github.com/aquanetwork/aquachain@v1.7.8/crypto/secp256k1/libsecp256k1/src/tests.c (about) 1 /********************************************************************** 2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell * 3 * Distributed under the MIT software license, see the accompanying * 4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.* 5 **********************************************************************/ 6 7 #if defined HAVE_CONFIG_H 8 #include "libsecp256k1-config.h" 9 #endif 10 11 #include <stdio.h> 12 #include <stdlib.h> 13 #include <string.h> 14 15 #include <time.h> 16 17 #include "secp256k1.c" 18 #include "include/secp256k1.h" 19 #include "testrand_impl.h" 20 21 #ifdef ENABLE_OPENSSL_TESTS 22 #include "openssl/bn.h" 23 #include "openssl/ec.h" 24 #include "openssl/ecdsa.h" 25 #include "openssl/obj_mac.h" 26 # if OPENSSL_VERSION_NUMBER < 0x10100000L 27 void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {*pr = sig->r; *ps = sig->s;} 28 # endif 29 #endif 30 31 #include "contrib/lax_der_parsing.c" 32 #include "contrib/lax_der_privatekey_parsing.c" 33 34 #if !defined(VG_CHECK) 35 # if defined(VALGRIND) 36 # include <valgrind/memcheck.h> 37 # define VG_UNDEF(x,y) VALGRIND_MAKE_MEM_UNDEFINED((x),(y)) 38 # define VG_CHECK(x,y) VALGRIND_CHECK_MEM_IS_DEFINED((x),(y)) 39 # else 40 # define VG_UNDEF(x,y) 41 # define VG_CHECK(x,y) 42 # endif 43 #endif 44 45 static int count = 64; 46 static secp256k1_context *ctx = NULL; 47 48 static void counting_illegal_callback_fn(const char* str, void* data) { 49 /* Dummy callback function that just counts. */ 50 int32_t *p; 51 (void)str; 52 p = data; 53 (*p)++; 54 } 55 56 static void uncounting_illegal_callback_fn(const char* str, void* data) { 57 /* Dummy callback function that just counts (backwards). */ 58 int32_t *p; 59 (void)str; 60 p = data; 61 (*p)--; 62 } 63 64 void random_field_element_test(secp256k1_fe *fe) { 65 do { 66 unsigned char b32[32]; 67 secp256k1_rand256_test(b32); 68 if (secp256k1_fe_set_b32(fe, b32)) { 69 break; 70 } 71 } while(1); 72 } 73 74 void random_field_element_magnitude(secp256k1_fe *fe) { 75 secp256k1_fe zero; 76 int n = secp256k1_rand_int(9); 77 secp256k1_fe_normalize(fe); 78 if (n == 0) { 79 return; 80 } 81 secp256k1_fe_clear(&zero); 82 secp256k1_fe_negate(&zero, &zero, 0); 83 secp256k1_fe_mul_int(&zero, n - 1); 84 secp256k1_fe_add(fe, &zero); 85 VERIFY_CHECK(fe->magnitude == n); 86 } 87 88 void random_group_element_test(secp256k1_ge *ge) { 89 secp256k1_fe fe; 90 do { 91 random_field_element_test(&fe); 92 if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_rand_bits(1))) { 93 secp256k1_fe_normalize(&ge->y); 94 break; 95 } 96 } while(1); 97 } 98 99 void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) { 100 secp256k1_fe z2, z3; 101 do { 102 random_field_element_test(&gej->z); 103 if (!secp256k1_fe_is_zero(&gej->z)) { 104 break; 105 } 106 } while(1); 107 secp256k1_fe_sqr(&z2, &gej->z); 108 secp256k1_fe_mul(&z3, &z2, &gej->z); 109 secp256k1_fe_mul(&gej->x, &ge->x, &z2); 110 secp256k1_fe_mul(&gej->y, &ge->y, &z3); 111 gej->infinity = ge->infinity; 112 } 113 114 void random_scalar_order_test(secp256k1_scalar *num) { 115 do { 116 unsigned char b32[32]; 117 int overflow = 0; 118 secp256k1_rand256_test(b32); 119 secp256k1_scalar_set_b32(num, b32, &overflow); 120 if (overflow || secp256k1_scalar_is_zero(num)) { 121 continue; 122 } 123 break; 124 } while(1); 125 } 126 127 void random_scalar_order(secp256k1_scalar *num) { 128 do { 129 unsigned char b32[32]; 130 int overflow = 0; 131 secp256k1_rand256(b32); 132 secp256k1_scalar_set_b32(num, b32, &overflow); 133 if (overflow || secp256k1_scalar_is_zero(num)) { 134 continue; 135 } 136 break; 137 } while(1); 138 } 139 140 void run_context_tests(void) { 141 secp256k1_pubkey pubkey; 142 secp256k1_pubkey zero_pubkey; 143 secp256k1_ecdsa_signature sig; 144 unsigned char ctmp[32]; 145 int32_t ecount; 146 int32_t ecount2; 147 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE); 148 secp256k1_context *sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN); 149 secp256k1_context *vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY); 150 secp256k1_context *both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); 151 152 secp256k1_gej pubj; 153 secp256k1_ge pub; 154 secp256k1_scalar msg, key, nonce; 155 secp256k1_scalar sigr, sigs; 156 157 memset(&zero_pubkey, 0, sizeof(zero_pubkey)); 158 159 ecount = 0; 160 ecount2 = 10; 161 secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount); 162 secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2); 163 secp256k1_context_set_error_callback(sign, counting_illegal_callback_fn, NULL); 164 CHECK(vrfy->error_callback.fn != sign->error_callback.fn); 165 166 /*** clone and destroy all of them to make sure cloning was complete ***/ 167 { 168 secp256k1_context *ctx_tmp; 169 170 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_destroy(ctx_tmp); 171 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_destroy(ctx_tmp); 172 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_destroy(ctx_tmp); 173 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_destroy(ctx_tmp); 174 } 175 176 /* Verify that the error callback makes it across the clone. */ 177 CHECK(vrfy->error_callback.fn != sign->error_callback.fn); 178 /* And that it resets back to default. */ 179 secp256k1_context_set_error_callback(sign, NULL, NULL); 180 CHECK(vrfy->error_callback.fn == sign->error_callback.fn); 181 182 /*** attempt to use them ***/ 183 random_scalar_order_test(&msg); 184 random_scalar_order_test(&key); 185 secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key); 186 secp256k1_ge_set_gej(&pub, &pubj); 187 188 /* Verify context-type checking illegal-argument errors. */ 189 memset(ctmp, 1, 32); 190 CHECK(secp256k1_ec_pubkey_create(vrfy, &pubkey, ctmp) == 0); 191 CHECK(ecount == 1); 192 VG_UNDEF(&pubkey, sizeof(pubkey)); 193 CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1); 194 VG_CHECK(&pubkey, sizeof(pubkey)); 195 CHECK(secp256k1_ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0); 196 CHECK(ecount == 2); 197 VG_UNDEF(&sig, sizeof(sig)); 198 CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1); 199 VG_CHECK(&sig, sizeof(sig)); 200 CHECK(ecount2 == 10); 201 CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0); 202 CHECK(ecount2 == 11); 203 CHECK(secp256k1_ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1); 204 CHECK(ecount == 2); 205 CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0); 206 CHECK(ecount2 == 12); 207 CHECK(secp256k1_ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1); 208 CHECK(ecount == 2); 209 CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0); 210 CHECK(ecount2 == 13); 211 CHECK(secp256k1_ec_pubkey_negate(vrfy, &pubkey) == 1); 212 CHECK(ecount == 2); 213 CHECK(secp256k1_ec_pubkey_negate(sign, &pubkey) == 1); 214 CHECK(ecount == 2); 215 CHECK(secp256k1_ec_pubkey_negate(sign, NULL) == 0); 216 CHECK(ecount2 == 14); 217 CHECK(secp256k1_ec_pubkey_negate(vrfy, &zero_pubkey) == 0); 218 CHECK(ecount == 3); 219 CHECK(secp256k1_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1); 220 CHECK(ecount == 3); 221 CHECK(secp256k1_context_randomize(vrfy, ctmp) == 0); 222 CHECK(ecount == 4); 223 CHECK(secp256k1_context_randomize(sign, NULL) == 1); 224 CHECK(ecount2 == 14); 225 secp256k1_context_set_illegal_callback(vrfy, NULL, NULL); 226 secp256k1_context_set_illegal_callback(sign, NULL, NULL); 227 228 /* This shouldn't leak memory, due to already-set tests. */ 229 secp256k1_ecmult_gen_context_build(&sign->ecmult_gen_ctx, NULL); 230 secp256k1_ecmult_context_build(&vrfy->ecmult_ctx, NULL); 231 232 /* obtain a working nonce */ 233 do { 234 random_scalar_order_test(&nonce); 235 } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL)); 236 237 /* try signing */ 238 CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL)); 239 CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL)); 240 241 /* try verifying */ 242 CHECK(secp256k1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg)); 243 CHECK(secp256k1_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg)); 244 245 /* cleanup */ 246 secp256k1_context_destroy(none); 247 secp256k1_context_destroy(sign); 248 secp256k1_context_destroy(vrfy); 249 secp256k1_context_destroy(both); 250 /* Defined as no-op. */ 251 secp256k1_context_destroy(NULL); 252 } 253 254 void run_scratch_tests(void) { 255 int32_t ecount = 0; 256 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE); 257 secp256k1_scratch_space *scratch; 258 259 /* Test public API */ 260 secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount); 261 262 scratch = secp256k1_scratch_space_create(none, 1000); 263 CHECK(scratch != NULL); 264 CHECK(ecount == 0); 265 266 /* Test internal API */ 267 CHECK(secp256k1_scratch_max_allocation(scratch, 0) == 1000); 268 CHECK(secp256k1_scratch_max_allocation(scratch, 1) < 1000); 269 270 /* Allocating 500 bytes with no frame fails */ 271 CHECK(secp256k1_scratch_alloc(scratch, 500) == NULL); 272 CHECK(secp256k1_scratch_max_allocation(scratch, 0) == 1000); 273 274 /* ...but pushing a new stack frame does affect the max allocation */ 275 CHECK(secp256k1_scratch_allocate_frame(scratch, 500, 1 == 1)); 276 CHECK(secp256k1_scratch_max_allocation(scratch, 1) < 500); /* 500 - ALIGNMENT */ 277 CHECK(secp256k1_scratch_alloc(scratch, 500) != NULL); 278 CHECK(secp256k1_scratch_alloc(scratch, 500) == NULL); 279 280 CHECK(secp256k1_scratch_allocate_frame(scratch, 500, 1) == 0); 281 282 /* ...and this effect is undone by popping the frame */ 283 secp256k1_scratch_deallocate_frame(scratch); 284 CHECK(secp256k1_scratch_max_allocation(scratch, 0) == 1000); 285 CHECK(secp256k1_scratch_alloc(scratch, 500) == NULL); 286 287 /* cleanup */ 288 secp256k1_scratch_space_destroy(scratch); 289 secp256k1_context_destroy(none); 290 } 291 292 /***** HASH TESTS *****/ 293 294 void run_sha256_tests(void) { 295 static const char *inputs[8] = { 296 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe", 297 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", 298 "For this sample, this 63-byte string will be used as input data", 299 "This is exactly 64 bytes long, not counting the terminating byte" 300 }; 301 static const unsigned char outputs[8][32] = { 302 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55}, 303 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad}, 304 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50}, 305 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d}, 306 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30}, 307 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1}, 308 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42}, 309 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8} 310 }; 311 int i; 312 for (i = 0; i < 8; i++) { 313 unsigned char out[32]; 314 secp256k1_sha256 hasher; 315 secp256k1_sha256_initialize(&hasher); 316 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i])); 317 secp256k1_sha256_finalize(&hasher, out); 318 CHECK(memcmp(out, outputs[i], 32) == 0); 319 if (strlen(inputs[i]) > 0) { 320 int split = secp256k1_rand_int(strlen(inputs[i])); 321 secp256k1_sha256_initialize(&hasher); 322 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split); 323 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split); 324 secp256k1_sha256_finalize(&hasher, out); 325 CHECK(memcmp(out, outputs[i], 32) == 0); 326 } 327 } 328 } 329 330 void run_hmac_sha256_tests(void) { 331 static const char *keys[6] = { 332 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 333 "\x4a\x65\x66\x65", 334 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa", 335 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19", 336 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa", 337 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 338 }; 339 static const char *inputs[6] = { 340 "\x48\x69\x20\x54\x68\x65\x72\x65", 341 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f", 342 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd", 343 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd", 344 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74", 345 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e" 346 }; 347 static const unsigned char outputs[6][32] = { 348 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7}, 349 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43}, 350 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe}, 351 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b}, 352 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54}, 353 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2} 354 }; 355 int i; 356 for (i = 0; i < 6; i++) { 357 secp256k1_hmac_sha256 hasher; 358 unsigned char out[32]; 359 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i])); 360 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i])); 361 secp256k1_hmac_sha256_finalize(&hasher, out); 362 CHECK(memcmp(out, outputs[i], 32) == 0); 363 if (strlen(inputs[i]) > 0) { 364 int split = secp256k1_rand_int(strlen(inputs[i])); 365 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i])); 366 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split); 367 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split); 368 secp256k1_hmac_sha256_finalize(&hasher, out); 369 CHECK(memcmp(out, outputs[i], 32) == 0); 370 } 371 } 372 } 373 374 void run_rfc6979_hmac_sha256_tests(void) { 375 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0}; 376 static const unsigned char out1[3][32] = { 377 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb}, 378 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a}, 379 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e} 380 }; 381 382 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55}; 383 static const unsigned char out2[3][32] = { 384 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95}, 385 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9}, 386 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94} 387 }; 388 389 secp256k1_rfc6979_hmac_sha256 rng; 390 unsigned char out[32]; 391 int i; 392 393 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64); 394 for (i = 0; i < 3; i++) { 395 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32); 396 CHECK(memcmp(out, out1[i], 32) == 0); 397 } 398 secp256k1_rfc6979_hmac_sha256_finalize(&rng); 399 400 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65); 401 for (i = 0; i < 3; i++) { 402 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32); 403 CHECK(memcmp(out, out1[i], 32) != 0); 404 } 405 secp256k1_rfc6979_hmac_sha256_finalize(&rng); 406 407 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64); 408 for (i = 0; i < 3; i++) { 409 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32); 410 CHECK(memcmp(out, out2[i], 32) == 0); 411 } 412 secp256k1_rfc6979_hmac_sha256_finalize(&rng); 413 } 414 415 /***** RANDOM TESTS *****/ 416 417 void test_rand_bits(int rand32, int bits) { 418 /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to 419 * get a false negative chance below once in a billion */ 420 static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316}; 421 /* We try multiplying the results with various odd numbers, which shouldn't 422 * influence the uniform distribution modulo a power of 2. */ 423 static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011}; 424 /* We only select up to 6 bits from the output to analyse */ 425 unsigned int usebits = bits > 6 ? 6 : bits; 426 unsigned int maxshift = bits - usebits; 427 /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit 428 number, track all observed outcomes, one per bit in a uint64_t. */ 429 uint64_t x[6][27] = {{0}}; 430 unsigned int i, shift, m; 431 /* Multiply the output of all rand calls with the odd number m, which 432 should not change the uniformity of its distribution. */ 433 for (i = 0; i < rounds[usebits]; i++) { 434 uint32_t r = (rand32 ? secp256k1_rand32() : secp256k1_rand_bits(bits)); 435 CHECK((((uint64_t)r) >> bits) == 0); 436 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) { 437 uint32_t rm = r * mults[m]; 438 for (shift = 0; shift <= maxshift; shift++) { 439 x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1))); 440 } 441 } 442 } 443 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) { 444 for (shift = 0; shift <= maxshift; shift++) { 445 /* Test that the lower usebits bits of x[shift] are 1 */ 446 CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0); 447 } 448 } 449 } 450 451 /* Subrange must be a whole divisor of range, and at most 64 */ 452 void test_rand_int(uint32_t range, uint32_t subrange) { 453 /* (1-1/subrange)^rounds < 1/10^9 */ 454 int rounds = (subrange * 2073) / 100; 455 int i; 456 uint64_t x = 0; 457 CHECK((range % subrange) == 0); 458 for (i = 0; i < rounds; i++) { 459 uint32_t r = secp256k1_rand_int(range); 460 CHECK(r < range); 461 r = r % subrange; 462 x |= (((uint64_t)1) << r); 463 } 464 /* Test that the lower subrange bits of x are 1. */ 465 CHECK(((~x) << (64 - subrange)) == 0); 466 } 467 468 void run_rand_bits(void) { 469 size_t b; 470 test_rand_bits(1, 32); 471 for (b = 1; b <= 32; b++) { 472 test_rand_bits(0, b); 473 } 474 } 475 476 void run_rand_int(void) { 477 static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432}; 478 static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64}; 479 unsigned int m, s; 480 for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) { 481 for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) { 482 test_rand_int(ms[m] * ss[s], ss[s]); 483 } 484 } 485 } 486 487 /***** NUM TESTS *****/ 488 489 #ifndef USE_NUM_NONE 490 void random_num_negate(secp256k1_num *num) { 491 if (secp256k1_rand_bits(1)) { 492 secp256k1_num_negate(num); 493 } 494 } 495 496 void random_num_order_test(secp256k1_num *num) { 497 secp256k1_scalar sc; 498 random_scalar_order_test(&sc); 499 secp256k1_scalar_get_num(num, &sc); 500 } 501 502 void random_num_order(secp256k1_num *num) { 503 secp256k1_scalar sc; 504 random_scalar_order(&sc); 505 secp256k1_scalar_get_num(num, &sc); 506 } 507 508 void test_num_negate(void) { 509 secp256k1_num n1; 510 secp256k1_num n2; 511 random_num_order_test(&n1); /* n1 = R */ 512 random_num_negate(&n1); 513 secp256k1_num_copy(&n2, &n1); /* n2 = R */ 514 secp256k1_num_sub(&n1, &n2, &n1); /* n1 = n2-n1 = 0 */ 515 CHECK(secp256k1_num_is_zero(&n1)); 516 secp256k1_num_copy(&n1, &n2); /* n1 = R */ 517 secp256k1_num_negate(&n1); /* n1 = -R */ 518 CHECK(!secp256k1_num_is_zero(&n1)); 519 secp256k1_num_add(&n1, &n2, &n1); /* n1 = n2+n1 = 0 */ 520 CHECK(secp256k1_num_is_zero(&n1)); 521 secp256k1_num_copy(&n1, &n2); /* n1 = R */ 522 secp256k1_num_negate(&n1); /* n1 = -R */ 523 CHECK(secp256k1_num_is_neg(&n1) != secp256k1_num_is_neg(&n2)); 524 secp256k1_num_negate(&n1); /* n1 = R */ 525 CHECK(secp256k1_num_eq(&n1, &n2)); 526 } 527 528 void test_num_add_sub(void) { 529 int i; 530 secp256k1_scalar s; 531 secp256k1_num n1; 532 secp256k1_num n2; 533 secp256k1_num n1p2, n2p1, n1m2, n2m1; 534 random_num_order_test(&n1); /* n1 = R1 */ 535 if (secp256k1_rand_bits(1)) { 536 random_num_negate(&n1); 537 } 538 random_num_order_test(&n2); /* n2 = R2 */ 539 if (secp256k1_rand_bits(1)) { 540 random_num_negate(&n2); 541 } 542 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = R1 + R2 */ 543 secp256k1_num_add(&n2p1, &n2, &n1); /* n2p1 = R2 + R1 */ 544 secp256k1_num_sub(&n1m2, &n1, &n2); /* n1m2 = R1 - R2 */ 545 secp256k1_num_sub(&n2m1, &n2, &n1); /* n2m1 = R2 - R1 */ 546 CHECK(secp256k1_num_eq(&n1p2, &n2p1)); 547 CHECK(!secp256k1_num_eq(&n1p2, &n1m2)); 548 secp256k1_num_negate(&n2m1); /* n2m1 = -R2 + R1 */ 549 CHECK(secp256k1_num_eq(&n2m1, &n1m2)); 550 CHECK(!secp256k1_num_eq(&n2m1, &n1)); 551 secp256k1_num_add(&n2m1, &n2m1, &n2); /* n2m1 = -R2 + R1 + R2 = R1 */ 552 CHECK(secp256k1_num_eq(&n2m1, &n1)); 553 CHECK(!secp256k1_num_eq(&n2p1, &n1)); 554 secp256k1_num_sub(&n2p1, &n2p1, &n2); /* n2p1 = R2 + R1 - R2 = R1 */ 555 CHECK(secp256k1_num_eq(&n2p1, &n1)); 556 557 /* check is_one */ 558 secp256k1_scalar_set_int(&s, 1); 559 secp256k1_scalar_get_num(&n1, &s); 560 CHECK(secp256k1_num_is_one(&n1)); 561 /* check that 2^n + 1 is never 1 */ 562 secp256k1_scalar_get_num(&n2, &s); 563 for (i = 0; i < 250; ++i) { 564 secp256k1_num_add(&n1, &n1, &n1); /* n1 *= 2 */ 565 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = n1 + 1 */ 566 CHECK(!secp256k1_num_is_one(&n1p2)); 567 } 568 } 569 570 void test_num_mod(void) { 571 int i; 572 secp256k1_scalar s; 573 secp256k1_num order, n; 574 575 /* check that 0 mod anything is 0 */ 576 random_scalar_order_test(&s); 577 secp256k1_scalar_get_num(&order, &s); 578 secp256k1_scalar_set_int(&s, 0); 579 secp256k1_scalar_get_num(&n, &s); 580 secp256k1_num_mod(&n, &order); 581 CHECK(secp256k1_num_is_zero(&n)); 582 583 /* check that anything mod 1 is 0 */ 584 secp256k1_scalar_set_int(&s, 1); 585 secp256k1_scalar_get_num(&order, &s); 586 secp256k1_scalar_get_num(&n, &s); 587 secp256k1_num_mod(&n, &order); 588 CHECK(secp256k1_num_is_zero(&n)); 589 590 /* check that increasing the number past 2^256 does not break this */ 591 random_scalar_order_test(&s); 592 secp256k1_scalar_get_num(&n, &s); 593 /* multiply by 2^8, which'll test this case with high probability */ 594 for (i = 0; i < 8; ++i) { 595 secp256k1_num_add(&n, &n, &n); 596 } 597 secp256k1_num_mod(&n, &order); 598 CHECK(secp256k1_num_is_zero(&n)); 599 } 600 601 void test_num_jacobi(void) { 602 secp256k1_scalar sqr; 603 secp256k1_scalar small; 604 secp256k1_scalar five; /* five is not a quadratic residue */ 605 secp256k1_num order, n; 606 int i; 607 /* squares mod 5 are 1, 4 */ 608 const int jacobi5[10] = { 0, 1, -1, -1, 1, 0, 1, -1, -1, 1 }; 609 610 /* check some small values with 5 as the order */ 611 secp256k1_scalar_set_int(&five, 5); 612 secp256k1_scalar_get_num(&order, &five); 613 for (i = 0; i < 10; ++i) { 614 secp256k1_scalar_set_int(&small, i); 615 secp256k1_scalar_get_num(&n, &small); 616 CHECK(secp256k1_num_jacobi(&n, &order) == jacobi5[i]); 617 } 618 619 /** test large values with 5 as group order */ 620 secp256k1_scalar_get_num(&order, &five); 621 /* we first need a scalar which is not a multiple of 5 */ 622 do { 623 secp256k1_num fiven; 624 random_scalar_order_test(&sqr); 625 secp256k1_scalar_get_num(&fiven, &five); 626 secp256k1_scalar_get_num(&n, &sqr); 627 secp256k1_num_mod(&n, &fiven); 628 } while (secp256k1_num_is_zero(&n)); 629 /* next force it to be a residue. 2 is a nonresidue mod 5 so we can 630 * just multiply by two, i.e. add the number to itself */ 631 if (secp256k1_num_jacobi(&n, &order) == -1) { 632 secp256k1_num_add(&n, &n, &n); 633 } 634 635 /* test residue */ 636 CHECK(secp256k1_num_jacobi(&n, &order) == 1); 637 /* test nonresidue */ 638 secp256k1_num_add(&n, &n, &n); 639 CHECK(secp256k1_num_jacobi(&n, &order) == -1); 640 641 /** test with secp group order as order */ 642 secp256k1_scalar_order_get_num(&order); 643 random_scalar_order_test(&sqr); 644 secp256k1_scalar_sqr(&sqr, &sqr); 645 /* test residue */ 646 secp256k1_scalar_get_num(&n, &sqr); 647 CHECK(secp256k1_num_jacobi(&n, &order) == 1); 648 /* test nonresidue */ 649 secp256k1_scalar_mul(&sqr, &sqr, &five); 650 secp256k1_scalar_get_num(&n, &sqr); 651 CHECK(secp256k1_num_jacobi(&n, &order) == -1); 652 /* test multiple of the order*/ 653 CHECK(secp256k1_num_jacobi(&order, &order) == 0); 654 655 /* check one less than the order */ 656 secp256k1_scalar_set_int(&small, 1); 657 secp256k1_scalar_get_num(&n, &small); 658 secp256k1_num_sub(&n, &order, &n); 659 CHECK(secp256k1_num_jacobi(&n, &order) == 1); /* sage confirms this is 1 */ 660 } 661 662 void run_num_smalltests(void) { 663 int i; 664 for (i = 0; i < 100*count; i++) { 665 test_num_negate(); 666 test_num_add_sub(); 667 test_num_mod(); 668 test_num_jacobi(); 669 } 670 } 671 #endif 672 673 /***** SCALAR TESTS *****/ 674 675 void scalar_test(void) { 676 secp256k1_scalar s; 677 secp256k1_scalar s1; 678 secp256k1_scalar s2; 679 #ifndef USE_NUM_NONE 680 secp256k1_num snum, s1num, s2num; 681 secp256k1_num order, half_order; 682 #endif 683 unsigned char c[32]; 684 685 /* Set 's' to a random scalar, with value 'snum'. */ 686 random_scalar_order_test(&s); 687 688 /* Set 's1' to a random scalar, with value 's1num'. */ 689 random_scalar_order_test(&s1); 690 691 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */ 692 random_scalar_order_test(&s2); 693 secp256k1_scalar_get_b32(c, &s2); 694 695 #ifndef USE_NUM_NONE 696 secp256k1_scalar_get_num(&snum, &s); 697 secp256k1_scalar_get_num(&s1num, &s1); 698 secp256k1_scalar_get_num(&s2num, &s2); 699 700 secp256k1_scalar_order_get_num(&order); 701 half_order = order; 702 secp256k1_num_shift(&half_order, 1); 703 #endif 704 705 { 706 int i; 707 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */ 708 secp256k1_scalar n; 709 secp256k1_scalar_set_int(&n, 0); 710 for (i = 0; i < 256; i += 4) { 711 secp256k1_scalar t; 712 int j; 713 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4)); 714 for (j = 0; j < 4; j++) { 715 secp256k1_scalar_add(&n, &n, &n); 716 } 717 secp256k1_scalar_add(&n, &n, &t); 718 } 719 CHECK(secp256k1_scalar_eq(&n, &s)); 720 } 721 722 { 723 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */ 724 secp256k1_scalar n; 725 int i = 0; 726 secp256k1_scalar_set_int(&n, 0); 727 while (i < 256) { 728 secp256k1_scalar t; 729 int j; 730 int now = secp256k1_rand_int(15) + 1; 731 if (now + i > 256) { 732 now = 256 - i; 733 } 734 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now)); 735 for (j = 0; j < now; j++) { 736 secp256k1_scalar_add(&n, &n, &n); 737 } 738 secp256k1_scalar_add(&n, &n, &t); 739 i += now; 740 } 741 CHECK(secp256k1_scalar_eq(&n, &s)); 742 } 743 744 #ifndef USE_NUM_NONE 745 { 746 /* Test that adding the scalars together is equal to adding their numbers together modulo the order. */ 747 secp256k1_num rnum; 748 secp256k1_num r2num; 749 secp256k1_scalar r; 750 secp256k1_num_add(&rnum, &snum, &s2num); 751 secp256k1_num_mod(&rnum, &order); 752 secp256k1_scalar_add(&r, &s, &s2); 753 secp256k1_scalar_get_num(&r2num, &r); 754 CHECK(secp256k1_num_eq(&rnum, &r2num)); 755 } 756 757 { 758 /* Test that multiplying the scalars is equal to multiplying their numbers modulo the order. */ 759 secp256k1_scalar r; 760 secp256k1_num r2num; 761 secp256k1_num rnum; 762 secp256k1_num_mul(&rnum, &snum, &s2num); 763 secp256k1_num_mod(&rnum, &order); 764 secp256k1_scalar_mul(&r, &s, &s2); 765 secp256k1_scalar_get_num(&r2num, &r); 766 CHECK(secp256k1_num_eq(&rnum, &r2num)); 767 /* The result can only be zero if at least one of the factors was zero. */ 768 CHECK(secp256k1_scalar_is_zero(&r) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_zero(&s2))); 769 /* The results can only be equal to one of the factors if that factor was zero, or the other factor was one. */ 770 CHECK(secp256k1_num_eq(&rnum, &snum) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_one(&s2))); 771 CHECK(secp256k1_num_eq(&rnum, &s2num) == (secp256k1_scalar_is_zero(&s2) || secp256k1_scalar_is_one(&s))); 772 } 773 774 { 775 secp256k1_scalar neg; 776 secp256k1_num negnum; 777 secp256k1_num negnum2; 778 /* Check that comparison with zero matches comparison with zero on the number. */ 779 CHECK(secp256k1_num_is_zero(&snum) == secp256k1_scalar_is_zero(&s)); 780 /* Check that comparison with the half order is equal to testing for high scalar. */ 781 CHECK(secp256k1_scalar_is_high(&s) == (secp256k1_num_cmp(&snum, &half_order) > 0)); 782 secp256k1_scalar_negate(&neg, &s); 783 secp256k1_num_sub(&negnum, &order, &snum); 784 secp256k1_num_mod(&negnum, &order); 785 /* Check that comparison with the half order is equal to testing for high scalar after negation. */ 786 CHECK(secp256k1_scalar_is_high(&neg) == (secp256k1_num_cmp(&negnum, &half_order) > 0)); 787 /* Negating should change the high property, unless the value was already zero. */ 788 CHECK((secp256k1_scalar_is_high(&s) == secp256k1_scalar_is_high(&neg)) == secp256k1_scalar_is_zero(&s)); 789 secp256k1_scalar_get_num(&negnum2, &neg); 790 /* Negating a scalar should be equal to (order - n) mod order on the number. */ 791 CHECK(secp256k1_num_eq(&negnum, &negnum2)); 792 secp256k1_scalar_add(&neg, &neg, &s); 793 /* Adding a number to its negation should result in zero. */ 794 CHECK(secp256k1_scalar_is_zero(&neg)); 795 secp256k1_scalar_negate(&neg, &neg); 796 /* Negating zero should still result in zero. */ 797 CHECK(secp256k1_scalar_is_zero(&neg)); 798 } 799 800 { 801 /* Test secp256k1_scalar_mul_shift_var. */ 802 secp256k1_scalar r; 803 secp256k1_num one; 804 secp256k1_num rnum; 805 secp256k1_num rnum2; 806 unsigned char cone[1] = {0x01}; 807 unsigned int shift = 256 + secp256k1_rand_int(257); 808 secp256k1_scalar_mul_shift_var(&r, &s1, &s2, shift); 809 secp256k1_num_mul(&rnum, &s1num, &s2num); 810 secp256k1_num_shift(&rnum, shift - 1); 811 secp256k1_num_set_bin(&one, cone, 1); 812 secp256k1_num_add(&rnum, &rnum, &one); 813 secp256k1_num_shift(&rnum, 1); 814 secp256k1_scalar_get_num(&rnum2, &r); 815 CHECK(secp256k1_num_eq(&rnum, &rnum2)); 816 } 817 818 { 819 /* test secp256k1_scalar_shr_int */ 820 secp256k1_scalar r; 821 int i; 822 random_scalar_order_test(&r); 823 for (i = 0; i < 100; ++i) { 824 int low; 825 int shift = 1 + secp256k1_rand_int(15); 826 int expected = r.d[0] % (1 << shift); 827 low = secp256k1_scalar_shr_int(&r, shift); 828 CHECK(expected == low); 829 } 830 } 831 #endif 832 833 { 834 /* Test that scalar inverses are equal to the inverse of their number modulo the order. */ 835 if (!secp256k1_scalar_is_zero(&s)) { 836 secp256k1_scalar inv; 837 #ifndef USE_NUM_NONE 838 secp256k1_num invnum; 839 secp256k1_num invnum2; 840 #endif 841 secp256k1_scalar_inverse(&inv, &s); 842 #ifndef USE_NUM_NONE 843 secp256k1_num_mod_inverse(&invnum, &snum, &order); 844 secp256k1_scalar_get_num(&invnum2, &inv); 845 CHECK(secp256k1_num_eq(&invnum, &invnum2)); 846 #endif 847 secp256k1_scalar_mul(&inv, &inv, &s); 848 /* Multiplying a scalar with its inverse must result in one. */ 849 CHECK(secp256k1_scalar_is_one(&inv)); 850 secp256k1_scalar_inverse(&inv, &inv); 851 /* Inverting one must result in one. */ 852 CHECK(secp256k1_scalar_is_one(&inv)); 853 #ifndef USE_NUM_NONE 854 secp256k1_scalar_get_num(&invnum, &inv); 855 CHECK(secp256k1_num_is_one(&invnum)); 856 #endif 857 } 858 } 859 860 { 861 /* Test commutativity of add. */ 862 secp256k1_scalar r1, r2; 863 secp256k1_scalar_add(&r1, &s1, &s2); 864 secp256k1_scalar_add(&r2, &s2, &s1); 865 CHECK(secp256k1_scalar_eq(&r1, &r2)); 866 } 867 868 { 869 secp256k1_scalar r1, r2; 870 secp256k1_scalar b; 871 int i; 872 /* Test add_bit. */ 873 int bit = secp256k1_rand_bits(8); 874 secp256k1_scalar_set_int(&b, 1); 875 CHECK(secp256k1_scalar_is_one(&b)); 876 for (i = 0; i < bit; i++) { 877 secp256k1_scalar_add(&b, &b, &b); 878 } 879 r1 = s1; 880 r2 = s1; 881 if (!secp256k1_scalar_add(&r1, &r1, &b)) { 882 /* No overflow happened. */ 883 secp256k1_scalar_cadd_bit(&r2, bit, 1); 884 CHECK(secp256k1_scalar_eq(&r1, &r2)); 885 /* cadd is a noop when flag is zero */ 886 secp256k1_scalar_cadd_bit(&r2, bit, 0); 887 CHECK(secp256k1_scalar_eq(&r1, &r2)); 888 } 889 } 890 891 { 892 /* Test commutativity of mul. */ 893 secp256k1_scalar r1, r2; 894 secp256k1_scalar_mul(&r1, &s1, &s2); 895 secp256k1_scalar_mul(&r2, &s2, &s1); 896 CHECK(secp256k1_scalar_eq(&r1, &r2)); 897 } 898 899 { 900 /* Test associativity of add. */ 901 secp256k1_scalar r1, r2; 902 secp256k1_scalar_add(&r1, &s1, &s2); 903 secp256k1_scalar_add(&r1, &r1, &s); 904 secp256k1_scalar_add(&r2, &s2, &s); 905 secp256k1_scalar_add(&r2, &s1, &r2); 906 CHECK(secp256k1_scalar_eq(&r1, &r2)); 907 } 908 909 { 910 /* Test associativity of mul. */ 911 secp256k1_scalar r1, r2; 912 secp256k1_scalar_mul(&r1, &s1, &s2); 913 secp256k1_scalar_mul(&r1, &r1, &s); 914 secp256k1_scalar_mul(&r2, &s2, &s); 915 secp256k1_scalar_mul(&r2, &s1, &r2); 916 CHECK(secp256k1_scalar_eq(&r1, &r2)); 917 } 918 919 { 920 /* Test distributitivity of mul over add. */ 921 secp256k1_scalar r1, r2, t; 922 secp256k1_scalar_add(&r1, &s1, &s2); 923 secp256k1_scalar_mul(&r1, &r1, &s); 924 secp256k1_scalar_mul(&r2, &s1, &s); 925 secp256k1_scalar_mul(&t, &s2, &s); 926 secp256k1_scalar_add(&r2, &r2, &t); 927 CHECK(secp256k1_scalar_eq(&r1, &r2)); 928 } 929 930 { 931 /* Test square. */ 932 secp256k1_scalar r1, r2; 933 secp256k1_scalar_sqr(&r1, &s1); 934 secp256k1_scalar_mul(&r2, &s1, &s1); 935 CHECK(secp256k1_scalar_eq(&r1, &r2)); 936 } 937 938 { 939 /* Test multiplicative identity. */ 940 secp256k1_scalar r1, v1; 941 secp256k1_scalar_set_int(&v1,1); 942 secp256k1_scalar_mul(&r1, &s1, &v1); 943 CHECK(secp256k1_scalar_eq(&r1, &s1)); 944 } 945 946 { 947 /* Test additive identity. */ 948 secp256k1_scalar r1, v0; 949 secp256k1_scalar_set_int(&v0,0); 950 secp256k1_scalar_add(&r1, &s1, &v0); 951 CHECK(secp256k1_scalar_eq(&r1, &s1)); 952 } 953 954 { 955 /* Test zero product property. */ 956 secp256k1_scalar r1, v0; 957 secp256k1_scalar_set_int(&v0,0); 958 secp256k1_scalar_mul(&r1, &s1, &v0); 959 CHECK(secp256k1_scalar_eq(&r1, &v0)); 960 } 961 962 } 963 964 void run_scalar_tests(void) { 965 int i; 966 for (i = 0; i < 128 * count; i++) { 967 scalar_test(); 968 } 969 970 { 971 /* (-1)+1 should be zero. */ 972 secp256k1_scalar s, o; 973 secp256k1_scalar_set_int(&s, 1); 974 CHECK(secp256k1_scalar_is_one(&s)); 975 secp256k1_scalar_negate(&o, &s); 976 secp256k1_scalar_add(&o, &o, &s); 977 CHECK(secp256k1_scalar_is_zero(&o)); 978 secp256k1_scalar_negate(&o, &o); 979 CHECK(secp256k1_scalar_is_zero(&o)); 980 } 981 982 #ifndef USE_NUM_NONE 983 { 984 /* A scalar with value of the curve order should be 0. */ 985 secp256k1_num order; 986 secp256k1_scalar zero; 987 unsigned char bin[32]; 988 int overflow = 0; 989 secp256k1_scalar_order_get_num(&order); 990 secp256k1_num_get_bin(bin, 32, &order); 991 secp256k1_scalar_set_b32(&zero, bin, &overflow); 992 CHECK(overflow == 1); 993 CHECK(secp256k1_scalar_is_zero(&zero)); 994 } 995 #endif 996 997 { 998 /* Does check_overflow check catch all ones? */ 999 static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST( 1000 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 1001 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL 1002 ); 1003 CHECK(secp256k1_scalar_check_overflow(&overflowed)); 1004 } 1005 1006 { 1007 /* Static test vectors. 1008 * These were reduced from ~10^12 random vectors based on comparison-decision 1009 * and edge-case coverage on 32-bit and 64-bit implementations. 1010 * The responses were generated with Sage 5.9. 1011 */ 1012 secp256k1_scalar x; 1013 secp256k1_scalar y; 1014 secp256k1_scalar z; 1015 secp256k1_scalar zz; 1016 secp256k1_scalar one; 1017 secp256k1_scalar r1; 1018 secp256k1_scalar r2; 1019 #if defined(USE_SCALAR_INV_NUM) 1020 secp256k1_scalar zzv; 1021 #endif 1022 int overflow; 1023 unsigned char chal[33][2][32] = { 1024 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00, 1025 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 1026 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 1027 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff}, 1028 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00, 1029 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 1030 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1031 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}}, 1032 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00, 1033 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 1034 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1035 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, 1036 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 1037 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 1038 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff, 1039 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}}, 1040 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 1041 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 1042 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00, 1043 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00}, 1044 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80, 1045 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0, 1046 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00, 1047 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}}, 1048 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 1049 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80, 1050 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 1051 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff}, 1052 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 1053 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0, 1054 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff, 1055 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}}, 1056 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00, 1057 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 1058 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00, 1059 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff}, 1060 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 1061 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1062 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f, 1063 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}}, 1064 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f, 1065 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80, 1066 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00, 1067 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}, 1068 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 1069 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff, 1070 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 1071 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}}, 1072 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 1073 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 1074 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00, 1075 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0}, 1076 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 1077 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00, 1078 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 1079 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}}, 1080 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00, 1081 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 1082 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 1083 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff}, 1084 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 1085 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0, 1086 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1087 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}}, 1088 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1089 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 1090 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80, 1091 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}, 1092 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1093 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1094 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1095 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, 1096 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff, 1097 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1098 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80, 1099 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f}, 1100 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00, 1101 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff, 1102 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00, 1103 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}}, 1104 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff, 1105 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 1106 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80, 1107 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff}, 1108 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 1109 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1110 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 1111 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}}, 1112 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 1113 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1114 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1115 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80}, 1116 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1117 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff, 1118 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 1119 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, 1120 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1121 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1122 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1123 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00}, 1124 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 1125 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f, 1126 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff, 1127 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}}, 1128 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 1129 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80, 1130 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1131 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00}, 1132 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 1133 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1134 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00, 1135 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}}, 1136 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00, 1137 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03, 1138 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1139 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, 1140 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff, 1141 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1142 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1143 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}}, 1144 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 1145 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1146 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1147 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, 1148 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1149 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff, 1150 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 1151 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}}, 1152 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 1153 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1154 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00, 1155 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80}, 1156 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1157 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 1158 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e, 1159 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, 1160 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1161 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 1162 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 1163 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00}, 1164 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 1165 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00, 1166 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 1167 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}}, 1168 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80, 1169 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 1170 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 1171 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}, 1172 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1173 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80, 1174 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 1175 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}}, 1176 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff, 1177 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00, 1178 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1179 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07}, 1180 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 1181 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 1182 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff, 1183 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}}, 1184 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1185 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1186 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1187 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, 1188 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1189 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 1190 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b, 1191 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}}, 1192 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1193 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1194 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1195 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}, 1196 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1197 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1198 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1199 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, 1200 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1201 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1202 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1203 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, 1204 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1205 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1206 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1207 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}}, 1208 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0, 1209 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1210 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 1211 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f}, 1212 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 1213 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00, 1214 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 1215 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}}, 1216 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1217 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1218 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1219 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, 1220 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1221 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1222 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1223 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}}, 1224 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1225 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 1226 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b, 1227 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}, 1228 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1229 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1230 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1231 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}}, 1232 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1233 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00, 1234 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 1235 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, 1236 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 1237 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80, 1238 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 1239 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}}, 1240 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00, 1241 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 1242 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 1243 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff}, 1244 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 1245 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff, 1246 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1247 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}}, 1248 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 1249 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff, 1250 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 1251 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00}, 1252 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 1253 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 1254 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f, 1255 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}}, 1256 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 1257 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01, 1258 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff, 1259 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}, 1260 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 1261 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80, 1262 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff, 1263 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}}, 1264 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 1265 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1266 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8, 1267 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80}, 1268 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1269 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00, 1270 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f, 1271 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}}, 1272 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00, 1273 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83, 1274 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80, 1275 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0}, 1276 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 1277 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00, 1278 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 1279 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}}, 1280 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00, 1281 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00, 1282 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb, 1283 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}, 1284 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00, 1285 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00, 1286 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb, 1287 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}} 1288 }; 1289 unsigned char res[33][2][32] = { 1290 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9, 1291 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1, 1292 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6, 1293 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35}, 1294 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d, 1295 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c, 1296 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49, 1297 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}}, 1298 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22, 1299 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c, 1300 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f, 1301 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8}, 1302 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77, 1303 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4, 1304 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59, 1305 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}}, 1306 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef, 1307 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab, 1308 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55, 1309 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c}, 1310 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96, 1311 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f, 1312 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12, 1313 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}}, 1314 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c, 1315 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf, 1316 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9, 1317 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48}, 1318 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42, 1319 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5, 1320 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c, 1321 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}}, 1322 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb, 1323 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74, 1324 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6, 1325 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63}, 1326 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3, 1327 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99, 1328 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58, 1329 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}}, 1330 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b, 1331 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7, 1332 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f, 1333 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0}, 1334 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d, 1335 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d, 1336 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9, 1337 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}}, 1338 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7, 1339 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70, 1340 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06, 1341 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e}, 1342 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9, 1343 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79, 1344 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e, 1345 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}}, 1346 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb, 1347 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5, 1348 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a, 1349 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe}, 1350 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48, 1351 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e, 1352 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc, 1353 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}}, 1354 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b, 1355 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0, 1356 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53, 1357 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8}, 1358 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c, 1359 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01, 1360 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f, 1361 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}}, 1362 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7, 1363 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c, 1364 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92, 1365 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30}, 1366 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62, 1367 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e, 1368 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb, 1369 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}}, 1370 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25, 1371 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d, 1372 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0, 1373 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13}, 1374 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60, 1375 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00, 1376 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4, 1377 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}}, 1378 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31, 1379 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4, 1380 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88, 1381 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa}, 1382 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57, 1383 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38, 1384 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51, 1385 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}}, 1386 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c, 1387 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f, 1388 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2, 1389 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4}, 1390 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01, 1391 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4, 1392 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86, 1393 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}}, 1394 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5, 1395 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51, 1396 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3, 1397 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62}, 1398 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c, 1399 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91, 1400 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c, 1401 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}}, 1402 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e, 1403 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56, 1404 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58, 1405 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4}, 1406 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41, 1407 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7, 1408 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92, 1409 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}}, 1410 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec, 1411 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19, 1412 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3, 1413 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4}, 1414 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87, 1415 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a, 1416 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92, 1417 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}}, 1418 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64, 1419 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3, 1420 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f, 1421 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33}, 1422 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c, 1423 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d, 1424 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea, 1425 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}}, 1426 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7, 1427 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a, 1428 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae, 1429 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe}, 1430 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc, 1431 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39, 1432 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14, 1433 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}}, 1434 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23, 1435 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d, 1436 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2, 1437 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16}, 1438 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c, 1439 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84, 1440 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0, 1441 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}}, 1442 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb, 1443 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94, 1444 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b, 1445 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e}, 1446 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54, 1447 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00, 1448 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb, 1449 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}}, 1450 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1451 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1452 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1453 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, 1454 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1455 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1456 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1457 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, 1458 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1459 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1460 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1461 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, 1462 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1463 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1464 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1465 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}}, 1466 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1, 1467 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0, 1468 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59, 1469 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}, 1470 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1, 1471 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0, 1472 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59, 1473 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}}, 1474 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0, 1475 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b, 1476 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94, 1477 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8}, 1478 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26, 1479 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d, 1480 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a, 1481 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}}, 1482 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1483 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 1484 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4, 1485 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd}, 1486 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1, 1487 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0, 1488 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59, 1489 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}}, 1490 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 1491 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 1492 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b, 1493 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}, 1494 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1495 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1496 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1497 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}}, 1498 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39, 1499 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea, 1500 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf, 1501 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae}, 1502 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b, 1503 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb, 1504 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6, 1505 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}}, 1506 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a, 1507 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f, 1508 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9, 1509 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56}, 1510 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93, 1511 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07, 1512 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71, 1513 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}}, 1514 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87, 1515 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9, 1516 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55, 1517 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73}, 1518 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d, 1519 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86, 1520 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb, 1521 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}}, 1522 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2, 1523 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7, 1524 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41, 1525 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7}, 1526 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06, 1527 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04, 1528 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08, 1529 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}}, 1530 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2, 1531 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b, 1532 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40, 1533 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68}, 1534 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e, 1535 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a, 1536 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b, 1537 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}}, 1538 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67, 1539 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f, 1540 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a, 1541 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51}, 1542 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2, 1543 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38, 1544 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34, 1545 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}}, 1546 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34, 1547 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13, 1548 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46, 1549 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}, 1550 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34, 1551 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13, 1552 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46, 1553 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}} 1554 }; 1555 secp256k1_scalar_set_int(&one, 1); 1556 for (i = 0; i < 33; i++) { 1557 secp256k1_scalar_set_b32(&x, chal[i][0], &overflow); 1558 CHECK(!overflow); 1559 secp256k1_scalar_set_b32(&y, chal[i][1], &overflow); 1560 CHECK(!overflow); 1561 secp256k1_scalar_set_b32(&r1, res[i][0], &overflow); 1562 CHECK(!overflow); 1563 secp256k1_scalar_set_b32(&r2, res[i][1], &overflow); 1564 CHECK(!overflow); 1565 secp256k1_scalar_mul(&z, &x, &y); 1566 CHECK(!secp256k1_scalar_check_overflow(&z)); 1567 CHECK(secp256k1_scalar_eq(&r1, &z)); 1568 if (!secp256k1_scalar_is_zero(&y)) { 1569 secp256k1_scalar_inverse(&zz, &y); 1570 CHECK(!secp256k1_scalar_check_overflow(&zz)); 1571 #if defined(USE_SCALAR_INV_NUM) 1572 secp256k1_scalar_inverse_var(&zzv, &y); 1573 CHECK(secp256k1_scalar_eq(&zzv, &zz)); 1574 #endif 1575 secp256k1_scalar_mul(&z, &z, &zz); 1576 CHECK(!secp256k1_scalar_check_overflow(&z)); 1577 CHECK(secp256k1_scalar_eq(&x, &z)); 1578 secp256k1_scalar_mul(&zz, &zz, &y); 1579 CHECK(!secp256k1_scalar_check_overflow(&zz)); 1580 CHECK(secp256k1_scalar_eq(&one, &zz)); 1581 } 1582 secp256k1_scalar_mul(&z, &x, &x); 1583 CHECK(!secp256k1_scalar_check_overflow(&z)); 1584 secp256k1_scalar_sqr(&zz, &x); 1585 CHECK(!secp256k1_scalar_check_overflow(&zz)); 1586 CHECK(secp256k1_scalar_eq(&zz, &z)); 1587 CHECK(secp256k1_scalar_eq(&r2, &zz)); 1588 } 1589 } 1590 } 1591 1592 /***** FIELD TESTS *****/ 1593 1594 void random_fe(secp256k1_fe *x) { 1595 unsigned char bin[32]; 1596 do { 1597 secp256k1_rand256(bin); 1598 if (secp256k1_fe_set_b32(x, bin)) { 1599 return; 1600 } 1601 } while(1); 1602 } 1603 1604 void random_fe_test(secp256k1_fe *x) { 1605 unsigned char bin[32]; 1606 do { 1607 secp256k1_rand256_test(bin); 1608 if (secp256k1_fe_set_b32(x, bin)) { 1609 return; 1610 } 1611 } while(1); 1612 } 1613 1614 void random_fe_non_zero(secp256k1_fe *nz) { 1615 int tries = 10; 1616 while (--tries >= 0) { 1617 random_fe(nz); 1618 secp256k1_fe_normalize(nz); 1619 if (!secp256k1_fe_is_zero(nz)) { 1620 break; 1621 } 1622 } 1623 /* Infinitesimal probability of spurious failure here */ 1624 CHECK(tries >= 0); 1625 } 1626 1627 void random_fe_non_square(secp256k1_fe *ns) { 1628 secp256k1_fe r; 1629 random_fe_non_zero(ns); 1630 if (secp256k1_fe_sqrt(&r, ns)) { 1631 secp256k1_fe_negate(ns, ns, 1); 1632 } 1633 } 1634 1635 int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) { 1636 secp256k1_fe an = *a; 1637 secp256k1_fe bn = *b; 1638 secp256k1_fe_normalize_weak(&an); 1639 secp256k1_fe_normalize_var(&bn); 1640 return secp256k1_fe_equal_var(&an, &bn); 1641 } 1642 1643 int check_fe_inverse(const secp256k1_fe *a, const secp256k1_fe *ai) { 1644 secp256k1_fe x; 1645 secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1); 1646 secp256k1_fe_mul(&x, a, ai); 1647 return check_fe_equal(&x, &one); 1648 } 1649 1650 void run_field_convert(void) { 1651 static const unsigned char b32[32] = { 1652 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 1653 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 1654 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 1655 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40 1656 }; 1657 static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST( 1658 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL, 1659 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL 1660 ); 1661 static const secp256k1_fe fe = SECP256K1_FE_CONST( 1662 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL, 1663 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL 1664 ); 1665 secp256k1_fe fe2; 1666 unsigned char b322[32]; 1667 secp256k1_fe_storage fes2; 1668 /* Check conversions to fe. */ 1669 CHECK(secp256k1_fe_set_b32(&fe2, b32)); 1670 CHECK(secp256k1_fe_equal_var(&fe, &fe2)); 1671 secp256k1_fe_from_storage(&fe2, &fes); 1672 CHECK(secp256k1_fe_equal_var(&fe, &fe2)); 1673 /* Check conversion from fe. */ 1674 secp256k1_fe_get_b32(b322, &fe); 1675 CHECK(memcmp(b322, b32, 32) == 0); 1676 secp256k1_fe_to_storage(&fes2, &fe); 1677 CHECK(memcmp(&fes2, &fes, sizeof(fes)) == 0); 1678 } 1679 1680 int fe_memcmp(const secp256k1_fe *a, const secp256k1_fe *b) { 1681 secp256k1_fe t = *b; 1682 #ifdef VERIFY 1683 t.magnitude = a->magnitude; 1684 t.normalized = a->normalized; 1685 #endif 1686 return memcmp(a, &t, sizeof(secp256k1_fe)); 1687 } 1688 1689 void run_field_misc(void) { 1690 secp256k1_fe x; 1691 secp256k1_fe y; 1692 secp256k1_fe z; 1693 secp256k1_fe q; 1694 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5); 1695 int i, j; 1696 for (i = 0; i < 5*count; i++) { 1697 secp256k1_fe_storage xs, ys, zs; 1698 random_fe(&x); 1699 random_fe_non_zero(&y); 1700 /* Test the fe equality and comparison operations. */ 1701 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0); 1702 CHECK(secp256k1_fe_equal_var(&x, &x)); 1703 z = x; 1704 secp256k1_fe_add(&z,&y); 1705 /* Test fe conditional move; z is not normalized here. */ 1706 q = x; 1707 secp256k1_fe_cmov(&x, &z, 0); 1708 VERIFY_CHECK(!x.normalized && x.magnitude == z.magnitude); 1709 secp256k1_fe_cmov(&x, &x, 1); 1710 CHECK(fe_memcmp(&x, &z) != 0); 1711 CHECK(fe_memcmp(&x, &q) == 0); 1712 secp256k1_fe_cmov(&q, &z, 1); 1713 VERIFY_CHECK(!q.normalized && q.magnitude == z.magnitude); 1714 CHECK(fe_memcmp(&q, &z) == 0); 1715 secp256k1_fe_normalize_var(&x); 1716 secp256k1_fe_normalize_var(&z); 1717 CHECK(!secp256k1_fe_equal_var(&x, &z)); 1718 secp256k1_fe_normalize_var(&q); 1719 secp256k1_fe_cmov(&q, &z, (i&1)); 1720 VERIFY_CHECK(q.normalized && q.magnitude == 1); 1721 for (j = 0; j < 6; j++) { 1722 secp256k1_fe_negate(&z, &z, j+1); 1723 secp256k1_fe_normalize_var(&q); 1724 secp256k1_fe_cmov(&q, &z, (j&1)); 1725 VERIFY_CHECK(!q.normalized && q.magnitude == (j+2)); 1726 } 1727 secp256k1_fe_normalize_var(&z); 1728 /* Test storage conversion and conditional moves. */ 1729 secp256k1_fe_to_storage(&xs, &x); 1730 secp256k1_fe_to_storage(&ys, &y); 1731 secp256k1_fe_to_storage(&zs, &z); 1732 secp256k1_fe_storage_cmov(&zs, &xs, 0); 1733 secp256k1_fe_storage_cmov(&zs, &zs, 1); 1734 CHECK(memcmp(&xs, &zs, sizeof(xs)) != 0); 1735 secp256k1_fe_storage_cmov(&ys, &xs, 1); 1736 CHECK(memcmp(&xs, &ys, sizeof(xs)) == 0); 1737 secp256k1_fe_from_storage(&x, &xs); 1738 secp256k1_fe_from_storage(&y, &ys); 1739 secp256k1_fe_from_storage(&z, &zs); 1740 /* Test that mul_int, mul, and add agree. */ 1741 secp256k1_fe_add(&y, &x); 1742 secp256k1_fe_add(&y, &x); 1743 z = x; 1744 secp256k1_fe_mul_int(&z, 3); 1745 CHECK(check_fe_equal(&y, &z)); 1746 secp256k1_fe_add(&y, &x); 1747 secp256k1_fe_add(&z, &x); 1748 CHECK(check_fe_equal(&z, &y)); 1749 z = x; 1750 secp256k1_fe_mul_int(&z, 5); 1751 secp256k1_fe_mul(&q, &x, &fe5); 1752 CHECK(check_fe_equal(&z, &q)); 1753 secp256k1_fe_negate(&x, &x, 1); 1754 secp256k1_fe_add(&z, &x); 1755 secp256k1_fe_add(&q, &x); 1756 CHECK(check_fe_equal(&y, &z)); 1757 CHECK(check_fe_equal(&q, &y)); 1758 } 1759 } 1760 1761 void run_field_inv(void) { 1762 secp256k1_fe x, xi, xii; 1763 int i; 1764 for (i = 0; i < 10*count; i++) { 1765 random_fe_non_zero(&x); 1766 secp256k1_fe_inv(&xi, &x); 1767 CHECK(check_fe_inverse(&x, &xi)); 1768 secp256k1_fe_inv(&xii, &xi); 1769 CHECK(check_fe_equal(&x, &xii)); 1770 } 1771 } 1772 1773 void run_field_inv_var(void) { 1774 secp256k1_fe x, xi, xii; 1775 int i; 1776 for (i = 0; i < 10*count; i++) { 1777 random_fe_non_zero(&x); 1778 secp256k1_fe_inv_var(&xi, &x); 1779 CHECK(check_fe_inverse(&x, &xi)); 1780 secp256k1_fe_inv_var(&xii, &xi); 1781 CHECK(check_fe_equal(&x, &xii)); 1782 } 1783 } 1784 1785 void run_field_inv_all_var(void) { 1786 secp256k1_fe x[16], xi[16], xii[16]; 1787 int i; 1788 /* Check it's safe to call for 0 elements */ 1789 secp256k1_fe_inv_all_var(xi, x, 0); 1790 for (i = 0; i < count; i++) { 1791 size_t j; 1792 size_t len = secp256k1_rand_int(15) + 1; 1793 for (j = 0; j < len; j++) { 1794 random_fe_non_zero(&x[j]); 1795 } 1796 secp256k1_fe_inv_all_var(xi, x, len); 1797 for (j = 0; j < len; j++) { 1798 CHECK(check_fe_inverse(&x[j], &xi[j])); 1799 } 1800 secp256k1_fe_inv_all_var(xii, xi, len); 1801 for (j = 0; j < len; j++) { 1802 CHECK(check_fe_equal(&x[j], &xii[j])); 1803 } 1804 } 1805 } 1806 1807 void run_sqr(void) { 1808 secp256k1_fe x, s; 1809 1810 { 1811 int i; 1812 secp256k1_fe_set_int(&x, 1); 1813 secp256k1_fe_negate(&x, &x, 1); 1814 1815 for (i = 1; i <= 512; ++i) { 1816 secp256k1_fe_mul_int(&x, 2); 1817 secp256k1_fe_normalize(&x); 1818 secp256k1_fe_sqr(&s, &x); 1819 } 1820 } 1821 } 1822 1823 void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) { 1824 secp256k1_fe r1, r2; 1825 int v = secp256k1_fe_sqrt(&r1, a); 1826 CHECK((v == 0) == (k == NULL)); 1827 1828 if (k != NULL) { 1829 /* Check that the returned root is +/- the given known answer */ 1830 secp256k1_fe_negate(&r2, &r1, 1); 1831 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k); 1832 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2); 1833 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2)); 1834 } 1835 } 1836 1837 void run_sqrt(void) { 1838 secp256k1_fe ns, x, s, t; 1839 int i; 1840 1841 /* Check sqrt(0) is 0 */ 1842 secp256k1_fe_set_int(&x, 0); 1843 secp256k1_fe_sqr(&s, &x); 1844 test_sqrt(&s, &x); 1845 1846 /* Check sqrt of small squares (and their negatives) */ 1847 for (i = 1; i <= 100; i++) { 1848 secp256k1_fe_set_int(&x, i); 1849 secp256k1_fe_sqr(&s, &x); 1850 test_sqrt(&s, &x); 1851 secp256k1_fe_negate(&t, &s, 1); 1852 test_sqrt(&t, NULL); 1853 } 1854 1855 /* Consistency checks for large random values */ 1856 for (i = 0; i < 10; i++) { 1857 int j; 1858 random_fe_non_square(&ns); 1859 for (j = 0; j < count; j++) { 1860 random_fe(&x); 1861 secp256k1_fe_sqr(&s, &x); 1862 test_sqrt(&s, &x); 1863 secp256k1_fe_negate(&t, &s, 1); 1864 test_sqrt(&t, NULL); 1865 secp256k1_fe_mul(&t, &s, &ns); 1866 test_sqrt(&t, NULL); 1867 } 1868 } 1869 } 1870 1871 /***** GROUP TESTS *****/ 1872 1873 void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) { 1874 CHECK(a->infinity == b->infinity); 1875 if (a->infinity) { 1876 return; 1877 } 1878 CHECK(secp256k1_fe_equal_var(&a->x, &b->x)); 1879 CHECK(secp256k1_fe_equal_var(&a->y, &b->y)); 1880 } 1881 1882 /* This compares jacobian points including their Z, not just their geometric meaning. */ 1883 int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) { 1884 secp256k1_gej a2; 1885 secp256k1_gej b2; 1886 int ret = 1; 1887 ret &= a->infinity == b->infinity; 1888 if (ret && !a->infinity) { 1889 a2 = *a; 1890 b2 = *b; 1891 secp256k1_fe_normalize(&a2.x); 1892 secp256k1_fe_normalize(&a2.y); 1893 secp256k1_fe_normalize(&a2.z); 1894 secp256k1_fe_normalize(&b2.x); 1895 secp256k1_fe_normalize(&b2.y); 1896 secp256k1_fe_normalize(&b2.z); 1897 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0; 1898 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0; 1899 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0; 1900 } 1901 return ret; 1902 } 1903 1904 void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) { 1905 secp256k1_fe z2s; 1906 secp256k1_fe u1, u2, s1, s2; 1907 CHECK(a->infinity == b->infinity); 1908 if (a->infinity) { 1909 return; 1910 } 1911 /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */ 1912 secp256k1_fe_sqr(&z2s, &b->z); 1913 secp256k1_fe_mul(&u1, &a->x, &z2s); 1914 u2 = b->x; secp256k1_fe_normalize_weak(&u2); 1915 secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z); 1916 s2 = b->y; secp256k1_fe_normalize_weak(&s2); 1917 CHECK(secp256k1_fe_equal_var(&u1, &u2)); 1918 CHECK(secp256k1_fe_equal_var(&s1, &s2)); 1919 } 1920 1921 void test_ge(void) { 1922 int i, i1; 1923 #ifdef USE_ENDOMORPHISM 1924 int runs = 6; 1925 #else 1926 int runs = 4; 1927 #endif 1928 /* Points: (infinity, p1, p1, -p1, -p1, p2, p2, -p2, -p2, p3, p3, -p3, -p3, p4, p4, -p4, -p4). 1929 * The second in each pair of identical points uses a random Z coordinate in the Jacobian form. 1930 * All magnitudes are randomized. 1931 * All 17*17 combinations of points are added to each other, using all applicable methods. 1932 * 1933 * When the endomorphism code is compiled in, p5 = lambda*p1 and p6 = lambda^2*p1 are added as well. 1934 */ 1935 secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs)); 1936 secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs)); 1937 secp256k1_fe *zinv = (secp256k1_fe *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs)); 1938 secp256k1_fe zf; 1939 secp256k1_fe zfi2, zfi3; 1940 1941 secp256k1_gej_set_infinity(&gej[0]); 1942 secp256k1_ge_clear(&ge[0]); 1943 secp256k1_ge_set_gej_var(&ge[0], &gej[0]); 1944 for (i = 0; i < runs; i++) { 1945 int j; 1946 secp256k1_ge g; 1947 random_group_element_test(&g); 1948 #ifdef USE_ENDOMORPHISM 1949 if (i >= runs - 2) { 1950 secp256k1_ge_mul_lambda(&g, &ge[1]); 1951 } 1952 if (i >= runs - 1) { 1953 secp256k1_ge_mul_lambda(&g, &g); 1954 } 1955 #endif 1956 ge[1 + 4 * i] = g; 1957 ge[2 + 4 * i] = g; 1958 secp256k1_ge_neg(&ge[3 + 4 * i], &g); 1959 secp256k1_ge_neg(&ge[4 + 4 * i], &g); 1960 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]); 1961 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]); 1962 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]); 1963 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]); 1964 for (j = 0; j < 4; j++) { 1965 random_field_element_magnitude(&ge[1 + j + 4 * i].x); 1966 random_field_element_magnitude(&ge[1 + j + 4 * i].y); 1967 random_field_element_magnitude(&gej[1 + j + 4 * i].x); 1968 random_field_element_magnitude(&gej[1 + j + 4 * i].y); 1969 random_field_element_magnitude(&gej[1 + j + 4 * i].z); 1970 } 1971 } 1972 1973 /* Compute z inverses. */ 1974 { 1975 secp256k1_fe *zs = checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs)); 1976 for (i = 0; i < 4 * runs + 1; i++) { 1977 if (i == 0) { 1978 /* The point at infinity does not have a meaningful z inverse. Any should do. */ 1979 do { 1980 random_field_element_test(&zs[i]); 1981 } while(secp256k1_fe_is_zero(&zs[i])); 1982 } else { 1983 zs[i] = gej[i].z; 1984 } 1985 } 1986 secp256k1_fe_inv_all_var(zinv, zs, 4 * runs + 1); 1987 free(zs); 1988 } 1989 1990 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */ 1991 do { 1992 random_field_element_test(&zf); 1993 } while(secp256k1_fe_is_zero(&zf)); 1994 random_field_element_magnitude(&zf); 1995 secp256k1_fe_inv_var(&zfi3, &zf); 1996 secp256k1_fe_sqr(&zfi2, &zfi3); 1997 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2); 1998 1999 for (i1 = 0; i1 < 1 + 4 * runs; i1++) { 2000 int i2; 2001 for (i2 = 0; i2 < 1 + 4 * runs; i2++) { 2002 /* Compute reference result using gej + gej (var). */ 2003 secp256k1_gej refj, resj; 2004 secp256k1_ge ref; 2005 secp256k1_fe zr; 2006 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr); 2007 /* Check Z ratio. */ 2008 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) { 2009 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z); 2010 CHECK(secp256k1_fe_equal_var(&zrz, &refj.z)); 2011 } 2012 secp256k1_ge_set_gej_var(&ref, &refj); 2013 2014 /* Test gej + ge with Z ratio result (var). */ 2015 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr); 2016 ge_equals_gej(&ref, &resj); 2017 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) { 2018 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z); 2019 CHECK(secp256k1_fe_equal_var(&zrz, &resj.z)); 2020 } 2021 2022 /* Test gej + ge (var, with additional Z factor). */ 2023 { 2024 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */ 2025 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2); 2026 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3); 2027 random_field_element_magnitude(&ge2_zfi.x); 2028 random_field_element_magnitude(&ge2_zfi.y); 2029 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf); 2030 ge_equals_gej(&ref, &resj); 2031 } 2032 2033 /* Test gej + ge (const). */ 2034 if (i2 != 0) { 2035 /* secp256k1_gej_add_ge does not support its second argument being infinity. */ 2036 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]); 2037 ge_equals_gej(&ref, &resj); 2038 } 2039 2040 /* Test doubling (var). */ 2041 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) { 2042 secp256k1_fe zr2; 2043 /* Normal doubling with Z ratio result. */ 2044 secp256k1_gej_double_var(&resj, &gej[i1], &zr2); 2045 ge_equals_gej(&ref, &resj); 2046 /* Check Z ratio. */ 2047 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z); 2048 CHECK(secp256k1_fe_equal_var(&zr2, &resj.z)); 2049 /* Normal doubling. */ 2050 secp256k1_gej_double_var(&resj, &gej[i2], NULL); 2051 ge_equals_gej(&ref, &resj); 2052 } 2053 2054 /* Test adding opposites. */ 2055 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) { 2056 CHECK(secp256k1_ge_is_infinity(&ref)); 2057 } 2058 2059 /* Test adding infinity. */ 2060 if (i1 == 0) { 2061 CHECK(secp256k1_ge_is_infinity(&ge[i1])); 2062 CHECK(secp256k1_gej_is_infinity(&gej[i1])); 2063 ge_equals_gej(&ref, &gej[i2]); 2064 } 2065 if (i2 == 0) { 2066 CHECK(secp256k1_ge_is_infinity(&ge[i2])); 2067 CHECK(secp256k1_gej_is_infinity(&gej[i2])); 2068 ge_equals_gej(&ref, &gej[i1]); 2069 } 2070 } 2071 } 2072 2073 /* Test adding all points together in random order equals infinity. */ 2074 { 2075 secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY; 2076 secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej)); 2077 for (i = 0; i < 4 * runs + 1; i++) { 2078 gej_shuffled[i] = gej[i]; 2079 } 2080 for (i = 0; i < 4 * runs + 1; i++) { 2081 int swap = i + secp256k1_rand_int(4 * runs + 1 - i); 2082 if (swap != i) { 2083 secp256k1_gej t = gej_shuffled[i]; 2084 gej_shuffled[i] = gej_shuffled[swap]; 2085 gej_shuffled[swap] = t; 2086 } 2087 } 2088 for (i = 0; i < 4 * runs + 1; i++) { 2089 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL); 2090 } 2091 CHECK(secp256k1_gej_is_infinity(&sum)); 2092 free(gej_shuffled); 2093 } 2094 2095 /* Test batch gej -> ge conversion with and without known z ratios. */ 2096 { 2097 secp256k1_fe *zr = (secp256k1_fe *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_fe)); 2098 secp256k1_ge *ge_set_table = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge)); 2099 secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge)); 2100 for (i = 0; i < 4 * runs + 1; i++) { 2101 /* Compute gej[i + 1].z / gez[i].z (with gej[n].z taken to be 1). */ 2102 if (i < 4 * runs) { 2103 secp256k1_fe_mul(&zr[i + 1], &zinv[i], &gej[i + 1].z); 2104 } 2105 } 2106 secp256k1_ge_set_table_gej_var(ge_set_table, gej, zr, 4 * runs + 1); 2107 secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1, &ctx->error_callback); 2108 for (i = 0; i < 4 * runs + 1; i++) { 2109 secp256k1_fe s; 2110 random_fe_non_zero(&s); 2111 secp256k1_gej_rescale(&gej[i], &s); 2112 ge_equals_gej(&ge_set_table[i], &gej[i]); 2113 ge_equals_gej(&ge_set_all[i], &gej[i]); 2114 } 2115 free(ge_set_table); 2116 free(ge_set_all); 2117 free(zr); 2118 } 2119 2120 free(ge); 2121 free(gej); 2122 free(zinv); 2123 } 2124 2125 void test_add_neg_y_diff_x(void) { 2126 /* The point of this test is to check that we can add two points 2127 * whose y-coordinates are negatives of each other but whose x 2128 * coordinates differ. If the x-coordinates were the same, these 2129 * points would be negatives of each other and their sum is 2130 * infinity. This is cool because it "covers up" any degeneracy 2131 * in the addition algorithm that would cause the xy coordinates 2132 * of the sum to be wrong (since infinity has no xy coordinates). 2133 * HOWEVER, if the x-coordinates are different, infinity is the 2134 * wrong answer, and such degeneracies are exposed. This is the 2135 * root of https://github.com/bitcoin-core/secp256k1/issues/257 2136 * which this test is a regression test for. 2137 * 2138 * These points were generated in sage as 2139 * # secp256k1 params 2140 * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F) 2141 * C = EllipticCurve ([F (0), F (7)]) 2142 * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798) 2143 * N = FiniteField(G.order()) 2144 * 2145 * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F) 2146 * x = polygen(N) 2147 * lam = (1 - x^3).roots()[1][0] 2148 * 2149 * # random "bad pair" 2150 * P = C.random_element() 2151 * Q = -int(lam) * P 2152 * print " P: %x %x" % P.xy() 2153 * print " Q: %x %x" % Q.xy() 2154 * print "P + Q: %x %x" % (P + Q).xy() 2155 */ 2156 secp256k1_gej aj = SECP256K1_GEJ_CONST( 2157 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30, 2158 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb, 2159 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8, 2160 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d 2161 ); 2162 secp256k1_gej bj = SECP256K1_GEJ_CONST( 2163 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86, 2164 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7, 2165 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57, 2166 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2 2167 ); 2168 secp256k1_gej sumj = SECP256K1_GEJ_CONST( 2169 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027, 2170 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a, 2171 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08, 2172 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe 2173 ); 2174 secp256k1_ge b; 2175 secp256k1_gej resj; 2176 secp256k1_ge res; 2177 secp256k1_ge_set_gej(&b, &bj); 2178 2179 secp256k1_gej_add_var(&resj, &aj, &bj, NULL); 2180 secp256k1_ge_set_gej(&res, &resj); 2181 ge_equals_gej(&res, &sumj); 2182 2183 secp256k1_gej_add_ge(&resj, &aj, &b); 2184 secp256k1_ge_set_gej(&res, &resj); 2185 ge_equals_gej(&res, &sumj); 2186 2187 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL); 2188 secp256k1_ge_set_gej(&res, &resj); 2189 ge_equals_gej(&res, &sumj); 2190 } 2191 2192 void run_ge(void) { 2193 int i; 2194 for (i = 0; i < count * 32; i++) { 2195 test_ge(); 2196 } 2197 test_add_neg_y_diff_x(); 2198 } 2199 2200 void test_ec_combine(void) { 2201 secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); 2202 secp256k1_pubkey data[6]; 2203 const secp256k1_pubkey* d[6]; 2204 secp256k1_pubkey sd; 2205 secp256k1_pubkey sd2; 2206 secp256k1_gej Qj; 2207 secp256k1_ge Q; 2208 int i; 2209 for (i = 1; i <= 6; i++) { 2210 secp256k1_scalar s; 2211 random_scalar_order_test(&s); 2212 secp256k1_scalar_add(&sum, &sum, &s); 2213 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s); 2214 secp256k1_ge_set_gej(&Q, &Qj); 2215 secp256k1_pubkey_save(&data[i - 1], &Q); 2216 d[i - 1] = &data[i - 1]; 2217 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum); 2218 secp256k1_ge_set_gej(&Q, &Qj); 2219 secp256k1_pubkey_save(&sd, &Q); 2220 CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1); 2221 CHECK(memcmp(&sd, &sd2, sizeof(sd)) == 0); 2222 } 2223 } 2224 2225 void run_ec_combine(void) { 2226 int i; 2227 for (i = 0; i < count * 8; i++) { 2228 test_ec_combine(); 2229 } 2230 } 2231 2232 void test_group_decompress(const secp256k1_fe* x) { 2233 /* The input itself, normalized. */ 2234 secp256k1_fe fex = *x; 2235 secp256k1_fe fez; 2236 /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */ 2237 secp256k1_ge ge_quad, ge_even, ge_odd; 2238 secp256k1_gej gej_quad; 2239 /* Return values of the above calls. */ 2240 int res_quad, res_even, res_odd; 2241 2242 secp256k1_fe_normalize_var(&fex); 2243 2244 res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex); 2245 res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0); 2246 res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1); 2247 2248 CHECK(res_quad == res_even); 2249 CHECK(res_quad == res_odd); 2250 2251 if (res_quad) { 2252 secp256k1_fe_normalize_var(&ge_quad.x); 2253 secp256k1_fe_normalize_var(&ge_odd.x); 2254 secp256k1_fe_normalize_var(&ge_even.x); 2255 secp256k1_fe_normalize_var(&ge_quad.y); 2256 secp256k1_fe_normalize_var(&ge_odd.y); 2257 secp256k1_fe_normalize_var(&ge_even.y); 2258 2259 /* No infinity allowed. */ 2260 CHECK(!ge_quad.infinity); 2261 CHECK(!ge_even.infinity); 2262 CHECK(!ge_odd.infinity); 2263 2264 /* Check that the x coordinates check out. */ 2265 CHECK(secp256k1_fe_equal_var(&ge_quad.x, x)); 2266 CHECK(secp256k1_fe_equal_var(&ge_even.x, x)); 2267 CHECK(secp256k1_fe_equal_var(&ge_odd.x, x)); 2268 2269 /* Check that the Y coordinate result in ge_quad is a square. */ 2270 CHECK(secp256k1_fe_is_quad_var(&ge_quad.y)); 2271 2272 /* Check odd/even Y in ge_odd, ge_even. */ 2273 CHECK(secp256k1_fe_is_odd(&ge_odd.y)); 2274 CHECK(!secp256k1_fe_is_odd(&ge_even.y)); 2275 2276 /* Check secp256k1_gej_has_quad_y_var. */ 2277 secp256k1_gej_set_ge(&gej_quad, &ge_quad); 2278 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad)); 2279 do { 2280 random_fe_test(&fez); 2281 } while (secp256k1_fe_is_zero(&fez)); 2282 secp256k1_gej_rescale(&gej_quad, &fez); 2283 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad)); 2284 secp256k1_gej_neg(&gej_quad, &gej_quad); 2285 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad)); 2286 do { 2287 random_fe_test(&fez); 2288 } while (secp256k1_fe_is_zero(&fez)); 2289 secp256k1_gej_rescale(&gej_quad, &fez); 2290 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad)); 2291 secp256k1_gej_neg(&gej_quad, &gej_quad); 2292 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad)); 2293 } 2294 } 2295 2296 void run_group_decompress(void) { 2297 int i; 2298 for (i = 0; i < count * 4; i++) { 2299 secp256k1_fe fe; 2300 random_fe_test(&fe); 2301 test_group_decompress(&fe); 2302 } 2303 } 2304 2305 /***** ECMULT TESTS *****/ 2306 2307 void run_ecmult_chain(void) { 2308 /* random starting point A (on the curve) */ 2309 secp256k1_gej a = SECP256K1_GEJ_CONST( 2310 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3, 2311 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004, 2312 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f, 2313 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f 2314 ); 2315 /* two random initial factors xn and gn */ 2316 secp256k1_scalar xn = SECP256K1_SCALAR_CONST( 2317 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c, 2318 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407 2319 ); 2320 secp256k1_scalar gn = SECP256K1_SCALAR_CONST( 2321 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9, 2322 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de 2323 ); 2324 /* two small multipliers to be applied to xn and gn in every iteration: */ 2325 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337); 2326 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113); 2327 /* accumulators with the resulting coefficients to A and G */ 2328 secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1); 2329 secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); 2330 /* actual points */ 2331 secp256k1_gej x; 2332 secp256k1_gej x2; 2333 int i; 2334 2335 /* the point being computed */ 2336 x = a; 2337 for (i = 0; i < 200*count; i++) { 2338 /* in each iteration, compute X = xn*X + gn*G; */ 2339 secp256k1_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn); 2340 /* also compute ae and ge: the actual accumulated factors for A and G */ 2341 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */ 2342 secp256k1_scalar_mul(&ae, &ae, &xn); 2343 secp256k1_scalar_mul(&ge, &ge, &xn); 2344 secp256k1_scalar_add(&ge, &ge, &gn); 2345 /* modify xn and gn */ 2346 secp256k1_scalar_mul(&xn, &xn, &xf); 2347 secp256k1_scalar_mul(&gn, &gn, &gf); 2348 2349 /* verify */ 2350 if (i == 19999) { 2351 /* expected result after 19999 iterations */ 2352 secp256k1_gej rp = SECP256K1_GEJ_CONST( 2353 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE, 2354 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830, 2355 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D, 2356 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88 2357 ); 2358 2359 secp256k1_gej_neg(&rp, &rp); 2360 secp256k1_gej_add_var(&rp, &rp, &x, NULL); 2361 CHECK(secp256k1_gej_is_infinity(&rp)); 2362 } 2363 } 2364 /* redo the computation, but directly with the resulting ae and ge coefficients: */ 2365 secp256k1_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge); 2366 secp256k1_gej_neg(&x2, &x2); 2367 secp256k1_gej_add_var(&x2, &x2, &x, NULL); 2368 CHECK(secp256k1_gej_is_infinity(&x2)); 2369 } 2370 2371 void test_point_times_order(const secp256k1_gej *point) { 2372 /* X * (point + G) + (order-X) * (pointer + G) = 0 */ 2373 secp256k1_scalar x; 2374 secp256k1_scalar nx; 2375 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); 2376 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1); 2377 secp256k1_gej res1, res2; 2378 secp256k1_ge res3; 2379 unsigned char pub[65]; 2380 size_t psize = 65; 2381 random_scalar_order_test(&x); 2382 secp256k1_scalar_negate(&nx, &x); 2383 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */ 2384 secp256k1_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */ 2385 secp256k1_gej_add_var(&res1, &res1, &res2, NULL); 2386 CHECK(secp256k1_gej_is_infinity(&res1)); 2387 CHECK(secp256k1_gej_is_valid_var(&res1) == 0); 2388 secp256k1_ge_set_gej(&res3, &res1); 2389 CHECK(secp256k1_ge_is_infinity(&res3)); 2390 CHECK(secp256k1_ge_is_valid_var(&res3) == 0); 2391 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0); 2392 psize = 65; 2393 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0); 2394 /* check zero/one edge cases */ 2395 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero); 2396 secp256k1_ge_set_gej(&res3, &res1); 2397 CHECK(secp256k1_ge_is_infinity(&res3)); 2398 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero); 2399 secp256k1_ge_set_gej(&res3, &res1); 2400 ge_equals_gej(&res3, point); 2401 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one); 2402 secp256k1_ge_set_gej(&res3, &res1); 2403 ge_equals_ge(&res3, &secp256k1_ge_const_g); 2404 } 2405 2406 void run_point_times_order(void) { 2407 int i; 2408 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2); 2409 static const secp256k1_fe xr = SECP256K1_FE_CONST( 2410 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C, 2411 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45 2412 ); 2413 for (i = 0; i < 500; i++) { 2414 secp256k1_ge p; 2415 if (secp256k1_ge_set_xo_var(&p, &x, 1)) { 2416 secp256k1_gej j; 2417 CHECK(secp256k1_ge_is_valid_var(&p)); 2418 secp256k1_gej_set_ge(&j, &p); 2419 CHECK(secp256k1_gej_is_valid_var(&j)); 2420 test_point_times_order(&j); 2421 } 2422 secp256k1_fe_sqr(&x, &x); 2423 } 2424 secp256k1_fe_normalize_var(&x); 2425 CHECK(secp256k1_fe_equal_var(&x, &xr)); 2426 } 2427 2428 void ecmult_const_random_mult(void) { 2429 /* random starting point A (on the curve) */ 2430 secp256k1_ge a = SECP256K1_GE_CONST( 2431 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b, 2432 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a, 2433 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c, 2434 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d 2435 ); 2436 /* random initial factor xn */ 2437 secp256k1_scalar xn = SECP256K1_SCALAR_CONST( 2438 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327, 2439 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b 2440 ); 2441 /* expected xn * A (from sage) */ 2442 secp256k1_ge expected_b = SECP256K1_GE_CONST( 2443 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd, 2444 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786, 2445 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f, 2446 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956 2447 ); 2448 secp256k1_gej b; 2449 secp256k1_ecmult_const(&b, &a, &xn, 256); 2450 2451 CHECK(secp256k1_ge_is_valid_var(&a)); 2452 ge_equals_gej(&expected_b, &b); 2453 } 2454 2455 void ecmult_const_commutativity(void) { 2456 secp256k1_scalar a; 2457 secp256k1_scalar b; 2458 secp256k1_gej res1; 2459 secp256k1_gej res2; 2460 secp256k1_ge mid1; 2461 secp256k1_ge mid2; 2462 random_scalar_order_test(&a); 2463 random_scalar_order_test(&b); 2464 2465 secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a, 256); 2466 secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b, 256); 2467 secp256k1_ge_set_gej(&mid1, &res1); 2468 secp256k1_ge_set_gej(&mid2, &res2); 2469 secp256k1_ecmult_const(&res1, &mid1, &b, 256); 2470 secp256k1_ecmult_const(&res2, &mid2, &a, 256); 2471 secp256k1_ge_set_gej(&mid1, &res1); 2472 secp256k1_ge_set_gej(&mid2, &res2); 2473 ge_equals_ge(&mid1, &mid2); 2474 } 2475 2476 void ecmult_const_mult_zero_one(void) { 2477 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); 2478 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1); 2479 secp256k1_scalar negone; 2480 secp256k1_gej res1; 2481 secp256k1_ge res2; 2482 secp256k1_ge point; 2483 secp256k1_scalar_negate(&negone, &one); 2484 2485 random_group_element_test(&point); 2486 secp256k1_ecmult_const(&res1, &point, &zero, 3); 2487 secp256k1_ge_set_gej(&res2, &res1); 2488 CHECK(secp256k1_ge_is_infinity(&res2)); 2489 secp256k1_ecmult_const(&res1, &point, &one, 2); 2490 secp256k1_ge_set_gej(&res2, &res1); 2491 ge_equals_ge(&res2, &point); 2492 secp256k1_ecmult_const(&res1, &point, &negone, 256); 2493 secp256k1_gej_neg(&res1, &res1); 2494 secp256k1_ge_set_gej(&res2, &res1); 2495 ge_equals_ge(&res2, &point); 2496 } 2497 2498 void ecmult_const_chain_multiply(void) { 2499 /* Check known result (randomly generated test problem from sage) */ 2500 const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST( 2501 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d, 2502 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b 2503 ); 2504 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST( 2505 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd, 2506 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f, 2507 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196, 2508 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435 2509 ); 2510 secp256k1_gej point; 2511 secp256k1_ge res; 2512 int i; 2513 2514 secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g); 2515 for (i = 0; i < 100; ++i) { 2516 secp256k1_ge tmp; 2517 secp256k1_ge_set_gej(&tmp, &point); 2518 secp256k1_ecmult_const(&point, &tmp, &scalar, 256); 2519 } 2520 secp256k1_ge_set_gej(&res, &point); 2521 ge_equals_gej(&res, &expected_point); 2522 } 2523 2524 void run_ecmult_const_tests(void) { 2525 ecmult_const_mult_zero_one(); 2526 ecmult_const_random_mult(); 2527 ecmult_const_commutativity(); 2528 ecmult_const_chain_multiply(); 2529 } 2530 2531 typedef struct { 2532 secp256k1_scalar *sc; 2533 secp256k1_ge *pt; 2534 } ecmult_multi_data; 2535 2536 static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) { 2537 ecmult_multi_data *data = (ecmult_multi_data*) cbdata; 2538 *sc = data->sc[idx]; 2539 *pt = data->pt[idx]; 2540 return 1; 2541 } 2542 2543 static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) { 2544 (void)sc; 2545 (void)pt; 2546 (void)idx; 2547 (void)cbdata; 2548 return 0; 2549 } 2550 2551 void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) { 2552 int ncount; 2553 secp256k1_scalar szero; 2554 secp256k1_scalar sc[32]; 2555 secp256k1_ge pt[32]; 2556 secp256k1_gej r; 2557 secp256k1_gej r2; 2558 ecmult_multi_data data; 2559 secp256k1_scratch *scratch_empty; 2560 2561 data.sc = sc; 2562 data.pt = pt; 2563 secp256k1_scalar_set_int(&szero, 0); 2564 2565 /* No points to multiply */ 2566 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, NULL, ecmult_multi_callback, &data, 0)); 2567 2568 /* Check 1- and 2-point multiplies against ecmult */ 2569 for (ncount = 0; ncount < count; ncount++) { 2570 secp256k1_ge ptg; 2571 secp256k1_gej ptgj; 2572 random_scalar_order(&sc[0]); 2573 random_scalar_order(&sc[1]); 2574 2575 random_group_element_test(&ptg); 2576 secp256k1_gej_set_ge(&ptgj, &ptg); 2577 pt[0] = ptg; 2578 pt[1] = secp256k1_ge_const_g; 2579 2580 /* only G scalar */ 2581 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &szero, &sc[0]); 2582 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0)); 2583 secp256k1_gej_neg(&r2, &r2); 2584 secp256k1_gej_add_var(&r, &r, &r2, NULL); 2585 CHECK(secp256k1_gej_is_infinity(&r)); 2586 2587 /* 1-point */ 2588 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &szero); 2589 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 1)); 2590 secp256k1_gej_neg(&r2, &r2); 2591 secp256k1_gej_add_var(&r, &r, &r2, NULL); 2592 CHECK(secp256k1_gej_is_infinity(&r)); 2593 2594 /* Try to multiply 1 point, but scratch space is empty */ 2595 scratch_empty = secp256k1_scratch_create(&ctx->error_callback, 0); 2596 CHECK(!ecmult_multi(&ctx->ecmult_ctx, scratch_empty, &r, &szero, ecmult_multi_callback, &data, 1)); 2597 secp256k1_scratch_destroy(scratch_empty); 2598 2599 /* Try to multiply 1 point, but callback returns false */ 2600 CHECK(!ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_false_callback, &data, 1)); 2601 2602 /* 2-point */ 2603 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]); 2604 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 2)); 2605 secp256k1_gej_neg(&r2, &r2); 2606 secp256k1_gej_add_var(&r, &r, &r2, NULL); 2607 CHECK(secp256k1_gej_is_infinity(&r)); 2608 2609 /* 2-point with G scalar */ 2610 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]); 2611 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1)); 2612 secp256k1_gej_neg(&r2, &r2); 2613 secp256k1_gej_add_var(&r, &r, &r2, NULL); 2614 CHECK(secp256k1_gej_is_infinity(&r)); 2615 } 2616 2617 /* Check infinite outputs of various forms */ 2618 for (ncount = 0; ncount < count; ncount++) { 2619 secp256k1_ge ptg; 2620 size_t i, j; 2621 size_t sizes[] = { 2, 10, 32 }; 2622 2623 for (j = 0; j < 3; j++) { 2624 for (i = 0; i < 32; i++) { 2625 random_scalar_order(&sc[i]); 2626 secp256k1_ge_set_infinity(&pt[i]); 2627 } 2628 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j])); 2629 CHECK(secp256k1_gej_is_infinity(&r)); 2630 } 2631 2632 for (j = 0; j < 3; j++) { 2633 for (i = 0; i < 32; i++) { 2634 random_group_element_test(&ptg); 2635 pt[i] = ptg; 2636 secp256k1_scalar_set_int(&sc[i], 0); 2637 } 2638 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j])); 2639 CHECK(secp256k1_gej_is_infinity(&r)); 2640 } 2641 2642 for (j = 0; j < 3; j++) { 2643 random_group_element_test(&ptg); 2644 for (i = 0; i < 16; i++) { 2645 random_scalar_order(&sc[2*i]); 2646 secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]); 2647 pt[2 * i] = ptg; 2648 pt[2 * i + 1] = ptg; 2649 } 2650 2651 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j])); 2652 CHECK(secp256k1_gej_is_infinity(&r)); 2653 2654 random_scalar_order(&sc[0]); 2655 for (i = 0; i < 16; i++) { 2656 random_group_element_test(&ptg); 2657 2658 sc[2*i] = sc[0]; 2659 sc[2*i+1] = sc[0]; 2660 pt[2 * i] = ptg; 2661 secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]); 2662 } 2663 2664 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j])); 2665 CHECK(secp256k1_gej_is_infinity(&r)); 2666 } 2667 2668 random_group_element_test(&ptg); 2669 secp256k1_scalar_set_int(&sc[0], 0); 2670 pt[0] = ptg; 2671 for (i = 1; i < 32; i++) { 2672 pt[i] = ptg; 2673 2674 random_scalar_order(&sc[i]); 2675 secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]); 2676 secp256k1_scalar_negate(&sc[i], &sc[i]); 2677 } 2678 2679 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 32)); 2680 CHECK(secp256k1_gej_is_infinity(&r)); 2681 } 2682 2683 /* Check random points, constant scalar */ 2684 for (ncount = 0; ncount < count; ncount++) { 2685 size_t i; 2686 secp256k1_gej_set_infinity(&r); 2687 2688 random_scalar_order(&sc[0]); 2689 for (i = 0; i < 20; i++) { 2690 secp256k1_ge ptg; 2691 sc[i] = sc[0]; 2692 random_group_element_test(&ptg); 2693 pt[i] = ptg; 2694 secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL); 2695 } 2696 2697 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r, &sc[0], &szero); 2698 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20)); 2699 secp256k1_gej_neg(&r2, &r2); 2700 secp256k1_gej_add_var(&r, &r, &r2, NULL); 2701 CHECK(secp256k1_gej_is_infinity(&r)); 2702 } 2703 2704 /* Check random scalars, constant point */ 2705 for (ncount = 0; ncount < count; ncount++) { 2706 size_t i; 2707 secp256k1_ge ptg; 2708 secp256k1_gej p0j; 2709 secp256k1_scalar rs; 2710 secp256k1_scalar_set_int(&rs, 0); 2711 2712 random_group_element_test(&ptg); 2713 for (i = 0; i < 20; i++) { 2714 random_scalar_order(&sc[i]); 2715 pt[i] = ptg; 2716 secp256k1_scalar_add(&rs, &rs, &sc[i]); 2717 } 2718 2719 secp256k1_gej_set_ge(&p0j, &pt[0]); 2720 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &p0j, &rs, &szero); 2721 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20)); 2722 secp256k1_gej_neg(&r2, &r2); 2723 secp256k1_gej_add_var(&r, &r, &r2, NULL); 2724 CHECK(secp256k1_gej_is_infinity(&r)); 2725 } 2726 2727 /* Sanity check that zero scalars don't cause problems */ 2728 secp256k1_scalar_clear(&sc[0]); 2729 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20)); 2730 secp256k1_scalar_clear(&sc[1]); 2731 secp256k1_scalar_clear(&sc[2]); 2732 secp256k1_scalar_clear(&sc[3]); 2733 secp256k1_scalar_clear(&sc[4]); 2734 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 6)); 2735 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 5)); 2736 CHECK(secp256k1_gej_is_infinity(&r)); 2737 2738 /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */ 2739 { 2740 const size_t TOP = 8; 2741 size_t s0i, s1i; 2742 size_t t0i, t1i; 2743 secp256k1_ge ptg; 2744 secp256k1_gej ptgj; 2745 2746 random_group_element_test(&ptg); 2747 secp256k1_gej_set_ge(&ptgj, &ptg); 2748 2749 for(t0i = 0; t0i < TOP; t0i++) { 2750 for(t1i = 0; t1i < TOP; t1i++) { 2751 secp256k1_gej t0p, t1p; 2752 secp256k1_scalar t0, t1; 2753 2754 secp256k1_scalar_set_int(&t0, (t0i + 1) / 2); 2755 secp256k1_scalar_cond_negate(&t0, t0i & 1); 2756 secp256k1_scalar_set_int(&t1, (t1i + 1) / 2); 2757 secp256k1_scalar_cond_negate(&t1, t1i & 1); 2758 2759 secp256k1_ecmult(&ctx->ecmult_ctx, &t0p, &ptgj, &t0, &szero); 2760 secp256k1_ecmult(&ctx->ecmult_ctx, &t1p, &ptgj, &t1, &szero); 2761 2762 for(s0i = 0; s0i < TOP; s0i++) { 2763 for(s1i = 0; s1i < TOP; s1i++) { 2764 secp256k1_scalar tmp1, tmp2; 2765 secp256k1_gej expected, actual; 2766 2767 secp256k1_ge_set_gej(&pt[0], &t0p); 2768 secp256k1_ge_set_gej(&pt[1], &t1p); 2769 2770 secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2); 2771 secp256k1_scalar_cond_negate(&sc[0], s0i & 1); 2772 secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2); 2773 secp256k1_scalar_cond_negate(&sc[1], s1i & 1); 2774 2775 secp256k1_scalar_mul(&tmp1, &t0, &sc[0]); 2776 secp256k1_scalar_mul(&tmp2, &t1, &sc[1]); 2777 secp256k1_scalar_add(&tmp1, &tmp1, &tmp2); 2778 2779 secp256k1_ecmult(&ctx->ecmult_ctx, &expected, &ptgj, &tmp1, &szero); 2780 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &actual, &szero, ecmult_multi_callback, &data, 2)); 2781 secp256k1_gej_neg(&expected, &expected); 2782 secp256k1_gej_add_var(&actual, &actual, &expected, NULL); 2783 CHECK(secp256k1_gej_is_infinity(&actual)); 2784 } 2785 } 2786 } 2787 } 2788 } 2789 } 2790 2791 void test_secp256k1_pippenger_bucket_window_inv(void) { 2792 int i; 2793 2794 CHECK(secp256k1_pippenger_bucket_window_inv(0) == 0); 2795 for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) { 2796 #ifdef USE_ENDOMORPHISM 2797 /* Bucket_window of 8 is not used with endo */ 2798 if (i == 8) { 2799 continue; 2800 } 2801 #endif 2802 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)) == i); 2803 if (i != PIPPENGER_MAX_BUCKET_WINDOW) { 2804 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)+1) > i); 2805 } 2806 } 2807 } 2808 2809 /** 2810 * Probabilistically test the function returning the maximum number of possible points 2811 * for a given scratch space. 2812 */ 2813 void test_ecmult_multi_pippenger_max_points(void) { 2814 size_t scratch_size = secp256k1_rand_int(256); 2815 size_t max_size = secp256k1_pippenger_scratch_size(secp256k1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12); 2816 secp256k1_scratch *scratch; 2817 size_t n_points_supported; 2818 int bucket_window = 0; 2819 2820 for(; scratch_size < max_size; scratch_size+=256) { 2821 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size); 2822 CHECK(scratch != NULL); 2823 n_points_supported = secp256k1_pippenger_max_points(scratch); 2824 if (n_points_supported == 0) { 2825 secp256k1_scratch_destroy(scratch); 2826 continue; 2827 } 2828 bucket_window = secp256k1_pippenger_bucket_window(n_points_supported); 2829 CHECK(secp256k1_scratch_allocate_frame(scratch, secp256k1_pippenger_scratch_size(n_points_supported, bucket_window), PIPPENGER_SCRATCH_OBJECTS)); 2830 secp256k1_scratch_deallocate_frame(scratch); 2831 secp256k1_scratch_destroy(scratch); 2832 } 2833 CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW); 2834 } 2835 2836 /** 2837 * Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to 2838 * 1 <= i <= num points. 2839 */ 2840 void test_ecmult_multi_batching(void) { 2841 static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD; 2842 secp256k1_scalar scG; 2843 secp256k1_scalar szero; 2844 secp256k1_scalar *sc = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_scalar) * n_points); 2845 secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * n_points); 2846 secp256k1_gej r; 2847 secp256k1_gej r2; 2848 ecmult_multi_data data; 2849 int i; 2850 secp256k1_scratch *scratch; 2851 2852 secp256k1_gej_set_infinity(&r2); 2853 secp256k1_scalar_set_int(&szero, 0); 2854 2855 /* Get random scalars and group elements and compute result */ 2856 random_scalar_order(&scG); 2857 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r2, &szero, &scG); 2858 for(i = 0; i < n_points; i++) { 2859 secp256k1_ge ptg; 2860 secp256k1_gej ptgj; 2861 random_group_element_test(&ptg); 2862 secp256k1_gej_set_ge(&ptgj, &ptg); 2863 pt[i] = ptg; 2864 random_scalar_order(&sc[i]); 2865 secp256k1_ecmult(&ctx->ecmult_ctx, &ptgj, &ptgj, &sc[i], NULL); 2866 secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL); 2867 } 2868 data.sc = sc; 2869 data.pt = pt; 2870 2871 /* Test with empty scratch space */ 2872 scratch = secp256k1_scratch_create(&ctx->error_callback, 0); 2873 CHECK(!secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, 1)); 2874 secp256k1_scratch_destroy(scratch); 2875 2876 /* Test with space for 1 point in pippenger. That's not enough because 2877 * ecmult_multi selects strauss which requires more memory. */ 2878 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT); 2879 CHECK(!secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, 1)); 2880 secp256k1_scratch_destroy(scratch); 2881 2882 secp256k1_gej_neg(&r2, &r2); 2883 for(i = 1; i <= n_points; i++) { 2884 if (i > ECMULT_PIPPENGER_THRESHOLD) { 2885 int bucket_window = secp256k1_pippenger_bucket_window(i); 2886 size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window); 2887 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT); 2888 } else { 2889 size_t scratch_size = secp256k1_strauss_scratch_size(i); 2890 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT); 2891 } 2892 CHECK(secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points)); 2893 secp256k1_gej_add_var(&r, &r, &r2, NULL); 2894 CHECK(secp256k1_gej_is_infinity(&r)); 2895 secp256k1_scratch_destroy(scratch); 2896 } 2897 free(sc); 2898 free(pt); 2899 } 2900 2901 void run_ecmult_multi_tests(void) { 2902 secp256k1_scratch *scratch; 2903 2904 test_secp256k1_pippenger_bucket_window_inv(); 2905 test_ecmult_multi_pippenger_max_points(); 2906 scratch = secp256k1_scratch_create(&ctx->error_callback, 819200); 2907 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var); 2908 test_ecmult_multi(scratch, secp256k1_ecmult_pippenger_batch_single); 2909 test_ecmult_multi(scratch, secp256k1_ecmult_strauss_batch_single); 2910 secp256k1_scratch_destroy(scratch); 2911 2912 /* Run test_ecmult_multi with space for exactly one point */ 2913 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT); 2914 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var); 2915 secp256k1_scratch_destroy(scratch); 2916 2917 test_ecmult_multi_batching(); 2918 } 2919 2920 void test_wnaf(const secp256k1_scalar *number, int w) { 2921 secp256k1_scalar x, two, t; 2922 int wnaf[256]; 2923 int zeroes = -1; 2924 int i; 2925 int bits; 2926 secp256k1_scalar_set_int(&x, 0); 2927 secp256k1_scalar_set_int(&two, 2); 2928 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w); 2929 CHECK(bits <= 256); 2930 for (i = bits-1; i >= 0; i--) { 2931 int v = wnaf[i]; 2932 secp256k1_scalar_mul(&x, &x, &two); 2933 if (v) { 2934 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */ 2935 zeroes=0; 2936 CHECK((v & 1) == 1); /* check non-zero elements are odd */ 2937 CHECK(v <= (1 << (w-1)) - 1); /* check range below */ 2938 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */ 2939 } else { 2940 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */ 2941 zeroes++; 2942 } 2943 if (v >= 0) { 2944 secp256k1_scalar_set_int(&t, v); 2945 } else { 2946 secp256k1_scalar_set_int(&t, -v); 2947 secp256k1_scalar_negate(&t, &t); 2948 } 2949 secp256k1_scalar_add(&x, &x, &t); 2950 } 2951 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */ 2952 } 2953 2954 void test_constant_wnaf_negate(const secp256k1_scalar *number) { 2955 secp256k1_scalar neg1 = *number; 2956 secp256k1_scalar neg2 = *number; 2957 int sign1 = 1; 2958 int sign2 = 1; 2959 2960 if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) { 2961 secp256k1_scalar_negate(&neg1, &neg1); 2962 sign1 = -1; 2963 } 2964 sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2)); 2965 CHECK(sign1 == sign2); 2966 CHECK(secp256k1_scalar_eq(&neg1, &neg2)); 2967 } 2968 2969 void test_constant_wnaf(const secp256k1_scalar *number, int w) { 2970 secp256k1_scalar x, shift; 2971 int wnaf[256] = {0}; 2972 int i; 2973 int skew; 2974 int bits = 256; 2975 secp256k1_scalar num = *number; 2976 2977 secp256k1_scalar_set_int(&x, 0); 2978 secp256k1_scalar_set_int(&shift, 1 << w); 2979 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */ 2980 #ifdef USE_ENDOMORPHISM 2981 for (i = 0; i < 16; ++i) { 2982 secp256k1_scalar_shr_int(&num, 8); 2983 } 2984 bits = 128; 2985 #endif 2986 skew = secp256k1_wnaf_const(wnaf, num, w, bits); 2987 2988 for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) { 2989 secp256k1_scalar t; 2990 int v = wnaf[i]; 2991 CHECK(v != 0); /* check nonzero */ 2992 CHECK(v & 1); /* check parity */ 2993 CHECK(v > -(1 << w)); /* check range above */ 2994 CHECK(v < (1 << w)); /* check range below */ 2995 2996 secp256k1_scalar_mul(&x, &x, &shift); 2997 if (v >= 0) { 2998 secp256k1_scalar_set_int(&t, v); 2999 } else { 3000 secp256k1_scalar_set_int(&t, -v); 3001 secp256k1_scalar_negate(&t, &t); 3002 } 3003 secp256k1_scalar_add(&x, &x, &t); 3004 } 3005 /* Skew num because when encoding numbers as odd we use an offset */ 3006 secp256k1_scalar_cadd_bit(&num, skew == 2, 1); 3007 CHECK(secp256k1_scalar_eq(&x, &num)); 3008 } 3009 3010 void test_fixed_wnaf(const secp256k1_scalar *number, int w) { 3011 secp256k1_scalar x, shift; 3012 int wnaf[256] = {0}; 3013 int i; 3014 int skew; 3015 secp256k1_scalar num = *number; 3016 3017 secp256k1_scalar_set_int(&x, 0); 3018 secp256k1_scalar_set_int(&shift, 1 << w); 3019 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */ 3020 #ifdef USE_ENDOMORPHISM 3021 for (i = 0; i < 16; ++i) { 3022 secp256k1_scalar_shr_int(&num, 8); 3023 } 3024 #endif 3025 skew = secp256k1_wnaf_fixed(wnaf, &num, w); 3026 3027 for (i = WNAF_SIZE(w)-1; i >= 0; --i) { 3028 secp256k1_scalar t; 3029 int v = wnaf[i]; 3030 CHECK(v == 0 || v & 1); /* check parity */ 3031 CHECK(v > -(1 << w)); /* check range above */ 3032 CHECK(v < (1 << w)); /* check range below */ 3033 3034 secp256k1_scalar_mul(&x, &x, &shift); 3035 if (v >= 0) { 3036 secp256k1_scalar_set_int(&t, v); 3037 } else { 3038 secp256k1_scalar_set_int(&t, -v); 3039 secp256k1_scalar_negate(&t, &t); 3040 } 3041 secp256k1_scalar_add(&x, &x, &t); 3042 } 3043 /* If skew is 1 then add 1 to num */ 3044 secp256k1_scalar_cadd_bit(&num, 0, skew == 1); 3045 CHECK(secp256k1_scalar_eq(&x, &num)); 3046 } 3047 3048 /* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the 3049 * rest is 0.*/ 3050 void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) { 3051 int i; 3052 for (i = WNAF_SIZE(w)-1; i >= 8; --i) { 3053 CHECK(wnaf[i] == 0); 3054 } 3055 for (i = 7; i >= 0; --i) { 3056 CHECK(wnaf[i] == wnaf_expected[i]); 3057 } 3058 } 3059 3060 void test_fixed_wnaf_small(void) { 3061 int w = 4; 3062 int wnaf[256] = {0}; 3063 int i; 3064 int skew; 3065 secp256k1_scalar num; 3066 3067 secp256k1_scalar_set_int(&num, 0); 3068 skew = secp256k1_wnaf_fixed(wnaf, &num, w); 3069 for (i = WNAF_SIZE(w)-1; i >= 0; --i) { 3070 int v = wnaf[i]; 3071 CHECK(v == 0); 3072 } 3073 CHECK(skew == 0); 3074 3075 secp256k1_scalar_set_int(&num, 1); 3076 skew = secp256k1_wnaf_fixed(wnaf, &num, w); 3077 for (i = WNAF_SIZE(w)-1; i >= 1; --i) { 3078 int v = wnaf[i]; 3079 CHECK(v == 0); 3080 } 3081 CHECK(wnaf[0] == 1); 3082 CHECK(skew == 0); 3083 3084 { 3085 int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf }; 3086 secp256k1_scalar_set_int(&num, 0xffffffff); 3087 skew = secp256k1_wnaf_fixed(wnaf, &num, w); 3088 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w); 3089 CHECK(skew == 0); 3090 } 3091 { 3092 int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf }; 3093 secp256k1_scalar_set_int(&num, 0xeeeeeeee); 3094 skew = secp256k1_wnaf_fixed(wnaf, &num, w); 3095 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w); 3096 CHECK(skew == 1); 3097 } 3098 { 3099 int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 }; 3100 secp256k1_scalar_set_int(&num, 0x01010101); 3101 skew = secp256k1_wnaf_fixed(wnaf, &num, w); 3102 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w); 3103 CHECK(skew == 0); 3104 } 3105 { 3106 int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 }; 3107 secp256k1_scalar_set_int(&num, 0x01ef1ef1); 3108 skew = secp256k1_wnaf_fixed(wnaf, &num, w); 3109 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w); 3110 CHECK(skew == 0); 3111 } 3112 } 3113 3114 void run_wnaf(void) { 3115 int i; 3116 secp256k1_scalar n = {{0}}; 3117 3118 /* Sanity check: 1 and 2 are the smallest odd and even numbers and should 3119 * have easier-to-diagnose failure modes */ 3120 n.d[0] = 1; 3121 test_constant_wnaf(&n, 4); 3122 n.d[0] = 2; 3123 test_constant_wnaf(&n, 4); 3124 /* Test 0 */ 3125 test_fixed_wnaf_small(); 3126 /* Random tests */ 3127 for (i = 0; i < count; i++) { 3128 random_scalar_order(&n); 3129 test_wnaf(&n, 4+(i%10)); 3130 test_constant_wnaf_negate(&n); 3131 test_constant_wnaf(&n, 4 + (i % 10)); 3132 test_fixed_wnaf(&n, 4 + (i % 10)); 3133 } 3134 secp256k1_scalar_set_int(&n, 0); 3135 CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1); 3136 CHECK(secp256k1_scalar_is_zero(&n)); 3137 CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1); 3138 CHECK(secp256k1_scalar_is_zero(&n)); 3139 } 3140 3141 void test_ecmult_constants(void) { 3142 /* Test ecmult_gen() for [0..36) and [order-36..0). */ 3143 secp256k1_scalar x; 3144 secp256k1_gej r; 3145 secp256k1_ge ng; 3146 int i; 3147 int j; 3148 secp256k1_ge_neg(&ng, &secp256k1_ge_const_g); 3149 for (i = 0; i < 36; i++ ) { 3150 secp256k1_scalar_set_int(&x, i); 3151 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x); 3152 for (j = 0; j < i; j++) { 3153 if (j == i - 1) { 3154 ge_equals_gej(&secp256k1_ge_const_g, &r); 3155 } 3156 secp256k1_gej_add_ge(&r, &r, &ng); 3157 } 3158 CHECK(secp256k1_gej_is_infinity(&r)); 3159 } 3160 for (i = 1; i <= 36; i++ ) { 3161 secp256k1_scalar_set_int(&x, i); 3162 secp256k1_scalar_negate(&x, &x); 3163 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x); 3164 for (j = 0; j < i; j++) { 3165 if (j == i - 1) { 3166 ge_equals_gej(&ng, &r); 3167 } 3168 secp256k1_gej_add_ge(&r, &r, &secp256k1_ge_const_g); 3169 } 3170 CHECK(secp256k1_gej_is_infinity(&r)); 3171 } 3172 } 3173 3174 void run_ecmult_constants(void) { 3175 test_ecmult_constants(); 3176 } 3177 3178 void test_ecmult_gen_blind(void) { 3179 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */ 3180 secp256k1_scalar key; 3181 secp256k1_scalar b; 3182 unsigned char seed32[32]; 3183 secp256k1_gej pgej; 3184 secp256k1_gej pgej2; 3185 secp256k1_gej i; 3186 secp256k1_ge pge; 3187 random_scalar_order_test(&key); 3188 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key); 3189 secp256k1_rand256(seed32); 3190 b = ctx->ecmult_gen_ctx.blind; 3191 i = ctx->ecmult_gen_ctx.initial; 3192 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32); 3193 CHECK(!secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind)); 3194 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key); 3195 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2)); 3196 CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial)); 3197 secp256k1_ge_set_gej(&pge, &pgej); 3198 ge_equals_gej(&pge, &pgej2); 3199 } 3200 3201 void test_ecmult_gen_blind_reset(void) { 3202 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */ 3203 secp256k1_scalar b; 3204 secp256k1_gej initial; 3205 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0); 3206 b = ctx->ecmult_gen_ctx.blind; 3207 initial = ctx->ecmult_gen_ctx.initial; 3208 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0); 3209 CHECK(secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind)); 3210 CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial)); 3211 } 3212 3213 void run_ecmult_gen_blind(void) { 3214 int i; 3215 test_ecmult_gen_blind_reset(); 3216 for (i = 0; i < 10; i++) { 3217 test_ecmult_gen_blind(); 3218 } 3219 } 3220 3221 #ifdef USE_ENDOMORPHISM 3222 /***** ENDOMORPHISH TESTS *****/ 3223 void test_scalar_split(void) { 3224 secp256k1_scalar full; 3225 secp256k1_scalar s1, slam; 3226 const unsigned char zero[32] = {0}; 3227 unsigned char tmp[32]; 3228 3229 random_scalar_order_test(&full); 3230 secp256k1_scalar_split_lambda(&s1, &slam, &full); 3231 3232 /* check that both are <= 128 bits in size */ 3233 if (secp256k1_scalar_is_high(&s1)) { 3234 secp256k1_scalar_negate(&s1, &s1); 3235 } 3236 if (secp256k1_scalar_is_high(&slam)) { 3237 secp256k1_scalar_negate(&slam, &slam); 3238 } 3239 3240 secp256k1_scalar_get_b32(tmp, &s1); 3241 CHECK(memcmp(zero, tmp, 16) == 0); 3242 secp256k1_scalar_get_b32(tmp, &slam); 3243 CHECK(memcmp(zero, tmp, 16) == 0); 3244 } 3245 3246 void run_endomorphism_tests(void) { 3247 test_scalar_split(); 3248 } 3249 #endif 3250 3251 void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) { 3252 unsigned char pubkeyc[65]; 3253 secp256k1_pubkey pubkey; 3254 secp256k1_ge ge; 3255 size_t pubkeyclen; 3256 int32_t ecount; 3257 ecount = 0; 3258 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount); 3259 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) { 3260 /* Smaller sizes are tested exhaustively elsewhere. */ 3261 int32_t i; 3262 memcpy(&pubkeyc[1], input, 64); 3263 VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen); 3264 for (i = 0; i < 256; i++) { 3265 /* Try all type bytes. */ 3266 int xpass; 3267 int ypass; 3268 int ysign; 3269 pubkeyc[0] = i; 3270 /* What sign does this point have? */ 3271 ysign = (input[63] & 1) + 2; 3272 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */ 3273 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2); 3274 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */ 3275 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) && 3276 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65)); 3277 if (xpass || ypass) { 3278 /* These cases must parse. */ 3279 unsigned char pubkeyo[65]; 3280 size_t outl; 3281 memset(&pubkey, 0, sizeof(pubkey)); 3282 VG_UNDEF(&pubkey, sizeof(pubkey)); 3283 ecount = 0; 3284 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1); 3285 VG_CHECK(&pubkey, sizeof(pubkey)); 3286 outl = 65; 3287 VG_UNDEF(pubkeyo, 65); 3288 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1); 3289 VG_CHECK(pubkeyo, outl); 3290 CHECK(outl == 33); 3291 CHECK(memcmp(&pubkeyo[1], &pubkeyc[1], 32) == 0); 3292 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0])); 3293 if (ypass) { 3294 /* This test isn't always done because we decode with alternative signs, so the y won't match. */ 3295 CHECK(pubkeyo[0] == ysign); 3296 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1); 3297 memset(&pubkey, 0, sizeof(pubkey)); 3298 VG_UNDEF(&pubkey, sizeof(pubkey)); 3299 secp256k1_pubkey_save(&pubkey, &ge); 3300 VG_CHECK(&pubkey, sizeof(pubkey)); 3301 outl = 65; 3302 VG_UNDEF(pubkeyo, 65); 3303 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1); 3304 VG_CHECK(pubkeyo, outl); 3305 CHECK(outl == 65); 3306 CHECK(pubkeyo[0] == 4); 3307 CHECK(memcmp(&pubkeyo[1], input, 64) == 0); 3308 } 3309 CHECK(ecount == 0); 3310 } else { 3311 /* These cases must fail to parse. */ 3312 memset(&pubkey, 0xfe, sizeof(pubkey)); 3313 ecount = 0; 3314 VG_UNDEF(&pubkey, sizeof(pubkey)); 3315 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0); 3316 VG_CHECK(&pubkey, sizeof(pubkey)); 3317 CHECK(ecount == 0); 3318 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0); 3319 CHECK(ecount == 1); 3320 } 3321 } 3322 } 3323 secp256k1_context_set_illegal_callback(ctx, NULL, NULL); 3324 } 3325 3326 void run_ec_pubkey_parse_test(void) { 3327 #define SECP256K1_EC_PARSE_TEST_NVALID (12) 3328 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = { 3329 { 3330 /* Point with leading and trailing zeros in x and y serialization. */ 3331 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52, 3332 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3333 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83, 3334 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00 3335 }, 3336 { 3337 /* Point with x equal to a 3rd root of unity.*/ 3338 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9, 3339 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee, 3340 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14, 3341 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee, 3342 }, 3343 { 3344 /* Point with largest x. (1/2) */ 3345 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 3346 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c, 3347 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e, 3348 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d, 3349 }, 3350 { 3351 /* Point with largest x. (2/2) */ 3352 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 3353 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c, 3354 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1, 3355 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2, 3356 }, 3357 { 3358 /* Point with smallest x. (1/2) */ 3359 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3360 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 3361 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14, 3362 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee, 3363 }, 3364 { 3365 /* Point with smallest x. (2/2) */ 3366 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3367 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 3368 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb, 3369 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41, 3370 }, 3371 { 3372 /* Point with largest y. (1/3) */ 3373 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6, 3374 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07, 3375 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 3376 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e, 3377 }, 3378 { 3379 /* Point with largest y. (2/3) */ 3380 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c, 3381 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73, 3382 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 3383 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e, 3384 }, 3385 { 3386 /* Point with largest y. (3/3) */ 3387 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc, 3388 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5, 3389 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 3390 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e, 3391 }, 3392 { 3393 /* Point with smallest y. (1/3) */ 3394 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6, 3395 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07, 3396 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3397 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 3398 }, 3399 { 3400 /* Point with smallest y. (2/3) */ 3401 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c, 3402 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73, 3403 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3404 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 3405 }, 3406 { 3407 /* Point with smallest y. (3/3) */ 3408 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc, 3409 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5, 3410 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3411 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 3412 } 3413 }; 3414 #define SECP256K1_EC_PARSE_TEST_NXVALID (4) 3415 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = { 3416 { 3417 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */ 3418 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6, 3419 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07, 3420 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 3421 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30, 3422 }, 3423 { 3424 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */ 3425 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c, 3426 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73, 3427 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 3428 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30, 3429 }, 3430 { 3431 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/ 3432 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc, 3433 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5, 3434 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 3435 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30, 3436 }, 3437 { 3438 /* x on curve, y is from y^2 = x^3 + 8. */ 3439 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3440 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 3441 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3442 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03 3443 } 3444 }; 3445 #define SECP256K1_EC_PARSE_TEST_NINVALID (7) 3446 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = { 3447 { 3448 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */ 3449 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c, 3450 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53, 3451 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3452 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 3453 }, 3454 { 3455 /* Valid if x overflow ignored (x = 1 mod p). */ 3456 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 3457 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30, 3458 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14, 3459 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee, 3460 }, 3461 { 3462 /* Valid if x overflow ignored (x = 1 mod p). */ 3463 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 3464 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30, 3465 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb, 3466 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41, 3467 }, 3468 { 3469 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */ 3470 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 3471 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e, 3472 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f, 3473 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28, 3474 }, 3475 { 3476 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */ 3477 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 3478 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e, 3479 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0, 3480 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07, 3481 }, 3482 { 3483 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */ 3484 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3485 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3486 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d, 3487 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc, 3488 }, 3489 { 3490 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */ 3491 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3492 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3493 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2, 3494 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53 3495 } 3496 }; 3497 const unsigned char pubkeyc[66] = { 3498 /* Serialization of G. */ 3499 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B, 3500 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17, 3501 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08, 3502 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4, 3503 0xB8, 0x00 3504 }; 3505 unsigned char sout[65]; 3506 unsigned char shortkey[2]; 3507 secp256k1_ge ge; 3508 secp256k1_pubkey pubkey; 3509 size_t len; 3510 int32_t i; 3511 int32_t ecount; 3512 int32_t ecount2; 3513 ecount = 0; 3514 /* Nothing should be reading this far into pubkeyc. */ 3515 VG_UNDEF(&pubkeyc[65], 1); 3516 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount); 3517 /* Zero length claimed, fail, zeroize, no illegal arg error. */ 3518 memset(&pubkey, 0xfe, sizeof(pubkey)); 3519 ecount = 0; 3520 VG_UNDEF(shortkey, 2); 3521 VG_UNDEF(&pubkey, sizeof(pubkey)); 3522 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0); 3523 VG_CHECK(&pubkey, sizeof(pubkey)); 3524 CHECK(ecount == 0); 3525 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0); 3526 CHECK(ecount == 1); 3527 /* Length one claimed, fail, zeroize, no illegal arg error. */ 3528 for (i = 0; i < 256 ; i++) { 3529 memset(&pubkey, 0xfe, sizeof(pubkey)); 3530 ecount = 0; 3531 shortkey[0] = i; 3532 VG_UNDEF(&shortkey[1], 1); 3533 VG_UNDEF(&pubkey, sizeof(pubkey)); 3534 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0); 3535 VG_CHECK(&pubkey, sizeof(pubkey)); 3536 CHECK(ecount == 0); 3537 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0); 3538 CHECK(ecount == 1); 3539 } 3540 /* Length two claimed, fail, zeroize, no illegal arg error. */ 3541 for (i = 0; i < 65536 ; i++) { 3542 memset(&pubkey, 0xfe, sizeof(pubkey)); 3543 ecount = 0; 3544 shortkey[0] = i & 255; 3545 shortkey[1] = i >> 8; 3546 VG_UNDEF(&pubkey, sizeof(pubkey)); 3547 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0); 3548 VG_CHECK(&pubkey, sizeof(pubkey)); 3549 CHECK(ecount == 0); 3550 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0); 3551 CHECK(ecount == 1); 3552 } 3553 memset(&pubkey, 0xfe, sizeof(pubkey)); 3554 ecount = 0; 3555 VG_UNDEF(&pubkey, sizeof(pubkey)); 3556 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */ 3557 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0); 3558 VG_CHECK(&pubkey, sizeof(pubkey)); 3559 CHECK(ecount == 0); 3560 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0); 3561 CHECK(ecount == 1); 3562 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */ 3563 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0); 3564 CHECK(ecount == 2); 3565 /* NULL input string. Illegal arg and zeroize output. */ 3566 memset(&pubkey, 0xfe, sizeof(pubkey)); 3567 ecount = 0; 3568 VG_UNDEF(&pubkey, sizeof(pubkey)); 3569 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0); 3570 VG_CHECK(&pubkey, sizeof(pubkey)); 3571 CHECK(ecount == 1); 3572 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0); 3573 CHECK(ecount == 2); 3574 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */ 3575 memset(&pubkey, 0xfe, sizeof(pubkey)); 3576 ecount = 0; 3577 VG_UNDEF(&pubkey, sizeof(pubkey)); 3578 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0); 3579 VG_CHECK(&pubkey, sizeof(pubkey)); 3580 CHECK(ecount == 0); 3581 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0); 3582 CHECK(ecount == 1); 3583 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */ 3584 memset(&pubkey, 0xfe, sizeof(pubkey)); 3585 ecount = 0; 3586 VG_UNDEF(&pubkey, sizeof(pubkey)); 3587 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0); 3588 VG_CHECK(&pubkey, sizeof(pubkey)); 3589 CHECK(ecount == 0); 3590 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0); 3591 CHECK(ecount == 1); 3592 /* Valid parse. */ 3593 memset(&pubkey, 0, sizeof(pubkey)); 3594 ecount = 0; 3595 VG_UNDEF(&pubkey, sizeof(pubkey)); 3596 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1); 3597 VG_CHECK(&pubkey, sizeof(pubkey)); 3598 CHECK(ecount == 0); 3599 VG_UNDEF(&ge, sizeof(ge)); 3600 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1); 3601 VG_CHECK(&ge.x, sizeof(ge.x)); 3602 VG_CHECK(&ge.y, sizeof(ge.y)); 3603 VG_CHECK(&ge.infinity, sizeof(ge.infinity)); 3604 ge_equals_ge(&secp256k1_ge_const_g, &ge); 3605 CHECK(ecount == 0); 3606 /* secp256k1_ec_pubkey_serialize illegal args. */ 3607 ecount = 0; 3608 len = 65; 3609 CHECK(secp256k1_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0); 3610 CHECK(ecount == 1); 3611 CHECK(len == 0); 3612 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0); 3613 CHECK(ecount == 2); 3614 len = 65; 3615 VG_UNDEF(sout, 65); 3616 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0); 3617 VG_CHECK(sout, 65); 3618 CHECK(ecount == 3); 3619 CHECK(len == 0); 3620 len = 65; 3621 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0); 3622 CHECK(ecount == 4); 3623 CHECK(len == 0); 3624 len = 65; 3625 VG_UNDEF(sout, 65); 3626 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1); 3627 VG_CHECK(sout, 65); 3628 CHECK(ecount == 4); 3629 CHECK(len == 65); 3630 /* Multiple illegal args. Should still set arg error only once. */ 3631 ecount = 0; 3632 ecount2 = 11; 3633 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0); 3634 CHECK(ecount == 1); 3635 /* Does the illegal arg callback actually change the behavior? */ 3636 secp256k1_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2); 3637 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0); 3638 CHECK(ecount == 1); 3639 CHECK(ecount2 == 10); 3640 secp256k1_context_set_illegal_callback(ctx, NULL, NULL); 3641 /* Try a bunch of prefabbed points with all possible encodings. */ 3642 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) { 3643 ec_pubkey_parse_pointtest(valid[i], 1, 1); 3644 } 3645 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) { 3646 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0); 3647 } 3648 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) { 3649 ec_pubkey_parse_pointtest(invalid[i], 0, 0); 3650 } 3651 } 3652 3653 void run_eckey_edge_case_test(void) { 3654 const unsigned char orderc[32] = { 3655 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 3656 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 3657 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b, 3658 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41 3659 }; 3660 const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00}; 3661 unsigned char ctmp[33]; 3662 unsigned char ctmp2[33]; 3663 secp256k1_pubkey pubkey; 3664 secp256k1_pubkey pubkey2; 3665 secp256k1_pubkey pubkey_one; 3666 secp256k1_pubkey pubkey_negone; 3667 const secp256k1_pubkey *pubkeys[3]; 3668 size_t len; 3669 int32_t ecount; 3670 /* Group order is too large, reject. */ 3671 CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0); 3672 VG_UNDEF(&pubkey, sizeof(pubkey)); 3673 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0); 3674 VG_CHECK(&pubkey, sizeof(pubkey)); 3675 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0); 3676 /* Maximum value is too large, reject. */ 3677 memset(ctmp, 255, 32); 3678 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0); 3679 memset(&pubkey, 1, sizeof(pubkey)); 3680 VG_UNDEF(&pubkey, sizeof(pubkey)); 3681 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0); 3682 VG_CHECK(&pubkey, sizeof(pubkey)); 3683 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0); 3684 /* Zero is too small, reject. */ 3685 memset(ctmp, 0, 32); 3686 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0); 3687 memset(&pubkey, 1, sizeof(pubkey)); 3688 VG_UNDEF(&pubkey, sizeof(pubkey)); 3689 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0); 3690 VG_CHECK(&pubkey, sizeof(pubkey)); 3691 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0); 3692 /* One must be accepted. */ 3693 ctmp[31] = 0x01; 3694 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1); 3695 memset(&pubkey, 0, sizeof(pubkey)); 3696 VG_UNDEF(&pubkey, sizeof(pubkey)); 3697 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1); 3698 VG_CHECK(&pubkey, sizeof(pubkey)); 3699 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0); 3700 pubkey_one = pubkey; 3701 /* Group order + 1 is too large, reject. */ 3702 memcpy(ctmp, orderc, 32); 3703 ctmp[31] = 0x42; 3704 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0); 3705 memset(&pubkey, 1, sizeof(pubkey)); 3706 VG_UNDEF(&pubkey, sizeof(pubkey)); 3707 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0); 3708 VG_CHECK(&pubkey, sizeof(pubkey)); 3709 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0); 3710 /* -1 must be accepted. */ 3711 ctmp[31] = 0x40; 3712 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1); 3713 memset(&pubkey, 0, sizeof(pubkey)); 3714 VG_UNDEF(&pubkey, sizeof(pubkey)); 3715 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1); 3716 VG_CHECK(&pubkey, sizeof(pubkey)); 3717 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0); 3718 pubkey_negone = pubkey; 3719 /* Tweak of zero leaves the value unchanged. */ 3720 memset(ctmp2, 0, 32); 3721 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, ctmp2) == 1); 3722 CHECK(memcmp(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40); 3723 memcpy(&pubkey2, &pubkey, sizeof(pubkey)); 3724 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1); 3725 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0); 3726 /* Multiply tweak of zero zeroizes the output. */ 3727 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, ctmp2) == 0); 3728 CHECK(memcmp(zeros, ctmp, 32) == 0); 3729 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0); 3730 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0); 3731 memcpy(&pubkey, &pubkey2, sizeof(pubkey)); 3732 /* Overflowing key tweak zeroizes. */ 3733 memcpy(ctmp, orderc, 32); 3734 ctmp[31] = 0x40; 3735 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, orderc) == 0); 3736 CHECK(memcmp(zeros, ctmp, 32) == 0); 3737 memcpy(ctmp, orderc, 32); 3738 ctmp[31] = 0x40; 3739 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, orderc) == 0); 3740 CHECK(memcmp(zeros, ctmp, 32) == 0); 3741 memcpy(ctmp, orderc, 32); 3742 ctmp[31] = 0x40; 3743 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0); 3744 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0); 3745 memcpy(&pubkey, &pubkey2, sizeof(pubkey)); 3746 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0); 3747 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0); 3748 memcpy(&pubkey, &pubkey2, sizeof(pubkey)); 3749 /* Private key tweaks results in a key of zero. */ 3750 ctmp2[31] = 1; 3751 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 0); 3752 CHECK(memcmp(zeros, ctmp2, 32) == 0); 3753 ctmp2[31] = 1; 3754 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0); 3755 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0); 3756 memcpy(&pubkey, &pubkey2, sizeof(pubkey)); 3757 /* Tweak computation wraps and results in a key of 1. */ 3758 ctmp2[31] = 2; 3759 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 1); 3760 CHECK(memcmp(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1); 3761 ctmp2[31] = 2; 3762 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1); 3763 ctmp2[31] = 1; 3764 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1); 3765 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0); 3766 /* Tweak mul * 2 = 1+1. */ 3767 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1); 3768 ctmp2[31] = 2; 3769 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1); 3770 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0); 3771 /* Test argument errors. */ 3772 ecount = 0; 3773 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount); 3774 CHECK(ecount == 0); 3775 /* Zeroize pubkey on parse error. */ 3776 memset(&pubkey, 0, 32); 3777 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0); 3778 CHECK(ecount == 1); 3779 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0); 3780 memcpy(&pubkey, &pubkey2, sizeof(pubkey)); 3781 memset(&pubkey2, 0, 32); 3782 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0); 3783 CHECK(ecount == 2); 3784 CHECK(memcmp(&pubkey2, zeros, sizeof(pubkey2)) == 0); 3785 /* Plain argument errors. */ 3786 ecount = 0; 3787 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1); 3788 CHECK(ecount == 0); 3789 CHECK(secp256k1_ec_seckey_verify(ctx, NULL) == 0); 3790 CHECK(ecount == 1); 3791 ecount = 0; 3792 memset(ctmp2, 0, 32); 3793 ctmp2[31] = 4; 3794 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0); 3795 CHECK(ecount == 1); 3796 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0); 3797 CHECK(ecount == 2); 3798 ecount = 0; 3799 memset(ctmp2, 0, 32); 3800 ctmp2[31] = 4; 3801 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0); 3802 CHECK(ecount == 1); 3803 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0); 3804 CHECK(ecount == 2); 3805 ecount = 0; 3806 memset(ctmp2, 0, 32); 3807 CHECK(secp256k1_ec_privkey_tweak_add(ctx, NULL, ctmp2) == 0); 3808 CHECK(ecount == 1); 3809 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, NULL) == 0); 3810 CHECK(ecount == 2); 3811 ecount = 0; 3812 memset(ctmp2, 0, 32); 3813 ctmp2[31] = 1; 3814 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, NULL, ctmp2) == 0); 3815 CHECK(ecount == 1); 3816 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, NULL) == 0); 3817 CHECK(ecount == 2); 3818 ecount = 0; 3819 CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0); 3820 CHECK(ecount == 1); 3821 memset(&pubkey, 1, sizeof(pubkey)); 3822 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0); 3823 CHECK(ecount == 2); 3824 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0); 3825 /* secp256k1_ec_pubkey_combine tests. */ 3826 ecount = 0; 3827 pubkeys[0] = &pubkey_one; 3828 VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *)); 3829 VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *)); 3830 VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *)); 3831 memset(&pubkey, 255, sizeof(secp256k1_pubkey)); 3832 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey)); 3833 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0); 3834 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey)); 3835 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0); 3836 CHECK(ecount == 1); 3837 CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0); 3838 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0); 3839 CHECK(ecount == 2); 3840 memset(&pubkey, 255, sizeof(secp256k1_pubkey)); 3841 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey)); 3842 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0); 3843 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey)); 3844 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0); 3845 CHECK(ecount == 3); 3846 pubkeys[0] = &pubkey_negone; 3847 memset(&pubkey, 255, sizeof(secp256k1_pubkey)); 3848 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey)); 3849 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1); 3850 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey)); 3851 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0); 3852 CHECK(ecount == 3); 3853 len = 33; 3854 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1); 3855 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1); 3856 CHECK(memcmp(ctmp, ctmp2, 33) == 0); 3857 /* Result is infinity. */ 3858 pubkeys[0] = &pubkey_one; 3859 pubkeys[1] = &pubkey_negone; 3860 memset(&pubkey, 255, sizeof(secp256k1_pubkey)); 3861 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey)); 3862 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0); 3863 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey)); 3864 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0); 3865 CHECK(ecount == 3); 3866 /* Passes through infinity but comes out one. */ 3867 pubkeys[2] = &pubkey_one; 3868 memset(&pubkey, 255, sizeof(secp256k1_pubkey)); 3869 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey)); 3870 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1); 3871 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey)); 3872 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0); 3873 CHECK(ecount == 3); 3874 len = 33; 3875 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1); 3876 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1); 3877 CHECK(memcmp(ctmp, ctmp2, 33) == 0); 3878 /* Adds to two. */ 3879 pubkeys[1] = &pubkey_one; 3880 memset(&pubkey, 255, sizeof(secp256k1_pubkey)); 3881 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey)); 3882 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1); 3883 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey)); 3884 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0); 3885 CHECK(ecount == 3); 3886 secp256k1_context_set_illegal_callback(ctx, NULL, NULL); 3887 } 3888 3889 void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) { 3890 secp256k1_scalar nonce; 3891 do { 3892 random_scalar_order_test(&nonce); 3893 } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid)); 3894 } 3895 3896 void test_ecdsa_sign_verify(void) { 3897 secp256k1_gej pubj; 3898 secp256k1_ge pub; 3899 secp256k1_scalar one; 3900 secp256k1_scalar msg, key; 3901 secp256k1_scalar sigr, sigs; 3902 int recid; 3903 int getrec; 3904 random_scalar_order_test(&msg); 3905 random_scalar_order_test(&key); 3906 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key); 3907 secp256k1_ge_set_gej(&pub, &pubj); 3908 getrec = secp256k1_rand_bits(1); 3909 random_sign(&sigr, &sigs, &key, &msg, getrec?&recid:NULL); 3910 if (getrec) { 3911 CHECK(recid >= 0 && recid < 4); 3912 } 3913 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg)); 3914 secp256k1_scalar_set_int(&one, 1); 3915 secp256k1_scalar_add(&msg, &msg, &one); 3916 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg)); 3917 } 3918 3919 void run_ecdsa_sign_verify(void) { 3920 int i; 3921 for (i = 0; i < 10*count; i++) { 3922 test_ecdsa_sign_verify(); 3923 } 3924 } 3925 3926 /** Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted. Use only for testing. */ 3927 static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) { 3928 (void)msg32; 3929 (void)key32; 3930 (void)algo16; 3931 memcpy(nonce32, data, 32); 3932 return (counter == 0); 3933 } 3934 3935 static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) { 3936 /* Dummy nonce generator that has a fatal error on the first counter value. */ 3937 if (counter == 0) { 3938 return 0; 3939 } 3940 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1); 3941 } 3942 3943 static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) { 3944 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */ 3945 if (counter < 3) { 3946 memset(nonce32, counter==0 ? 0 : 255, 32); 3947 if (counter == 2) { 3948 nonce32[31]--; 3949 } 3950 return 1; 3951 } 3952 if (counter < 5) { 3953 static const unsigned char order[] = { 3954 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 3955 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE, 3956 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B, 3957 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41 3958 }; 3959 memcpy(nonce32, order, 32); 3960 if (counter == 4) { 3961 nonce32[31]++; 3962 } 3963 return 1; 3964 } 3965 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */ 3966 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */ 3967 if (counter > 5) { 3968 return 0; 3969 } 3970 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5); 3971 } 3972 3973 int is_empty_signature(const secp256k1_ecdsa_signature *sig) { 3974 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0}; 3975 return memcmp(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0; 3976 } 3977 3978 void test_ecdsa_end_to_end(void) { 3979 unsigned char extra[32] = {0x00}; 3980 unsigned char privkey[32]; 3981 unsigned char message[32]; 3982 unsigned char privkey2[32]; 3983 secp256k1_ecdsa_signature signature[6]; 3984 secp256k1_scalar r, s; 3985 unsigned char sig[74]; 3986 size_t siglen = 74; 3987 unsigned char pubkeyc[65]; 3988 size_t pubkeyclen = 65; 3989 secp256k1_pubkey pubkey; 3990 secp256k1_pubkey pubkey_tmp; 3991 unsigned char seckey[300]; 3992 size_t seckeylen = 300; 3993 3994 /* Generate a random key and message. */ 3995 { 3996 secp256k1_scalar msg, key; 3997 random_scalar_order_test(&msg); 3998 random_scalar_order_test(&key); 3999 secp256k1_scalar_get_b32(privkey, &key); 4000 secp256k1_scalar_get_b32(message, &msg); 4001 } 4002 4003 /* Construct and verify corresponding public key. */ 4004 CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1); 4005 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1); 4006 4007 /* Verify exporting and importing public key. */ 4008 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, secp256k1_rand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED)); 4009 memset(&pubkey, 0, sizeof(pubkey)); 4010 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1); 4011 4012 /* Verify negation changes the key and changes it back */ 4013 memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey)); 4014 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1); 4015 CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0); 4016 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1); 4017 CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0); 4018 4019 /* Verify private key import and export. */ 4020 CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, secp256k1_rand_bits(1) == 1)); 4021 CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1); 4022 CHECK(memcmp(privkey, privkey2, 32) == 0); 4023 4024 /* Optionally tweak the keys using addition. */ 4025 if (secp256k1_rand_int(3) == 0) { 4026 int ret1; 4027 int ret2; 4028 unsigned char rnd[32]; 4029 secp256k1_pubkey pubkey2; 4030 secp256k1_rand256_test(rnd); 4031 ret1 = secp256k1_ec_privkey_tweak_add(ctx, privkey, rnd); 4032 ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd); 4033 CHECK(ret1 == ret2); 4034 if (ret1 == 0) { 4035 return; 4036 } 4037 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1); 4038 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0); 4039 } 4040 4041 /* Optionally tweak the keys using multiplication. */ 4042 if (secp256k1_rand_int(3) == 0) { 4043 int ret1; 4044 int ret2; 4045 unsigned char rnd[32]; 4046 secp256k1_pubkey pubkey2; 4047 secp256k1_rand256_test(rnd); 4048 ret1 = secp256k1_ec_privkey_tweak_mul(ctx, privkey, rnd); 4049 ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd); 4050 CHECK(ret1 == ret2); 4051 if (ret1 == 0) { 4052 return; 4053 } 4054 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1); 4055 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0); 4056 } 4057 4058 /* Sign. */ 4059 CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1); 4060 CHECK(secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1); 4061 CHECK(secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1); 4062 extra[31] = 1; 4063 CHECK(secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1); 4064 extra[31] = 0; 4065 extra[0] = 1; 4066 CHECK(secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1); 4067 CHECK(memcmp(&signature[0], &signature[4], sizeof(signature[0])) == 0); 4068 CHECK(memcmp(&signature[0], &signature[1], sizeof(signature[0])) != 0); 4069 CHECK(memcmp(&signature[0], &signature[2], sizeof(signature[0])) != 0); 4070 CHECK(memcmp(&signature[0], &signature[3], sizeof(signature[0])) != 0); 4071 CHECK(memcmp(&signature[1], &signature[2], sizeof(signature[0])) != 0); 4072 CHECK(memcmp(&signature[1], &signature[3], sizeof(signature[0])) != 0); 4073 CHECK(memcmp(&signature[2], &signature[3], sizeof(signature[0])) != 0); 4074 /* Verify. */ 4075 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1); 4076 CHECK(secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1); 4077 CHECK(secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1); 4078 CHECK(secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1); 4079 /* Test lower-S form, malleate, verify and fail, test again, malleate again */ 4080 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[0])); 4081 secp256k1_ecdsa_signature_load(ctx, &r, &s, &signature[0]); 4082 secp256k1_scalar_negate(&s, &s); 4083 secp256k1_ecdsa_signature_save(&signature[5], &r, &s); 4084 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0); 4085 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5])); 4086 CHECK(secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5])); 4087 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5])); 4088 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5])); 4089 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1); 4090 secp256k1_scalar_negate(&s, &s); 4091 secp256k1_ecdsa_signature_save(&signature[5], &r, &s); 4092 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5])); 4093 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1); 4094 CHECK(memcmp(&signature[5], &signature[0], 64) == 0); 4095 4096 /* Serialize/parse DER and verify again */ 4097 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1); 4098 memset(&signature[0], 0, sizeof(signature[0])); 4099 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1); 4100 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1); 4101 /* Serialize/destroy/parse DER and verify again. */ 4102 siglen = 74; 4103 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1); 4104 sig[secp256k1_rand_int(siglen)] += 1 + secp256k1_rand_int(255); 4105 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 || 4106 secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0); 4107 } 4108 4109 void test_random_pubkeys(void) { 4110 secp256k1_ge elem; 4111 secp256k1_ge elem2; 4112 unsigned char in[65]; 4113 /* Generate some randomly sized pubkeys. */ 4114 size_t len = secp256k1_rand_bits(2) == 0 ? 65 : 33; 4115 if (secp256k1_rand_bits(2) == 0) { 4116 len = secp256k1_rand_bits(6); 4117 } 4118 if (len == 65) { 4119 in[0] = secp256k1_rand_bits(1) ? 4 : (secp256k1_rand_bits(1) ? 6 : 7); 4120 } else { 4121 in[0] = secp256k1_rand_bits(1) ? 2 : 3; 4122 } 4123 if (secp256k1_rand_bits(3) == 0) { 4124 in[0] = secp256k1_rand_bits(8); 4125 } 4126 if (len > 1) { 4127 secp256k1_rand256(&in[1]); 4128 } 4129 if (len > 33) { 4130 secp256k1_rand256(&in[33]); 4131 } 4132 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) { 4133 unsigned char out[65]; 4134 unsigned char firstb; 4135 int res; 4136 size_t size = len; 4137 firstb = in[0]; 4138 /* If the pubkey can be parsed, it should round-trip... */ 4139 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33)); 4140 CHECK(size == len); 4141 CHECK(memcmp(&in[1], &out[1], len-1) == 0); 4142 /* ... except for the type of hybrid inputs. */ 4143 if ((in[0] != 6) && (in[0] != 7)) { 4144 CHECK(in[0] == out[0]); 4145 } 4146 size = 65; 4147 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0)); 4148 CHECK(size == 65); 4149 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size)); 4150 ge_equals_ge(&elem,&elem2); 4151 /* Check that the X9.62 hybrid type is checked. */ 4152 in[0] = secp256k1_rand_bits(1) ? 6 : 7; 4153 res = secp256k1_eckey_pubkey_parse(&elem2, in, size); 4154 if (firstb == 2 || firstb == 3) { 4155 if (in[0] == firstb + 4) { 4156 CHECK(res); 4157 } else { 4158 CHECK(!res); 4159 } 4160 } 4161 if (res) { 4162 ge_equals_ge(&elem,&elem2); 4163 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0)); 4164 CHECK(memcmp(&in[1], &out[1], 64) == 0); 4165 } 4166 } 4167 } 4168 4169 void run_random_pubkeys(void) { 4170 int i; 4171 for (i = 0; i < 10*count; i++) { 4172 test_random_pubkeys(); 4173 } 4174 } 4175 4176 void run_ecdsa_end_to_end(void) { 4177 int i; 4178 for (i = 0; i < 64*count; i++) { 4179 test_ecdsa_end_to_end(); 4180 } 4181 } 4182 4183 int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) { 4184 static const unsigned char zeroes[32] = {0}; 4185 #ifdef ENABLE_OPENSSL_TESTS 4186 static const unsigned char max_scalar[32] = { 4187 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4188 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 4189 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b, 4190 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40 4191 }; 4192 #endif 4193 4194 int ret = 0; 4195 4196 secp256k1_ecdsa_signature sig_der; 4197 unsigned char roundtrip_der[2048]; 4198 unsigned char compact_der[64]; 4199 size_t len_der = 2048; 4200 int parsed_der = 0, valid_der = 0, roundtrips_der = 0; 4201 4202 secp256k1_ecdsa_signature sig_der_lax; 4203 unsigned char roundtrip_der_lax[2048]; 4204 unsigned char compact_der_lax[64]; 4205 size_t len_der_lax = 2048; 4206 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0; 4207 4208 #ifdef ENABLE_OPENSSL_TESTS 4209 ECDSA_SIG *sig_openssl; 4210 const BIGNUM *r = NULL, *s = NULL; 4211 const unsigned char *sigptr; 4212 unsigned char roundtrip_openssl[2048]; 4213 int len_openssl = 2048; 4214 int parsed_openssl, valid_openssl = 0, roundtrips_openssl = 0; 4215 #endif 4216 4217 parsed_der = secp256k1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen); 4218 if (parsed_der) { 4219 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0; 4220 valid_der = (memcmp(compact_der, zeroes, 32) != 0) && (memcmp(compact_der + 32, zeroes, 32) != 0); 4221 } 4222 if (valid_der) { 4223 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1; 4224 roundtrips_der = (len_der == siglen) && memcmp(roundtrip_der, sig, siglen) == 0; 4225 } 4226 4227 parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen); 4228 if (parsed_der_lax) { 4229 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10; 4230 valid_der_lax = (memcmp(compact_der_lax, zeroes, 32) != 0) && (memcmp(compact_der_lax + 32, zeroes, 32) != 0); 4231 } 4232 if (valid_der_lax) { 4233 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11; 4234 roundtrips_der_lax = (len_der_lax == siglen) && memcmp(roundtrip_der_lax, sig, siglen) == 0; 4235 } 4236 4237 if (certainly_der) { 4238 ret |= (!parsed_der) << 2; 4239 } 4240 if (certainly_not_der) { 4241 ret |= (parsed_der) << 17; 4242 } 4243 if (valid_der) { 4244 ret |= (!roundtrips_der) << 3; 4245 } 4246 4247 if (valid_der) { 4248 ret |= (!roundtrips_der_lax) << 12; 4249 ret |= (len_der != len_der_lax) << 13; 4250 ret |= (memcmp(roundtrip_der_lax, roundtrip_der, len_der) != 0) << 14; 4251 } 4252 ret |= (roundtrips_der != roundtrips_der_lax) << 15; 4253 if (parsed_der) { 4254 ret |= (!parsed_der_lax) << 16; 4255 } 4256 4257 #ifdef ENABLE_OPENSSL_TESTS 4258 sig_openssl = ECDSA_SIG_new(); 4259 sigptr = sig; 4260 parsed_openssl = (d2i_ECDSA_SIG(&sig_openssl, &sigptr, siglen) != NULL); 4261 if (parsed_openssl) { 4262 ECDSA_SIG_get0(sig_openssl, &r, &s); 4263 valid_openssl = !BN_is_negative(r) && !BN_is_negative(s) && BN_num_bits(r) > 0 && BN_num_bits(r) <= 256 && BN_num_bits(s) > 0 && BN_num_bits(s) <= 256; 4264 if (valid_openssl) { 4265 unsigned char tmp[32] = {0}; 4266 BN_bn2bin(r, tmp + 32 - BN_num_bytes(r)); 4267 valid_openssl = memcmp(tmp, max_scalar, 32) < 0; 4268 } 4269 if (valid_openssl) { 4270 unsigned char tmp[32] = {0}; 4271 BN_bn2bin(s, tmp + 32 - BN_num_bytes(s)); 4272 valid_openssl = memcmp(tmp, max_scalar, 32) < 0; 4273 } 4274 } 4275 len_openssl = i2d_ECDSA_SIG(sig_openssl, NULL); 4276 if (len_openssl <= 2048) { 4277 unsigned char *ptr = roundtrip_openssl; 4278 CHECK(i2d_ECDSA_SIG(sig_openssl, &ptr) == len_openssl); 4279 roundtrips_openssl = valid_openssl && ((size_t)len_openssl == siglen) && (memcmp(roundtrip_openssl, sig, siglen) == 0); 4280 } else { 4281 len_openssl = 0; 4282 } 4283 ECDSA_SIG_free(sig_openssl); 4284 4285 ret |= (parsed_der && !parsed_openssl) << 4; 4286 ret |= (valid_der && !valid_openssl) << 5; 4287 ret |= (roundtrips_openssl && !parsed_der) << 6; 4288 ret |= (roundtrips_der != roundtrips_openssl) << 7; 4289 if (roundtrips_openssl) { 4290 ret |= (len_der != (size_t)len_openssl) << 8; 4291 ret |= (memcmp(roundtrip_der, roundtrip_openssl, len_der) != 0) << 9; 4292 } 4293 #endif 4294 return ret; 4295 } 4296 4297 static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) { 4298 size_t i; 4299 for (i = 0; i < ptrlen; i++) { 4300 int shift = ptrlen - 1 - i; 4301 if (shift >= 4) { 4302 ptr[i] = 0; 4303 } else { 4304 ptr[i] = (val >> shift) & 0xFF; 4305 } 4306 } 4307 } 4308 4309 static void damage_array(unsigned char *sig, size_t *len) { 4310 int pos; 4311 int action = secp256k1_rand_bits(3); 4312 if (action < 1 && *len > 3) { 4313 /* Delete a byte. */ 4314 pos = secp256k1_rand_int(*len); 4315 memmove(sig + pos, sig + pos + 1, *len - pos - 1); 4316 (*len)--; 4317 return; 4318 } else if (action < 2 && *len < 2048) { 4319 /* Insert a byte. */ 4320 pos = secp256k1_rand_int(1 + *len); 4321 memmove(sig + pos + 1, sig + pos, *len - pos); 4322 sig[pos] = secp256k1_rand_bits(8); 4323 (*len)++; 4324 return; 4325 } else if (action < 4) { 4326 /* Modify a byte. */ 4327 sig[secp256k1_rand_int(*len)] += 1 + secp256k1_rand_int(255); 4328 return; 4329 } else { /* action < 8 */ 4330 /* Modify a bit. */ 4331 sig[secp256k1_rand_int(*len)] ^= 1 << secp256k1_rand_bits(3); 4332 return; 4333 } 4334 } 4335 4336 static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) { 4337 int der; 4338 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2]; 4339 size_t tlen, elen, glen; 4340 int indet; 4341 int n; 4342 4343 *len = 0; 4344 der = secp256k1_rand_bits(2) == 0; 4345 *certainly_der = der; 4346 *certainly_not_der = 0; 4347 indet = der ? 0 : secp256k1_rand_int(10) == 0; 4348 4349 for (n = 0; n < 2; n++) { 4350 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */ 4351 nlow[n] = der ? 1 : (secp256k1_rand_bits(3) != 0); 4352 /* The length of the number in bytes (the first byte of which will always be nonzero) */ 4353 nlen[n] = nlow[n] ? secp256k1_rand_int(33) : 32 + secp256k1_rand_int(200) * secp256k1_rand_int(8) / 8; 4354 CHECK(nlen[n] <= 232); 4355 /* The top bit of the number. */ 4356 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_rand_bits(1)); 4357 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */ 4358 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_rand_bits(7) : 1 + secp256k1_rand_int(127)); 4359 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */ 4360 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_rand_int(3) : secp256k1_rand_int(300 - nlen[n]) * secp256k1_rand_int(8) / 8); 4361 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) { 4362 *certainly_not_der = 1; 4363 } 4364 CHECK(nlen[n] + nzlen[n] <= 300); 4365 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */ 4366 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2); 4367 if (!der) { 4368 /* nlenlen[n] max 127 bytes */ 4369 int add = secp256k1_rand_int(127 - nlenlen[n]) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256; 4370 nlenlen[n] += add; 4371 if (add != 0) { 4372 *certainly_not_der = 1; 4373 } 4374 } 4375 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427); 4376 } 4377 4378 /* The total length of the data to go, so far */ 4379 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1]; 4380 CHECK(tlen <= 856); 4381 4382 /* The length of the garbage inside the tuple. */ 4383 elen = (der || indet) ? 0 : secp256k1_rand_int(980 - tlen) * secp256k1_rand_int(8) / 8; 4384 if (elen != 0) { 4385 *certainly_not_der = 1; 4386 } 4387 tlen += elen; 4388 CHECK(tlen <= 980); 4389 4390 /* The length of the garbage after the end of the tuple. */ 4391 glen = der ? 0 : secp256k1_rand_int(990 - tlen) * secp256k1_rand_int(8) / 8; 4392 if (glen != 0) { 4393 *certainly_not_der = 1; 4394 } 4395 CHECK(tlen + glen <= 990); 4396 4397 /* Write the tuple header. */ 4398 sig[(*len)++] = 0x30; 4399 if (indet) { 4400 /* Indeterminate length */ 4401 sig[(*len)++] = 0x80; 4402 *certainly_not_der = 1; 4403 } else { 4404 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2); 4405 if (!der) { 4406 int add = secp256k1_rand_int(127 - tlenlen) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256; 4407 tlenlen += add; 4408 if (add != 0) { 4409 *certainly_not_der = 1; 4410 } 4411 } 4412 if (tlenlen == 0) { 4413 /* Short length notation */ 4414 sig[(*len)++] = tlen; 4415 } else { 4416 /* Long length notation */ 4417 sig[(*len)++] = 128 + tlenlen; 4418 assign_big_endian(sig + *len, tlenlen, tlen); 4419 *len += tlenlen; 4420 } 4421 tlen += tlenlen; 4422 } 4423 tlen += 2; 4424 CHECK(tlen + glen <= 1119); 4425 4426 for (n = 0; n < 2; n++) { 4427 /* Write the integer header. */ 4428 sig[(*len)++] = 0x02; 4429 if (nlenlen[n] == 0) { 4430 /* Short length notation */ 4431 sig[(*len)++] = nlen[n] + nzlen[n]; 4432 } else { 4433 /* Long length notation. */ 4434 sig[(*len)++] = 128 + nlenlen[n]; 4435 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]); 4436 *len += nlenlen[n]; 4437 } 4438 /* Write zero padding */ 4439 while (nzlen[n] > 0) { 4440 sig[(*len)++] = 0x00; 4441 nzlen[n]--; 4442 } 4443 if (nlen[n] == 32 && !nlow[n]) { 4444 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */ 4445 int i; 4446 for (i = 0; i < 16; i++) { 4447 sig[(*len)++] = 0xFF; 4448 } 4449 nlen[n] -= 16; 4450 } 4451 /* Write first byte of number */ 4452 if (nlen[n] > 0) { 4453 sig[(*len)++] = nhbyte[n]; 4454 nlen[n]--; 4455 } 4456 /* Generate remaining random bytes of number */ 4457 secp256k1_rand_bytes_test(sig + *len, nlen[n]); 4458 *len += nlen[n]; 4459 nlen[n] = 0; 4460 } 4461 4462 /* Generate random garbage inside tuple. */ 4463 secp256k1_rand_bytes_test(sig + *len, elen); 4464 *len += elen; 4465 4466 /* Generate end-of-contents bytes. */ 4467 if (indet) { 4468 sig[(*len)++] = 0; 4469 sig[(*len)++] = 0; 4470 tlen += 2; 4471 } 4472 CHECK(tlen + glen <= 1121); 4473 4474 /* Generate random garbage outside tuple. */ 4475 secp256k1_rand_bytes_test(sig + *len, glen); 4476 *len += glen; 4477 tlen += glen; 4478 CHECK(tlen <= 1121); 4479 CHECK(tlen == *len); 4480 } 4481 4482 void run_ecdsa_der_parse(void) { 4483 int i,j; 4484 for (i = 0; i < 200 * count; i++) { 4485 unsigned char buffer[2048]; 4486 size_t buflen = 0; 4487 int certainly_der = 0; 4488 int certainly_not_der = 0; 4489 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der); 4490 CHECK(buflen <= 2048); 4491 for (j = 0; j < 16; j++) { 4492 int ret = 0; 4493 if (j > 0) { 4494 damage_array(buffer, &buflen); 4495 /* We don't know anything anymore about the DERness of the result */ 4496 certainly_der = 0; 4497 certainly_not_der = 0; 4498 } 4499 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der); 4500 if (ret != 0) { 4501 size_t k; 4502 fprintf(stderr, "Failure %x on ", ret); 4503 for (k = 0; k < buflen; k++) { 4504 fprintf(stderr, "%02x ", buffer[k]); 4505 } 4506 fprintf(stderr, "\n"); 4507 } 4508 CHECK(ret == 0); 4509 } 4510 } 4511 } 4512 4513 /* Tests several edge cases. */ 4514 void test_ecdsa_edge_cases(void) { 4515 int t; 4516 secp256k1_ecdsa_signature sig; 4517 4518 /* Test the case where ECDSA recomputes a point that is infinity. */ 4519 { 4520 secp256k1_gej keyj; 4521 secp256k1_ge key; 4522 secp256k1_scalar msg; 4523 secp256k1_scalar sr, ss; 4524 secp256k1_scalar_set_int(&ss, 1); 4525 secp256k1_scalar_negate(&ss, &ss); 4526 secp256k1_scalar_inverse(&ss, &ss); 4527 secp256k1_scalar_set_int(&sr, 1); 4528 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr); 4529 secp256k1_ge_set_gej(&key, &keyj); 4530 msg = ss; 4531 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0); 4532 } 4533 4534 /* Verify signature with r of zero fails. */ 4535 { 4536 const unsigned char pubkey_mods_zero[33] = { 4537 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4538 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4539 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 4540 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 4541 0x41 4542 }; 4543 secp256k1_ge key; 4544 secp256k1_scalar msg; 4545 secp256k1_scalar sr, ss; 4546 secp256k1_scalar_set_int(&ss, 1); 4547 secp256k1_scalar_set_int(&msg, 0); 4548 secp256k1_scalar_set_int(&sr, 0); 4549 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33)); 4550 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0); 4551 } 4552 4553 /* Verify signature with s of zero fails. */ 4554 { 4555 const unsigned char pubkey[33] = { 4556 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4557 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4558 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4559 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4560 0x01 4561 }; 4562 secp256k1_ge key; 4563 secp256k1_scalar msg; 4564 secp256k1_scalar sr, ss; 4565 secp256k1_scalar_set_int(&ss, 0); 4566 secp256k1_scalar_set_int(&msg, 0); 4567 secp256k1_scalar_set_int(&sr, 1); 4568 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33)); 4569 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0); 4570 } 4571 4572 /* Verify signature with message 0 passes. */ 4573 { 4574 const unsigned char pubkey[33] = { 4575 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4576 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4577 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4578 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4579 0x02 4580 }; 4581 const unsigned char pubkey2[33] = { 4582 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4583 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4584 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 4585 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 4586 0x43 4587 }; 4588 secp256k1_ge key; 4589 secp256k1_ge key2; 4590 secp256k1_scalar msg; 4591 secp256k1_scalar sr, ss; 4592 secp256k1_scalar_set_int(&ss, 2); 4593 secp256k1_scalar_set_int(&msg, 0); 4594 secp256k1_scalar_set_int(&sr, 2); 4595 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33)); 4596 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33)); 4597 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1); 4598 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1); 4599 secp256k1_scalar_negate(&ss, &ss); 4600 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1); 4601 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1); 4602 secp256k1_scalar_set_int(&ss, 1); 4603 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0); 4604 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0); 4605 } 4606 4607 /* Verify signature with message 1 passes. */ 4608 { 4609 const unsigned char pubkey[33] = { 4610 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22, 4611 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05, 4612 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c, 4613 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76, 4614 0x25 4615 }; 4616 const unsigned char pubkey2[33] = { 4617 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40, 4618 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae, 4619 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f, 4620 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10, 4621 0x62 4622 }; 4623 const unsigned char csr[32] = { 4624 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4625 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 4626 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4, 4627 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb 4628 }; 4629 secp256k1_ge key; 4630 secp256k1_ge key2; 4631 secp256k1_scalar msg; 4632 secp256k1_scalar sr, ss; 4633 secp256k1_scalar_set_int(&ss, 1); 4634 secp256k1_scalar_set_int(&msg, 1); 4635 secp256k1_scalar_set_b32(&sr, csr, NULL); 4636 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33)); 4637 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33)); 4638 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1); 4639 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1); 4640 secp256k1_scalar_negate(&ss, &ss); 4641 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1); 4642 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1); 4643 secp256k1_scalar_set_int(&ss, 2); 4644 secp256k1_scalar_inverse_var(&ss, &ss); 4645 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0); 4646 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0); 4647 } 4648 4649 /* Verify signature with message -1 passes. */ 4650 { 4651 const unsigned char pubkey[33] = { 4652 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0, 4653 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52, 4654 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27, 4655 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20, 4656 0xf1 4657 }; 4658 const unsigned char csr[32] = { 4659 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4660 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 4661 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4, 4662 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee 4663 }; 4664 secp256k1_ge key; 4665 secp256k1_scalar msg; 4666 secp256k1_scalar sr, ss; 4667 secp256k1_scalar_set_int(&ss, 1); 4668 secp256k1_scalar_set_int(&msg, 1); 4669 secp256k1_scalar_negate(&msg, &msg); 4670 secp256k1_scalar_set_b32(&sr, csr, NULL); 4671 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33)); 4672 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1); 4673 secp256k1_scalar_negate(&ss, &ss); 4674 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1); 4675 secp256k1_scalar_set_int(&ss, 3); 4676 secp256k1_scalar_inverse_var(&ss, &ss); 4677 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0); 4678 } 4679 4680 /* Signature where s would be zero. */ 4681 { 4682 secp256k1_pubkey pubkey; 4683 size_t siglen; 4684 int32_t ecount; 4685 unsigned char signature[72]; 4686 static const unsigned char nonce[32] = { 4687 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4688 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4689 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4690 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 4691 }; 4692 static const unsigned char nonce2[32] = { 4693 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 4694 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE, 4695 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B, 4696 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40 4697 }; 4698 const unsigned char key[32] = { 4699 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4700 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4701 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 4702 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 4703 }; 4704 unsigned char msg[32] = { 4705 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53, 4706 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7, 4707 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62, 4708 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9, 4709 }; 4710 ecount = 0; 4711 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount); 4712 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0); 4713 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0); 4714 msg[31] = 0xaa; 4715 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1); 4716 CHECK(ecount == 0); 4717 CHECK(secp256k1_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0); 4718 CHECK(ecount == 1); 4719 CHECK(secp256k1_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0); 4720 CHECK(ecount == 2); 4721 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0); 4722 CHECK(ecount == 3); 4723 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1); 4724 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, key) == 1); 4725 CHECK(secp256k1_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0); 4726 CHECK(ecount == 4); 4727 CHECK(secp256k1_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0); 4728 CHECK(ecount == 5); 4729 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, NULL) == 0); 4730 CHECK(ecount == 6); 4731 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1); 4732 CHECK(ecount == 6); 4733 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0); 4734 CHECK(ecount == 7); 4735 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */ 4736 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0); 4737 CHECK(ecount == 8); 4738 siglen = 72; 4739 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0); 4740 CHECK(ecount == 9); 4741 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0); 4742 CHECK(ecount == 10); 4743 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0); 4744 CHECK(ecount == 11); 4745 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1); 4746 CHECK(ecount == 11); 4747 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0); 4748 CHECK(ecount == 12); 4749 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0); 4750 CHECK(ecount == 13); 4751 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1); 4752 CHECK(ecount == 13); 4753 siglen = 10; 4754 /* Too little room for a signature does not fail via ARGCHECK. */ 4755 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0); 4756 CHECK(ecount == 13); 4757 ecount = 0; 4758 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, NULL) == 0); 4759 CHECK(ecount == 1); 4760 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0); 4761 CHECK(ecount == 2); 4762 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0); 4763 CHECK(ecount == 3); 4764 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1); 4765 CHECK(ecount == 3); 4766 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0); 4767 CHECK(ecount == 4); 4768 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0); 4769 CHECK(ecount == 5); 4770 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1); 4771 CHECK(ecount == 5); 4772 memset(signature, 255, 64); 4773 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0); 4774 CHECK(ecount == 5); 4775 secp256k1_context_set_illegal_callback(ctx, NULL, NULL); 4776 } 4777 4778 /* Nonce function corner cases. */ 4779 for (t = 0; t < 2; t++) { 4780 static const unsigned char zero[32] = {0x00}; 4781 int i; 4782 unsigned char key[32]; 4783 unsigned char msg[32]; 4784 secp256k1_ecdsa_signature sig2; 4785 secp256k1_scalar sr[512], ss; 4786 const unsigned char *extra; 4787 extra = t == 0 ? NULL : zero; 4788 memset(msg, 0, 32); 4789 msg[31] = 1; 4790 /* High key results in signature failure. */ 4791 memset(key, 0xFF, 32); 4792 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0); 4793 CHECK(is_empty_signature(&sig)); 4794 /* Zero key results in signature failure. */ 4795 memset(key, 0, 32); 4796 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0); 4797 CHECK(is_empty_signature(&sig)); 4798 /* Nonce function failure results in signature failure. */ 4799 key[31] = 1; 4800 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0); 4801 CHECK(is_empty_signature(&sig)); 4802 /* The retry loop successfully makes its way to the first good value. */ 4803 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1); 4804 CHECK(!is_empty_signature(&sig)); 4805 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1); 4806 CHECK(!is_empty_signature(&sig2)); 4807 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0); 4808 /* The default nonce function is deterministic. */ 4809 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1); 4810 CHECK(!is_empty_signature(&sig2)); 4811 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0); 4812 /* The default nonce function changes output with different messages. */ 4813 for(i = 0; i < 256; i++) { 4814 int j; 4815 msg[0] = i; 4816 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1); 4817 CHECK(!is_empty_signature(&sig2)); 4818 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2); 4819 for (j = 0; j < i; j++) { 4820 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j])); 4821 } 4822 } 4823 msg[0] = 0; 4824 msg[31] = 2; 4825 /* The default nonce function changes output with different keys. */ 4826 for(i = 256; i < 512; i++) { 4827 int j; 4828 key[0] = i - 256; 4829 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1); 4830 CHECK(!is_empty_signature(&sig2)); 4831 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2); 4832 for (j = 0; j < i; j++) { 4833 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j])); 4834 } 4835 } 4836 key[0] = 0; 4837 } 4838 4839 { 4840 /* Check that optional nonce arguments do not have equivalent effect. */ 4841 const unsigned char zeros[32] = {0}; 4842 unsigned char nonce[32]; 4843 unsigned char nonce2[32]; 4844 unsigned char nonce3[32]; 4845 unsigned char nonce4[32]; 4846 VG_UNDEF(nonce,32); 4847 VG_UNDEF(nonce2,32); 4848 VG_UNDEF(nonce3,32); 4849 VG_UNDEF(nonce4,32); 4850 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1); 4851 VG_CHECK(nonce,32); 4852 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1); 4853 VG_CHECK(nonce2,32); 4854 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1); 4855 VG_CHECK(nonce3,32); 4856 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1); 4857 VG_CHECK(nonce4,32); 4858 CHECK(memcmp(nonce, nonce2, 32) != 0); 4859 CHECK(memcmp(nonce, nonce3, 32) != 0); 4860 CHECK(memcmp(nonce, nonce4, 32) != 0); 4861 CHECK(memcmp(nonce2, nonce3, 32) != 0); 4862 CHECK(memcmp(nonce2, nonce4, 32) != 0); 4863 CHECK(memcmp(nonce3, nonce4, 32) != 0); 4864 } 4865 4866 4867 /* Privkey export where pubkey is the point at infinity. */ 4868 { 4869 unsigned char privkey[300]; 4870 unsigned char seckey[32] = { 4871 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 4872 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 4873 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b, 4874 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41, 4875 }; 4876 size_t outlen = 300; 4877 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 0)); 4878 outlen = 300; 4879 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 1)); 4880 } 4881 } 4882 4883 void run_ecdsa_edge_cases(void) { 4884 test_ecdsa_edge_cases(); 4885 } 4886 4887 #ifdef ENABLE_OPENSSL_TESTS 4888 EC_KEY *get_openssl_key(const unsigned char *key32) { 4889 unsigned char privkey[300]; 4890 size_t privkeylen; 4891 const unsigned char* pbegin = privkey; 4892 int compr = secp256k1_rand_bits(1); 4893 EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1); 4894 CHECK(ec_privkey_export_der(ctx, privkey, &privkeylen, key32, compr)); 4895 CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen)); 4896 CHECK(EC_KEY_check_key(ec_key)); 4897 return ec_key; 4898 } 4899 4900 void test_ecdsa_openssl(void) { 4901 secp256k1_gej qj; 4902 secp256k1_ge q; 4903 secp256k1_scalar sigr, sigs; 4904 secp256k1_scalar one; 4905 secp256k1_scalar msg2; 4906 secp256k1_scalar key, msg; 4907 EC_KEY *ec_key; 4908 unsigned int sigsize = 80; 4909 size_t secp_sigsize = 80; 4910 unsigned char message[32]; 4911 unsigned char signature[80]; 4912 unsigned char key32[32]; 4913 secp256k1_rand256_test(message); 4914 secp256k1_scalar_set_b32(&msg, message, NULL); 4915 random_scalar_order_test(&key); 4916 secp256k1_scalar_get_b32(key32, &key); 4917 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &qj, &key); 4918 secp256k1_ge_set_gej(&q, &qj); 4919 ec_key = get_openssl_key(key32); 4920 CHECK(ec_key != NULL); 4921 CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key)); 4922 CHECK(secp256k1_ecdsa_sig_parse(&sigr, &sigs, signature, sigsize)); 4923 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg)); 4924 secp256k1_scalar_set_int(&one, 1); 4925 secp256k1_scalar_add(&msg2, &msg, &one); 4926 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg2)); 4927 4928 random_sign(&sigr, &sigs, &key, &msg, NULL); 4929 CHECK(secp256k1_ecdsa_sig_serialize(signature, &secp_sigsize, &sigr, &sigs)); 4930 CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1); 4931 4932 EC_KEY_free(ec_key); 4933 } 4934 4935 void run_ecdsa_openssl(void) { 4936 int i; 4937 for (i = 0; i < 10*count; i++) { 4938 test_ecdsa_openssl(); 4939 } 4940 } 4941 #endif 4942 4943 #ifdef ENABLE_MODULE_ECDH 4944 # include "modules/ecdh/tests_impl.h" 4945 #endif 4946 4947 #ifdef ENABLE_MODULE_RECOVERY 4948 # include "modules/recovery/tests_impl.h" 4949 #endif 4950 4951 int main(int argc, char **argv) { 4952 unsigned char seed16[16] = {0}; 4953 unsigned char run32[32] = {0}; 4954 /* find iteration count */ 4955 if (argc > 1) { 4956 count = strtol(argv[1], NULL, 0); 4957 } 4958 4959 /* find random seed */ 4960 if (argc > 2) { 4961 int pos = 0; 4962 const char* ch = argv[2]; 4963 while (pos < 16 && ch[0] != 0 && ch[1] != 0) { 4964 unsigned short sh; 4965 if (sscanf(ch, "%2hx", &sh)) { 4966 seed16[pos] = sh; 4967 } else { 4968 break; 4969 } 4970 ch += 2; 4971 pos++; 4972 } 4973 } else { 4974 FILE *frand = fopen("/dev/urandom", "r"); 4975 if ((frand == NULL) || fread(&seed16, sizeof(seed16), 1, frand) != sizeof(seed16)) { 4976 uint64_t t = time(NULL) * (uint64_t)1337; 4977 seed16[0] ^= t; 4978 seed16[1] ^= t >> 8; 4979 seed16[2] ^= t >> 16; 4980 seed16[3] ^= t >> 24; 4981 seed16[4] ^= t >> 32; 4982 seed16[5] ^= t >> 40; 4983 seed16[6] ^= t >> 48; 4984 seed16[7] ^= t >> 56; 4985 } 4986 if (frand) { 4987 fclose(frand); 4988 } 4989 } 4990 secp256k1_rand_seed(seed16); 4991 4992 printf("test count = %i\n", count); 4993 printf("random seed = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", seed16[0], seed16[1], seed16[2], seed16[3], seed16[4], seed16[5], seed16[6], seed16[7], seed16[8], seed16[9], seed16[10], seed16[11], seed16[12], seed16[13], seed16[14], seed16[15]); 4994 4995 /* initialize */ 4996 run_context_tests(); 4997 run_scratch_tests(); 4998 ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); 4999 if (secp256k1_rand_bits(1)) { 5000 secp256k1_rand256(run32); 5001 CHECK(secp256k1_context_randomize(ctx, secp256k1_rand_bits(1) ? run32 : NULL)); 5002 } 5003 5004 run_rand_bits(); 5005 run_rand_int(); 5006 5007 run_sha256_tests(); 5008 run_hmac_sha256_tests(); 5009 run_rfc6979_hmac_sha256_tests(); 5010 5011 #ifndef USE_NUM_NONE 5012 /* num tests */ 5013 run_num_smalltests(); 5014 #endif 5015 5016 /* scalar tests */ 5017 run_scalar_tests(); 5018 5019 /* field tests */ 5020 run_field_inv(); 5021 run_field_inv_var(); 5022 run_field_inv_all_var(); 5023 run_field_misc(); 5024 run_field_convert(); 5025 run_sqr(); 5026 run_sqrt(); 5027 5028 /* group tests */ 5029 run_ge(); 5030 run_group_decompress(); 5031 5032 /* ecmult tests */ 5033 run_wnaf(); 5034 run_point_times_order(); 5035 run_ecmult_chain(); 5036 run_ecmult_constants(); 5037 run_ecmult_gen_blind(); 5038 run_ecmult_const_tests(); 5039 run_ecmult_multi_tests(); 5040 run_ec_combine(); 5041 5042 /* endomorphism tests */ 5043 #ifdef USE_ENDOMORPHISM 5044 run_endomorphism_tests(); 5045 #endif 5046 5047 /* EC point parser test */ 5048 run_ec_pubkey_parse_test(); 5049 5050 /* EC key edge cases */ 5051 run_eckey_edge_case_test(); 5052 5053 #ifdef ENABLE_MODULE_ECDH 5054 /* ecdh tests */ 5055 run_ecdh_tests(); 5056 #endif 5057 5058 /* ecdsa tests */ 5059 run_random_pubkeys(); 5060 run_ecdsa_der_parse(); 5061 run_ecdsa_sign_verify(); 5062 run_ecdsa_end_to_end(); 5063 run_ecdsa_edge_cases(); 5064 #ifdef ENABLE_OPENSSL_TESTS 5065 run_ecdsa_openssl(); 5066 #endif 5067 5068 #ifdef ENABLE_MODULE_RECOVERY 5069 /* ECDSA pubkey recovery tests */ 5070 run_recovery_tests(); 5071 #endif 5072 5073 secp256k1_rand256(run32); 5074 printf("random run = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", run32[0], run32[1], run32[2], run32[3], run32[4], run32[5], run32[6], run32[7], run32[8], run32[9], run32[10], run32[11], run32[12], run32[13], run32[14], run32[15]); 5075 5076 /* shutdown */ 5077 secp256k1_context_destroy(ctx); 5078 5079 printf("no problems found\n"); 5080 return 0; 5081 }