /* Write zero padding */
4927  while (nzlen[n] > 0) {
4928  sig[(*len)++] = 0x00;
4929  nzlen[n]--;
4930  }
4931  if (nlen[n] == 32 && !nlow[n]) {
4932  /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
4933  int i;
4934  for (i = 0; i < 16; i++) {
4935  sig[(*len)++] = 0xFF;
4936  }
4937  nlen[n] -= 16;
4938  }
4939  /* Write first byte of number */
4940  if (nlen[n] > 0) {
4941  sig[(*len)++] = nhbyte[n];
4942  nlen[n]--;
4943  }
4944  /* Generate remaining random bytes of number */
4945  secp256k1_testrand_bytes_test(sig + *len, nlen[n]);
4946  *len += nlen[n];
4947  nlen[n] = 0;
4948  }
4949 
4950  /* Generate random garbage inside tuple. */
4951  secp256k1_testrand_bytes_test(sig + *len, elen);
4952  *len += elen;
4953 
4954  /* Generate end-of-contents bytes. */
4955  if (indet) {
4956  sig[(*len)++] = 0;
4957  sig[(*len)++] = 0;
4958  tlen += 2;
4959  }
4960  CHECK(tlen + glen <= 1121);
4961 
4962  /* Generate random garbage outside tuple. */
4963  secp256k1_testrand_bytes_test(sig + *len, glen);
4964  *len += glen;
4965  tlen += glen;
4966  CHECK(tlen <= 1121);
4967  CHECK(tlen == *len);
4968 }
4969 
4970 void run_ecdsa_der_parse(void) {
4971  int i,j;
4972  for (i = 0; i < 200 * count; i++) {
4973  unsigned char buffer[2048];
4974  size_t buflen = 0;
4975  int certainly_der = 0;
4976  int certainly_not_der = 0;
4977  random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
4978  CHECK(buflen <= 2048);
4979  for (j = 0; j < 16; j++) {
4980  int ret = 0;
4981  if (j > 0) {
4982  damage_array(buffer, &buflen);
4983  /* We don't know anything anymore about the DERness of the result */
4984  certainly_der = 0;
4985  certainly_not_der = 0;
4986  }
4987  ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
4988  if (ret != 0) {
4989  size_t k;
4990  fprintf(stderr, "Failure %x on ", ret);
4991  for (k = 0; k < buflen; k++) {
4992  fprintf(stderr, "%02x ", buffer[k]);
4993  }
4994  fprintf(stderr, "\n");
4995  }
4996  CHECK(ret == 0);
4997  }
4998  }
4999 }
5000 
5001 /* Tests several edge cases. */
5002 void test_ecdsa_edge_cases(void) {
5003  int t;
5004  secp256k1_ecdsa_signature sig;
5005 
5006  /* Test the case where ECDSA recomputes a point that is infinity. */
5007  {
5008  secp256k1_gej keyj;
5009  secp256k1_ge key;
5010  secp256k1_scalar msg;
5011  secp256k1_scalar sr, ss;
5012  secp256k1_scalar_set_int(&ss, 1);
5013  secp256k1_scalar_negate(&ss, &ss);
5014  secp256k1_scalar_inverse(&ss, &ss);
5015  secp256k1_scalar_set_int(&sr, 1);
5016  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr);
5017  secp256k1_ge_set_gej(&key, &keyj);
5018  msg = ss;
5019  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5020  }
5021 
5022  /* Verify signature with r of zero fails. */
5023  {
5024  const unsigned char pubkey_mods_zero[33] = {
5025  0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5026  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5027  0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
5028  0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
5029  0x41
5030  };
5031  secp256k1_ge key;
5032  secp256k1_scalar msg;
5033  secp256k1_scalar sr, ss;
5034  secp256k1_scalar_set_int(&ss, 1);
5035  secp256k1_scalar_set_int(&msg, 0);
5036  secp256k1_scalar_set_int(&sr, 0);
5037  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
5038  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5039  }
5040 
5041  /* Verify signature with s of zero fails. */
5042  {
5043  const unsigned char pubkey[33] = {
5044  0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5045  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5046  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5047  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5048  0x01
5049  };
5050  secp256k1_ge key;
5051  secp256k1_scalar msg;
5052  secp256k1_scalar sr, ss;
5053  secp256k1_scalar_set_int(&ss, 0);
5054  secp256k1_scalar_set_int(&msg, 0);
5055  secp256k1_scalar_set_int(&sr, 1);
5056  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
5057  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5058  }
5059 
5060  /* Verify signature with message 0 passes. */
5061  {
5062  const unsigned char pubkey[33] = {
5063  0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5064  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5065  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5066  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5067  0x02
5068  };
5069  const unsigned char pubkey2[33] = {
5070  0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5071  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5072  0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
5073  0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
5074  0x43
5075  };
5076  secp256k1_ge key;
5077  secp256k1_ge key2;
5078  secp256k1_scalar msg;
5079  secp256k1_scalar sr, ss;
5080  secp256k1_scalar_set_int(&ss, 2);
5081  secp256k1_scalar_set_int(&msg, 0);
5082  secp256k1_scalar_set_int(&sr, 2);
5083  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
5084  CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
5085  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5086  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5087  secp256k1_scalar_negate(&ss, &ss);
5088  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5089  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5090  secp256k1_scalar_set_int(&ss, 1);
5091  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5092  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
5093  }
5094 
5095  /* Verify signature with message 1 passes. */
5096  {
5097  const unsigned char pubkey[33] = {
5098  0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
5099  0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
5100  0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
5101  0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
5102  0x25
5103  };
5104  const unsigned char pubkey2[33] = {
5105  0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
5106  0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
5107  0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
5108  0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
5109  0x62
5110  };
5111  const unsigned char csr[32] = {
5112  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5113  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5114  0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
5115  0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
5116  };
5117  secp256k1_ge key;
5118  secp256k1_ge key2;
5119  secp256k1_scalar msg;
5120  secp256k1_scalar sr, ss;
5121  secp256k1_scalar_set_int(&ss, 1);
5122  secp256k1_scalar_set_int(&msg, 1);
5123  secp256k1_scalar_set_b32(&sr, csr, NULL);
5124  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
5125  CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
5126  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5127  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5128  secp256k1_scalar_negate(&ss, &ss);
5129  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5130  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5131  secp256k1_scalar_set_int(&ss, 2);
5132  secp256k1_scalar_inverse_var(&ss, &ss);
5133  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5134  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
5135  }
5136 
5137  /* Verify signature with message -1 passes. */
5138  {
5139  const unsigned char pubkey[33] = {
5140  0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
5141  0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
5142  0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
5143  0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
5144  0xf1
5145  };
5146  const unsigned char csr[32] = {
5147  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5148  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5149  0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
5150  0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
5151  };
5152  secp256k1_ge key;
5153  secp256k1_scalar msg;
5154  secp256k1_scalar sr, ss;
5155  secp256k1_scalar_set_int(&ss, 1);
5156  secp256k1_scalar_set_int(&msg, 1);
5157  secp256k1_scalar_negate(&msg, &msg);
5158  secp256k1_scalar_set_b32(&sr, csr, NULL);
5159  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
5160  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5161  secp256k1_scalar_negate(&ss, &ss);
5162  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5163  secp256k1_scalar_set_int(&ss, 3);
5164  secp256k1_scalar_inverse_var(&ss, &ss);
5165  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5166  }
5167 
5168  /* Signature where s would be zero. */
5169  {
5170  secp256k1_pubkey pubkey;
5171  size_t siglen;
5172  int32_t ecount;
5173  unsigned char signature[72];
5174  static const unsigned char nonce[32] = {
5175  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5176  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5177  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5178  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5179  };
5180  static const unsigned char nonce2[32] = {
5181  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
5182  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
5183  0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
5184  0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
5185  };
5186  const unsigned char key[32] = {
5187  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5188  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5189  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5190  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5191  };
5192  unsigned char msg[32] = {
5193  0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
5194  0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
5195  0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
5196  0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
5197  };
5198  ecount = 0;
5199  secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
5200  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
5201  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
5202  msg[31] = 0xaa;
5203  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
5204  CHECK(ecount == 0);
5205  CHECK(secp256k1_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
5206  CHECK(ecount == 1);
5207  CHECK(secp256k1_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
5208  CHECK(ecount == 2);
5209  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0);
5210  CHECK(ecount == 3);
5211  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
5212  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, key) == 1);
5213  CHECK(secp256k1_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0);
5214  CHECK(ecount == 4);
5215  CHECK(secp256k1_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0);
5216  CHECK(ecount == 5);
5217  CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, NULL) == 0);
5218  CHECK(ecount == 6);
5219  CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1);
5220  CHECK(ecount == 6);
5221  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
5222  CHECK(ecount == 7);
5223  /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
5224  CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0);
5225  CHECK(ecount == 8);
5226  siglen = 72;
5227  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0);
5228  CHECK(ecount == 9);
5229  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0);
5230  CHECK(ecount == 10);
5231  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0);
5232  CHECK(ecount == 11);
5233  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1);
5234  CHECK(ecount == 11);
5235  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0);
5236  CHECK(ecount == 12);
5237  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0);
5238  CHECK(ecount == 13);
5239  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1);
5240  CHECK(ecount == 13);
5241  siglen = 10;
5242  /* Too little room for a signature does not fail via ARGCHECK. */
5243  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0);
5244  CHECK(ecount == 13);
5245  ecount = 0;
5246  CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, NULL) == 0);
5247  CHECK(ecount == 1);
5248  CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0);
5249  CHECK(ecount == 2);
5250  CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0);
5251  CHECK(ecount == 3);
5252  CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1);
5253  CHECK(ecount == 3);
5254  CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0);
5255  CHECK(ecount == 4);
5256  CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0);
5257  CHECK(ecount == 5);
5258  CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1);
5259  CHECK(ecount == 5);
5260  memset(signature, 255, 64);
5261  CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0);
5262  CHECK(ecount == 5);
5263  secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
5264  }
5265 
5266  /* Nonce function corner cases. */
5267  for (t = 0; t < 2; t++) {
5268  static const unsigned char zero[32] = {0x00};
5269  int i;
5270  unsigned char key[32];
5271  unsigned char msg[32];
5272  secp256k1_ecdsa_signature sig2;
5273  secp256k1_scalar sr[512], ss;
5274  const unsigned char *extra;
5275  extra = t == 0 ? NULL : zero;
5276  memset(msg, 0, 32);
5277  msg[31] = 1;
5278  /* High key results in signature failure. */
5279  memset(key, 0xFF, 32);
5280  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
5281  CHECK(is_empty_signature(&sig));
5282  /* Zero key results in signature failure. */
5283  memset(key, 0, 32);
5284  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
5285  CHECK(is_empty_signature(&sig));
5286  /* Nonce function failure results in signature failure. */
5287  key[31] = 1;
5288  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0);
5289  CHECK(is_empty_signature(&sig));
5290  /* The retry loop successfully makes its way to the first good value. */
5291  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1);
5292  CHECK(!is_empty_signature(&sig));
5293  CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
5294  CHECK(!is_empty_signature(&sig2));
5295  CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
5296  /* The default nonce function is deterministic. */
5297  CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
5298  CHECK(!is_empty_signature(&sig2));
5299  CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
5300  /* The default nonce function changes output with different messages. */
5301  for(i = 0; i < 256; i++) {
5302  int j;
5303  msg[0] = i;
5304  CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
5305  CHECK(!is_empty_signature(&sig2));
5306  secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
5307  for (j = 0; j < i; j++) {
5308  CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
5309  }
5310  }
5311  msg[0] = 0;
5312  msg[31] = 2;
5313  /* The default nonce function changes output with different keys. */
5314  for(i = 256; i < 512; i++) {
5315  int j;
5316  key[0] = i - 256;
5317  CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
5318  CHECK(!is_empty_signature(&sig2));
5319  secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
5320  for (j = 0; j < i; j++) {
5321  CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
5322  }
5323  }
5324  key[0] = 0;
5325  }
5326 
5327  {
5328  /* Check that optional nonce arguments do not have equivalent effect. */
5329  const unsigned char zeros[32] = {0};
5330  unsigned char nonce[32];
5331  unsigned char nonce2[32];
5332  unsigned char nonce3[32];
5333  unsigned char nonce4[32];
5334  VG_UNDEF(nonce,32);
5335  VG_UNDEF(nonce2,32);
5336  VG_UNDEF(nonce3,32);
5337  VG_UNDEF(nonce4,32);
5338  CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
5339  VG_CHECK(nonce,32);
5340  CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
5341  VG_CHECK(nonce2,32);
5342  CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
5343  VG_CHECK(nonce3,32);
5344  CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
5345  VG_CHECK(nonce4,32);
5346  CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
5347  CHECK(secp256k1_memcmp_var(nonce, nonce3, 32) != 0);
5348  CHECK(secp256k1_memcmp_var(nonce, nonce4, 32) != 0);
5349  CHECK(secp256k1_memcmp_var(nonce2, nonce3, 32) != 0);
5350  CHECK(secp256k1_memcmp_var(nonce2, nonce4, 32) != 0);
5351  CHECK(secp256k1_memcmp_var(nonce3, nonce4, 32) != 0);
5352  }
5353 
5354 
5355  /* Privkey export where pubkey is the point at infinity. */
5356  {
5357  unsigned char privkey[300];
5358  unsigned char seckey[32] = {
5359  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5360  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
5361  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
5362  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
5363  };
5364  size_t outlen = 300;
5365  CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 0));
5366  outlen = 300;
5367  CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 1));
5368  }
5369 }
5370 
5371 void run_ecdsa_edge_cases(void) {
5372  test_ecdsa_edge_cases();
5373 }
5374 
5375 #ifdef ENABLE_OPENSSL_TESTS
5376 EC_KEY *get_openssl_key(const unsigned char *key32) {
5377  unsigned char privkey[300];
5378  size_t privkeylen;
5379  const unsigned char* pbegin = privkey;
5380  int compr = secp256k1_testrand_bits(1);
5381  EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1);
5382  CHECK(ec_privkey_export_der(ctx, privkey, &privkeylen, key32, compr));
5383  CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen));
5384  CHECK(EC_KEY_check_key(ec_key));
5385  return ec_key;
5386 }
5387 
5388 void test_ecdsa_openssl(void) {
5389  secp256k1_gej qj;
5390  secp256k1_ge q;
5391  secp256k1_scalar sigr, sigs;
5392  secp256k1_scalar one;
5393  secp256k1_scalar msg2;
5394  secp256k1_scalar key, msg;
5395  EC_KEY *ec_key;
5396  unsigned int sigsize = 80;
5397  size_t secp_sigsize = 80;
5398  unsigned char message[32];
5399  unsigned char signature[80];
5400  unsigned char key32[32];
5401  secp256k1_testrand256_test(message);
5402  secp256k1_scalar_set_b32(&msg, message, NULL);
5403  random_scalar_order_test(&key);
5404  secp256k1_scalar_get_b32(key32, &key);
5405  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &qj, &key);
5406  secp256k1_ge_set_gej(&q, &qj);
5407  ec_key = get_openssl_key(key32);
5408  CHECK(ec_key != NULL);
5409  CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
5410  CHECK(secp256k1_ecdsa_sig_parse(&sigr, &sigs, signature, sigsize));
5411  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg));
5412  secp256k1_scalar_set_int(&one, 1);
5413  secp256k1_scalar_add(&msg2, &msg, &one);
5414  CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg2));
5415 
5416  random_sign(&sigr, &sigs, &key, &msg, NULL);
5417  CHECK(secp256k1_ecdsa_sig_serialize(signature, &secp_sigsize, &sigr, &sigs));
5418  CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1);
5419 
5420  EC_KEY_free(ec_key);
5421 }
5422 
5423 void run_ecdsa_openssl(void) {
5424  int i;
5425  for (i = 0; i < 10*count; i++) {
5426  test_ecdsa_openssl();
5427  }
5428 }
5429 #endif
5430 
5431 #ifdef ENABLE_MODULE_ECDH
5432 # include "modules/ecdh/tests_impl.h"
5433 #endif
5434 
5435 #ifdef ENABLE_MODULE_RECOVERY
5436 # include "modules/recovery/tests_impl.h"
5437 #endif
5438 
5439 #ifdef ENABLE_MODULE_EXTRAKEYS
5440 # include "modules/extrakeys/tests_impl.h"
5441 #endif
5442 
5443 #ifdef ENABLE_MODULE_SCHNORRSIG
5444 # include "modules/schnorrsig/tests_impl.h"
5445 #endif
5446 
5447 void run_memczero_test(void) {
5448  unsigned char buf1[6] = {1, 2, 3, 4, 5, 6};
5449  unsigned char buf2[sizeof(buf1)];
5450 
5451  /* memczero(..., ..., 0) is a noop. */
5452  memcpy(buf2, buf1, sizeof(buf1));
5453  memczero(buf1, sizeof(buf1), 0);
5454  CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
5455 
5456  /* memczero(..., ..., 1) zeros the buffer. */
5457  memset(buf2, 0, sizeof(buf2));
5458  memczero(buf1, sizeof(buf1) , 1);
5459  CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
5460 }
5461 
5462 void int_cmov_test(void) {
5463  int r = INT_MAX;
5464  int a = 0;
5465 
5466  secp256k1_int_cmov(&r, &a, 0);
5467  CHECK(r == INT_MAX);
5468 
5469  r = 0; a = INT_MAX;
5470  secp256k1_int_cmov(&r, &a, 1);
5471  CHECK(r == INT_MAX);
5472 
5473  a = 0;
5474  secp256k1_int_cmov(&r, &a, 1);
5475  CHECK(r == 0);
5476 
5477  a = 1;
5478  secp256k1_int_cmov(&r, &a, 1);
5479  CHECK(r == 1);
5480 
5481  r = 1; a = 0;
5482  secp256k1_int_cmov(&r, &a, 0);
5483  CHECK(r == 1);
5484 
5485 }
5486 
5487 void fe_cmov_test(void) {
5488  static const secp256k1_fe zero = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
5489  static const secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
5490  static const secp256k1_fe max = SECP256K1_FE_CONST(
5491  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
5492  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
5493  );
5494  secp256k1_fe r = max;
5495  secp256k1_fe a = zero;
5496 
5497  secp256k1_fe_cmov(&r, &a, 0);
5498  CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
5499 
5500  r = zero; a = max;
5501  secp256k1_fe_cmov(&r, &a, 1);
5502  CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
5503 
5504  a = zero;
5505  secp256k1_fe_cmov(&r, &a, 1);
5506  CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
5507 
5508  a = one;
5509  secp256k1_fe_cmov(&r, &a, 1);
5510  CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
5511 
5512  r = one; a = zero;
5513  secp256k1_fe_cmov(&r, &a, 0);
5514  CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
5515 }
5516 
5517 void fe_storage_cmov_test(void) {
5518  static const secp256k1_fe_storage zero = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
5519  static const secp256k1_fe_storage one = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
5520  static const secp256k1_fe_storage max = SECP256K1_FE_STORAGE_CONST(
5521  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
5522  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
5523  );
5524  secp256k1_fe_storage r = max;
5525  secp256k1_fe_storage a = zero;
5526 
5527  secp256k1_fe_storage_cmov(&r, &a, 0);
5528  CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
5529 
5530  r = zero; a = max;
5531  secp256k1_fe_storage_cmov(&r, &a, 1);
5532  CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
5533 
5534  a = zero;
5535  secp256k1_fe_storage_cmov(&r, &a, 1);
5536  CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
5537 
5538  a = one;
5539  secp256k1_fe_storage_cmov(&r, &a, 1);
5540  CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
5541 
5542  r = one; a = zero;
5543  secp256k1_fe_storage_cmov(&r, &a, 0);
5544  CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
5545 }
5546 
5547 void scalar_cmov_test(void) {
5548  static const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
5549  static const secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
5550  static const secp256k1_scalar max = SECP256K1_SCALAR_CONST(
5551  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
5552  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
5553  );
5554  secp256k1_scalar r = max;
5555  secp256k1_scalar a = zero;
5556 
5557  secp256k1_scalar_cmov(&r, &a, 0);
5558  CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
5559 
5560  r = zero; a = max;
5561  secp256k1_scalar_cmov(&r, &a, 1);
5562  CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
5563 
5564  a = zero;
5565  secp256k1_scalar_cmov(&r, &a, 1);
5566  CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
5567 
5568  a = one;
5569  secp256k1_scalar_cmov(&r, &a, 1);
5570  CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
5571 
5572  r = one; a = zero;
5573  secp256k1_scalar_cmov(&r, &a, 0);
5574  CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
5575 }
5576 
5577 void ge_storage_cmov_test(void) {
5578  static const secp256k1_ge_storage zero = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
5579  static const secp256k1_ge_storage one = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1);
5580  static const secp256k1_ge_storage max = SECP256K1_GE_STORAGE_CONST(
5581  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
5582  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
5583  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
5584  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
5585  );
5586  secp256k1_ge_storage r = max;
5587  secp256k1_ge_storage a = zero;
5588 
5589  secp256k1_ge_storage_cmov(&r, &a, 0);
5590  CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
5591 
5592  r = zero; a = max;
5593  secp256k1_ge_storage_cmov(&r, &a, 1);
5594  CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
5595 
5596  a = zero;
5597  secp256k1_ge_storage_cmov(&r, &a, 1);
5598  CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
5599 
5600  a = one;
5601  secp256k1_ge_storage_cmov(&r, &a, 1);
5602  CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
5603 
5604  r = one; a = zero;
5605  secp256k1_ge_storage_cmov(&r, &a, 0);
5606  CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
5607 }
5608 
5609 void run_cmov_tests(void) {
5610  int_cmov_test();
5611  fe_cmov_test();
5612  fe_storage_cmov_test();
5613  scalar_cmov_test();
5614  ge_storage_cmov_test();
5615 }
5616 
5617 int main(int argc, char **argv) {
5618  /* Disable buffering for stdout to improve reliability of getting
5619  * diagnostic information. Happens right at the start of main because
5620  * setbuf must be used before any other operation on the stream. */
5621  setbuf(stdout, NULL);
5622  /* Also disable buffering for stderr because it's not guaranteed that it's
5623  * unbuffered on all systems. */
5624  setbuf(stderr, NULL);
5625 
5626  /* find iteration count */
5627  if (argc > 1) {
5628  count = strtol(argv[1], NULL, 0);
5629  }
5630  printf("test count = %i\n", count);
5631 
5632  /* find random seed */
5633  secp256k1_testrand_init(argc > 2 ? argv[2] : NULL);
5634 
5635  /* initialize */
5636  run_context_tests(0);
5637  run_context_tests(1);
5638  run_scratch_tests();
5639  ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
5640  if (secp256k1_testrand_bits(1)) {
5641  unsigned char rand32[32];
5642  secp256k1_testrand256(rand32);
5643  CHECK(secp256k1_context_randomize(ctx, secp256k1_testrand_bits(1) ? rand32 : NULL));
5644  }
5645 
5646  run_rand_bits();
5647  run_rand_int();
5648 
5649  run_sha256_tests();
5650  run_hmac_sha256_tests();
5651  run_rfc6979_hmac_sha256_tests();
5652 
5653 #ifndef USE_NUM_NONE
5654  /* num tests */
5655  run_num_smalltests();
5656 #endif
5657 
5658  /* scalar tests */
5659  run_scalar_tests();
5660 
5661  /* field tests */
5662  run_field_inv();
5663  run_field_inv_var();
5664  run_field_inv_all_var();
5665  run_field_misc();
5666  run_field_convert();
5667  run_sqr();
5668  run_sqrt();
5669 
5670  /* group tests */
5671  run_ge();
5672  run_group_decompress();
5673 
5674  /* ecmult tests */
5675  run_wnaf();
5676  run_point_times_order();
5677  run_ecmult_near_split_bound();
5678  run_ecmult_chain();
5679  run_ecmult_constants();
5680  run_ecmult_gen_blind();
5681  run_ecmult_const_tests();
5682  run_ecmult_multi_tests();
5683  run_ec_combine();
5684 
5685  /* endomorphism tests */
5686  run_endomorphism_tests();
5687 
5688  /* EC point parser test */
5689  run_ec_pubkey_parse_test();
5690 
5691  /* EC key edge cases */
5692  run_eckey_edge_case_test();
5693 
5694  /* EC key arithmetic test */
5695  run_eckey_negate_test();
5696 
5697 #ifdef ENABLE_MODULE_ECDH
5698  /* ecdh tests */
5699  run_ecdh_tests();
5700 #endif
5701 
5702  /* ecdsa tests */
5703  run_random_pubkeys();
5704  run_ecdsa_der_parse();
5705  run_ecdsa_sign_verify();
5706  run_ecdsa_end_to_end();
5707  run_ecdsa_edge_cases();
5708 #ifdef ENABLE_OPENSSL_TESTS
5709  run_ecdsa_openssl();
5710 #endif
5711 
5712 #ifdef ENABLE_MODULE_RECOVERY
5713  /* ECDSA pubkey recovery tests */
5714  run_recovery_tests();
5715 #endif
5716 
5717 #ifdef ENABLE_MODULE_EXTRAKEYS
5718  run_extrakeys_tests();
5719 #endif
5720 
5721 #ifdef ENABLE_MODULE_SCHNORRSIG
5722  run_schnorrsig_tests();
5723 #endif
5724 
5725  /* util tests */
5726  run_memczero_test();
5727 
5728  run_cmov_tests();
5729 
5730  secp256k1_testrand_finish();
5731 
5732  /* shutdown */
5733  secp256k1_context_destroy(ctx);
5734 
5735  printf("no problems found\n");
5736  return 0;
5737 }
secp256k1_scalar_eq
static int secp256k1_scalar_eq(const secp256k1_scalar *a, const secp256k1_scalar *b)
Compare two scalars.
secp256k1_scalar_mul
static void secp256k1_scalar_mul(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Multiply two scalars (modulo the group order).
secp256k1_num_is_one
static int secp256k1_num_is_one(const secp256k1_num *a)
Check whether a number is one.
secp256k1_ge_is_infinity
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
Check whether a group element is the point at infinity.
test_intialized_inf
void test_intialized_inf(void)
Definition: tests.c:2316
ScriptContext::TOP
Top-level scriptPubKey.
secp256k1_scalar_check_overflow
static SECP256K1_INLINE int secp256k1_scalar_check_overflow(const secp256k1_scalar *a)
Definition: scalar_4x64_impl.h:57
secp256k1_context_preallocated_create
SECP256K1_API secp256k1_context * secp256k1_context_preallocated_create(void *prealloc, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object in caller-provided memory.
Definition: secp256k1.c:117
run_hmac_sha256_tests
void run_hmac_sha256_tests(void)
Definition: tests.c:457
run_cmov_tests
void run_cmov_tests(void)
Definition: tests.c:5609
secp256k1_gej_is_infinity
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Check whether a group element is the point at infinity.
check_fe_equal
int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:1809
secp256k1_num_eq
static int secp256k1_num_eq(const secp256k1_num *a, const secp256k1_num *b)
Test whether two number are equal (including sign).
test_secp256k1_pippenger_bucket_window_inv
void test_secp256k1_pippenger_bucket_window_inv(void)
Definition: tests.c:3113
secp256k1_ec_pubkey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by adding tweak times the generator to it.
Definition: secp256k1.c:662
secp256k1_fe
Definition: field_10x26.h:12
ecmult_multi_data::pt
secp256k1_ge * pt
Definition: tests.c:2836
secp256k1_ec_privkey_tweak_mul
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Same as secp256k1_ec_seckey_tweak_mul, but DEPRECATED.
Definition: secp256k1.c:700
secp256k1_ecmult_multi_var
static int secp256k1_ecmult_multi_var(const secp256k1_callback *error_callback, const secp256k1_ecmult_context *ctx, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Multi-multiply: R = inp_g_sc * G + sum_i ni * Ai.
secp256k1_testrand256
static void secp256k1_testrand256(unsigned char *b32)
Generate a pseudorandom 32-byte array.
secp256k1_gej_add_var
static void secp256k1_gej_add_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_gej *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b.
secp256k1_fe_is_zero
static int secp256k1_fe_is_zero(const secp256k1_fe *a)
Verify whether a field element is zero.
random_fe
void random_fe(secp256k1_fe *x)
Definition: tests.c:1768
secp256k1_context_set_illegal_callback
SECP256K1_API void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an illegal argument is passed to an API call...
Definition: secp256k1.c:202
test_add_neg_y_diff_x
void test_add_neg_y_diff_x(void)
Definition: tests.c:2348
secp256k1_scalar_is_even
static int secp256k1_scalar_is_even(const secp256k1_scalar *a)
Check whether a scalar, considered as an nonnegative integer, is even.
run_ecmult_const_tests
void run_ecmult_const_tests(void)
Definition: tests.c:2827
secp256k1_pippenger_scratch_size
static size_t secp256k1_pippenger_scratch_size(size_t n_points, int bucket_window)
Returns the scratch size required for a given number of points (excluding base point G) without consi...
Definition: ecmult_impl.h:863
secp256k1_ecdsa_signature_serialize_compact
SECP256K1_API int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an ECDSA signature in compact (64 byte) format.
Definition: secp256k1.c:391
secp256k1_context_preallocated_destroy
SECP256K1_API void secp256k1_context_preallocated_destroy(secp256k1_context *ctx)
Destroy a secp256k1 context object that has been created in caller-provided memory.
Definition: secp256k1.c:187
test_point_times_order
void test_point_times_order(const secp256k1_gej *point)
Definition: tests.c:2595
SECP256K1_GEJ_CONST
#define SECP256K1_GEJ_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:31
secp256k1_gej_has_quad_y_var
static int secp256k1_gej_has_quad_y_var(const secp256k1_gej *a)
Check whether a group element's y coordinate is a quadratic residue.
secp256k1_ge_neg
static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
secp256k1_ecdsa_signature_normalize
SECP256K1_API int secp256k1_ecdsa_signature_normalize(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3)
Convert a signature to a normalized lower-S form.
Definition: secp256k1.c:404
run_group_decompress
void run_group_decompress(void)
Definition: tests.c:2520
secp256k1_testrand32
static uint32_t secp256k1_testrand32(void)
Generate a pseudorandom number in the range [0..2**32-1].
secp256k1_fe_mul
static void secp256k1_fe_mul(secp256k1_fe *r, const secp256k1_fe *a, const secp256k1_fe *SECP256K1_RESTRICT b)
Sets a field element to be the product of two others.
secp256k1_ecmult_gen
static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp256k1_gej *r, const secp256k1_scalar *a)
Multiply with the generator: R = a*G.
secp256k1_fe_normalize_var
static void secp256k1_fe_normalize_var(secp256k1_fe *r)
Normalize a field element, without constant-time guarantee.
secp256k1_scratch_destroy
static void secp256k1_scratch_destroy(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
tests_impl.h
secp256k1_gej::x
secp256k1_fe x
Definition: group.h:25
tests_impl.h
secp256k1_rfc6979_hmac_sha256_initialize
static void secp256k1_rfc6979_hmac_sha256_initialize(secp256k1_rfc6979_hmac_sha256 *rng, const unsigned char *key, size_t keylen)
secp256k1_num_set_bin
static void secp256k1_num_set_bin(secp256k1_num *r, const unsigned char *a, unsigned int alen)
Set a number to the value of a binary big-endian string.
tinyformat::printf
void printf(const char *fmt, const Args &...args)
Format list of arguments to std::cout, according to the given format string.
Definition: tinyformat.h:1079
secp256k1_ecdsa_sig_sign
static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_scalar *seckey, const secp256k1_scalar *message, const secp256k1_scalar *nonce, int *recid)
run_scalar_tests
void run_scalar_tests(void)
Definition: tests.c:1108
lax_der_parsing.c
test_sqrt
void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k)
Definition: tests.c:2005
secp256k1_context_randomize
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_context_randomize(secp256k1_context *ctx, const unsigned char *seed32) SECP256K1_ARG_NONNULL(1)
Updates the context randomization to protect against side-channel leakage.
Definition: secp256k1.c:728
nonce_function_test_fail
static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests.c:4409
ALIGNMENT
#define ALIGNMENT
Definition: util.h:113
nonce_function_rfc6979
static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: secp256k1.c:445
SECP256K1_GE_STORAGE_CONST
#define SECP256K1_GE_STORAGE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:39
secp256k1_ge_set_gej_var
static void secp256k1_ge_set_gej_var(secp256k1_ge *r, secp256k1_gej *a)
Definition: group_impl.h:102
test_random_pubkeys
void test_random_pubkeys(void)
Definition: tests.c:4597
secp256k1_fe_negate
static void secp256k1_fe_negate(secp256k1_fe *r, const secp256k1_fe *a, int m)
Set a field element equal to the additive inverse of another.
secp256k1_testrand_bytes_test
static void secp256k1_testrand_bytes_test(unsigned char *bytes, size_t len)
Generate pseudorandom bytes with long sequences of zero and one bits.
secp256k1_scalar_get_num
static void secp256k1_scalar_get_num(secp256k1_num *r, const secp256k1_scalar *a)
Convert a scalar to a number.
nonce_function_test_retry
static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests.c:4417
secp256k1_hmac_sha256_initialize
static void secp256k1_hmac_sha256_initialize(secp256k1_hmac_sha256 *hash, const unsigned char *key, size_t size)
ec_privkey_export_der
int ec_privkey_export_der(const secp256k1_context *ctx, unsigned char *privkey, size_t *privkeylen, const unsigned char *key32, int compressed)
Export a private key in DER format.
Definition: lax_der_privatekey_parsing.c:56
assign_big_endian
static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val)
Definition: tests.c:4785
secp256k1_fe_from_storage
static void secp256k1_fe_from_storage(secp256k1_fe *r, const secp256k1_fe_storage *a)
Convert a field element back from the storage type.
test_ecmult_constants
void test_ecmult_constants(void)
Definition: tests.c:3540
secp256k1_num_copy
static void secp256k1_num_copy(secp256k1_num *r, const secp256k1_num *a)
Copy a number.
ecdsa_signature_parse_der_lax
int ecdsa_signature_parse_der_lax(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen)
This function is taken from the libsecp256k1 distribution and implements DER parsing for ECDSA signat...
Definition: pubkey.cpp:28
SECP256K1_CONTEXT_NONE
#define SECP256K1_CONTEXT_NONE
Definition: secp256k1.h:173
secp256k1_scalar_get_bits
static unsigned int secp256k1_scalar_get_bits(const secp256k1_scalar *a, unsigned int offset, unsigned int count)
Access bits from a scalar.
run_field_misc
void run_field_misc(void)
Definition: tests.c:1863
secp256k1_ecdsa_sig_parse
static int secp256k1_ecdsa_sig_parse(secp256k1_scalar *r, secp256k1_scalar *s, const unsigned char *sig, size_t size)
secp256k1_scalar_negate
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
secp256k1_ge_set_all_gej_var
static void secp256k1_ge_set_all_gej_var(secp256k1_ge *r, const secp256k1_gej *a, size_t len)
Set a batch of group elements equal to the inputs given in jacobian coordinates.
secp256k1_fe_storage_cmov
static void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r, const secp256k1_fe_storage *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
PIPPENGER_MAX_BUCKET_WINDOW
#define PIPPENGER_MAX_BUCKET_WINDOW
Definition: ecmult_impl.h:73
secp256k1_ecmult_gen_blind
static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const unsigned char *seed32)
secp256k1_eckey_pubkey_serialize
static int secp256k1_eckey_pubkey_serialize(secp256k1_ge *elem, unsigned char *pub, size_t *size, int compressed)
run_ge
void run_ge(void)
Definition: tests.c:2415
run_sqrt
void run_sqrt(void)
Definition: tests.c:2019
secp256k1_ecmult_multi_func
int(* secp256k1_ecmult_multi_func)(const secp256k1_callback *error_callback, const secp256k1_ecmult_context *, secp256k1_scratch *, secp256k1_gej *, const secp256k1_scalar *, secp256k1_ecmult_multi_callback cb, void *, size_t)
Definition: ecmult_impl.h:1034
secp256k1_scalar_is_zero
static int secp256k1_scalar_is_zero(const secp256k1_scalar *a)
Check whether a scalar equals zero.
run_random_pubkeys
void run_random_pubkeys(void)
Definition: tests.c:4657
secp256k1_ec_seckey_negate
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_negate(const secp256k1_context *ctx, unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Negates a secret key in place.
Definition: secp256k1.c:589
run_rand_int
void run_rand_int(void)
Definition: tests.c:603
secp256k1_scalar_shr_int
static int secp256k1_scalar_shr_int(secp256k1_scalar *r, int n)
Shift a scalar right by some amount strictly between 0 and 16, returning the low bits that were shift...
secp256k1_gej_neg
static void secp256k1_gej_neg(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
secp256k1_pubkey_save
static void secp256k1_pubkey_save(secp256k1_pubkey *pubkey, secp256k1_ge *ge)
Definition: secp256k1.c:263
secp256k1_fe_cmov
static void secp256k1_fe_cmov(secp256k1_fe *r, const secp256k1_fe *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
test_wnaf
void test_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:3304
secp256k1_sha256
Definition: hash.h:13
secp256k1_gej_add_zinv_var
static void secp256k1_gej_add_zinv_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, const secp256k1_fe *bzinv)
Set r equal to the sum of a and b (with the inverse of b's Z coordinate passed as bzinv)...
test_ecmult_multi
void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi)
Definition: tests.c:2854
secp256k1_scratch_checkpoint
static size_t secp256k1_scratch_checkpoint(const secp256k1_callback *error_callback, const secp256k1_scratch *scratch)
Returns an opaque object used to "checkpoint" a scratch space.
random_scalar_order
void random_scalar_order(secp256k1_scalar *num)
Definition: tests.c:120
SECP256K1_GEJ_CONST_INFINITY
#define SECP256K1_GEJ_CONST_INFINITY
Definition: group.h:32
random_fe_non_zero
void random_fe_non_zero(secp256k1_fe *nz)
Definition: tests.c:1788
secp256k1_ec_pubkey_serialize
SECP256K1_API int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:295
secp256k1_context_preallocated_size
SECP256K1_API size_t secp256k1_context_preallocated_size(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Determine the memory size of a secp256k1 context object to be created in caller-provided memory...
Definition: secp256k1.c:87
test_fixed_wnaf
void test_fixed_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:3393
secp256k1_wnaf_const
static int secp256k1_wnaf_const(int *wnaf, const secp256k1_scalar *scalar, int w, int size)
Convert a number to WNAF notation.
Definition: ecmult_const_impl.h:57
testrand_impl.h
run_ecmult_constants
void run_ecmult_constants(void)
Definition: tests.c:3573
secp256k1_ecmult
static void secp256k1_ecmult(const secp256k1_ecmult_context *ctx, secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_scalar *na, const secp256k1_scalar *ng)
Double multiply: R = na*A + ng*G.
secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
secp256k1_gej
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:24
secp256k1_fe_set_int
static void secp256k1_fe_set_int(secp256k1_fe *r, int a)
Set a field element equal to a small integer.
secp256k1_scratch_space_struct::alloc_size
size_t alloc_size
amount that has been allocated (i.e.
Definition: scratch.h:19
secp256k1_callback::fn
void(* fn)(const char *text, void *data)
Definition: util.h:20
secp256k1_context_struct
Definition: secp256k1.c:70
run_rand_bits
void run_rand_bits(void)
Definition: tests.c:595
secp256k1_fe_to_storage
static void secp256k1_fe_to_storage(secp256k1_fe_storage *r, const secp256k1_fe *a)
Convert a field element to the storage type.
ge_equals_ge
void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b)
Definition: tests.c:2055
secp256k1_num_mod_inverse
static void secp256k1_num_mod_inverse(secp256k1_num *r, const secp256k1_num *a, const secp256k1_num *m)
Compute a modular inverse.
SECP256K1_CONTEXT_SIGN
#define SECP256K1_CONTEXT_SIGN
Definition: secp256k1.h:171
test_num_add_sub
void test_num_add_sub(void)
Definition: tests.c:655
run_ecdsa_sign_verify
void run_ecdsa_sign_verify(void)
Definition: tests.c:4393
random_field_element_test
void random_field_element_test(secp256k1_fe *fe)
Definition: tests.c:54
test_ecmult_multi_pippenger_max_points
void test_ecmult_multi_pippenger_max_points(void)
Probabilistically test the function returning the maximum number of possible points for a given scrat...
Definition: tests.c:3133
scalar_cmov_test
void scalar_cmov_test(void)
Definition: tests.c:5547
secp256k1_ec_privkey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Same as secp256k1_ec_seckey_tweak_add, but DEPRECATED.
Definition: secp256k1.c:651
test_ec_combine
void test_ec_combine(void)
Definition: tests.c:2424
test_num_negate
void test_num_negate(void)
Definition: tests.c:635
secp256k1_default_illegal_callback_fn
static void secp256k1_default_illegal_callback_fn(const char *str, void *data)
Definition: secp256k1.c:45
random_sign
void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid)
Definition: tests.c:4363
test_fixed_wnaf_small_helper
void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w)
Definition: tests.c:3430
secp256k1_ecdsa_signature_save
static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature *sig, const secp256k1_scalar *r, const secp256k1_scalar *s)
Definition: secp256k1.c:332
SECP256K1_FE_CONST
#define SECP256K1_FE_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: field_10x26.h:40
test_ecmult_gen_blind_reset
void test_ecmult_gen_blind_reset(void)
Definition: tests.c:3600
secp256k1_fe_clear
static void secp256k1_fe_clear(secp256k1_fe *a)
Sets a field element equal to zero, initializing all fields.
secp256k1_gej_set_infinity
static void secp256k1_gej_set_infinity(secp256k1_gej *r)
Set a group element (jacobian) equal to the point at infinity.
secp256k1_scratch_alloc
static void * secp256k1_scratch_alloc(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, size_t n)
Returns a pointer into the most recently allocated frame, or NULL if there is insufficient available ...
secp256k1_eckey_pubkey_parse
static int secp256k1_eckey_pubkey_parse(secp256k1_ge *elem, const unsigned char *pub, size_t size)
secp256k1_ec_privkey_negate
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_negate(const secp256k1_context *ctx, unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Same as secp256k1_ec_seckey_negate, but DEPRECATED.
Definition: secp256k1.c:604
secp256k1_fe_add
static void secp256k1_fe_add(secp256k1_fe *r, const secp256k1_fe *a)
Adds a field element to another.
damage_array
static void damage_array(unsigned char *sig, size_t *len)
Definition: tests.c:4797
secp256k1_fe_mul_int
static void secp256k1_fe_mul_int(secp256k1_fe *r, int a)
Multiplies the passed field element with a small integer constant.
ge_equals_gej
void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b)
Definition: tests.c:2086
secp256k1_fe_is_odd
static int secp256k1_fe_is_odd(const secp256k1_fe *a)
Check the "oddness" of a field element.
test_num_jacobi
void test_num_jacobi(void)
Definition: tests.c:728
secp256k1_gej_add_ge_var
static void secp256k1_gej_add_ge_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b (with b given in affine coordinates).
run_eckey_edge_case_test
void run_eckey_edge_case_test(void)
Definition: tests.c:4072
secp256k1_scalar_zero
static const secp256k1_scalar secp256k1_scalar_zero
Definition: scalar_impl.h:32
secp256k1_gej_double_var
static void secp256k1_gej_double_var(secp256k1_gej *r, const secp256k1_gej *a, secp256k1_fe *rzr)
Set r equal to the double of a.
sum
volatile double sum
Definition: examples.cpp:10
ec_privkey_import_der
int ec_privkey_import_der(const secp256k1_context *ctx, unsigned char *out32, const unsigned char *privkey, size_t privkeylen)
Import a private key in DER format.
Definition: lax_der_privatekey_parsing.c:12
secp256k1_context_destroy
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:195
test_ecdsa_der_parse
int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der)
Definition: tests.c:4671
fe_storage_cmov_test
void fe_storage_cmov_test(void)
Definition: tests.c:5517
run_ecdh_tests
void run_ecdh_tests(void)
Definition: tests_impl.h:126
ecmult_multi_data
Definition: tests.c:2834
secp256k1_ge_const_g
static const secp256k1_ge secp256k1_ge_const_g
Generator for secp256k1, value 'g' defined in "Standards for Efficient Cryptography" (SEC2) 2...
Definition: group_impl.h:53
run_field_inv_all_var
void run_field_inv_all_var(void)
Definition: tests.c:1967
secp256k1_ec_pubkey_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the public key for a secret key.
Definition: secp256k1.c:571
test_rand_int
void test_rand_int(uint32_t range, uint32_t subrange)
Definition: tests.c:579
SECP256K1_EC_UNCOMPRESSED
#define SECP256K1_EC_UNCOMPRESSED
Definition: secp256k1.h:177
SECP256K1_EC_COMPRESSED
#define SECP256K1_EC_COMPRESSED
Flag to pass to secp256k1_ec_pubkey_serialize.
Definition: secp256k1.h:176
secp256k1_scalar_mul_shift_var
static void secp256k1_scalar_mul_shift_var(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b, unsigned int shift)
Multiply a and b (without taking the modulus!), divide by 2**shift, and round to the nearest integer...
run_extrakeys_tests
void run_extrakeys_tests(void)
Definition: tests_impl.h:512
run_rfc6979_hmac_sha256_tests
void run_rfc6979_hmac_sha256_tests(void)
Definition: tests.c:501
run_field_inv_var
void run_field_inv_var(void)
Definition: tests.c:1955
random_num_order
void random_num_order(secp256k1_num *num)
Definition: tests.c:629
secp256k1_testrand256_test
static void secp256k1_testrand256_test(unsigned char *b32)
Generate a pseudorandom 32-byte array with long sequences of zero and one bits.
run_ec_pubkey_parse_test
void run_ec_pubkey_parse_test(void)
Definition: tests.c:3744
secp256k1_ge_set_infinity
static void secp256k1_ge_set_infinity(secp256k1_ge *r)
Set a group element (affine) equal to the point at infinity.
secp256k1_preallocated.h
secp256k1_scalar_inverse
static void secp256k1_scalar_inverse(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order).
run_scalar_set_b32_seckey_tests
void run_scalar_set_b32_seckey_tests(void)
Definition: tests.c:1091
run_field_inv
void run_field_inv(void)
Definition: tests.c:1943
secp256k1_ec_seckey_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Verify an ECDSA secret key.
Definition: secp256k1.c:548
secp256k1_ge_storage
Definition: group.h:34
run_ecmult_gen_blind
void run_ecmult_gen_blind(void)
Definition: tests.c:3612
secp256k1_num
Definition: num_gmp.h:14
run_ecdsa_der_parse
void run_ecdsa_der_parse(void)
Definition: tests.c:4970
PIPPENGER_SCRATCH_OBJECTS
#define PIPPENGER_SCRATCH_OBJECTS
Definition: ecmult_impl.h:70
secp256k1_ecmult_gen_context::blind
secp256k1_scalar blind
Definition: ecmult_gen.h:34
secp256k1_num_sub
static void secp256k1_num_sub(secp256k1_num *r, const secp256k1_num *a, const secp256k1_num *b)
Subtract two (signed) numbers.
run_context_tests
void run_context_tests(int use_prealloc)
Definition: tests.c:139
secp256k1_scratch_space_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT secp256k1_scratch_space * secp256k1_scratch_space_create(const secp256k1_context *ctx, size_t size) SECP256K1_ARG_NONNULL(1)
Create a secp256k1 scratch space object.
Definition: secp256k1.c:220
secp256k1_ecmult_const
static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, const secp256k1_scalar *q, int bits)
Multiply: R = q*A (in constant-time) Here bits should be set to the maximum bitlength of the absolute...
ecmult_multi_callback
static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata)
Definition: tests.c:2839
secp256k1_context_struct::ecmult_gen_ctx
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition: secp256k1.c:72
secp256k1_pippenger_bucket_window_inv
static size_t secp256k1_pippenger_bucket_window_inv(int bucket_window)
Returns the maximum optimal number of points for a bucket_window.
Definition: ecmult_impl.h:825
run_field_convert
void run_field_convert(void)
Definition: tests.c:1824
secp256k1_testrand_init
static void secp256k1_testrand_init(const char *hexseed)
Initialize the test RNG using (hex encoded) array up to 16 bytes, or randomly if hexseed is NULL...
SECP256K1_SCALAR_CONST
#define SECP256K1_SCALAR_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: scalar_4x64.h:17
ECMULT_PIPPENGER_THRESHOLD
#define ECMULT_PIPPENGER_THRESHOLD
Definition: ecmult_impl.h:76
run_num_smalltests
void run_num_smalltests(void)
Definition: tests.c:789
ecmult_const_mult_zero_one
void ecmult_const_mult_zero_one(void)
Definition: tests.c:2779
ge_storage_cmov_test
void ge_storage_cmov_test(void)
Definition: tests.c:5577
ctx
static secp256k1_context * ctx
Definition: tests.c:36
run_ecmult_chain
void run_ecmult_chain(void)
Definition: tests.c:2531
is_empty_signature
int is_empty_signature(const secp256k1_ecdsa_signature *sig)
Definition: tests.c:4447
secp256k1_ecdsa_sign
SECP256K1_API int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *ndata) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create an ECDSA signature.
Definition: secp256k1.c:534
test_ecmult_multi_batch_size_helper
void test_ecmult_multi_batch_size_helper(void)
Definition: tests.c:3166
secp256k1_ge_set_gej
static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
tests_impl.h
WNAF_SIZE_BITS
#define WNAF_SIZE_BITS(bits, w)
Definition: ecmult_impl.h:63
secp256k1_gej::infinity
int infinity
Definition: group.h:28
secp256k1_gej_double
static void secp256k1_gej_double(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the double of a.
secp256k1_scalar_is_high
static int secp256k1_scalar_is_high(const secp256k1_scalar *a)
Check whether a scalar is higher than the group order divided by 2.
secp256k1_num_add
static void secp256k1_num_add(secp256k1_num *r, const secp256k1_num *a, const secp256k1_num *b)
Add two (signed) numbers.
secp256k1_num_jacobi
static int secp256k1_num_jacobi(const secp256k1_num *a, const secp256k1_num *b)
Compute the jacobi symbol (a|b).
secp256k1_ec_pubkey_tweak_mul
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by multiplying it by a tweak value.
Definition: secp256k1.c:704
secp256k1_hmac_sha256_write
static void secp256k1_hmac_sha256_write(secp256k1_hmac_sha256 *hash, const unsigned char *data, size_t size)
secp256k1_scalar_set_b32_seckey
static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned char *bin)
Set a scalar from a big endian byte array and returns 1 if it is a valid seckey and 0 otherwise...
secp256k1_num_shift
static void secp256k1_num_shift(secp256k1_num *r, int bits)
Right-shift the passed number by bits bits.
secp256k1_scalar_sqr
static void secp256k1_scalar_sqr(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the square of a scalar (modulo the group order).
secp256k1_pippenger_bucket_window
static int secp256k1_pippenger_bucket_window(size_t n)
Returns optimal bucket_window (number of bits of a scalar represented by a set of buckets) for a give...
Definition: ecmult_impl.h:796
test_group_decompress
void test_group_decompress(const secp256k1_fe *x)
Definition: tests.c:2456
run_ecdsa_end_to_end
void run_ecdsa_end_to_end(void)
Definition: tests.c:4664
secp256k1_wnaf_fixed
static int secp256k1_wnaf_fixed(int *wnaf, const secp256k1_scalar *s, int w)
Convert a number to WNAF notation.
Definition: ecmult_impl.h:636
secp256k1_num_mul
static void secp256k1_num_mul(secp256k1_num *r, const secp256k1_num *a, const secp256k1_num *b)
Multiply two (signed) numbers.
test_constant_wnaf_negate
void test_constant_wnaf_negate(const secp256k1_scalar *number)
Definition: tests.c:3338
tests_impl.h
ECMULT_MAX_POINTS_PER_BATCH
#define ECMULT_MAX_POINTS_PER_BATCH
Definition: ecmult_impl.h:78
secp256k1_fe_is_quad_var
static int secp256k1_fe_is_quad_var(const secp256k1_fe *a)
Checks whether a field element is a quadratic residue.
ec_pubkey_parse_pointtest
void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid)
Definition: tests.c:3669
test_ecmult_multi_batching
void test_ecmult_multi_batching(void)
Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to 1 <= i <= num points...
Definition: tests.c:3214
secp256k1_ec_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:277
secp256k1_scalar_cadd_bit
static void secp256k1_scalar_cadd_bit(secp256k1_scalar *r, unsigned int bit, int flag)
Conditionally add a power of two to a scalar.
secp256k1_context_struct::ecmult_ctx
secp256k1_ecmult_context ecmult_ctx
Definition: secp256k1.c:71
secp256k1_ge_set_xquad
static int secp256k1_ge_set_xquad(secp256k1_ge *r, const secp256k1_fe *x)
Set a group element (affine) equal to the point with the given X coordinate and a Y coordinate that i...
secp256k1_scalar_clear
static void secp256k1_scalar_clear(secp256k1_scalar *r)
Clear a scalar to prevent the leak of sensitive data.
secp256k1_ge
A group element of the secp256k1 curve, in affine coordinates.
Definition: group.h:14
secp256k1_scalar_split_lambda
static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *k)
Find r1 and r2 such that r1+r2*lambda = k, where r1 and r2 or their negations are maximum 128 bits lo...
secp256k1_ecdsa_signature
Opaque data structured that holds a parsed ECDSA signature.
Definition: secp256k1.h:80
fe_cmov_test
void fe_cmov_test(void)
Definition: tests.c:5487
secp256k1_ge::x
secp256k1_fe x
Definition: group.h:15
run_sqr
void run_sqr(void)
Definition: tests.c:1989
secp256k1_fe_normalize_weak
static void secp256k1_fe_normalize_weak(secp256k1_fe *r)
Weakly normalize a field element: reduce its magnitude to 1, but don't fully normalize.
secp256k1_ge_clear
static void secp256k1_ge_clear(secp256k1_ge *r)
Clear a secp256k1_ge to prevent leaking sensitive information.
secp256k1_testrand_bits
static uint32_t secp256k1_testrand_bits(int bits)
Generate a pseudorandom number in the range [0..2**bits-1].
secp256k1_ge_storage_cmov
static void secp256k1_ge_storage_cmov(secp256k1_ge_storage *r, const secp256k1_ge_storage *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
test_scalar_split
void test_scalar_split(const secp256k1_scalar *full)
Definition: tests.c:3621
SECP256K1_EC_PARSE_TEST_NINVALID
#define SECP256K1_EC_PARSE_TEST_NINVALID
secp256k1_num_negate
static void secp256k1_num_negate(secp256k1_num *r)
Change a number's sign.
secp256k1_hmac_sha256_finalize
static void secp256k1_hmac_sha256_finalize(secp256k1_hmac_sha256 *hash, unsigned char *out32)
secp256k1_strauss_scratch_size
static size_t secp256k1_strauss_scratch_size(size_t n_points)
Definition: ecmult_impl.h:577
CHECK
#define CHECK(cond)
Definition: util.h:53
test_fixed_wnaf_small
void test_fixed_wnaf_small(void)
Definition: tests.c:3440
secp256k1_ge_mul_lambda
static void secp256k1_ge_mul_lambda(secp256k1_ge *r, const secp256k1_ge *a)
Set r to be equal to lambda times a, where lambda is chosen in a way such that this is very fast...
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_context_set_error_callback
SECP256K1_API void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:211
secp256k1_ge::infinity
int infinity
Definition: group.h:17
secp256k1_scalar_cond_negate
static int secp256k1_scalar_cond_negate(secp256k1_scalar *a, int flag)
Conditionally negate a number, in constant time.
main
int main(int argc, char **argv)
Definition: tests.c:5617
secp256k1_ecdsa_signature_load
static void secp256k1_ecdsa_signature_load(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_ecdsa_signature *sig)
Definition: secp256k1.c:318
secp256k1_scratch_max_allocation
static size_t secp256k1_scratch_max_allocation(const secp256k1_callback *error_callback, const secp256k1_scratch *scratch, size_t n_objects)
Returns the maximum allocation the scratch space will allow.
secp256k1_ecdsa_signature_parse_der
SECP256K1_API int secp256k1_ecdsa_signature_parse_der(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a DER ECDSA signature.
Definition: secp256k1.c:342
run_sha256_tests
void run_sha256_tests(void)
Definition: tests.c:421
STRAUSS_SCRATCH_OBJECTS
#define STRAUSS_SCRATCH_OBJECTS
Definition: ecmult_impl.h:71
secp256k1_ec_seckey_tweak_mul
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a secret key by multiplying it by a tweak.
Definition: secp256k1.c:680
secp256k1_scratch_apply_checkpoint
static void secp256k1_scratch_apply_checkpoint(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, size_t checkpoint)
Applies a check point received from secp256k1_scratch_checkpoint, undoing all allocations since that ...
lax_der_privatekey_parsing.c
secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
secp256k1_fe_inv_all_var
static void secp256k1_fe_inv_all_var(secp256k1_fe *r, const secp256k1_fe *a, size_t len)
Calculate the (modular) inverses of a batch of field elements.
secp256k1_sha256_write
static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t size)
secp256k1_ge_set_xo_var
static int secp256k1_ge_set_xo_var(secp256k1_ge *r, const secp256k1_fe *x, int odd)
Set a group element (affine) equal to the point with the given X coordinate, and given oddness for Y...
test_ecdsa_edge_cases
void test_ecdsa_edge_cases(void)
Definition: tests.c:5002
secp256k1_fe_sqr
static void secp256k1_fe_sqr(secp256k1_fe *r, const secp256k1_fe *a)
Sets a field element to be the square of another.
SECP256K1_GE_CONST
#define SECP256K1_GE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:20
secp256k1_fe_set_b32
static int secp256k1_fe_set_b32(secp256k1_fe *r, const unsigned char *a)
Set a field element equal to 32-byte big endian value.
secp256k1_fe_cmp_var
static int secp256k1_fe_cmp_var(const secp256k1_fe *a, const secp256k1_fe *b)
Compare two field elements.
SECP256K1_CONTEXT_VERIFY
#define SECP256K1_CONTEXT_VERIFY
Flags to pass to secp256k1_context_create, secp256k1_context_preallocated_size, and secp256k1_context...
Definition: secp256k1.h:170
ecmult_multi_false_callback
static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata)
Definition: tests.c:2846
secp256k1_context_preallocated_clone_size
SECP256K1_API size_t secp256k1_context_preallocated_clone_size(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Determine the memory size of a secp256k1 context object to be copied into caller-provided memory...
Definition: secp256k1.c:105
secp256k1_context_clone
SECP256K1_API secp256k1_context * secp256k1_context_clone(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object (into dynamically allocated memory).
Definition: secp256k1.c:176
secp256k1_fe_equal_var
static int secp256k1_fe_equal_var(const secp256k1_fe *a, const secp256k1_fe *b)
Same as secp256k1_fe_equal, but may be variable time.
random_group_element_jacobian_test
void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge)
Definition: tests.c:92
run_scratch_tests
void run_scratch_tests(void)
Definition: tests.c:336
secp256k1_scalar::d
uint64_t d[4]
Definition: scalar_4x64.h:14
secp256k1_num_cmp
static int secp256k1_num_cmp(const secp256k1_num *a, const secp256k1_num *b)
Compare the absolute value of two numbers.
secp256k1_ecdsa_signature_serialize_der
SECP256K1_API int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize an ECDSA signature in DER format.
Definition: secp256k1.c:379
random_scalar_order_test
void random_scalar_order_test(secp256k1_scalar *num)
Definition: tests.c:107
test_ecmult_multi_batch_single
void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi)
Definition: tests.c:3093
secp256k1_gej_rescale
static void secp256k1_gej_rescale(secp256k1_gej *r, const secp256k1_fe *b)
Rescale a jacobian point by b which must be non-zero.
secp256k1_scalar_add
static int secp256k1_scalar_add(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Add two scalars together (modulo the group order).
random_scalar_order_b32
void random_scalar_order_b32(unsigned char *b32)
Definition: tests.c:133
secp256k1_ec_pubkey_negate
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_negate(const secp256k1_context *ctx, secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Negates a public key in place.
Definition: secp256k1.c:608
random_group_element_test
void random_group_element_test(secp256k1_ge *ge)
Definition: tests.c:80
secp256k1_scalar_set_int
static void secp256k1_scalar_set_int(secp256k1_scalar *r, unsigned int v)
Set a scalar to an unsigned integer.
secp256k1_ecmult_strauss_batch_single
static int secp256k1_ecmult_strauss_batch_single(const secp256k1_callback *error_callback, const secp256k1_ecmult_context *actx, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Definition: ecmult_impl.h:621
secp256k1_pippenger_max_points
static size_t secp256k1_pippenger_max_points(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
Returns the maximum number of points in addition to G that can be used with a given scratch space...
Definition: ecmult_impl.h:953
secp256k1_ecdsa_signature_parse_compact
SECP256K1_API int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input64) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse an ECDSA signature in compact (64 bytes) format.
Definition: secp256k1.c:358
test_ecmult_target
void test_ecmult_target(const secp256k1_scalar *target, int mode)
Definition: tests.c:2659
secp256k1_scalar_inverse_var
static void secp256k1_scalar_inverse_var(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order), without constant-time guarantee.
run_wnaf
void run_wnaf(void)
Definition: tests.c:3494
ecmult_const_random_mult
void ecmult_const_random_mult(void)
Definition: tests.c:2731
random_ber_signature
static void random_ber_signature(unsigned char *sig, size_t *len, int *certainly_der, int *certainly_not_der)
Definition: tests.c:4824
secp256k1_gej::z
secp256k1_fe z
Definition: group.h:27
secp256k1_rfc6979_hmac_sha256
Definition: hash.h:31
SECP256K1_EC_PARSE_TEST_NVALID
#define SECP256K1_EC_PARSE_TEST_NVALID
memcpy
void * memcpy(void *a, const void *b, size_t c)
Definition: glibc_compat.cpp:14
random_fe_test
void random_fe_test(secp256k1_fe *x)
Definition: tests.c:1778
secp256k1_fe_normalize
static void secp256k1_fe_normalize(secp256k1_fe *r)
Field element module.
SECP256K1_FE_STORAGE_CONST
#define SECP256K1_FE_STORAGE_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: field_10x26.h:47
WNAF_SIZE
#define WNAF_SIZE(w)
Definition: ecmult_impl.h:64
secp256k1_hmac_sha256
Definition: hash.h:23
secp256k1_context_no_precomp
SECP256K1_API const secp256k1_context * secp256k1_context_no_precomp
A simple secp256k1 context object with no precomputed tables.
Definition: secp256k1.c:85
secp256k1_memcmp_var
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:224
test_ecdsa_sign_verify
void test_ecdsa_sign_verify(void)
Definition: tests.c:4370
secp256k1_ecdsa_sig_verify
static int secp256k1_ecdsa_sig_verify(const secp256k1_ecmult_context *ctx, const secp256k1_scalar *r, const secp256k1_scalar *s, const secp256k1_ge *pubkey, const secp256k1_scalar *message)
VG_CHECK
#define VG_CHECK(x, y)
Definition: util.h:80
secp256k1_num_is_zero
static int secp256k1_num_is_zero(const secp256k1_num *a)
Check whether a number is zero.
ecmult_multi_data::sc
secp256k1_scalar * sc
Definition: tests.c:2835
precomputed_nonce_function
static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted...
Definition: tests.c:4401
fe_secp256k1_memcmp_var
int fe_secp256k1_memcmp_var(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:1854
secp256k1_scalar_get_bits_var
static unsigned int secp256k1_scalar_get_bits_var(const secp256k1_scalar *a, unsigned int offset, unsigned int count)
Access bits from a scalar.
test_ecdsa_end_to_end
void test_ecdsa_end_to_end(void)
Definition: tests.c:4452
secp256k1_ecmult_pippenger_batch_single
static int secp256k1_ecmult_pippenger_batch_single(const secp256k1_callback *error_callback, const secp256k1_ecmult_context *actx, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Definition: ecmult_impl.h:944
secp256k1_fe_get_b32
static void secp256k1_fe_get_b32(unsigned char *r, const secp256k1_fe *a)
Convert a field element to a 32-byte big endian value.
scalars_near_split_bounds
static const secp256k1_scalar scalars_near_split_bounds[20]
Definition: tests.c:2636
secp256k1_gej_add_ge
static void secp256k1_gej_add_ge(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b)
Set r equal to the sum of a and b (with b given in affine coordinates, and not infinity).
count
static int count
Definition: tests.c:35
secp256k1_pubkey_load
static int secp256k1_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_pubkey *pubkey)
Definition: secp256k1.c:244
secp256k1_context_struct::error_callback
secp256k1_callback error_callback
Definition: secp256k1.c:74
secp256k1_ec_pubkey_combine
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_combine(const secp256k1_context *ctx, secp256k1_pubkey *out, const secp256k1_pubkey *const *ins, size_t n) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Add a number of public keys together.
Definition: secp256k1.c:736
test_constant_wnaf
void test_constant_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:3353
secp256k1_sha256_initialize
static void secp256k1_sha256_initialize(secp256k1_sha256 *hash)
VG_UNDEF
#define VG_UNDEF(x, y)
Definition: util.h:79
secp256k1_num_mod
static void secp256k1_num_mod(secp256k1_num *r, const secp256k1_num *m)
Replace a number by its remainder modulo m.
random_num_negate
void random_num_negate(secp256k1_num *num)
Definition: tests.c:617
random_field_element_magnitude
void random_field_element_magnitude(secp256k1_fe *fe)
Definition: tests.c:64
run_ecmult_near_split_bound
void run_ecmult_near_split_bound(void)
Definition: tests.c:2698
secp256k1_gej_set_ge
static void secp256k1_gej_set_ge(secp256k1_gej *r, const secp256k1_ge *a)
Set a group element (jacobian) equal to another which is given in affine coordinates.
ecmult_const_commutativity
void ecmult_const_commutativity(void)
Definition: tests.c:2758
run_endomorphism_tests
void run_endomorphism_tests(void)
Definition: tests.c:3648
counting_illegal_callback_fn
static void counting_illegal_callback_fn(const char *str, void *data)
Definition: tests.c:38
secp256k1_ecmult_multi_batch_size_helper
static int secp256k1_ecmult_multi_batch_size_helper(size_t *n_batches, size_t *n_batch_points, size_t max_n_batch_points, size_t n)
Definition: ecmult_impl.h:1016
secp256k1_scratch_space_struct
Definition: scratch.h:12
random_num_order_test
void random_num_order_test(secp256k1_num *num)
Definition: tests.c:623
ecmult_const_chain_multiply
void ecmult_const_chain_multiply(void)
Definition: tests.c:2801
secp256k1_gej::y
secp256k1_fe y
Definition: group.h:26
secp256k1_ecmult_wnaf
static int secp256k1_ecmult_wnaf(int *wnaf, int len, const secp256k1_scalar *a, int w)
Convert a number to WNAF notation.
Definition: ecmult_impl.h:377
secp256k1_scalar_order_get_num
static void secp256k1_scalar_order_get_num(secp256k1_num *r)
Get the order of the group as a number.
secp256k1_fe_storage
Definition: field_10x26.h:43
test_ecmult_gen_blind
void test_ecmult_gen_blind(void)
Definition: tests.c:3577
secp256k1_int_cmov
static SECP256K1_INLINE void secp256k1_int_cmov(int *r, const int *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
Definition: util.h:238
gej_xyz_equals_gej
int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b)
Definition: tests.c:2065
secp256k1_scratch_create
static secp256k1_scratch * secp256k1_scratch_create(const secp256k1_callback *error_callback, size_t max_size)
test_ge
void test_ge(void)
Definition: tests.c:2103
run_ecmult_multi_tests
void run_ecmult_multi_tests(void)
Definition: tests.c:3281
secp256k1_ge_is_valid_var
static int secp256k1_ge_is_valid_var(const secp256k1_ge *a)
Check whether a group element is valid (i.e., on the curve).
secp256k1_context_preallocated_clone
SECP256K1_API secp256k1_context * secp256k1_context_preallocated_clone(const secp256k1_context *ctx, void *prealloc) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object into caller-provided memory.
Definition: secp256k1.c:162
secp256k1_fe_sqrt
static int secp256k1_fe_sqrt(secp256k1_fe *r, const secp256k1_fe *a)
If a has a square root, it is computed in r and 1 is returned.
secp256k1_const_lambda
static const secp256k1_scalar secp256k1_const_lambda
The Secp256k1 curve has an endomorphism, where lambda * (x, y) = (beta * x, y), where lambda is: ...
Definition: scalar_impl.h:283
secp256k1_ge::y
secp256k1_fe y
Definition: group.h:16
secp256k1_ecmult_gen_context::initial
secp256k1_gej initial
Definition: ecmult_gen.h:35
secp256k1_scalar_cmov
static void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
secp256k1_scalar_one
static const secp256k1_scalar secp256k1_scalar_one
Definition: scalar_impl.h:31
secp256k1_scratch_space_destroy
SECP256K1_API void secp256k1_scratch_space_destroy(const secp256k1_context *ctx, secp256k1_scratch_space *scratch) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 scratch space.
Definition: secp256k1.c:225
random_fe_non_square
void random_fe_non_square(secp256k1_fe *ns)
Definition: tests.c:1801
memmove
void * memmove(void *a, const void *b, size_t c)
secp256k1_ec_seckey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a secret key by adding tweak to it.
Definition: secp256k1.c:635
secp256k1_fe_inv_var
static void secp256k1_fe_inv_var(secp256k1_fe *r, const secp256k1_fe *a)
Potentially faster version of secp256k1_fe_inv, without constant-time guarantee.
int_cmov_test
void int_cmov_test(void)
Definition: tests.c:5462
memczero
static SECP256K1_INLINE void memczero(void *s, size_t len, int flag)
Definition: util.h:205
checked_malloc
static SECP256K1_INLINE void * checked_malloc(const secp256k1_callback *cb, size_t size)
Definition: util.h:91
secp256k1_num_get_bin
static void secp256k1_num_get_bin(unsigned char *r, unsigned int rlen, const secp256k1_num *a)
Convert a number's absolute value to a binary big-endian string.
secp256k1_fe_inv
static void secp256k1_fe_inv(secp256k1_fe *r, const secp256k1_fe *a)
Sets a field element to be the (modular) inverse of another.
secp256k1_context_create
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:151
secp256k1_sha256_finalize
static void secp256k1_sha256_finalize(secp256k1_sha256 *hash, unsigned char *out32)
run_ec_combine
void run_ec_combine(void)
Definition: tests.c:2449
uncounting_illegal_callback_fn
static void uncounting_illegal_callback_fn(const char *str, void *data)
Definition: tests.c:46
run_ecdsa_edge_cases
void run_ecdsa_edge_cases(void)
Definition: tests.c:5371
secp256k1_scalar_is_one
static int secp256k1_scalar_is_one(const secp256k1_scalar *a)
Check whether a scalar equals one.
test_num_mod
void test_num_mod(void)
Definition: tests.c:697
test_rand_bits
void test_rand_bits(int rand32, int bits)
Definition: tests.c:544
run_recovery_tests
void run_recovery_tests(void)
Definition: tests_impl.h:382
secp256k1_num_is_neg
static int secp256k1_num_is_neg(const secp256k1_num *a)
Check whether a number is strictly negative.
check_fe_inverse
int check_fe_inverse(const secp256k1_fe *a, const secp256k1_fe *ai)
Definition: tests.c:1817
SECP256K1_EC_PARSE_TEST_NXVALID
#define SECP256K1_EC_PARSE_TEST_NXVALID
run_schnorrsig_tests
void run_schnorrsig_tests(void)
Definition: tests_impl.h:792
secp256k1_testrand_int
static uint32_t secp256k1_testrand_int(uint32_t range)
Generate a pseudorandom number in the range [0..range-1].
run_memczero_test
void run_memczero_test(void)
Definition: tests.c:5447
secp256k1_rfc6979_hmac_sha256_finalize
static void secp256k1_rfc6979_hmac_sha256_finalize(secp256k1_rfc6979_hmac_sha256 *rng)
secp256k1_ecdsa_sig_serialize
static int secp256k1_ecdsa_sig_serialize(unsigned char *sig, size_t *size, const secp256k1_scalar *r, const secp256k1_scalar *s)
run_point_times_order
void run_point_times_order(void)
Definition: tests.c:2710
scalar_test
void scalar_test(void)
Definition: tests.c:802
secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:67
secp256k1_testrand_finish
static void secp256k1_testrand_finish(void)
Print final test information.
secp256k1_rfc6979_hmac_sha256_generate
static void secp256k1_rfc6979_hmac_sha256_generate(secp256k1_rfc6979_hmac_sha256 *rng, unsigned char *out, size_t outlen)
run_eckey_negate_test
void run_eckey_negate_test(void)
Definition: tests.c:4328
secp256k1_ecdsa_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msg32, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Verify an ECDSA signature.
Definition: secp256k1.c:423
Generated on Fri Apr 30 2021 13:53:45 for Bitcoin Core by   doxygen 1.8.8