github.com/ethereum/go-ethereum@v1.16.1/crypto/secp256k1/libsecp256k1/src/tests.c (about) 1 /*********************************************************************** 2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell * 3 * Distributed under the MIT software license, see the accompanying * 4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.* 5 ***********************************************************************/ 6 7 #include <stdio.h> 8 #include <stdlib.h> 9 #include <string.h> 10 11 #include <time.h> 12 13 #ifdef USE_EXTERNAL_DEFAULT_CALLBACKS 14 #pragma message("Ignoring USE_EXTERNAL_CALLBACKS in tests.") 15 #undef USE_EXTERNAL_DEFAULT_CALLBACKS 16 #endif 17 #if defined(VERIFY) && defined(COVERAGE) 18 #pragma message("Defining VERIFY for tests being built for coverage analysis support is meaningless.") 19 #endif 20 #include "secp256k1.c" 21 22 #include "../include/secp256k1.h" 23 #include "../include/secp256k1_preallocated.h" 24 #include "testrand_impl.h" 25 #include "checkmem.h" 26 #include "testutil.h" 27 #include "util.h" 28 29 #include "../contrib/lax_der_parsing.c" 30 #include "../contrib/lax_der_privatekey_parsing.c" 31 32 #include "modinv32_impl.h" 33 #ifdef SECP256K1_WIDEMUL_INT128 34 #include "modinv64_impl.h" 35 #include "int128_impl.h" 36 #endif 37 38 #define CONDITIONAL_TEST(cnt, nam) if (COUNT < (cnt)) { printf("Skipping %s (iteration count too low)\n", nam); } else 39 40 static int COUNT = 16; 41 static secp256k1_context *CTX = NULL; 42 static secp256k1_context *STATIC_CTX = NULL; 43 44 static int all_bytes_equal(const void* s, unsigned char value, size_t n) { 45 const unsigned char *p = s; 46 size_t i; 47 48 for (i = 0; i < n; i++) { 49 if (p[i] != value) { 50 return 0; 51 } 52 } 53 return 1; 54 } 55 56 #define CHECK_COUNTING_CALLBACK_VOID(ctx, expr_or_stmt, callback, callback_setter) do { \ 57 int32_t _calls_to_callback = 0; \ 58 secp256k1_callback _saved_callback = ctx->callback; \ 59 callback_setter(ctx, counting_callback_fn, &_calls_to_callback); \ 60 { expr_or_stmt; } \ 61 ctx->callback = _saved_callback; \ 62 CHECK(_calls_to_callback == 1); \ 63 } while(0); 64 65 /* CHECK that expr_or_stmt calls the error or illegal callback of ctx exactly once 66 * 67 * Useful for checking functions that return void (e.g., API functions that use ARG_CHECK_VOID) */ 68 #define CHECK_ERROR_VOID(ctx, expr_or_stmt) \ 69 CHECK_COUNTING_CALLBACK_VOID(ctx, expr_or_stmt, error_callback, secp256k1_context_set_error_callback) 70 #define CHECK_ILLEGAL_VOID(ctx, expr_or_stmt) \ 71 CHECK_COUNTING_CALLBACK_VOID(ctx, expr_or_stmt, illegal_callback, secp256k1_context_set_illegal_callback) 72 73 /* CHECK that 74 * - expr calls the illegal callback of ctx exactly once and, 75 * - expr == 0 (or equivalently, expr == NULL) 76 * 77 * Useful for checking functions that return an integer or a pointer. */ 78 #define CHECK_ILLEGAL(ctx, expr) CHECK_ILLEGAL_VOID(ctx, CHECK((expr) == 0)) 79 #define CHECK_ERROR(ctx, expr) CHECK_ERROR_VOID(ctx, CHECK((expr) == 0)) 80 81 static void counting_callback_fn(const char* str, void* data) { 82 /* Dummy callback function that just counts. */ 83 int32_t *p; 84 (void)str; 85 p = data; 86 CHECK(*p != INT32_MAX); 87 (*p)++; 88 } 89 90 static void uncounting_illegal_callback_fn(const char* str, void* data) { 91 /* Dummy callback function that just counts (backwards). */ 92 int32_t *p; 93 (void)str; 94 p = data; 95 CHECK(*p != INT32_MIN); 96 (*p)--; 97 } 98 99 static void run_xoshiro256pp_tests(void) { 100 { 101 size_t i; 102 /* Sanity check that we run before the actual seeding. */ 103 for (i = 0; i < sizeof(secp256k1_test_state)/sizeof(secp256k1_test_state[0]); i++) { 104 CHECK(secp256k1_test_state[i] == 0); 105 } 106 } 107 { 108 int i; 109 unsigned char buf32[32]; 110 unsigned char seed16[16] = { 111 'C', 'H', 'I', 'C', 'K', 'E', 'N', '!', 112 'C', 'H', 'I', 'C', 'K', 'E', 'N', '!', 113 }; 114 unsigned char buf32_expected[32] = { 115 0xAF, 0xCC, 0xA9, 0x16, 0xB5, 0x6C, 0xE3, 0xF0, 116 0x44, 0x3F, 0x45, 0xE0, 0x47, 0xA5, 0x08, 0x36, 117 0x4C, 0xCC, 0xC1, 0x18, 0xB2, 0xD8, 0x8F, 0xEF, 118 0x43, 0x26, 0x15, 0x57, 0x37, 0x00, 0xEF, 0x30, 119 }; 120 testrand_seed(seed16); 121 for (i = 0; i < 17; i++) { 122 testrand256(buf32); 123 } 124 CHECK(secp256k1_memcmp_var(buf32, buf32_expected, sizeof(buf32)) == 0); 125 } 126 } 127 128 static void run_selftest_tests(void) { 129 /* Test public API */ 130 secp256k1_selftest(); 131 } 132 133 static int ecmult_gen_context_eq(const secp256k1_ecmult_gen_context *a, const secp256k1_ecmult_gen_context *b) { 134 return a->built == b->built 135 && secp256k1_scalar_eq(&a->scalar_offset, &b->scalar_offset) 136 && secp256k1_ge_eq_var(&a->ge_offset, &b->ge_offset) 137 && secp256k1_fe_equal(&a->proj_blind, &b->proj_blind); 138 } 139 140 static int context_eq(const secp256k1_context *a, const secp256k1_context *b) { 141 return a->declassify == b->declassify 142 && ecmult_gen_context_eq(&a->ecmult_gen_ctx, &b->ecmult_gen_ctx) 143 && a->illegal_callback.fn == b->illegal_callback.fn 144 && a->illegal_callback.data == b->illegal_callback.data 145 && a->error_callback.fn == b->error_callback.fn 146 && a->error_callback.data == b->error_callback.data; 147 } 148 149 static void run_deprecated_context_flags_test(void) { 150 /* Check that a context created with any of the flags in the flags array is 151 * identical to the NONE context. */ 152 unsigned int flags[] = { SECP256K1_CONTEXT_SIGN, 153 SECP256K1_CONTEXT_VERIFY, 154 SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY }; 155 secp256k1_context *none_ctx = secp256k1_context_create(SECP256K1_CONTEXT_NONE); 156 int i; 157 for (i = 0; i < (int)(sizeof(flags)/sizeof(flags[0])); i++) { 158 secp256k1_context *tmp_ctx; 159 CHECK(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE) == secp256k1_context_preallocated_size(flags[i])); 160 tmp_ctx = secp256k1_context_create(flags[i]); 161 CHECK(context_eq(none_ctx, tmp_ctx)); 162 secp256k1_context_destroy(tmp_ctx); 163 } 164 secp256k1_context_destroy(none_ctx); 165 } 166 167 static void run_ec_illegal_argument_tests(void) { 168 secp256k1_pubkey pubkey; 169 secp256k1_pubkey zero_pubkey; 170 secp256k1_ecdsa_signature sig; 171 unsigned char ctmp[32]; 172 173 /* Setup */ 174 memset(ctmp, 1, 32); 175 memset(&zero_pubkey, 0, sizeof(zero_pubkey)); 176 177 /* Verify context-type checking illegal-argument errors. */ 178 CHECK_ILLEGAL(STATIC_CTX, secp256k1_ec_pubkey_create(STATIC_CTX, &pubkey, ctmp)); 179 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 180 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1); 181 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 182 CHECK_ILLEGAL(STATIC_CTX, secp256k1_ecdsa_sign(STATIC_CTX, &sig, ctmp, ctmp, NULL, NULL)); 183 SECP256K1_CHECKMEM_UNDEFINE(&sig, sizeof(sig)); 184 CHECK(secp256k1_ecdsa_sign(CTX, &sig, ctmp, ctmp, NULL, NULL) == 1); 185 SECP256K1_CHECKMEM_CHECK(&sig, sizeof(sig)); 186 CHECK(secp256k1_ecdsa_verify(CTX, &sig, ctmp, &pubkey) == 1); 187 CHECK(secp256k1_ecdsa_verify(STATIC_CTX, &sig, ctmp, &pubkey) == 1); 188 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp) == 1); 189 CHECK(secp256k1_ec_pubkey_tweak_add(STATIC_CTX, &pubkey, ctmp) == 1); 190 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, ctmp) == 1); 191 CHECK(secp256k1_ec_pubkey_negate(STATIC_CTX, &pubkey) == 1); 192 CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey) == 1); 193 CHECK_ILLEGAL(STATIC_CTX, secp256k1_ec_pubkey_negate(STATIC_CTX, &zero_pubkey)); 194 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_negate(CTX, NULL)); 195 CHECK(secp256k1_ec_pubkey_tweak_mul(STATIC_CTX, &pubkey, ctmp) == 1); 196 } 197 198 static void run_static_context_tests(int use_prealloc) { 199 /* Check that deprecated secp256k1_context_no_precomp is an alias to secp256k1_context_static. */ 200 CHECK(secp256k1_context_no_precomp == secp256k1_context_static); 201 202 { 203 unsigned char seed[32] = {0x17}; 204 205 /* Randomizing secp256k1_context_static is not supported. */ 206 CHECK_ILLEGAL(STATIC_CTX, secp256k1_context_randomize(STATIC_CTX, seed)); 207 CHECK_ILLEGAL(STATIC_CTX, secp256k1_context_randomize(STATIC_CTX, NULL)); 208 209 /* Destroying or cloning secp256k1_context_static is not supported. */ 210 if (use_prealloc) { 211 CHECK_ILLEGAL(STATIC_CTX, secp256k1_context_preallocated_clone_size(STATIC_CTX)); 212 { 213 secp256k1_context *my_static_ctx = malloc(sizeof(*STATIC_CTX)); 214 CHECK(my_static_ctx != NULL); 215 memset(my_static_ctx, 0x2a, sizeof(*my_static_ctx)); 216 CHECK_ILLEGAL(STATIC_CTX, secp256k1_context_preallocated_clone(STATIC_CTX, my_static_ctx)); 217 CHECK(all_bytes_equal(my_static_ctx, 0x2a, sizeof(*my_static_ctx))); 218 free(my_static_ctx); 219 } 220 CHECK_ILLEGAL_VOID(STATIC_CTX, secp256k1_context_preallocated_destroy(STATIC_CTX)); 221 } else { 222 CHECK_ILLEGAL(STATIC_CTX, secp256k1_context_clone(STATIC_CTX)); 223 CHECK_ILLEGAL_VOID(STATIC_CTX, secp256k1_context_destroy(STATIC_CTX)); 224 } 225 } 226 227 { 228 /* Verify that setting and resetting illegal callback works */ 229 int32_t dummy = 0; 230 secp256k1_context_set_illegal_callback(STATIC_CTX, counting_callback_fn, &dummy); 231 CHECK(STATIC_CTX->illegal_callback.fn == counting_callback_fn); 232 CHECK(STATIC_CTX->illegal_callback.data == &dummy); 233 secp256k1_context_set_illegal_callback(STATIC_CTX, NULL, NULL); 234 CHECK(STATIC_CTX->illegal_callback.fn == secp256k1_default_illegal_callback_fn); 235 CHECK(STATIC_CTX->illegal_callback.data == NULL); 236 } 237 } 238 239 static void run_proper_context_tests(int use_prealloc) { 240 int32_t dummy = 0; 241 secp256k1_context *my_ctx, *my_ctx_fresh; 242 void *my_ctx_prealloc = NULL; 243 unsigned char seed[32] = {0x17}; 244 245 secp256k1_gej pubj; 246 secp256k1_ge pub; 247 secp256k1_scalar msg, key, nonce; 248 secp256k1_scalar sigr, sigs; 249 250 /* Fresh reference context for comparison */ 251 my_ctx_fresh = secp256k1_context_create(SECP256K1_CONTEXT_NONE); 252 253 if (use_prealloc) { 254 my_ctx_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); 255 CHECK(my_ctx_prealloc != NULL); 256 my_ctx = secp256k1_context_preallocated_create(my_ctx_prealloc, SECP256K1_CONTEXT_NONE); 257 } else { 258 my_ctx = secp256k1_context_create(SECP256K1_CONTEXT_NONE); 259 } 260 261 /* Randomize and reset randomization */ 262 CHECK(context_eq(my_ctx, my_ctx_fresh)); 263 CHECK(secp256k1_context_randomize(my_ctx, seed) == 1); 264 CHECK(!context_eq(my_ctx, my_ctx_fresh)); 265 CHECK(secp256k1_context_randomize(my_ctx, NULL) == 1); 266 CHECK(context_eq(my_ctx, my_ctx_fresh)); 267 268 /* set error callback (to a function that still aborts in case malloc() fails in secp256k1_context_clone() below) */ 269 secp256k1_context_set_error_callback(my_ctx, secp256k1_default_illegal_callback_fn, NULL); 270 CHECK(my_ctx->error_callback.fn != secp256k1_default_error_callback_fn); 271 CHECK(my_ctx->error_callback.fn == secp256k1_default_illegal_callback_fn); 272 273 /* check if sizes for cloning are consistent */ 274 CHECK(secp256k1_context_preallocated_clone_size(my_ctx) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); 275 276 /*** clone and destroy all of them to make sure cloning was complete ***/ 277 { 278 secp256k1_context *ctx_tmp; 279 280 if (use_prealloc) { 281 /* clone into a non-preallocated context and then again into a new preallocated one. */ 282 ctx_tmp = my_ctx; 283 my_ctx = secp256k1_context_clone(my_ctx); 284 CHECK(context_eq(ctx_tmp, my_ctx)); 285 secp256k1_context_preallocated_destroy(ctx_tmp); 286 287 free(my_ctx_prealloc); 288 my_ctx_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); 289 CHECK(my_ctx_prealloc != NULL); 290 ctx_tmp = my_ctx; 291 my_ctx = secp256k1_context_preallocated_clone(my_ctx, my_ctx_prealloc); 292 CHECK(context_eq(ctx_tmp, my_ctx)); 293 secp256k1_context_destroy(ctx_tmp); 294 } else { 295 /* clone into a preallocated context and then again into a new non-preallocated one. */ 296 void *prealloc_tmp; 297 298 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); 299 CHECK(prealloc_tmp != NULL); 300 ctx_tmp = my_ctx; 301 my_ctx = secp256k1_context_preallocated_clone(my_ctx, prealloc_tmp); 302 CHECK(context_eq(ctx_tmp, my_ctx)); 303 secp256k1_context_destroy(ctx_tmp); 304 305 ctx_tmp = my_ctx; 306 my_ctx = secp256k1_context_clone(my_ctx); 307 CHECK(context_eq(ctx_tmp, my_ctx)); 308 secp256k1_context_preallocated_destroy(ctx_tmp); 309 free(prealloc_tmp); 310 } 311 } 312 313 /* Verify that the error callback makes it across the clone. */ 314 CHECK(my_ctx->error_callback.fn != secp256k1_default_error_callback_fn); 315 CHECK(my_ctx->error_callback.fn == secp256k1_default_illegal_callback_fn); 316 /* And that it resets back to default. */ 317 secp256k1_context_set_error_callback(my_ctx, NULL, NULL); 318 CHECK(my_ctx->error_callback.fn == secp256k1_default_error_callback_fn); 319 CHECK(context_eq(my_ctx, my_ctx_fresh)); 320 321 /* Verify that setting and resetting illegal callback works */ 322 secp256k1_context_set_illegal_callback(my_ctx, counting_callback_fn, &dummy); 323 CHECK(my_ctx->illegal_callback.fn == counting_callback_fn); 324 CHECK(my_ctx->illegal_callback.data == &dummy); 325 secp256k1_context_set_illegal_callback(my_ctx, NULL, NULL); 326 CHECK(my_ctx->illegal_callback.fn == secp256k1_default_illegal_callback_fn); 327 CHECK(my_ctx->illegal_callback.data == NULL); 328 CHECK(context_eq(my_ctx, my_ctx_fresh)); 329 330 /*** attempt to use them ***/ 331 testutil_random_scalar_order_test(&msg); 332 testutil_random_scalar_order_test(&key); 333 secp256k1_ecmult_gen(&my_ctx->ecmult_gen_ctx, &pubj, &key); 334 secp256k1_ge_set_gej(&pub, &pubj); 335 336 /* obtain a working nonce */ 337 do { 338 testutil_random_scalar_order_test(&nonce); 339 } while(!secp256k1_ecdsa_sig_sign(&my_ctx->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL)); 340 341 /* try signing */ 342 CHECK(secp256k1_ecdsa_sig_sign(&my_ctx->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL)); 343 344 /* try verifying */ 345 CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg)); 346 347 /* cleanup */ 348 if (use_prealloc) { 349 secp256k1_context_preallocated_destroy(my_ctx); 350 free(my_ctx_prealloc); 351 } else { 352 secp256k1_context_destroy(my_ctx); 353 } 354 secp256k1_context_destroy(my_ctx_fresh); 355 356 /* Defined as no-op. */ 357 secp256k1_context_destroy(NULL); 358 secp256k1_context_preallocated_destroy(NULL); 359 } 360 361 static void run_scratch_tests(void) { 362 const size_t adj_alloc = ((500 + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT; 363 364 size_t checkpoint; 365 size_t checkpoint_2; 366 secp256k1_scratch_space *scratch; 367 secp256k1_scratch_space local_scratch; 368 369 /* Test public API */ 370 scratch = secp256k1_scratch_space_create(CTX, 1000); 371 CHECK(scratch != NULL); 372 373 /* Test internal API */ 374 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000); 375 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1)); 376 CHECK(scratch->alloc_size == 0); 377 CHECK(scratch->alloc_size % ALIGNMENT == 0); 378 379 /* Allocating 500 bytes succeeds */ 380 checkpoint = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch); 381 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 500) != NULL); 382 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000 - adj_alloc); 383 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1)); 384 CHECK(scratch->alloc_size != 0); 385 CHECK(scratch->alloc_size % ALIGNMENT == 0); 386 387 /* Allocating another 501 bytes fails */ 388 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 501) == NULL); 389 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000 - adj_alloc); 390 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1)); 391 CHECK(scratch->alloc_size != 0); 392 CHECK(scratch->alloc_size % ALIGNMENT == 0); 393 394 /* ...but it succeeds once we apply the checkpoint to undo it */ 395 secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint); 396 CHECK(scratch->alloc_size == 0); 397 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000); 398 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 500) != NULL); 399 CHECK(scratch->alloc_size != 0); 400 401 /* try to apply a bad checkpoint */ 402 checkpoint_2 = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch); 403 secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint); 404 CHECK_ERROR_VOID(CTX, secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint_2)); /* checkpoint_2 is after checkpoint */ 405 CHECK_ERROR_VOID(CTX, secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, (size_t) -1)); /* this is just wildly invalid */ 406 407 /* try to use badly initialized scratch space */ 408 secp256k1_scratch_space_destroy(CTX, scratch); 409 memset(&local_scratch, 0, sizeof(local_scratch)); 410 scratch = &local_scratch; 411 CHECK_ERROR(CTX, secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0)); 412 CHECK_ERROR(CTX, secp256k1_scratch_alloc(&CTX->error_callback, scratch, 500)); 413 CHECK_ERROR_VOID(CTX, secp256k1_scratch_space_destroy(CTX, scratch)); 414 415 /* Test that large integers do not wrap around in a bad way */ 416 scratch = secp256k1_scratch_space_create(CTX, 1000); 417 /* Try max allocation with a large number of objects. Only makes sense if 418 * ALIGNMENT is greater than 1 because otherwise the objects take no extra 419 * space. */ 420 CHECK(ALIGNMENT <= 1 || !secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, (SIZE_MAX / (ALIGNMENT - 1)) + 1)); 421 /* Try allocating SIZE_MAX to test wrap around which only happens if 422 * ALIGNMENT > 1, otherwise it returns NULL anyway because the scratch 423 * space is too small. */ 424 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, SIZE_MAX) == NULL); 425 secp256k1_scratch_space_destroy(CTX, scratch); 426 427 /* cleanup */ 428 secp256k1_scratch_space_destroy(CTX, NULL); /* no-op */ 429 } 430 431 static void run_ctz_tests(void) { 432 static const uint32_t b32[] = {1, 0xffffffff, 0x5e56968f, 0xe0d63129}; 433 static const uint64_t b64[] = {1, 0xffffffffffffffff, 0xbcd02462139b3fc3, 0x98b5f80c769693ef}; 434 int shift; 435 unsigned i; 436 for (i = 0; i < sizeof(b32) / sizeof(b32[0]); ++i) { 437 for (shift = 0; shift < 32; ++shift) { 438 CHECK(secp256k1_ctz32_var_debruijn(b32[i] << shift) == shift); 439 CHECK(secp256k1_ctz32_var(b32[i] << shift) == shift); 440 } 441 } 442 for (i = 0; i < sizeof(b64) / sizeof(b64[0]); ++i) { 443 for (shift = 0; shift < 64; ++shift) { 444 CHECK(secp256k1_ctz64_var_debruijn(b64[i] << shift) == shift); 445 CHECK(secp256k1_ctz64_var(b64[i] << shift) == shift); 446 } 447 } 448 } 449 450 /***** HASH TESTS *****/ 451 452 static void run_sha256_known_output_tests(void) { 453 static const char *inputs[] = { 454 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe", 455 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", 456 "For this sample, this 63-byte string will be used as input data", 457 "This is exactly 64 bytes long, not counting the terminating byte", 458 "aaaaa", 459 }; 460 static const unsigned int repeat[] = { 461 1, 1, 1, 1, 1, 1, 1, 1, 1000000/5 462 }; 463 static const unsigned char outputs[][32] = { 464 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55}, 465 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad}, 466 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50}, 467 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d}, 468 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30}, 469 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1}, 470 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42}, 471 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}, 472 {0xcd, 0xc7, 0x6e, 0x5c, 0x99, 0x14, 0xfb, 0x92, 0x81, 0xa1, 0xc7, 0xe2, 0x84, 0xd7, 0x3e, 0x67, 0xf1, 0x80, 0x9a, 0x48, 0xa4, 0x97, 0x20, 0x0e, 0x04, 0x6d, 0x39, 0xcc, 0xc7, 0x11, 0x2c, 0xd0}, 473 }; 474 unsigned int i, ninputs; 475 476 /* Skip last input vector for low iteration counts */ 477 ninputs = sizeof(inputs)/sizeof(inputs[0]) - 1; 478 CONDITIONAL_TEST(16, "run_sha256_known_output_tests 1000000") ninputs++; 479 480 for (i = 0; i < ninputs; i++) { 481 unsigned char out[32]; 482 secp256k1_sha256 hasher; 483 unsigned int j; 484 /* 1. Run: simply write the input bytestrings */ 485 j = repeat[i]; 486 secp256k1_sha256_initialize(&hasher); 487 while (j > 0) { 488 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i])); 489 j--; 490 } 491 secp256k1_sha256_finalize(&hasher, out); 492 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0); 493 /* 2. Run: split the input bytestrings randomly before writing */ 494 if (strlen(inputs[i]) > 0) { 495 int split = testrand_int(strlen(inputs[i])); 496 secp256k1_sha256_initialize(&hasher); 497 j = repeat[i]; 498 while (j > 0) { 499 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split); 500 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split); 501 j--; 502 } 503 secp256k1_sha256_finalize(&hasher, out); 504 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0); 505 } 506 } 507 } 508 509 /** SHA256 counter tests 510 511 The tests verify that the SHA256 counter doesn't wrap around at message length 512 2^i bytes for i = 20, ..., 33. This wide range aims at being independent of the 513 implementation of the counter and it catches multiple natural 32-bit overflows 514 (e.g., counting bits, counting bytes, counting blocks, ...). 515 516 The test vectors have been generated using following Python script which relies 517 on https://github.com/cloudtools/sha256/ (v0.3 on Python v3.10.2). 518 519 ``` 520 from sha256 import sha256 521 from copy import copy 522 523 def midstate_c_definition(hasher): 524 ret = ' {{0x' + hasher.state[0].hex('_', 4).replace('_', ', 0x') + '},\n' 525 ret += ' {0x00}, ' + str(hex(hasher.state[1])) + '}' 526 return ret 527 528 def output_c_literal(hasher): 529 return '{0x' + hasher.digest().hex('_').replace('_', ', 0x') + '}' 530 531 MESSAGE = b'abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmno' 532 assert(len(MESSAGE) == 64) 533 BYTE_BOUNDARIES = [(2**b)//len(MESSAGE) - 1 for b in range(20, 34)] 534 535 midstates = [] 536 digests = [] 537 hasher = sha256() 538 for i in range(BYTE_BOUNDARIES[-1] + 1): 539 if i in BYTE_BOUNDARIES: 540 midstates.append(midstate_c_definition(hasher)) 541 hasher_copy = copy(hasher) 542 hasher_copy.update(MESSAGE) 543 digests.append(output_c_literal(hasher_copy)) 544 hasher.update(MESSAGE) 545 546 for x in midstates: 547 print(x + ',') 548 549 for x in digests: 550 print(x + ',') 551 ``` 552 */ 553 static void run_sha256_counter_tests(void) { 554 static const char *input = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmno"; 555 static const secp256k1_sha256 midstates[] = { 556 {{0xa2b5c8bb, 0x26c88bb3, 0x2abdc3d2, 0x9def99a3, 0xdfd21a6e, 0x41fe585b, 0x7ef2c440, 0x2b79adda}, 557 {0x00}, 0xfffc0}, 558 {{0xa0d29445, 0x9287de66, 0x76aabd71, 0x41acd765, 0x0c7528b4, 0x84e14906, 0x942faec6, 0xcc5a7b26}, 559 {0x00}, 0x1fffc0}, 560 {{0x50449526, 0xb9f1d657, 0xa0fc13e9, 0x50860f10, 0xa550c431, 0x3fbc97c1, 0x7bbb2d89, 0xdb67bac1}, 561 {0x00}, 0x3fffc0}, 562 {{0x54a6efdc, 0x46762e7b, 0x88bfe73f, 0xbbd149c7, 0x41620c43, 0x1168da7b, 0x2c5960f9, 0xeccffda6}, 563 {0x00}, 0x7fffc0}, 564 {{0x2515a8f5, 0x5faa2977, 0x3a850486, 0xac858cad, 0x7b7276ee, 0x235c0385, 0xc53a157c, 0x7cb3e69c}, 565 {0x00}, 0xffffc0}, 566 {{0x34f39828, 0x409fedb7, 0x4bbdd0fb, 0x3b643634, 0x7806bf2e, 0xe0d1b713, 0xca3f2e1e, 0xe38722c2}, 567 {0x00}, 0x1ffffc0}, 568 {{0x389ef5c5, 0x38c54167, 0x8f5d56ab, 0x582a75cc, 0x8217caef, 0xf10947dd, 0x6a1998a8, 0x048f0b8c}, 569 {0x00}, 0x3ffffc0}, 570 {{0xd6c3f394, 0x0bee43b9, 0x6783f497, 0x29fa9e21, 0x6ce491c1, 0xa81fe45e, 0x2fc3859a, 0x269012d0}, 571 {0x00}, 0x7ffffc0}, 572 {{0x6dd3c526, 0x44d88aa0, 0x806a1bae, 0xfbcc0d32, 0x9d6144f3, 0x9d2bd757, 0x9851a957, 0xb50430ad}, 573 {0x00}, 0xfffffc0}, 574 {{0x2add4021, 0xdfe8a9e6, 0xa56317c6, 0x7a15f5bb, 0x4a48aacd, 0x5d368414, 0x4f00e6f0, 0xd9355023}, 575 {0x00}, 0x1fffffc0}, 576 {{0xb66666b4, 0xdbeac32b, 0x0ea351ae, 0xcba9da46, 0x6278b874, 0x8c508e23, 0xe16ca776, 0x8465bac1}, 577 {0x00}, 0x3fffffc0}, 578 {{0xb6744789, 0x9cce87aa, 0xc4c478b7, 0xf38404d8, 0x2e38ba62, 0xa3f7019b, 0x50458fe7, 0x3047dbec}, 579 {0x00}, 0x7fffffc0}, 580 {{0x8b1297ba, 0xba261a80, 0x2ba1b0dd, 0xfbc67d6d, 0x61072c4e, 0x4b5a2a0f, 0x52872760, 0x2dfeb162}, 581 {0x00}, 0xffffffc0}, 582 {{0x24f33cf7, 0x41ad6583, 0x41c8ff5d, 0xca7ef35f, 0x50395756, 0x021b743e, 0xd7126cd7, 0xd037473a}, 583 {0x00}, 0x1ffffffc0}, 584 }; 585 static const unsigned char outputs[][32] = { 586 {0x0e, 0x83, 0xe2, 0xc9, 0x4f, 0xb2, 0xb8, 0x2b, 0x89, 0x06, 0x92, 0x78, 0x04, 0x03, 0x48, 0x5c, 0x48, 0x44, 0x67, 0x61, 0x77, 0xa4, 0xc7, 0x90, 0x9e, 0x92, 0x55, 0x10, 0x05, 0xfe, 0x39, 0x15}, 587 {0x1d, 0x1e, 0xd7, 0xb8, 0xa3, 0xa7, 0x8a, 0x79, 0xfd, 0xa0, 0x05, 0x08, 0x9c, 0xeb, 0xf0, 0xec, 0x67, 0x07, 0x9f, 0x8e, 0x3c, 0x0d, 0x8e, 0xf9, 0x75, 0x55, 0x13, 0xc1, 0xe8, 0x77, 0xf8, 0xbb}, 588 {0x66, 0x95, 0x6c, 0xc9, 0xe0, 0x39, 0x65, 0xb6, 0xb0, 0x05, 0xd1, 0xaf, 0xaf, 0xf3, 0x1d, 0xb9, 0xa4, 0xda, 0x6f, 0x20, 0xcd, 0x3a, 0xae, 0x64, 0xc2, 0xdb, 0xee, 0xf5, 0xb8, 0x8d, 0x57, 0x0e}, 589 {0x3c, 0xbb, 0x1c, 0x12, 0x5e, 0x17, 0xfd, 0x54, 0x90, 0x45, 0xa7, 0x7b, 0x61, 0x6c, 0x1d, 0xfe, 0xe6, 0xcc, 0x7f, 0xee, 0xcf, 0xef, 0x33, 0x35, 0x50, 0x62, 0x16, 0x70, 0x2f, 0x87, 0xc3, 0xc9}, 590 {0x53, 0x4d, 0xa8, 0xe7, 0x1e, 0x98, 0x73, 0x8d, 0xd9, 0xa3, 0x54, 0xa5, 0x0e, 0x59, 0x2c, 0x25, 0x43, 0x6f, 0xaa, 0xa2, 0xf5, 0x21, 0x06, 0x3e, 0xc9, 0x82, 0x06, 0x94, 0x98, 0x72, 0x9d, 0xa7}, 591 {0xef, 0x7e, 0xe9, 0x6b, 0xd3, 0xe5, 0xb7, 0x41, 0x4c, 0xc8, 0xd3, 0x07, 0x52, 0x9a, 0x5a, 0x8b, 0x4e, 0x1e, 0x75, 0xa4, 0x17, 0x78, 0xc8, 0x36, 0xcd, 0xf8, 0x2e, 0xd9, 0x57, 0xe3, 0xd7, 0x07}, 592 {0x87, 0x16, 0xfb, 0xf9, 0xa5, 0xf8, 0xc4, 0x56, 0x2b, 0x48, 0x52, 0x8e, 0x2d, 0x30, 0x85, 0xb6, 0x4c, 0x56, 0xb5, 0xd1, 0x16, 0x9c, 0xcf, 0x32, 0x95, 0xad, 0x03, 0xe8, 0x05, 0x58, 0x06, 0x76}, 593 {0x75, 0x03, 0x80, 0x28, 0xf2, 0xa7, 0x63, 0x22, 0x1a, 0x26, 0x9c, 0x68, 0xe0, 0x58, 0xfc, 0x73, 0xeb, 0x42, 0xf6, 0x86, 0x16, 0x24, 0x4b, 0xbc, 0x24, 0xf7, 0x02, 0xc8, 0x3d, 0x90, 0xe2, 0xb0}, 594 {0xdf, 0x49, 0x0f, 0x15, 0x7b, 0x7d, 0xbf, 0xe0, 0xd4, 0xcf, 0x47, 0xc0, 0x80, 0x93, 0x4a, 0x61, 0xaa, 0x03, 0x07, 0x66, 0xb3, 0x38, 0x5d, 0xc8, 0xc9, 0x07, 0x61, 0xfb, 0x97, 0x10, 0x2f, 0xd8}, 595 {0x77, 0x19, 0x40, 0x56, 0x41, 0xad, 0xbc, 0x59, 0xda, 0x1e, 0xc5, 0x37, 0x14, 0x63, 0x7b, 0xfb, 0x79, 0xe2, 0x7a, 0xb1, 0x55, 0x42, 0x99, 0x42, 0x56, 0xfe, 0x26, 0x9d, 0x0f, 0x7e, 0x80, 0xc6}, 596 {0x50, 0xe7, 0x2a, 0x0e, 0x26, 0x44, 0x2f, 0xe2, 0x55, 0x2d, 0xc3, 0x93, 0x8a, 0xc5, 0x86, 0x58, 0x22, 0x8c, 0x0c, 0xbf, 0xb1, 0xd2, 0xca, 0x87, 0x2a, 0xe4, 0x35, 0x26, 0x6f, 0xcd, 0x05, 0x5e}, 597 {0xe4, 0x80, 0x6f, 0xdb, 0x3d, 0x7d, 0xba, 0xde, 0x50, 0x3f, 0xea, 0x00, 0x3d, 0x46, 0x59, 0x64, 0xfd, 0x58, 0x1c, 0xa1, 0xb8, 0x7d, 0x5f, 0xac, 0x94, 0x37, 0x9e, 0xa0, 0xc0, 0x9c, 0x93, 0x8b}, 598 {0x2c, 0xf3, 0xa9, 0xf6, 0x15, 0x25, 0x80, 0x70, 0x76, 0x99, 0x7d, 0xf1, 0xc3, 0x2f, 0xa3, 0x31, 0xff, 0x92, 0x35, 0x2e, 0x8d, 0x04, 0x13, 0x33, 0xd8, 0x0d, 0xdb, 0x4a, 0xf6, 0x8c, 0x03, 0x34}, 599 {0xec, 0x12, 0x24, 0x9f, 0x35, 0xa4, 0x29, 0x8b, 0x9e, 0x4a, 0x95, 0xf8, 0x61, 0xaf, 0x61, 0xc5, 0x66, 0x55, 0x3e, 0x3f, 0x2a, 0x98, 0xea, 0x71, 0x16, 0x6b, 0x1c, 0xd9, 0xe4, 0x09, 0xd2, 0x8e}, 600 }; 601 unsigned int i; 602 for (i = 0; i < sizeof(midstates)/sizeof(midstates[0]); i++) { 603 unsigned char out[32]; 604 secp256k1_sha256 hasher = midstates[i]; 605 secp256k1_sha256_write(&hasher, (const unsigned char*)input, strlen(input)); 606 secp256k1_sha256_finalize(&hasher, out); 607 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0); 608 } 609 } 610 611 /* Tests for the equality of two sha256 structs. This function only produces a 612 * correct result if an integer multiple of 64 many bytes have been written 613 * into the hash functions. This function is used by some module tests. */ 614 static void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2) { 615 /* Is buffer fully consumed? */ 616 CHECK((sha1->bytes & 0x3F) == 0); 617 618 CHECK(sha1->bytes == sha2->bytes); 619 CHECK(secp256k1_memcmp_var(sha1->s, sha2->s, sizeof(sha1->s)) == 0); 620 } 621 622 static void run_hmac_sha256_tests(void) { 623 static const char *keys[6] = { 624 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 625 "\x4a\x65\x66\x65", 626 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa", 627 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19", 628 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa", 629 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 630 }; 631 static const char *inputs[6] = { 632 "\x48\x69\x20\x54\x68\x65\x72\x65", 633 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f", 634 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd", 635 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd", 636 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74", 637 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e" 638 }; 639 static const unsigned char outputs[6][32] = { 640 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7}, 641 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43}, 642 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe}, 643 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b}, 644 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54}, 645 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2} 646 }; 647 int i; 648 for (i = 0; i < 6; i++) { 649 secp256k1_hmac_sha256 hasher; 650 unsigned char out[32]; 651 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i])); 652 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i])); 653 secp256k1_hmac_sha256_finalize(&hasher, out); 654 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0); 655 if (strlen(inputs[i]) > 0) { 656 int split = testrand_int(strlen(inputs[i])); 657 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i])); 658 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split); 659 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split); 660 secp256k1_hmac_sha256_finalize(&hasher, out); 661 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0); 662 } 663 } 664 } 665 666 static void run_rfc6979_hmac_sha256_tests(void) { 667 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0}; 668 static const unsigned char out1[3][32] = { 669 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb}, 670 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a}, 671 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e} 672 }; 673 674 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55}; 675 static const unsigned char out2[3][32] = { 676 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95}, 677 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9}, 678 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94} 679 }; 680 681 secp256k1_rfc6979_hmac_sha256 rng; 682 unsigned char out[32]; 683 int i; 684 685 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64); 686 for (i = 0; i < 3; i++) { 687 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32); 688 CHECK(secp256k1_memcmp_var(out, out1[i], 32) == 0); 689 } 690 secp256k1_rfc6979_hmac_sha256_finalize(&rng); 691 692 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65); 693 for (i = 0; i < 3; i++) { 694 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32); 695 CHECK(secp256k1_memcmp_var(out, out1[i], 32) != 0); 696 } 697 secp256k1_rfc6979_hmac_sha256_finalize(&rng); 698 699 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64); 700 for (i = 0; i < 3; i++) { 701 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32); 702 CHECK(secp256k1_memcmp_var(out, out2[i], 32) == 0); 703 } 704 secp256k1_rfc6979_hmac_sha256_finalize(&rng); 705 } 706 707 static void run_tagged_sha256_tests(void) { 708 unsigned char tag[32] = { 0 }; 709 unsigned char msg[32] = { 0 }; 710 unsigned char hash32[32]; 711 unsigned char hash_expected[32] = { 712 0x04, 0x7A, 0x5E, 0x17, 0xB5, 0x86, 0x47, 0xC1, 713 0x3C, 0xC6, 0xEB, 0xC0, 0xAA, 0x58, 0x3B, 0x62, 714 0xFB, 0x16, 0x43, 0x32, 0x68, 0x77, 0x40, 0x6C, 715 0xE2, 0x76, 0x55, 0x9A, 0x3B, 0xDE, 0x55, 0xB3 716 }; 717 718 /* API test */ 719 CHECK(secp256k1_tagged_sha256(CTX, hash32, tag, sizeof(tag), msg, sizeof(msg)) == 1); 720 CHECK_ILLEGAL(CTX, secp256k1_tagged_sha256(CTX, NULL, tag, sizeof(tag), msg, sizeof(msg))); 721 CHECK_ILLEGAL(CTX, secp256k1_tagged_sha256(CTX, hash32, NULL, 0, msg, sizeof(msg))); 722 CHECK_ILLEGAL(CTX, secp256k1_tagged_sha256(CTX, hash32, tag, sizeof(tag), NULL, 0)); 723 724 /* Static test vector */ 725 memcpy(tag, "tag", 3); 726 memcpy(msg, "msg", 3); 727 CHECK(secp256k1_tagged_sha256(CTX, hash32, tag, 3, msg, 3) == 1); 728 CHECK(secp256k1_memcmp_var(hash32, hash_expected, sizeof(hash32)) == 0); 729 } 730 731 /***** MODINV TESTS *****/ 732 733 /* Compute the modular inverse of (odd) x mod 2^64. */ 734 static uint64_t modinv2p64(uint64_t x) { 735 /* If w = 1/x mod 2^(2^L), then w*(2 - w*x) = 1/x mod 2^(2^(L+1)). See 736 * Hacker's Delight second edition, Henry S. Warren, Jr., pages 245-247 for 737 * why. Start with L=0, for which it is true for every odd x that 738 * 1/x=1 mod 2. Iterating 6 times gives us 1/x mod 2^64. */ 739 int l; 740 uint64_t w = 1; 741 CHECK(x & 1); 742 for (l = 0; l < 6; ++l) w *= (2 - w*x); 743 return w; 744 } 745 746 747 /* compute out = (a*b) mod m; if b=NULL, treat b=1; if m=NULL, treat m=infinity. 748 * 749 * Out is a 512-bit number (represented as 32 uint16_t's in LE order). The other 750 * arguments are 256-bit numbers (represented as 16 uint16_t's in LE order). */ 751 static void mulmod256(uint16_t* out, const uint16_t* a, const uint16_t* b, const uint16_t* m) { 752 uint16_t mul[32]; 753 uint64_t c = 0; 754 int i, j; 755 int m_bitlen = 0; 756 int mul_bitlen = 0; 757 758 if (b != NULL) { 759 /* Compute the product of a and b, and put it in mul. */ 760 for (i = 0; i < 32; ++i) { 761 for (j = i <= 15 ? 0 : i - 15; j <= i && j <= 15; j++) { 762 c += (uint64_t)a[j] * b[i - j]; 763 } 764 mul[i] = c & 0xFFFF; 765 c >>= 16; 766 } 767 CHECK(c == 0); 768 769 /* compute the highest set bit in mul */ 770 for (i = 511; i >= 0; --i) { 771 if ((mul[i >> 4] >> (i & 15)) & 1) { 772 mul_bitlen = i; 773 break; 774 } 775 } 776 } else { 777 /* if b==NULL, set mul=a. */ 778 memcpy(mul, a, 32); 779 memset(mul + 16, 0, 32); 780 /* compute the highest set bit in mul */ 781 for (i = 255; i >= 0; --i) { 782 if ((mul[i >> 4] >> (i & 15)) & 1) { 783 mul_bitlen = i; 784 break; 785 } 786 } 787 } 788 789 if (m) { 790 /* Compute the highest set bit in m. */ 791 for (i = 255; i >= 0; --i) { 792 if ((m[i >> 4] >> (i & 15)) & 1) { 793 m_bitlen = i; 794 break; 795 } 796 } 797 798 /* Try do mul -= m<<i, for i going down to 0, whenever the result is not negative */ 799 for (i = mul_bitlen - m_bitlen; i >= 0; --i) { 800 uint16_t mul2[32]; 801 int64_t cs; 802 803 /* Compute mul2 = mul - m<<i. */ 804 cs = 0; /* accumulator */ 805 for (j = 0; j < 32; ++j) { /* j loops over the output limbs in mul2. */ 806 /* Compute sub: the 16 bits in m that will be subtracted from mul2[j]. */ 807 uint16_t sub = 0; 808 int p; 809 for (p = 0; p < 16; ++p) { /* p loops over the bit positions in mul2[j]. */ 810 int bitpos = j * 16 - i + p; /* bitpos is the correspond bit position in m. */ 811 if (bitpos >= 0 && bitpos < 256) { 812 sub |= ((m[bitpos >> 4] >> (bitpos & 15)) & 1) << p; 813 } 814 } 815 /* Add mul[j]-sub to accumulator, and shift bottom 16 bits out to mul2[j]. */ 816 cs += mul[j]; 817 cs -= sub; 818 mul2[j] = (cs & 0xFFFF); 819 cs >>= 16; 820 } 821 /* If remainder of subtraction is 0, set mul = mul2. */ 822 if (cs == 0) { 823 memcpy(mul, mul2, sizeof(mul)); 824 } 825 } 826 /* Sanity check: test that all limbs higher than m's highest are zero */ 827 for (i = (m_bitlen >> 4) + 1; i < 32; ++i) { 828 CHECK(mul[i] == 0); 829 } 830 } 831 memcpy(out, mul, 32); 832 } 833 834 /* Convert a 256-bit number represented as 16 uint16_t's to signed30 notation. */ 835 static void uint16_to_signed30(secp256k1_modinv32_signed30* out, const uint16_t* in) { 836 int i; 837 memset(out->v, 0, sizeof(out->v)); 838 for (i = 0; i < 256; ++i) { 839 out->v[i / 30] |= (int32_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 30); 840 } 841 } 842 843 /* Convert a 256-bit number in signed30 notation to a representation as 16 uint16_t's. */ 844 static void signed30_to_uint16(uint16_t* out, const secp256k1_modinv32_signed30* in) { 845 int i; 846 memset(out, 0, 32); 847 for (i = 0; i < 256; ++i) { 848 out[i >> 4] |= (((in->v[i / 30]) >> (i % 30)) & 1) << (i & 15); 849 } 850 } 851 852 /* Randomly mutate the sign of limbs in signed30 representation, without changing the value. */ 853 static void mutate_sign_signed30(secp256k1_modinv32_signed30* x) { 854 int i; 855 for (i = 0; i < 16; ++i) { 856 int pos = testrand_bits(3); 857 if (x->v[pos] > 0 && x->v[pos + 1] <= 0x3fffffff) { 858 x->v[pos] -= 0x40000000; 859 x->v[pos + 1] += 1; 860 } else if (x->v[pos] < 0 && x->v[pos + 1] >= 0x3fffffff) { 861 x->v[pos] += 0x40000000; 862 x->v[pos + 1] -= 1; 863 } 864 } 865 } 866 867 /* Test secp256k1_modinv32{_var}, using inputs in 16-bit limb format, and returning inverse. */ 868 static void test_modinv32_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) { 869 uint16_t tmp[16]; 870 secp256k1_modinv32_signed30 x; 871 secp256k1_modinv32_modinfo m; 872 int i, vartime, nonzero; 873 874 uint16_to_signed30(&x, in); 875 nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4] | x.v[5] | x.v[6] | x.v[7] | x.v[8]) != 0; 876 uint16_to_signed30(&m.modulus, mod); 877 878 /* compute 1/modulus mod 2^30 */ 879 m.modulus_inv30 = modinv2p64(m.modulus.v[0]) & 0x3fffffff; 880 CHECK(((m.modulus_inv30 * m.modulus.v[0]) & 0x3fffffff) == 1); 881 882 /* Test secp256k1_jacobi32_maybe_var. */ 883 if (nonzero) { 884 int jac; 885 uint16_t sqr[16], negone[16]; 886 mulmod256(sqr, in, in, mod); 887 uint16_to_signed30(&x, sqr); 888 /* Compute jacobi symbol of in^2, which must be 1 (or uncomputable). */ 889 jac = secp256k1_jacobi32_maybe_var(&x, &m); 890 CHECK(jac == 0 || jac == 1); 891 /* Then compute the jacobi symbol of -(in^2). x and -x have opposite 892 * jacobi symbols if and only if (mod % 4) == 3. */ 893 negone[0] = mod[0] - 1; 894 for (i = 1; i < 16; ++i) negone[i] = mod[i]; 895 mulmod256(sqr, sqr, negone, mod); 896 uint16_to_signed30(&x, sqr); 897 jac = secp256k1_jacobi32_maybe_var(&x, &m); 898 CHECK(jac == 0 || jac == 1 - (mod[0] & 2)); 899 } 900 901 uint16_to_signed30(&x, in); 902 mutate_sign_signed30(&m.modulus); 903 for (vartime = 0; vartime < 2; ++vartime) { 904 /* compute inverse */ 905 (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m); 906 907 /* produce output */ 908 signed30_to_uint16(out, &x); 909 910 /* check if the inverse times the input is 1 (mod m), unless x is 0. */ 911 mulmod256(tmp, out, in, mod); 912 CHECK(tmp[0] == nonzero); 913 for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0); 914 915 /* invert again */ 916 (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m); 917 918 /* check if the result is equal to the input */ 919 signed30_to_uint16(tmp, &x); 920 for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]); 921 } 922 } 923 924 #ifdef SECP256K1_WIDEMUL_INT128 925 /* Convert a 256-bit number represented as 16 uint16_t's to signed62 notation. */ 926 static void uint16_to_signed62(secp256k1_modinv64_signed62* out, const uint16_t* in) { 927 int i; 928 memset(out->v, 0, sizeof(out->v)); 929 for (i = 0; i < 256; ++i) { 930 out->v[i / 62] |= (int64_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 62); 931 } 932 } 933 934 /* Convert a 256-bit number in signed62 notation to a representation as 16 uint16_t's. */ 935 static void signed62_to_uint16(uint16_t* out, const secp256k1_modinv64_signed62* in) { 936 int i; 937 memset(out, 0, 32); 938 for (i = 0; i < 256; ++i) { 939 out[i >> 4] |= (((in->v[i / 62]) >> (i % 62)) & 1) << (i & 15); 940 } 941 } 942 943 /* Randomly mutate the sign of limbs in signed62 representation, without changing the value. */ 944 static void mutate_sign_signed62(secp256k1_modinv64_signed62* x) { 945 static const int64_t M62 = (int64_t)(UINT64_MAX >> 2); 946 int i; 947 for (i = 0; i < 8; ++i) { 948 int pos = testrand_bits(2); 949 if (x->v[pos] > 0 && x->v[pos + 1] <= M62) { 950 x->v[pos] -= (M62 + 1); 951 x->v[pos + 1] += 1; 952 } else if (x->v[pos] < 0 && x->v[pos + 1] >= -M62) { 953 x->v[pos] += (M62 + 1); 954 x->v[pos + 1] -= 1; 955 } 956 } 957 } 958 959 /* Test secp256k1_modinv64{_var}, using inputs in 16-bit limb format, and returning inverse. */ 960 static void test_modinv64_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) { 961 static const int64_t M62 = (int64_t)(UINT64_MAX >> 2); 962 uint16_t tmp[16]; 963 secp256k1_modinv64_signed62 x; 964 secp256k1_modinv64_modinfo m; 965 int i, vartime, nonzero; 966 967 uint16_to_signed62(&x, in); 968 nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4]) != 0; 969 uint16_to_signed62(&m.modulus, mod); 970 971 /* compute 1/modulus mod 2^62 */ 972 m.modulus_inv62 = modinv2p64(m.modulus.v[0]) & M62; 973 CHECK(((m.modulus_inv62 * m.modulus.v[0]) & M62) == 1); 974 975 /* Test secp256k1_jacobi64_maybe_var. */ 976 if (nonzero) { 977 int jac; 978 uint16_t sqr[16], negone[16]; 979 mulmod256(sqr, in, in, mod); 980 uint16_to_signed62(&x, sqr); 981 /* Compute jacobi symbol of in^2, which must be 1 (or uncomputable). */ 982 jac = secp256k1_jacobi64_maybe_var(&x, &m); 983 CHECK(jac == 0 || jac == 1); 984 /* Then compute the jacobi symbol of -(in^2). x and -x have opposite 985 * jacobi symbols if and only if (mod % 4) == 3. */ 986 negone[0] = mod[0] - 1; 987 for (i = 1; i < 16; ++i) negone[i] = mod[i]; 988 mulmod256(sqr, sqr, negone, mod); 989 uint16_to_signed62(&x, sqr); 990 jac = secp256k1_jacobi64_maybe_var(&x, &m); 991 CHECK(jac == 0 || jac == 1 - (mod[0] & 2)); 992 } 993 994 uint16_to_signed62(&x, in); 995 mutate_sign_signed62(&m.modulus); 996 for (vartime = 0; vartime < 2; ++vartime) { 997 /* compute inverse */ 998 (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m); 999 1000 /* produce output */ 1001 signed62_to_uint16(out, &x); 1002 1003 /* check if the inverse times the input is 1 (mod m), unless x is 0. */ 1004 mulmod256(tmp, out, in, mod); 1005 CHECK(tmp[0] == nonzero); 1006 for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0); 1007 1008 /* invert again */ 1009 (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m); 1010 1011 /* check if the result is equal to the input */ 1012 signed62_to_uint16(tmp, &x); 1013 for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]); 1014 } 1015 } 1016 #endif 1017 1018 /* test if a and b are coprime */ 1019 static int coprime(const uint16_t* a, const uint16_t* b) { 1020 uint16_t x[16], y[16], t[16]; 1021 int i; 1022 int iszero; 1023 memcpy(x, a, 32); 1024 memcpy(y, b, 32); 1025 1026 /* simple gcd loop: while x!=0, (x,y)=(y%x,x) */ 1027 while (1) { 1028 iszero = 1; 1029 for (i = 0; i < 16; ++i) { 1030 if (x[i] != 0) { 1031 iszero = 0; 1032 break; 1033 } 1034 } 1035 if (iszero) break; 1036 mulmod256(t, y, NULL, x); 1037 memcpy(y, x, 32); 1038 memcpy(x, t, 32); 1039 } 1040 1041 /* return whether y=1 */ 1042 if (y[0] != 1) return 0; 1043 for (i = 1; i < 16; ++i) { 1044 if (y[i] != 0) return 0; 1045 } 1046 return 1; 1047 } 1048 1049 static void run_modinv_tests(void) { 1050 /* Fixed test cases. Each tuple is (input, modulus, output), each as 16x16 bits in LE order. */ 1051 static const uint16_t CASES[][3][16] = { 1052 /* Test cases triggering edge cases in divsteps */ 1053 1054 /* Test case known to need 713 divsteps */ 1055 {{0x1513, 0x5389, 0x54e9, 0x2798, 0x1957, 0x66a0, 0x8057, 0x3477, 1056 0x7784, 0x1052, 0x326a, 0x9331, 0x6506, 0xa95c, 0x91f3, 0xfb5e}, 1057 {0x2bdd, 0x8df4, 0xcc61, 0x481f, 0xdae5, 0x5ca7, 0xf43b, 0x7d54, 1058 0x13d6, 0x469b, 0x2294, 0x20f4, 0xb2a4, 0xa2d1, 0x3ff1, 0xfd4b}, 1059 {0xffd8, 0xd9a0, 0x456e, 0x81bb, 0xbabd, 0x6cea, 0x6dbd, 0x73ab, 1060 0xbb94, 0x3d3c, 0xdf08, 0x31c4, 0x3e32, 0xc179, 0x2486, 0xb86b}}, 1061 /* Test case known to need 589 divsteps, reaching delta=-140 and 1062 delta=141. */ 1063 {{0x3fb1, 0x903b, 0x4eb7, 0x4813, 0xd863, 0x26bf, 0xd89f, 0xa8a9, 1064 0x02fe, 0x57c6, 0x554a, 0x4eab, 0x165e, 0x3d61, 0xee1e, 0x456c}, 1065 {0x9295, 0x823b, 0x5c1f, 0x5386, 0x48e0, 0x02ff, 0x4c2a, 0xa2da, 1066 0xe58f, 0x967c, 0xc97e, 0x3f5a, 0x69fb, 0x52d9, 0x0a86, 0xb4a3}, 1067 {0x3d30, 0xb893, 0xa809, 0xa7a8, 0x26f5, 0x5b42, 0x55be, 0xf4d0, 1068 0x12c2, 0x7e6a, 0xe41a, 0x90c7, 0xebfa, 0xf920, 0x304e, 0x1419}}, 1069 /* Test case known to need 650 divsteps, and doing 65 consecutive (f,g/2) steps. */ 1070 {{0x8583, 0x5058, 0xbeae, 0xeb69, 0x48bc, 0x52bb, 0x6a9d, 0xcc94, 1071 0x2a21, 0x87d5, 0x5b0d, 0x42f6, 0x5b8a, 0x2214, 0xe9d6, 0xa040}, 1072 {0x7531, 0x27cb, 0x7e53, 0xb739, 0x6a5f, 0x83f5, 0xa45c, 0xcb1d, 1073 0x8a87, 0x1c9c, 0x51d7, 0x851c, 0xb9d8, 0x1fbe, 0xc241, 0xd4a3}, 1074 {0xcdb4, 0x275c, 0x7d22, 0xa906, 0x0173, 0xc054, 0x7fdf, 0x5005, 1075 0x7fb8, 0x9059, 0xdf51, 0x99df, 0x2654, 0x8f6e, 0x070f, 0xb347}}, 1076 /* example needing 713 divsteps; delta=-2..3 */ 1077 {{0xe2e9, 0xee91, 0x4345, 0xe5ad, 0xf3ec, 0x8f42, 0x0364, 0xd5c9, 1078 0xff49, 0xbef5, 0x4544, 0x4c7c, 0xae4b, 0xfd9d, 0xb35b, 0xda9d}, 1079 {0x36e7, 0x8cca, 0x2ed0, 0x47b3, 0xaca4, 0xb374, 0x7d2a, 0x0772, 1080 0x6bdb, 0xe0a7, 0x900b, 0xfe10, 0x788c, 0x6f22, 0xd909, 0xf298}, 1081 {0xd8c6, 0xba39, 0x13ed, 0x198c, 0x16c8, 0xb837, 0xa5f2, 0x9797, 1082 0x0113, 0x882a, 0x15b5, 0x324c, 0xabee, 0xe465, 0x8170, 0x85ac}}, 1083 /* example needing 713 divsteps; delta=-2..3 */ 1084 {{0xd5b7, 0x2966, 0x040e, 0xf59a, 0x0387, 0xd96d, 0xbfbc, 0xd850, 1085 0x2d96, 0x872a, 0xad81, 0xc03c, 0xbb39, 0xb7fa, 0xd904, 0xef78}, 1086 {0x6279, 0x4314, 0xfdd3, 0x1568, 0x0982, 0x4d13, 0x625f, 0x010c, 1087 0x22b1, 0x0cc3, 0xf22d, 0x5710, 0x1109, 0x5751, 0x7714, 0xfcf2}, 1088 {0xdb13, 0x5817, 0x232e, 0xe456, 0xbbbc, 0x6fbe, 0x4572, 0xa358, 1089 0xc76d, 0x928e, 0x0162, 0x5314, 0x8325, 0x5683, 0xe21b, 0xda88}}, 1090 /* example needing 713 divsteps; delta=-2..3 */ 1091 {{0xa06f, 0x71ee, 0x3bac, 0x9ebb, 0xdeaa, 0x09ed, 0x1cf7, 0x9ec9, 1092 0x7158, 0x8b72, 0x5d53, 0x5479, 0x5c75, 0xbb66, 0x9125, 0xeccc}, 1093 {0x2941, 0xd46c, 0x3cd4, 0x4a9d, 0x5c4a, 0x256b, 0xbd6c, 0x9b8e, 1094 0x8fe0, 0x8a14, 0xffe8, 0x2496, 0x618d, 0xa9d7, 0x5018, 0xfb29}, 1095 {0x437c, 0xbd60, 0x7590, 0x94bb, 0x0095, 0xd35e, 0xd4fe, 0xd6da, 1096 0x0d4e, 0x5342, 0x4cd2, 0x169b, 0x661c, 0x1380, 0xed2d, 0x85c1}}, 1097 /* example reaching delta=-64..65; 661 divsteps */ 1098 {{0xfde4, 0x68d6, 0x6c48, 0x7f77, 0x1c78, 0x96de, 0x2fd9, 0xa6c2, 1099 0xbbb5, 0xd319, 0x69cf, 0xd4b3, 0xa321, 0xcda0, 0x172e, 0xe530}, 1100 {0xd9e3, 0x0f60, 0x3d86, 0xeeab, 0x25ee, 0x9582, 0x2d50, 0xfe16, 1101 0xd4e2, 0xe3ba, 0x94e2, 0x9833, 0x6c5e, 0x8982, 0x13b6, 0xe598}, 1102 {0xe675, 0xf55a, 0x10f6, 0xabde, 0x5113, 0xecaa, 0x61ae, 0xad9f, 1103 0x0c27, 0xef33, 0x62e5, 0x211d, 0x08fa, 0xa78d, 0xc675, 0x8bae}}, 1104 /* example reaching delta=-64..65; 661 divsteps */ 1105 {{0x21bf, 0x52d5, 0x8fd4, 0xaa18, 0x156a, 0x7247, 0xebb8, 0x5717, 1106 0x4eb5, 0x1421, 0xb58f, 0x3b0b, 0x5dff, 0xe533, 0xb369, 0xd28a}, 1107 {0x9f6b, 0xe463, 0x2563, 0xc74d, 0x6d81, 0x636a, 0x8fc8, 0x7a94, 1108 0x9429, 0x1585, 0xf35e, 0x7ff5, 0xb64f, 0x9720, 0xba74, 0xe108}, 1109 {0xa5ab, 0xea7b, 0xfe5e, 0x8a85, 0x13be, 0x7934, 0xe8a0, 0xa187, 1110 0x86b5, 0xe477, 0xb9a4, 0x75d7, 0x538f, 0xdd70, 0xc781, 0xb67d}}, 1111 /* example reaching delta=-64..65; 661 divsteps */ 1112 {{0xa41a, 0x3e8d, 0xf1f5, 0x9493, 0x868c, 0x5103, 0x2725, 0x3ceb, 1113 0x6032, 0x3624, 0xdc6b, 0x9120, 0xbf4c, 0x8821, 0x91ad, 0xb31a}, 1114 {0x5c0b, 0xdda5, 0x20f8, 0x32a1, 0xaf73, 0x6ec5, 0x4779, 0x43d6, 1115 0xd454, 0x9573, 0xbf84, 0x5a58, 0xe04e, 0x307e, 0xd1d5, 0xe230}, 1116 {0xda15, 0xbcd6, 0x7180, 0xabd3, 0x04e6, 0x6986, 0xc0d7, 0x90bb, 1117 0x3a4d, 0x7c95, 0xaaab, 0x9ab3, 0xda34, 0xa7f6, 0x9636, 0x6273}}, 1118 /* example doing 123 consecutive (f,g/2) steps; 615 divsteps */ 1119 {{0xb4d6, 0xb38f, 0x00aa, 0xebda, 0xd4c2, 0x70b8, 0x9dad, 0x58ee, 1120 0x68f8, 0x48d3, 0xb5ff, 0xf422, 0x9e46, 0x2437, 0x18d0, 0xd9cc}, 1121 {0x5c83, 0xfed7, 0x97f5, 0x3f07, 0xcaad, 0x95b1, 0xb4a4, 0xb005, 1122 0x23af, 0xdd27, 0x6c0d, 0x932c, 0xe2b2, 0xe3ae, 0xfb96, 0xdf67}, 1123 {0x3105, 0x0127, 0xfd48, 0x039b, 0x35f1, 0xbc6f, 0x6c0a, 0xb572, 1124 0xe4df, 0xebad, 0x8edc, 0xb89d, 0x9555, 0x4c26, 0x1fef, 0x997c}}, 1125 /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */ 1126 {{0x5138, 0xd474, 0x385f, 0xc964, 0x00f2, 0x6df7, 0x862d, 0xb185, 1127 0xb264, 0xe9e1, 0x466c, 0xf39e, 0xafaf, 0x5f41, 0x47e2, 0xc89d}, 1128 {0x8607, 0x9c81, 0x46a2, 0x7dcc, 0xcb0c, 0x9325, 0xe149, 0x2bde, 1129 0x6632, 0x2869, 0xa261, 0xb163, 0xccee, 0x22ae, 0x91e0, 0xcfd5}, 1130 {0x831c, 0xda22, 0xb080, 0xba7a, 0x26e2, 0x54b0, 0x073b, 0x5ea0, 1131 0xed4b, 0xcb3d, 0xbba1, 0xbec8, 0xf2ad, 0xae0d, 0x349b, 0x17d1}}, 1132 /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */ 1133 {{0xe9a5, 0xb4ad, 0xd995, 0x9953, 0xcdff, 0x50d7, 0xf715, 0x9dc7, 1134 0x3e28, 0x15a9, 0x95a3, 0x8554, 0x5b5e, 0xad1d, 0x6d57, 0x3d50}, 1135 {0x3ad9, 0xbd60, 0x5cc7, 0x6b91, 0xadeb, 0x71f6, 0x7cc4, 0xa58a, 1136 0x2cce, 0xf17c, 0x38c9, 0x97ed, 0x65fb, 0x3fa6, 0xa6bc, 0xeb24}, 1137 {0xf96c, 0x1963, 0x8151, 0xa0cc, 0x299b, 0xf277, 0x001a, 0x16bb, 1138 0xfd2e, 0x532d, 0x0410, 0xe117, 0x6b00, 0x44ec, 0xca6a, 0x1745}}, 1139 /* example doing 446 (f,g/2) steps; 523 divsteps */ 1140 {{0x3758, 0xa56c, 0xe41e, 0x4e47, 0x0975, 0xa82b, 0x107c, 0x89cf, 1141 0x2093, 0x5a0c, 0xda37, 0xe007, 0x6074, 0x4f68, 0x2f5a, 0xbb8a}, 1142 {0x4beb, 0xa40f, 0x2c42, 0xd9d6, 0x97e8, 0xca7c, 0xd395, 0x894f, 1143 0x1f50, 0x8067, 0xa233, 0xb850, 0x1746, 0x1706, 0xbcda, 0xdf32}, 1144 {0x762a, 0xceda, 0x4c45, 0x1ca0, 0x8c37, 0xd8c5, 0xef57, 0x7a2c, 1145 0x6e98, 0xe38a, 0xc50e, 0x2ca9, 0xcb85, 0x24d5, 0xc29c, 0x61f6}}, 1146 /* example doing 446 (f,g/2) steps; 523 divsteps */ 1147 {{0x6f38, 0x74ad, 0x7332, 0x4073, 0x6521, 0xb876, 0xa370, 0xa6bd, 1148 0xcea5, 0xbd06, 0x969f, 0x77c6, 0x1e69, 0x7c49, 0x7d51, 0xb6e7}, 1149 {0x3f27, 0x4be4, 0xd81e, 0x1396, 0xb21f, 0x92aa, 0x6dc3, 0x6283, 1150 0x6ada, 0x3ca2, 0xc1e5, 0x8b9b, 0xd705, 0x5598, 0x8ba1, 0xe087}, 1151 {0x6a22, 0xe834, 0xbc8d, 0xcee9, 0x42fc, 0xfc77, 0x9c45, 0x1ca8, 1152 0xeb66, 0xed74, 0xaaf9, 0xe75f, 0xfe77, 0x46d2, 0x179b, 0xbf3e}}, 1153 /* example doing 336 (f,(f+g)/2) steps; 693 divsteps */ 1154 {{0x7ea7, 0x444e, 0x84ea, 0xc447, 0x7c1f, 0xab97, 0x3de6, 0x5878, 1155 0x4e8b, 0xc017, 0x03e0, 0xdc40, 0xbbd0, 0x74ce, 0x0169, 0x7ab5}, 1156 {0x4023, 0x154f, 0xfbe4, 0x8195, 0xfda0, 0xef54, 0x9e9a, 0xc703, 1157 0x2803, 0xf760, 0x6302, 0xed5b, 0x7157, 0x6456, 0xdd7d, 0xf14b}, 1158 {0xb6fb, 0xe3b3, 0x0733, 0xa77e, 0x44c5, 0x3003, 0xc937, 0xdd4d, 1159 0x5355, 0x14e9, 0x184e, 0xcefe, 0xe6b5, 0xf2e0, 0x0a28, 0x5b74}}, 1160 /* example doing 336 (f,(f+g)/2) steps; 687 divsteps */ 1161 {{0xa893, 0xb5f4, 0x1ede, 0xa316, 0x242c, 0xbdcc, 0xb017, 0x0836, 1162 0x3a37, 0x27fb, 0xfb85, 0x251e, 0xa189, 0xb15d, 0xa4b8, 0xc24c}, 1163 {0xb0b7, 0x57ba, 0xbb6d, 0x9177, 0xc896, 0xc7f2, 0x43b4, 0x85a6, 1164 0xe6c4, 0xe50e, 0x3109, 0x7ca5, 0xd73d, 0x13ff, 0x0c3d, 0xcd62}, 1165 {0x48ca, 0xdb34, 0xe347, 0x2cef, 0x4466, 0x10fb, 0x7ee1, 0x6344, 1166 0x4308, 0x966d, 0xd4d1, 0xb099, 0x994f, 0xd025, 0x2187, 0x5866}}, 1167 /* example doing 267 (g,(g-f)/2) steps; 678 divsteps */ 1168 {{0x0775, 0x1754, 0x01f6, 0xdf37, 0xc0be, 0x8197, 0x072f, 0x6cf5, 1169 0x8b36, 0x8069, 0x5590, 0xb92d, 0x6084, 0x47a4, 0x23fe, 0xddd5}, 1170 {0x8e1b, 0xda37, 0x27d9, 0x312e, 0x3a2f, 0xef6d, 0xd9eb, 0x8153, 1171 0xdcba, 0x9fa3, 0x9f80, 0xead5, 0x134d, 0x2ebb, 0x5ec0, 0xe032}, 1172 {0x1cb6, 0x5a61, 0x1bed, 0x77d6, 0xd5d1, 0x7498, 0xef33, 0x2dd2, 1173 0x1089, 0xedbd, 0x6958, 0x16ae, 0x336c, 0x45e6, 0x4361, 0xbadc}}, 1174 /* example doing 267 (g,(g-f)/2) steps; 676 divsteps */ 1175 {{0x0207, 0xf948, 0xc430, 0xf36b, 0xf0a7, 0x5d36, 0x751f, 0x132c, 1176 0x6f25, 0xa630, 0xca1f, 0xc967, 0xaf9c, 0x34e7, 0xa38f, 0xbe9f}, 1177 {0x5fb9, 0x7321, 0x6561, 0x5fed, 0x54ec, 0x9c3a, 0xee0e, 0x6717, 1178 0x49af, 0xb896, 0xf4f5, 0x451c, 0x722a, 0xf116, 0x64a9, 0xcf0b}, 1179 {0xf4d7, 0xdb47, 0xfef2, 0x4806, 0x4cb8, 0x18c7, 0xd9a7, 0x4951, 1180 0x14d8, 0x5c3a, 0xd22d, 0xd7b2, 0x750c, 0x3de7, 0x8b4a, 0x19aa}}, 1181 1182 /* Test cases triggering edge cases in divsteps variant starting with delta=1/2 */ 1183 1184 /* example needing 590 divsteps; delta=-5/2..7/2 */ 1185 {{0x9118, 0xb640, 0x53d7, 0x30ab, 0x2a23, 0xd907, 0x9323, 0x5b3a, 1186 0xb6d4, 0x538a, 0x7637, 0xfe97, 0xfd05, 0x3cc0, 0x453a, 0xfb7e}, 1187 {0x6983, 0x4f75, 0x4ad1, 0x48ad, 0xb2d9, 0x521d, 0x3dbc, 0x9cc0, 1188 0x4b60, 0x0ac6, 0xd3be, 0x0fb6, 0xd305, 0x3895, 0x2da5, 0xfdf8}, 1189 {0xcec1, 0x33ac, 0xa801, 0x8194, 0xe36c, 0x65ef, 0x103b, 0xca54, 1190 0xfa9b, 0xb41d, 0x9b52, 0xb6f7, 0xa611, 0x84aa, 0x3493, 0xbf54}}, 1191 /* example needing 590 divsteps; delta=-3/2..5/2 */ 1192 {{0xb5f2, 0x42d0, 0x35e8, 0x8ca0, 0x4b62, 0x6e1d, 0xbdf3, 0x890e, 1193 0x8c82, 0x23d8, 0xc79a, 0xc8e8, 0x789e, 0x353d, 0x9766, 0xea9d}, 1194 {0x6fa1, 0xacba, 0x4b7a, 0x5de1, 0x95d0, 0xc845, 0xebbf, 0x6f5a, 1195 0x30cf, 0x52db, 0x69b7, 0xe278, 0x4b15, 0x8411, 0x2ab2, 0xf3e7}, 1196 {0xf12c, 0x9d6d, 0x95fa, 0x1878, 0x9f13, 0x4fb5, 0x3c8b, 0xa451, 1197 0x7182, 0xc4b6, 0x7e2a, 0x7bb7, 0x6e0e, 0x5b68, 0xde55, 0x9927}}, 1198 /* example needing 590 divsteps; delta=-3/2..5/2 */ 1199 {{0x229c, 0x4ef8, 0x1e93, 0xe5dc, 0xcde5, 0x6d62, 0x263b, 0xad11, 1200 0xced0, 0x88ff, 0xae8e, 0x3183, 0x11d2, 0xa50b, 0x350d, 0xeb40}, 1201 {0x3157, 0xe2ea, 0x8a02, 0x0aa3, 0x5ae1, 0xb26c, 0xea27, 0x6805, 1202 0x87e2, 0x9461, 0x37c1, 0x2f8d, 0x85d2, 0x77a8, 0xf805, 0xeec9}, 1203 {0x6f4e, 0x2748, 0xf7e5, 0xd8d3, 0xabe2, 0x7270, 0xc4e0, 0xedc7, 1204 0xf196, 0x78ca, 0x9139, 0xd8af, 0x72c6, 0xaf2f, 0x85d2, 0x6cd3}}, 1205 /* example needing 590 divsteps; delta=-5/2..7/2 */ 1206 {{0xdce8, 0xf1fe, 0x6708, 0x021e, 0xf1ca, 0xd609, 0x5443, 0x85ce, 1207 0x7a05, 0x8f9c, 0x90c3, 0x52e7, 0x8e1d, 0x97b8, 0xc0bf, 0xf2a1}, 1208 {0xbd3d, 0xed11, 0x1625, 0xb4c5, 0x844c, 0xa413, 0x2569, 0xb9ba, 1209 0xcd35, 0xff84, 0xcd6e, 0x7f0b, 0x7d5d, 0x10df, 0x3efe, 0xfbe5}, 1210 {0xa9dd, 0xafef, 0xb1b7, 0x4c8d, 0x50e4, 0xafbf, 0x2d5a, 0xb27c, 1211 0x0653, 0x66b6, 0x5d36, 0x4694, 0x7e35, 0xc47c, 0x857f, 0x32c5}}, 1212 /* example needing 590 divsteps; delta=-3/2..5/2 */ 1213 {{0x7902, 0xc9f8, 0x926b, 0xaaeb, 0x90f8, 0x1c89, 0xcce3, 0x96b7, 1214 0x28b2, 0x87a2, 0x136d, 0x695a, 0xa8df, 0x9061, 0x9e31, 0xee82}, 1215 {0xd3a9, 0x3c02, 0x818c, 0x6b81, 0x34b3, 0xebbb, 0xe2c8, 0x7712, 1216 0xbfd6, 0x8248, 0xa6f4, 0xba6f, 0x03bb, 0xfb54, 0x7575, 0xfe89}, 1217 {0x8246, 0x0d63, 0x478e, 0xf946, 0xf393, 0x0451, 0x08c2, 0x5919, 1218 0x5fd6, 0x4c61, 0xbeb7, 0x9a15, 0x30e1, 0x55fc, 0x6a01, 0x3724}}, 1219 /* example reaching delta=-127/2..129/2; 571 divsteps */ 1220 {{0x3eff, 0x926a, 0x77f5, 0x1fff, 0x1a5b, 0xf3ef, 0xf64b, 0x8681, 1221 0xf800, 0xf9bc, 0x761d, 0xe268, 0x62b0, 0xa032, 0xba9c, 0xbe56}, 1222 {0xb8f9, 0x00e7, 0x47b7, 0xdffc, 0xfd9d, 0x5abb, 0xa19b, 0x1868, 1223 0x31fd, 0x3b29, 0x3674, 0x5449, 0xf54d, 0x1d19, 0x6ac7, 0xff6f}, 1224 {0xf1d7, 0x3551, 0x5682, 0x9adf, 0xe8aa, 0x19a5, 0x8340, 0x71db, 1225 0xb7ab, 0x4cfd, 0xf661, 0x632c, 0xc27e, 0xd3c6, 0xdf42, 0xd306}}, 1226 /* example reaching delta=-127/2..129/2; 571 divsteps */ 1227 {{0x0000, 0x0000, 0x0000, 0x0000, 0x3aff, 0x2ed7, 0xf2e0, 0xabc7, 1228 0x8aee, 0x166e, 0x7ed0, 0x9ac7, 0x714a, 0xb9c5, 0x4d58, 0xad6c}, 1229 {0x9cf9, 0x47e2, 0xa421, 0xb277, 0xffc2, 0x2747, 0x6486, 0x94c1, 1230 0x1d99, 0xd49b, 0x1096, 0x991a, 0xe986, 0xae02, 0xe89b, 0xea36}, 1231 {0x1fb4, 0x98d8, 0x19b7, 0x80e9, 0xcdac, 0xaa5a, 0xf1e6, 0x0074, 1232 0xe393, 0xed8b, 0x8d5c, 0xe17d, 0x81b3, 0xc16d, 0x54d3, 0x9be3}}, 1233 /* example reaching delta=-127/2..129/2; 571 divsteps */ 1234 {{0xd047, 0x7e36, 0x3157, 0x7ab6, 0xb4d9, 0x8dae, 0x7534, 0x4f5d, 1235 0x489e, 0xa8ab, 0x8a3d, 0xd52c, 0x62af, 0xa032, 0xba9c, 0xbe56}, 1236 {0xb1f1, 0x737f, 0x5964, 0x5afb, 0x3712, 0x8ef9, 0x19f7, 0x9669, 1237 0x664d, 0x03ad, 0xc352, 0xf7a5, 0xf545, 0x1d19, 0x6ac7, 0xff6f}, 1238 {0xa834, 0x5256, 0x27bc, 0x33bd, 0xba11, 0x5a7b, 0x791e, 0xe6c0, 1239 0x9ac4, 0x9370, 0x1130, 0x28b4, 0x2b2e, 0x231b, 0x082a, 0x796e}}, 1240 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */ 1241 {{0x6ab1, 0x6ea0, 0x1a99, 0xe0c2, 0xdd45, 0x645d, 0x8dbc, 0x466a, 1242 0xfa64, 0x4289, 0xd3f7, 0xfc8f, 0x2894, 0xe3c5, 0xa008, 0xcc14}, 1243 {0xc75f, 0xc083, 0x4cc2, 0x64f2, 0x2aff, 0x4c12, 0x8461, 0xc4ae, 1244 0xbbfa, 0xb336, 0xe4b2, 0x3ac5, 0x2c22, 0xf56c, 0x5381, 0xe943}, 1245 {0xcd80, 0x760d, 0x4395, 0xb3a6, 0xd497, 0xf583, 0x82bd, 0x1daa, 1246 0xbe92, 0x2613, 0xfdfb, 0x869b, 0x0425, 0xa333, 0x7056, 0xc9c5}}, 1247 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */ 1248 {{0x71d4, 0x64df, 0xec4f, 0x74d8, 0x7e0c, 0x40d3, 0x7073, 0x4cc8, 1249 0x2a2a, 0xb1ff, 0x8518, 0x6513, 0xb0ea, 0x640a, 0x62d9, 0xd5f4}, 1250 {0xdc75, 0xd937, 0x3b13, 0x1d36, 0xdf83, 0xd034, 0x1c1c, 0x4332, 1251 0x4cc3, 0xeeec, 0x7d94, 0x6771, 0x3384, 0x74b0, 0x947d, 0xf2c4}, 1252 {0x0a82, 0x37a4, 0x12d5, 0xec97, 0x972c, 0xe6bf, 0xc348, 0xa0a9, 1253 0xc50c, 0xdc7c, 0xae30, 0x19d1, 0x0fca, 0x35e1, 0xd6f6, 0x81ee}}, 1254 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */ 1255 {{0xa6b1, 0xabc5, 0x5bbc, 0x7f65, 0xdd32, 0xaa73, 0xf5a3, 0x1982, 1256 0xced4, 0xe949, 0x0fd6, 0x2bc4, 0x2bd7, 0xe3c5, 0xa008, 0xcc14}, 1257 {0x4b5f, 0x8f96, 0xa375, 0xfbcf, 0x1c7d, 0xf1ec, 0x03f5, 0xb35d, 1258 0xb999, 0xdb1f, 0xc9a1, 0xb4c7, 0x1dd5, 0xf56c, 0x5381, 0xe943}, 1259 {0xaa3d, 0x38b9, 0xf17d, 0xeed9, 0x9988, 0x69ee, 0xeb88, 0x1495, 1260 0x203f, 0x18c8, 0x82b7, 0xdcb2, 0x34a7, 0x6b00, 0x6998, 0x589a}}, 1261 /* example doing 453 (f,g/2) steps; 514 divsteps */ 1262 {{0xa478, 0xe60d, 0x3244, 0x60e6, 0xada3, 0xfe50, 0xb6b1, 0x2eae, 1263 0xd0ef, 0xa7b1, 0xef63, 0x05c0, 0xe213, 0x443e, 0x4427, 0x2448}, 1264 {0x258f, 0xf9ef, 0xe02b, 0x92dd, 0xd7f3, 0x252b, 0xa503, 0x9089, 1265 0xedff, 0x96c1, 0xfe3a, 0x3a39, 0x198a, 0x981d, 0x0627, 0xedb7}, 1266 {0x595a, 0x45be, 0x8fb0, 0x2265, 0xc210, 0x02b8, 0xdce9, 0xe241, 1267 0xcab6, 0xbf0d, 0x0049, 0x8d9a, 0x2f51, 0xae54, 0x5785, 0xb411}}, 1268 /* example doing 453 (f,g/2) steps; 514 divsteps */ 1269 {{0x48f0, 0x7db3, 0xdafe, 0x1c92, 0x5912, 0xe11a, 0xab52, 0xede1, 1270 0x3182, 0x8980, 0x5d2b, 0x9b5b, 0x8718, 0xda27, 0x1683, 0x1de2}, 1271 {0x168f, 0x6f36, 0xce7a, 0xf435, 0x19d4, 0xda5e, 0x2351, 0x9af5, 1272 0xb003, 0x0ef5, 0x3b4c, 0xecec, 0xa9f0, 0x78e1, 0xdfef, 0xe823}, 1273 {0x5f55, 0xfdcc, 0xb233, 0x2914, 0x84f0, 0x97d1, 0x9cf4, 0x2159, 1274 0xbf56, 0xb79c, 0x17a3, 0x7cef, 0xd5de, 0x34f0, 0x5311, 0x4c54}}, 1275 /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */ 1276 {{0x2789, 0x2e04, 0x6e0e, 0xb6cd, 0xe4de, 0x4dbf, 0x228d, 0x7877, 1277 0xc335, 0x806b, 0x38cd, 0x8049, 0xa73b, 0xcfa2, 0x82f7, 0x9e19}, 1278 {0xc08d, 0xb99d, 0xb8f3, 0x663d, 0xbbb3, 0x1284, 0x1485, 0x1d49, 1279 0xc98f, 0x9e78, 0x1588, 0x11e3, 0xd91a, 0xa2c7, 0xfff1, 0xc7b9}, 1280 {0x1e1f, 0x411d, 0x7c49, 0x0d03, 0xe789, 0x2f8e, 0x5d55, 0xa95e, 1281 0x826e, 0x8de5, 0x52a0, 0x1abc, 0x4cd7, 0xd13a, 0x4395, 0x63e1}}, 1282 /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */ 1283 {{0xd5a1, 0xf786, 0x555c, 0xb14b, 0x44ae, 0x535f, 0x4a49, 0xffc3, 1284 0xf497, 0x70d1, 0x57c8, 0xa933, 0xc85a, 0x1910, 0x75bf, 0x960b}, 1285 {0xfe53, 0x5058, 0x496d, 0xfdff, 0x6fb8, 0x4100, 0x92bd, 0xe0c4, 1286 0xda89, 0xe0a4, 0x841b, 0x43d4, 0xa388, 0x957f, 0x99ca, 0x9abf}, 1287 {0xe530, 0x05bc, 0xfeec, 0xfc7e, 0xbcd3, 0x1239, 0x54cb, 0x7042, 1288 0xbccb, 0x139e, 0x9076, 0x0203, 0x6068, 0x90c7, 0x1ddf, 0x488d}}, 1289 /* example doing 228 (g,(g-f)/2) steps; 538 divsteps */ 1290 {{0x9488, 0xe54b, 0x0e43, 0x81d2, 0x06e7, 0x4b66, 0x36d0, 0x53d6, 1291 0x2b68, 0x22ec, 0x3fa9, 0xc1a7, 0x9ad2, 0xa596, 0xb3ac, 0xdf42}, 1292 {0xe31f, 0x0b28, 0x5f3b, 0xc1ff, 0x344c, 0xbf5f, 0xd2ec, 0x2936, 1293 0x9995, 0xdeb2, 0xae6c, 0x2852, 0xa2c6, 0xb306, 0x8120, 0xe305}, 1294 {0xa56e, 0xfb98, 0x1537, 0x4d85, 0x619e, 0x866c, 0x3cd4, 0x779a, 1295 0xdd66, 0xa80d, 0xdc2f, 0xcae4, 0xc74c, 0x5175, 0xa65d, 0x605e}}, 1296 /* example doing 228 (g,(g-f)/2) steps; 537 divsteps */ 1297 {{0x8cd5, 0x376d, 0xd01b, 0x7176, 0x19ef, 0xcf09, 0x8403, 0x5e52, 1298 0x83c1, 0x44de, 0xb91e, 0xb33d, 0xe15c, 0x51e7, 0xbad8, 0x6359}, 1299 {0x3b75, 0xf812, 0x5f9e, 0xa04e, 0x92d3, 0x226e, 0x540e, 0x7c9a, 1300 0x31c6, 0x46d2, 0x0b7b, 0xdb4a, 0xe662, 0x4950, 0x0265, 0xf76f}, 1301 {0x09ed, 0x692f, 0xe8f1, 0x3482, 0xab54, 0x36b4, 0x8442, 0x6ae9, 1302 0x4329, 0x6505, 0x183b, 0x1c1d, 0x482d, 0x7d63, 0xb44f, 0xcc09}}, 1303 1304 /* Test cases with the group order as modulus. */ 1305 1306 /* Test case with the group order as modulus, needing 635 divsteps. */ 1307 {{0x95ed, 0x6c01, 0xd113, 0x5ff1, 0xd7d0, 0x29cc, 0x5817, 0x6120, 1308 0xca8e, 0xaad1, 0x25ae, 0x8e84, 0x9af6, 0x30bf, 0xf0ed, 0x1686}, 1309 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, 1310 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1311 {0x1631, 0xbf4a, 0x286a, 0x2716, 0x469f, 0x2ac8, 0x1312, 0xe9bc, 1312 0x04f4, 0x304b, 0x9931, 0x113b, 0xd932, 0xc8f4, 0x0d0d, 0x01a1}}, 1313 /* example with group size as modulus needing 631 divsteps */ 1314 {{0x85ed, 0xc284, 0x9608, 0x3c56, 0x19b6, 0xbb5b, 0x2850, 0xdab7, 1315 0xa7f5, 0xe9ab, 0x06a4, 0x5bbb, 0x1135, 0xa186, 0xc424, 0xc68b}, 1316 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, 1317 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1318 {0x8479, 0x450a, 0x8fa3, 0xde05, 0xb2f5, 0x7793, 0x7269, 0xbabb, 1319 0xc3b3, 0xd49b, 0x3377, 0x03c6, 0xe694, 0xc760, 0xd3cb, 0x2811}}, 1320 /* example with group size as modulus needing 565 divsteps starting at delta=1/2 */ 1321 {{0x8432, 0x5ceb, 0xa847, 0x6f1e, 0x51dd, 0x535a, 0x6ddc, 0x70ce, 1322 0x6e70, 0xc1f6, 0x18f2, 0x2a7e, 0xc8e7, 0x39f8, 0x7e96, 0xebbf}, 1323 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, 1324 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1325 {0x257e, 0x449f, 0x689f, 0x89aa, 0x3989, 0xb661, 0x376c, 0x1e32, 1326 0x654c, 0xee2e, 0xf4e2, 0x33c8, 0x3f2f, 0x9716, 0x6046, 0xcaa3}}, 1327 /* Test case with the group size as modulus, needing 981 divsteps with 1328 broken eta handling. */ 1329 {{0xfeb9, 0xb877, 0xee41, 0x7fa3, 0x87da, 0x94c4, 0x9d04, 0xc5ae, 1330 0x5708, 0x0994, 0xfc79, 0x0916, 0xbf32, 0x3ad8, 0xe11c, 0x5ca2}, 1331 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, 1332 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1333 {0x0f12, 0x075e, 0xce1c, 0x6f92, 0xc80f, 0xca92, 0x9a04, 0x6126, 1334 0x4b6c, 0x57d6, 0xca31, 0x97f3, 0x1f99, 0xf4fd, 0xda4d, 0x42ce}}, 1335 /* Test case with the group size as modulus, input = 0. */ 1336 {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 1337 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}, 1338 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, 1339 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1340 {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 1341 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}}, 1342 /* Test case with the group size as modulus, input = 1. */ 1343 {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 1344 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}, 1345 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, 1346 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1347 {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 1348 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}}, 1349 /* Test case with the group size as modulus, input = 2. */ 1350 {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 1351 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}, 1352 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, 1353 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1354 {0x20a1, 0x681b, 0x2f46, 0xdfe9, 0x501d, 0x57a4, 0x6e73, 0x5d57, 1355 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}}, 1356 /* Test case with the group size as modulus, input = group - 1. */ 1357 {{0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, 1358 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1359 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, 1360 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1361 {0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, 1362 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}}, 1363 1364 /* Test cases with the field size as modulus. */ 1365 1366 /* Test case with the field size as modulus, needing 637 divsteps. */ 1367 {{0x9ec3, 0x1919, 0xca84, 0x7c11, 0xf996, 0x06f3, 0x5408, 0x6688, 1368 0x1320, 0xdb8a, 0x632a, 0x0dcb, 0x8a84, 0x6bee, 0x9c95, 0xe34e}, 1369 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 1370 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1371 {0x18e5, 0x19b6, 0xdf92, 0x1aaa, 0x09fb, 0x8a3f, 0x52b0, 0x8701, 1372 0xac0c, 0x2582, 0xda44, 0x9bcc, 0x6828, 0x1c53, 0xbd8f, 0xbd2c}}, 1373 /* example with field size as modulus needing 637 divsteps */ 1374 {{0xaec3, 0xa7cf, 0x2f2d, 0x0693, 0x5ad5, 0xa8ff, 0x7ec7, 0x30ff, 1375 0x0c8b, 0xc242, 0xcab2, 0x063a, 0xf86e, 0x6057, 0x9cbd, 0xf6d8}, 1376 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 1377 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1378 {0x0310, 0x579d, 0xcb38, 0x9030, 0x3ded, 0x9bb9, 0x1234, 0x63ce, 1379 0x0c63, 0x8e3d, 0xacfe, 0x3c20, 0xdc85, 0xf859, 0x919e, 0x1d45}}, 1380 /* example with field size as modulus needing 564 divsteps starting at delta=1/2 */ 1381 {{0x63ae, 0x8d10, 0x0071, 0xdb5c, 0xb454, 0x78d1, 0x744a, 0x5f8e, 1382 0xe4d8, 0x87b1, 0x8e62, 0x9590, 0xcede, 0xa070, 0x36b4, 0x7f6f}, 1383 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 1384 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1385 {0xfdc8, 0xe8d5, 0xbe15, 0x9f86, 0xa5fe, 0xf18e, 0xa7ff, 0xd291, 1386 0xf4c2, 0x9c87, 0xf150, 0x073e, 0x69b8, 0xf7c4, 0xee4b, 0xc7e6}}, 1387 /* Test case with the field size as modulus, needing 935 divsteps with 1388 broken eta handling. */ 1389 {{0x1b37, 0xbdc3, 0x8bcd, 0x25e3, 0x1eae, 0x567d, 0x30b6, 0xf0d8, 1390 0x9277, 0x0cf8, 0x9c2e, 0xecd7, 0x631d, 0xe38f, 0xd4f8, 0x5c93}, 1391 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 1392 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1393 {0x1622, 0xe05b, 0xe880, 0x7de9, 0x3e45, 0xb682, 0xee6c, 0x67ed, 1394 0xa179, 0x15db, 0x6b0d, 0xa656, 0x7ccb, 0x8ef7, 0xa2ff, 0xe279}}, 1395 /* Test case with the field size as modulus, input = 0. */ 1396 {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 1397 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}, 1398 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 1399 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1400 {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 1401 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}}, 1402 /* Test case with the field size as modulus, input = 1. */ 1403 {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 1404 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}, 1405 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 1406 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1407 {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 1408 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}}, 1409 /* Test case with the field size as modulus, input = 2. */ 1410 {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 1411 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}, 1412 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 1413 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1414 {0xfe18, 0x7fff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 1415 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}}, 1416 /* Test case with the field size as modulus, input = field - 1. */ 1417 {{0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 1418 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1419 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 1420 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1421 {0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 1422 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}}, 1423 1424 /* Selected from a large number of random inputs to reach small/large 1425 * d/e values in various configurations. */ 1426 {{0x3a08, 0x23e1, 0x4d8c, 0xe606, 0x3263, 0x67af, 0x9bf1, 0x9d70, 1427 0xf5fd, 0x12e4, 0x03c8, 0xb9ca, 0xe847, 0x8c5d, 0x6322, 0xbd30}, 1428 {0x8359, 0x59dd, 0x1831, 0x7c1a, 0x1e83, 0xaee1, 0x770d, 0xcea8, 1429 0xfbb1, 0xeed6, 0x10b5, 0xe2c6, 0x36ea, 0xee17, 0xe32c, 0xffff}, 1430 {0x1727, 0x0f36, 0x6f85, 0x5d0c, 0xca6c, 0x3072, 0x9628, 0x5842, 1431 0xcb44, 0x7c2b, 0xca4f, 0x62e5, 0x29b1, 0x6ffd, 0x9055, 0xc196}}, 1432 {{0x905d, 0x41c8, 0xa2ff, 0x295b, 0x72bb, 0x4679, 0x6d01, 0x2c98, 1433 0xb3e0, 0xc537, 0xa310, 0xe07e, 0xe72f, 0x4999, 0x1148, 0xf65e}, 1434 {0x5b41, 0x4239, 0x3c37, 0x5130, 0x30e3, 0xff35, 0xc51f, 0x1a43, 1435 0xdb23, 0x13cf, 0x9f49, 0xf70c, 0x5e70, 0xd411, 0x3005, 0xf8c6}, 1436 {0xc30e, 0x68f0, 0x201a, 0xe10c, 0x864a, 0x6243, 0xe946, 0x43ae, 1437 0xf3f1, 0x52dc, 0x1f7f, 0x50d4, 0x2797, 0x064c, 0x5ca4, 0x90e3}}, 1438 {{0xf1b5, 0xc6e5, 0xd2c4, 0xff95, 0x27c5, 0x0c92, 0x5d19, 0x7ae5, 1439 0x4fbe, 0x5438, 0x99e1, 0x880d, 0xd892, 0xa05c, 0x6ffd, 0x7eac}, 1440 {0x2153, 0xcc9d, 0xfc6c, 0x8358, 0x49a1, 0x01e2, 0xcef0, 0x4969, 1441 0xd69a, 0x8cef, 0xf5b2, 0xfd95, 0xdcc2, 0x71f4, 0x6ae2, 0xceeb}, 1442 {0x9b2e, 0xcdc6, 0x0a5c, 0x7317, 0x9084, 0xe228, 0x56cf, 0xd512, 1443 0x628a, 0xce21, 0x3473, 0x4e13, 0x8823, 0x1ed0, 0x34d0, 0xbfa3}}, 1444 {{0x5bae, 0x53e5, 0x5f4d, 0x21ca, 0xb875, 0x8ecf, 0x9aa6, 0xbe3c, 1445 0x9f96, 0x7b82, 0x375d, 0x4d3e, 0x491c, 0xb1eb, 0x04c9, 0xb6c8}, 1446 {0xfcfd, 0x10b7, 0x73b2, 0xd23b, 0xa357, 0x67da, 0x0d9f, 0x8702, 1447 0xa037, 0xff8e, 0x0e8b, 0x1801, 0x2c5c, 0x4e6e, 0x4558, 0xfff2}, 1448 {0xc50f, 0x5654, 0x6713, 0x5ef5, 0xa7ce, 0xa647, 0xc832, 0x69ce, 1449 0x1d5c, 0x4310, 0x0746, 0x5a01, 0x96ea, 0xde4b, 0xa88b, 0x5543}}, 1450 {{0xdc7f, 0x5e8c, 0x89d1, 0xb077, 0xd521, 0xcf90, 0x32fa, 0x5737, 1451 0x839e, 0x1464, 0x007c, 0x09c6, 0x9371, 0xe8ea, 0xc1cb, 0x75c4}, 1452 {0xe3a3, 0x107f, 0xa82a, 0xa375, 0x4578, 0x60f4, 0x75c9, 0x5ee4, 1453 0x3fd7, 0x2736, 0x2871, 0xd3d2, 0x5f1d, 0x1abb, 0xa764, 0xffff}, 1454 {0x45c6, 0x1f2e, 0xb14c, 0x84d7, 0x7bb7, 0x5a04, 0x0504, 0x3f33, 1455 0x5cc1, 0xb07a, 0x6a6c, 0x786f, 0x647f, 0xe1d7, 0x78a2, 0x4cf4}}, 1456 {{0xc006, 0x356f, 0x8cd2, 0x967b, 0xb49e, 0x2d4e, 0x14bf, 0x4bcb, 1457 0xddab, 0xd3f9, 0xa068, 0x2c1c, 0xd242, 0xa56d, 0xf2c7, 0x5f97}, 1458 {0x465b, 0xb745, 0x0e0d, 0x69a9, 0x987d, 0xcb37, 0xf637, 0xb311, 1459 0xc4d6, 0x2ddb, 0xf68f, 0x2af9, 0x959d, 0x3f53, 0x98f2, 0xf640}, 1460 {0xc0f2, 0x6bfb, 0xf5c3, 0x91c1, 0x6b05, 0x0825, 0x5ca0, 0x7df7, 1461 0x9d55, 0x6d9e, 0xfe94, 0x2ad9, 0xd9f0, 0xe68b, 0xa72b, 0xd1b2}}, 1462 {{0x2279, 0x61ba, 0x5bc6, 0x136b, 0xf544, 0x717c, 0xafda, 0x02bd, 1463 0x79af, 0x1fad, 0xea09, 0x81bb, 0x932b, 0x32c9, 0xdf1d, 0xe576}, 1464 {0x8215, 0x7817, 0xca82, 0x43b0, 0x9b06, 0xea65, 0x1291, 0x0621, 1465 0x0089, 0x46fe, 0xc5a6, 0xddd7, 0x8065, 0xc6a0, 0x214b, 0xfc64}, 1466 {0x04bf, 0x6f2a, 0x86b2, 0x841a, 0x4a95, 0xc632, 0x97b7, 0x5821, 1467 0x2b18, 0x1bb0, 0x3e97, 0x935e, 0xcc7d, 0x066b, 0xd513, 0xc251}}, 1468 {{0x76e8, 0x5bc2, 0x3eaa, 0x04fc, 0x9974, 0x92c1, 0x7c15, 0xfa89, 1469 0x1151, 0x36ee, 0x48b2, 0x049c, 0x5f16, 0xcee4, 0x925b, 0xe98e}, 1470 {0x913f, 0x0a2d, 0xa185, 0x9fea, 0xda5a, 0x4025, 0x40d7, 0x7cfa, 1471 0x88ca, 0xbbe8, 0xb265, 0xb7e4, 0x6cb1, 0xed64, 0xc6f9, 0xffb5}, 1472 {0x6ab1, 0x1a86, 0x5009, 0x152b, 0x1cc4, 0xe2c8, 0x960b, 0x19d0, 1473 0x3554, 0xc562, 0xd013, 0xcf91, 0x10e1, 0x7933, 0xe195, 0xcf49}}, 1474 {{0x9cb5, 0xd2d7, 0xc6ed, 0xa818, 0xb495, 0x06ee, 0x0f4a, 0x06e3, 1475 0x4c5a, 0x80ce, 0xd49a, 0x4cd7, 0x7487, 0x92af, 0xe516, 0x676c}, 1476 {0xd6e9, 0x6b85, 0x619a, 0xb52c, 0x20a0, 0x2f79, 0x3545, 0x1edd, 1477 0x5a6f, 0x8082, 0x9b80, 0xf8f8, 0xc78a, 0xd0a3, 0xadf4, 0xffff}, 1478 {0x01c2, 0x2118, 0xef5e, 0xa877, 0x046a, 0xd2c2, 0x2ad5, 0x951c, 1479 0x8900, 0xa5c9, 0x8d0f, 0x6b61, 0x55d3, 0xd572, 0x48de, 0x9219}}, 1480 {{0x5114, 0x0644, 0x23dd, 0x01d3, 0xc101, 0xa659, 0xea17, 0x640f, 1481 0xf767, 0x2644, 0x9cec, 0xd8ba, 0xd6da, 0x9156, 0x8aeb, 0x875a}, 1482 {0xc1bf, 0xdae9, 0xe96b, 0xce77, 0xf7a1, 0x3e99, 0x5c2e, 0x973b, 1483 0xd048, 0x5bd0, 0x4e8a, 0xcb85, 0xce39, 0x37f5, 0x815d, 0xffff}, 1484 {0x48cc, 0x35b6, 0x26d4, 0x2ea6, 0x50d6, 0xa2f9, 0x64b6, 0x03bf, 1485 0xd00c, 0xe057, 0x3343, 0xfb79, 0x3ce5, 0xf717, 0xc5af, 0xe185}}, 1486 {{0x13ff, 0x6c76, 0x2077, 0x16e0, 0xd5ca, 0xf2ad, 0x8dba, 0x8f49, 1487 0x7887, 0x16f9, 0xb646, 0xfc87, 0xfa31, 0x5096, 0xf08c, 0x3fbe}, 1488 {0x8139, 0x6fd7, 0xf6df, 0xa7bf, 0x6699, 0x5361, 0x6f65, 0x13c8, 1489 0xf4d1, 0xe28f, 0xc545, 0x0a8c, 0x5274, 0xb0a6, 0xffff, 0xffff}, 1490 {0x22ca, 0x0cd6, 0xc1b5, 0xb064, 0x44a7, 0x297b, 0x495f, 0x34ac, 1491 0xfa95, 0xec62, 0xf08d, 0x621c, 0x66a6, 0xba94, 0x84c6, 0x8ee0}}, 1492 {{0xaa30, 0x312e, 0x439c, 0x4e88, 0x2e2f, 0x32dc, 0xb880, 0xa28e, 1493 0xf795, 0xc910, 0xb406, 0x8dd7, 0xb187, 0xa5a5, 0x38f1, 0xe49e}, 1494 {0xfb19, 0xf64a, 0xba6a, 0x8ec2, 0x7255, 0xce89, 0x2cf9, 0x9cba, 1495 0xe1fe, 0x50da, 0x1705, 0xac52, 0xe3d4, 0x4269, 0x0648, 0xfd77}, 1496 {0xb4c8, 0x6e8a, 0x2b5f, 0x4c2d, 0x5a67, 0xa7bb, 0x7d6d, 0x5569, 1497 0xa0ea, 0x244a, 0xc0f2, 0xf73d, 0x58cf, 0xac7f, 0xd32b, 0x3018}}, 1498 {{0xc953, 0x1ae1, 0xae46, 0x8709, 0x19c2, 0xa986, 0x9abe, 0x1611, 1499 0x0395, 0xd5ab, 0xf0f6, 0xb5b0, 0x5b2b, 0x0317, 0x80ba, 0x376d}, 1500 {0xfe77, 0xbc03, 0xac2f, 0x9d00, 0xa175, 0x293d, 0x3b56, 0x0e3a, 1501 0x0a9c, 0xf40c, 0x690e, 0x1508, 0x95d4, 0xddc4, 0xe805, 0xffff}, 1502 {0xb1ce, 0x0929, 0xa5fe, 0x4b50, 0x9d5d, 0x8187, 0x2557, 0x4376, 1503 0x11ba, 0xdcef, 0xc1f3, 0xd531, 0x1824, 0x93f6, 0xd81f, 0x8f83}}, 1504 {{0xb8d2, 0xb900, 0x4a0c, 0x7188, 0xa5bf, 0x1b0b, 0x2ae5, 0xa35b, 1505 0x98e0, 0x610c, 0x86db, 0x2487, 0xa267, 0x002c, 0xebb6, 0xc5f4}, 1506 {0x9cdd, 0x1c1b, 0x2f06, 0x43d1, 0xce47, 0xc334, 0x6e60, 0xc016, 1507 0x989e, 0x0ab2, 0x0cac, 0x1196, 0xe2d9, 0x2e04, 0xc62b, 0xffff}, 1508 {0xdc36, 0x1f05, 0x6aa9, 0x7a20, 0x944f, 0x2fd3, 0xa553, 0xdb4f, 1509 0xbd5c, 0x3a75, 0x25d4, 0xe20e, 0xa387, 0x1410, 0xdbb1, 0x1b60}}, 1510 {{0x76b3, 0x2207, 0x4930, 0x5dd7, 0x65a0, 0xd55c, 0xb443, 0x53b7, 1511 0x5c22, 0x818a, 0xb2e7, 0x9de8, 0x9985, 0xed45, 0x33b1, 0x53e8}, 1512 {0x7913, 0x44e1, 0xf15b, 0x5edd, 0x34f3, 0x4eba, 0x0758, 0x7104, 1513 0x32d9, 0x28f3, 0x4401, 0x85c5, 0xb695, 0xb899, 0xc0f2, 0xffff}, 1514 {0x7f43, 0xd202, 0x24c9, 0x69f3, 0x74dc, 0x1a69, 0xeaee, 0x5405, 1515 0x1755, 0x4bb8, 0x04e3, 0x2fd2, 0xada8, 0x39eb, 0x5b4d, 0x96ca}}, 1516 {{0x807b, 0x7112, 0xc088, 0xdafd, 0x02fa, 0x9d95, 0x5e42, 0xc033, 1517 0xde0a, 0xeecf, 0x8e90, 0x8da1, 0xb17e, 0x9a5b, 0x4c6d, 0x1914}, 1518 {0x4871, 0xd1cb, 0x47d7, 0x327f, 0x09ec, 0x97bb, 0x2fae, 0xd346, 1519 0x6b78, 0x3707, 0xfeb2, 0xa6ab, 0x13df, 0x76b0, 0x8fb9, 0xffb3}, 1520 {0x179e, 0xb63b, 0x4784, 0x231e, 0x9f42, 0x7f1a, 0xa3fb, 0xdd8c, 1521 0xd1eb, 0xb4c9, 0x8ca7, 0x018c, 0xf691, 0x576c, 0xa7d6, 0xce27}}, 1522 {{0x5f45, 0x7c64, 0x083d, 0xedd5, 0x08a0, 0x0c64, 0x6c6f, 0xec3c, 1523 0xe2fb, 0x352c, 0x9303, 0x75e4, 0xb4e0, 0x8b09, 0xaca4, 0x7025}, 1524 {0x1025, 0xb482, 0xfed5, 0xa678, 0x8966, 0x9359, 0x5329, 0x98bb, 1525 0x85b2, 0x73ba, 0x9982, 0x6fdc, 0xf190, 0xbe8c, 0xdc5c, 0xfd93}, 1526 {0x83a2, 0x87a4, 0xa680, 0x52a1, 0x1ba1, 0x8848, 0x5db7, 0x9744, 1527 0x409c, 0x0745, 0x0e1e, 0x1cfc, 0x00cd, 0xf573, 0x2071, 0xccaa}}, 1528 {{0xf61f, 0x63d4, 0x536c, 0x9eb9, 0x5ddd, 0xbb11, 0x9014, 0xe904, 1529 0xfe01, 0x6b45, 0x1858, 0xcb5b, 0x4c38, 0x43e1, 0x381d, 0x7f94}, 1530 {0xf61f, 0x63d4, 0xd810, 0x7ca3, 0x8a04, 0x4b83, 0x11fc, 0xdf94, 1531 0x4169, 0xbd05, 0x608e, 0x7151, 0x4fbf, 0xb31a, 0x38a7, 0xa29b}, 1532 {0xe621, 0xdfa5, 0x3d06, 0x1d03, 0x81e6, 0x00da, 0x53a6, 0x965e, 1533 0x93e5, 0x2164, 0x5b61, 0x59b8, 0xa629, 0x8d73, 0x699a, 0x6111}}, 1534 {{0x4cc3, 0xd29e, 0xf4a3, 0x3428, 0x2048, 0xeec9, 0x5f50, 0x99a4, 1535 0x6de9, 0x05f2, 0x5aa9, 0x5fd2, 0x98b4, 0x1adc, 0x225f, 0x777f}, 1536 {0xe649, 0x37da, 0x5ba6, 0x5765, 0x3f4a, 0x8a1c, 0x2e79, 0xf550, 1537 0x1a54, 0xcd1e, 0x7218, 0x3c3c, 0x6311, 0xfe28, 0x95fb, 0xed97}, 1538 {0xe9b6, 0x0c47, 0x3f0e, 0x849b, 0x11f8, 0xe599, 0x5e4d, 0xd618, 1539 0xa06d, 0x33a0, 0x9a3e, 0x44db, 0xded8, 0x10f0, 0x94d2, 0x81fb}}, 1540 {{0x2e59, 0x7025, 0xd413, 0x455a, 0x1ce3, 0xbd45, 0x7263, 0x27f7, 1541 0x23e3, 0x518e, 0xbe06, 0xc8c4, 0xe332, 0x4276, 0x68b4, 0xb166}, 1542 {0x596f, 0x0cf6, 0xc8ec, 0x787b, 0x04c1, 0x473c, 0xd2b8, 0x8d54, 1543 0x9cdf, 0x77f2, 0xd3f3, 0x6735, 0x0638, 0xf80e, 0x9467, 0xc6aa}, 1544 {0xc7e7, 0x1822, 0xb62a, 0xec0d, 0x89cd, 0x7846, 0xbfa2, 0x35d5, 1545 0xfa38, 0x870f, 0x494b, 0x1697, 0x8b17, 0xf904, 0x10b6, 0x9822}}, 1546 {{0x6d5b, 0x1d4f, 0x0aaf, 0x807b, 0x35fb, 0x7ee8, 0x00c6, 0x059a, 1547 0xddf0, 0x1fb1, 0xc38a, 0xd78e, 0x2aa4, 0x79e7, 0xad28, 0xc3f1}, 1548 {0xe3bb, 0x174e, 0xe0a8, 0x74b6, 0xbd5b, 0x35f6, 0x6d23, 0x6328, 1549 0xc11f, 0x83e1, 0xf928, 0xa918, 0x838e, 0xbf43, 0xe243, 0xfffb}, 1550 {0x9cf2, 0x6b8b, 0x3476, 0x9d06, 0xdcf2, 0xdb8a, 0x89cd, 0x4857, 1551 0x75c2, 0xabb8, 0x490b, 0xc9bd, 0x890e, 0xe36e, 0xd552, 0xfffa}}, 1552 {{0x2f09, 0x9d62, 0xa9fc, 0xf090, 0xd6d1, 0x9d1d, 0x1828, 0xe413, 1553 0xc92b, 0x3d5a, 0x1373, 0x368c, 0xbaf2, 0x2158, 0x71eb, 0x08a3}, 1554 {0x2f09, 0x1d62, 0x4630, 0x0de1, 0x06dc, 0xf7f1, 0xc161, 0x1e92, 1555 0x7495, 0x97e4, 0x94b6, 0xa39e, 0x4f1b, 0x18f8, 0x7bd4, 0x0c4c}, 1556 {0xeb3d, 0x723d, 0x0907, 0x525b, 0x463a, 0x49a8, 0xc6b8, 0xce7f, 1557 0x740c, 0x0d7d, 0xa83b, 0x457f, 0xae8e, 0xc6af, 0xd331, 0x0475}}, 1558 {{0x6abd, 0xc7af, 0x3e4e, 0x95fd, 0x8fc4, 0xee25, 0x1f9c, 0x0afe, 1559 0x291d, 0xcde0, 0x48f4, 0xb2e8, 0xf7af, 0x8f8d, 0x0bd6, 0x078d}, 1560 {0x4037, 0xbf0e, 0x2081, 0xf363, 0x13b2, 0x381e, 0xfb6e, 0x818e, 1561 0x27e4, 0x5662, 0x18b0, 0x0cd2, 0x81f5, 0x9415, 0x0d6c, 0xf9fb}, 1562 {0xd205, 0x0981, 0x0498, 0x1f08, 0xdb93, 0x1732, 0x0579, 0x1424, 1563 0xad95, 0x642f, 0x050c, 0x1d6d, 0xfc95, 0xfc4a, 0xd41b, 0x3521}}, 1564 {{0xf23a, 0x4633, 0xaef4, 0x1a92, 0x3c8b, 0x1f09, 0x30f3, 0x4c56, 1565 0x2a2f, 0x4f62, 0xf5e4, 0x8329, 0x63cc, 0xb593, 0xec6a, 0xc428}, 1566 {0x93a7, 0xfcf6, 0x606d, 0xd4b2, 0x2aad, 0x28b4, 0xc65b, 0x8998, 1567 0x4e08, 0xd178, 0x0900, 0xc82b, 0x7470, 0xa342, 0x7c0f, 0xffff}, 1568 {0x315f, 0xf304, 0xeb7b, 0xe5c3, 0x1451, 0x6311, 0x8f37, 0x93a8, 1569 0x4a38, 0xa6c6, 0xe393, 0x1087, 0x6301, 0xd673, 0x4ec4, 0xffff}}, 1570 {{0x892e, 0xeed0, 0x1165, 0xcbc1, 0x5545, 0xa280, 0x7243, 0x10c9, 1571 0x9536, 0x36af, 0xb3fc, 0x2d7c, 0xe8a5, 0x09d6, 0xe1d4, 0xe85d}, 1572 {0xae09, 0xc28a, 0xd777, 0xbd80, 0x23d6, 0xf980, 0xeb7c, 0x4e0e, 1573 0xf7dc, 0x6475, 0xf10a, 0x2d33, 0x5dfd, 0x797a, 0x7f1c, 0xf71a}, 1574 {0x4064, 0x8717, 0xd091, 0x80b0, 0x4527, 0x8442, 0xac8b, 0x9614, 1575 0xc633, 0x35f5, 0x7714, 0x2e83, 0x4aaa, 0xd2e4, 0x1acd, 0x0562}}, 1576 {{0xdb64, 0x0937, 0x308b, 0x53b0, 0x00e8, 0xc77f, 0x2f30, 0x37f7, 1577 0x79ce, 0xeb7f, 0xde81, 0x9286, 0xafda, 0x0e62, 0xae00, 0x0067}, 1578 {0x2cc7, 0xd362, 0xb161, 0x0557, 0x4ff2, 0xb9c8, 0x06fe, 0x5f2b, 1579 0xde33, 0x0190, 0x28c6, 0xb886, 0xee2b, 0x5a4e, 0x3289, 0x0185}, 1580 {0x4215, 0x923e, 0xf34f, 0xb362, 0x88f8, 0xceec, 0xafdd, 0x7f42, 1581 0x0c57, 0x56b2, 0xa366, 0x6a08, 0x0826, 0xfb8f, 0x1b03, 0x0163}}, 1582 {{0xa4ba, 0x8408, 0x810a, 0xdeba, 0x47a3, 0x853a, 0xeb64, 0x2f74, 1583 0x3039, 0x038c, 0x7fbb, 0x498e, 0xd1e9, 0x46fb, 0x5691, 0x32a4}, 1584 {0xd749, 0xb49d, 0x20b7, 0x2af6, 0xd34a, 0xd2da, 0x0a10, 0xf781, 1585 0x58c9, 0x171f, 0x3cb6, 0x6337, 0x88cd, 0xcf1e, 0xb246, 0x7351}, 1586 {0xf729, 0xcf0a, 0x96ea, 0x032c, 0x4a8f, 0x42fe, 0xbac8, 0xec65, 1587 0x1510, 0x0d75, 0x4c17, 0x8d29, 0xa03f, 0x8b7e, 0x2c49, 0x0000}}, 1588 {{0x0fa4, 0x8e1c, 0x3788, 0xba3c, 0x8d52, 0xd89d, 0x12c8, 0xeced, 1589 0x9fe6, 0x9b88, 0xecf3, 0xe3c8, 0xac48, 0x76ed, 0xf23e, 0xda79}, 1590 {0x1103, 0x227c, 0x5b00, 0x3fcf, 0xc5d0, 0x2d28, 0x8020, 0x4d1c, 1591 0xc6b9, 0x67f9, 0x6f39, 0x989a, 0xda53, 0x3847, 0xd416, 0xe0d0}, 1592 {0xdd8e, 0xcf31, 0x3710, 0x7e44, 0xa511, 0x933c, 0x0cc3, 0x5145, 1593 0xf632, 0x5e1d, 0x038f, 0x5ce7, 0x7265, 0xda9d, 0xded6, 0x08f8}}, 1594 {{0xe2c8, 0x91d5, 0xa5f5, 0x735f, 0x6b58, 0x56dc, 0xb39d, 0x5c4a, 1595 0x57d0, 0xa1c2, 0xd92f, 0x9ad4, 0xf7c4, 0x51dd, 0xaf5c, 0x0096}, 1596 {0x1739, 0x7207, 0x7505, 0xbf35, 0x42de, 0x0a29, 0xa962, 0xdedf, 1597 0x53e8, 0x12bf, 0xcde7, 0xd8e2, 0x8d4d, 0x2c4b, 0xb1b1, 0x0628}, 1598 {0x992d, 0xe3a7, 0xb422, 0xc198, 0x23ab, 0xa6ef, 0xb45d, 0x50da, 1599 0xa738, 0x014a, 0x2310, 0x85fb, 0x5fe8, 0x1b18, 0x1774, 0x03a7}}, 1600 {{0x1f16, 0x2b09, 0x0236, 0xee90, 0xccf9, 0x9775, 0x8130, 0x4c91, 1601 0x9091, 0x310b, 0x6dc4, 0x86f6, 0xc2e8, 0xef60, 0xfc0e, 0xf3a4}, 1602 {0x9f49, 0xac15, 0x02af, 0x110f, 0xc59d, 0x5677, 0xa1a9, 0x38d5, 1603 0x914f, 0xa909, 0x3a3a, 0x4a39, 0x3703, 0xea30, 0x73da, 0xffad}, 1604 {0x15ed, 0xdd16, 0x83c7, 0x270a, 0x862f, 0xd8ad, 0xcaa1, 0x5f41, 1605 0x99a9, 0x3fc8, 0x7bb2, 0x360a, 0xb06d, 0xfadc, 0x1b36, 0xffa8}}, 1606 {{0xc4e0, 0xb8fd, 0x5106, 0xe169, 0x754c, 0xa58c, 0xc413, 0x8224, 1607 0x5483, 0x63ec, 0xd477, 0x8473, 0x4778, 0x9281, 0x0000, 0x0000}, 1608 {0x85e1, 0xff54, 0xb200, 0xe413, 0xf4f4, 0x4c0f, 0xfcec, 0xc183, 1609 0x60d3, 0x1b0c, 0x3834, 0x601c, 0x943c, 0xbe6e, 0x0002, 0x0000}, 1610 {0xf4f8, 0xfd5e, 0x61ef, 0xece8, 0x9199, 0xe5c4, 0x05a6, 0xe6c3, 1611 0xc4ae, 0x8b28, 0x66b1, 0x8a95, 0x9ece, 0x8f4a, 0x0001, 0x0000}}, 1612 {{0xeae9, 0xa1b4, 0xc6d8, 0x2411, 0x2b5a, 0x1dd0, 0x2dc9, 0xb57b, 1613 0x5ccd, 0x4957, 0xaf59, 0xa04b, 0x5f42, 0xab7c, 0x2826, 0x526f}, 1614 {0xf407, 0x165a, 0xb724, 0x2f12, 0x2ea1, 0x470b, 0x4464, 0xbd35, 1615 0x606f, 0xd73e, 0x50d3, 0x8a7f, 0x8029, 0x7ffc, 0xbe31, 0x6cfb}, 1616 {0x8171, 0x1f4c, 0xced2, 0x9c99, 0x6d7e, 0x5a0f, 0xfefb, 0x59e3, 1617 0xa0c8, 0xabd9, 0xc4c5, 0x57d3, 0xbfa3, 0x4f11, 0x96a2, 0x5a7d}}, 1618 {{0xe068, 0x4cc0, 0x8bcd, 0xc903, 0x9e52, 0xb3e1, 0xd745, 0x0995, 1619 0xdd8f, 0xf14b, 0xd2ac, 0xd65a, 0xda1d, 0xa742, 0xbac5, 0x474c}, 1620 {0x7481, 0xf2ad, 0x9757, 0x2d82, 0xb683, 0xb16b, 0x0002, 0x7b60, 1621 0x8f0c, 0x2594, 0x8f64, 0x3b7a, 0x3552, 0x8d9d, 0xb9d7, 0x67eb}, 1622 {0xcaab, 0xb9a1, 0xf966, 0xe311, 0x5b34, 0x0fa0, 0x6abc, 0x8134, 1623 0xab3d, 0x90f6, 0x1984, 0x9232, 0xec17, 0x74e5, 0x2ceb, 0x434e}}, 1624 {{0x0fb1, 0x7a55, 0x1a5c, 0x53eb, 0xd7b3, 0x7a01, 0xca32, 0x31f6, 1625 0x3b74, 0x679e, 0x1501, 0x6c57, 0xdb20, 0x8b7c, 0xd7d0, 0x8097}, 1626 {0xb127, 0xb20c, 0xe3a2, 0x96f3, 0xe0d8, 0xd50c, 0x14b4, 0x0b40, 1627 0x6eeb, 0xa258, 0x99db, 0x3c8c, 0x0f51, 0x4198, 0x3887, 0xffd0}, 1628 {0x0273, 0x9f8c, 0x9669, 0xbbba, 0x1c49, 0x767c, 0xc2af, 0x59f0, 1629 0x1366, 0xd397, 0x63ac, 0x6fe8, 0x1a9a, 0x1259, 0x01d0, 0x0016}}, 1630 {{0x7876, 0x2a35, 0xa24a, 0x433e, 0x5501, 0x573c, 0xd76d, 0xcb82, 1631 0x1334, 0xb4a6, 0xf290, 0xc797, 0xeae9, 0x2b83, 0x1e2b, 0x8b14}, 1632 {0x3885, 0x8aef, 0x9dea, 0x2b8c, 0xdd7c, 0xd7cd, 0xb0cc, 0x05ee, 1633 0x361b, 0x3800, 0xb0d4, 0x4c23, 0xbd3f, 0x5180, 0x9783, 0xff80}, 1634 {0xab36, 0x3104, 0xdae8, 0x0704, 0x4a28, 0x6714, 0x824b, 0x0051, 1635 0x8134, 0x1f6a, 0x712d, 0x1f03, 0x03b2, 0xecac, 0x377d, 0xfef9}} 1636 }; 1637 1638 int i, j, ok; 1639 1640 /* Test known inputs/outputs */ 1641 for (i = 0; (size_t)i < sizeof(CASES) / sizeof(CASES[0]); ++i) { 1642 uint16_t out[16]; 1643 test_modinv32_uint16(out, CASES[i][0], CASES[i][1]); 1644 for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]); 1645 #ifdef SECP256K1_WIDEMUL_INT128 1646 test_modinv64_uint16(out, CASES[i][0], CASES[i][1]); 1647 for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]); 1648 #endif 1649 } 1650 1651 for (i = 0; i < 100 * COUNT; ++i) { 1652 /* 256-bit numbers in 16-uint16_t's notation */ 1653 static const uint16_t ZERO[16] = {0}; 1654 uint16_t xd[16]; /* the number (in range [0,2^256)) to be inverted */ 1655 uint16_t md[16]; /* the modulus (odd, in range [3,2^256)) */ 1656 uint16_t id[16]; /* the inverse of xd mod md */ 1657 1658 /* generate random xd and md, so that md is odd, md>1, xd<md, and gcd(xd,md)=1 */ 1659 do { 1660 /* generate random xd and md (with many subsequent 0s and 1s) */ 1661 testrand256_test((unsigned char*)xd); 1662 testrand256_test((unsigned char*)md); 1663 md[0] |= 1; /* modulus must be odd */ 1664 /* If modulus is 1, find another one. */ 1665 ok = md[0] != 1; 1666 for (j = 1; j < 16; ++j) ok |= md[j] != 0; 1667 mulmod256(xd, xd, NULL, md); /* Make xd = xd mod md */ 1668 } while (!(ok && coprime(xd, md))); 1669 1670 test_modinv32_uint16(id, xd, md); 1671 #ifdef SECP256K1_WIDEMUL_INT128 1672 test_modinv64_uint16(id, xd, md); 1673 #endif 1674 1675 /* In a few cases, also test with input=0 */ 1676 if (i < COUNT) { 1677 test_modinv32_uint16(id, ZERO, md); 1678 #ifdef SECP256K1_WIDEMUL_INT128 1679 test_modinv64_uint16(id, ZERO, md); 1680 #endif 1681 } 1682 } 1683 } 1684 1685 /***** INT128 TESTS *****/ 1686 1687 #ifdef SECP256K1_WIDEMUL_INT128 1688 /* Add two 256-bit numbers (represented as 16 uint16_t's in LE order) together mod 2^256. */ 1689 static void add256(uint16_t* out, const uint16_t* a, const uint16_t* b) { 1690 int i; 1691 uint32_t carry = 0; 1692 for (i = 0; i < 16; ++i) { 1693 carry += a[i]; 1694 carry += b[i]; 1695 out[i] = carry; 1696 carry >>= 16; 1697 } 1698 } 1699 1700 /* Negate a 256-bit number (represented as 16 uint16_t's in LE order) mod 2^256. */ 1701 static void neg256(uint16_t* out, const uint16_t* a) { 1702 int i; 1703 uint32_t carry = 1; 1704 for (i = 0; i < 16; ++i) { 1705 carry += (uint16_t)~a[i]; 1706 out[i] = carry; 1707 carry >>= 16; 1708 } 1709 } 1710 1711 /* Right-shift a 256-bit number (represented as 16 uint16_t's in LE order). */ 1712 static void rshift256(uint16_t* out, const uint16_t* a, int n, int sign_extend) { 1713 uint16_t sign = sign_extend && (a[15] >> 15); 1714 int i, j; 1715 for (i = 15; i >= 0; --i) { 1716 uint16_t v = 0; 1717 for (j = 0; j < 16; ++j) { 1718 int frompos = i*16 + j + n; 1719 if (frompos >= 256) { 1720 v |= sign << j; 1721 } else { 1722 v |= ((uint16_t)((a[frompos >> 4] >> (frompos & 15)) & 1)) << j; 1723 } 1724 } 1725 out[i] = v; 1726 } 1727 } 1728 1729 /* Load a 64-bit unsigned integer into an array of 16 uint16_t's in LE order representing a 256-bit value. */ 1730 static void load256u64(uint16_t* out, uint64_t v, int is_signed) { 1731 int i; 1732 uint64_t sign = is_signed && (v >> 63) ? UINT64_MAX : 0; 1733 for (i = 0; i < 4; ++i) { 1734 out[i] = v >> (16 * i); 1735 } 1736 for (i = 4; i < 16; ++i) { 1737 out[i] = sign; 1738 } 1739 } 1740 1741 /* Load a 128-bit unsigned integer into an array of 16 uint16_t's in LE order representing a 256-bit value. */ 1742 static void load256two64(uint16_t* out, uint64_t hi, uint64_t lo, int is_signed) { 1743 int i; 1744 uint64_t sign = is_signed && (hi >> 63) ? UINT64_MAX : 0; 1745 for (i = 0; i < 4; ++i) { 1746 out[i] = lo >> (16 * i); 1747 } 1748 for (i = 4; i < 8; ++i) { 1749 out[i] = hi >> (16 * (i - 4)); 1750 } 1751 for (i = 8; i < 16; ++i) { 1752 out[i] = sign; 1753 } 1754 } 1755 1756 /* Check whether the 256-bit value represented by array of 16-bit values is in range -2^127 < v < 2^127. */ 1757 static int int256is127(const uint16_t* v) { 1758 int all_0 = ((v[7] & 0x8000) == 0), all_1 = ((v[7] & 0x8000) == 0x8000); 1759 int i; 1760 for (i = 8; i < 16; ++i) { 1761 if (v[i] != 0) all_0 = 0; 1762 if (v[i] != 0xffff) all_1 = 0; 1763 } 1764 return all_0 || all_1; 1765 } 1766 1767 static void load256u128(uint16_t* out, const secp256k1_uint128* v) { 1768 uint64_t lo = secp256k1_u128_to_u64(v), hi = secp256k1_u128_hi_u64(v); 1769 load256two64(out, hi, lo, 0); 1770 } 1771 1772 static void load256i128(uint16_t* out, const secp256k1_int128* v) { 1773 uint64_t lo; 1774 int64_t hi; 1775 secp256k1_int128 c = *v; 1776 lo = secp256k1_i128_to_u64(&c); 1777 secp256k1_i128_rshift(&c, 64); 1778 hi = secp256k1_i128_to_i64(&c); 1779 load256two64(out, hi, lo, 1); 1780 } 1781 1782 static void run_int128_test_case(void) { 1783 unsigned char buf[32]; 1784 uint64_t v[4]; 1785 secp256k1_int128 swa, swz; 1786 secp256k1_uint128 uwa, uwz; 1787 uint64_t ub, uc; 1788 int64_t sb, sc; 1789 uint16_t rswa[16], rswz[32], rswr[32], ruwa[16], ruwz[32], ruwr[32]; 1790 uint16_t rub[16], ruc[16], rsb[16], rsc[16]; 1791 int i; 1792 1793 /* Generate 32-byte random value. */ 1794 testrand256_test(buf); 1795 /* Convert into 4 64-bit integers. */ 1796 for (i = 0; i < 4; ++i) { 1797 uint64_t vi = 0; 1798 int j; 1799 for (j = 0; j < 8; ++j) vi = (vi << 8) + buf[8*i + j]; 1800 v[i] = vi; 1801 } 1802 /* Convert those into a 128-bit value and two 64-bit values (signed and unsigned). */ 1803 secp256k1_u128_load(&uwa, v[1], v[0]); 1804 secp256k1_i128_load(&swa, v[1], v[0]); 1805 ub = v[2]; 1806 sb = v[2]; 1807 uc = v[3]; 1808 sc = v[3]; 1809 /* Load those also into 16-bit array representations. */ 1810 load256u128(ruwa, &uwa); 1811 load256i128(rswa, &swa); 1812 load256u64(rub, ub, 0); 1813 load256u64(rsb, sb, 1); 1814 load256u64(ruc, uc, 0); 1815 load256u64(rsc, sc, 1); 1816 /* test secp256k1_u128_mul */ 1817 mulmod256(ruwr, rub, ruc, NULL); 1818 secp256k1_u128_mul(&uwz, ub, uc); 1819 load256u128(ruwz, &uwz); 1820 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0); 1821 /* test secp256k1_u128_accum_mul */ 1822 mulmod256(ruwr, rub, ruc, NULL); 1823 add256(ruwr, ruwr, ruwa); 1824 uwz = uwa; 1825 secp256k1_u128_accum_mul(&uwz, ub, uc); 1826 load256u128(ruwz, &uwz); 1827 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0); 1828 /* test secp256k1_u128_accum_u64 */ 1829 add256(ruwr, rub, ruwa); 1830 uwz = uwa; 1831 secp256k1_u128_accum_u64(&uwz, ub); 1832 load256u128(ruwz, &uwz); 1833 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0); 1834 /* test secp256k1_u128_rshift */ 1835 rshift256(ruwr, ruwa, uc % 128, 0); 1836 uwz = uwa; 1837 secp256k1_u128_rshift(&uwz, uc % 128); 1838 load256u128(ruwz, &uwz); 1839 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0); 1840 /* test secp256k1_u128_to_u64 */ 1841 CHECK(secp256k1_u128_to_u64(&uwa) == v[0]); 1842 /* test secp256k1_u128_hi_u64 */ 1843 CHECK(secp256k1_u128_hi_u64(&uwa) == v[1]); 1844 /* test secp256k1_u128_from_u64 */ 1845 secp256k1_u128_from_u64(&uwz, ub); 1846 load256u128(ruwz, &uwz); 1847 CHECK(secp256k1_memcmp_var(rub, ruwz, 16) == 0); 1848 /* test secp256k1_u128_check_bits */ 1849 { 1850 int uwa_bits = 0; 1851 int j; 1852 for (j = 0; j < 128; ++j) { 1853 if (ruwa[j / 16] >> (j % 16)) uwa_bits = 1 + j; 1854 } 1855 for (j = 0; j < 128; ++j) { 1856 CHECK(secp256k1_u128_check_bits(&uwa, j) == (uwa_bits <= j)); 1857 } 1858 } 1859 /* test secp256k1_i128_mul */ 1860 mulmod256(rswr, rsb, rsc, NULL); 1861 secp256k1_i128_mul(&swz, sb, sc); 1862 load256i128(rswz, &swz); 1863 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0); 1864 /* test secp256k1_i128_accum_mul */ 1865 mulmod256(rswr, rsb, rsc, NULL); 1866 add256(rswr, rswr, rswa); 1867 if (int256is127(rswr)) { 1868 swz = swa; 1869 secp256k1_i128_accum_mul(&swz, sb, sc); 1870 load256i128(rswz, &swz); 1871 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0); 1872 } 1873 /* test secp256k1_i128_det */ 1874 { 1875 uint16_t rsd[16], rse[16], rst[32]; 1876 int64_t sd = v[0], se = v[1]; 1877 load256u64(rsd, sd, 1); 1878 load256u64(rse, se, 1); 1879 mulmod256(rst, rsc, rsd, NULL); 1880 neg256(rst, rst); 1881 mulmod256(rswr, rsb, rse, NULL); 1882 add256(rswr, rswr, rst); 1883 secp256k1_i128_det(&swz, sb, sc, sd, se); 1884 load256i128(rswz, &swz); 1885 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0); 1886 } 1887 /* test secp256k1_i128_rshift */ 1888 rshift256(rswr, rswa, uc % 127, 1); 1889 swz = swa; 1890 secp256k1_i128_rshift(&swz, uc % 127); 1891 load256i128(rswz, &swz); 1892 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0); 1893 /* test secp256k1_i128_to_u64 */ 1894 CHECK(secp256k1_i128_to_u64(&swa) == v[0]); 1895 /* test secp256k1_i128_from_i64 */ 1896 secp256k1_i128_from_i64(&swz, sb); 1897 load256i128(rswz, &swz); 1898 CHECK(secp256k1_memcmp_var(rsb, rswz, 16) == 0); 1899 /* test secp256k1_i128_to_i64 */ 1900 CHECK(secp256k1_i128_to_i64(&swz) == sb); 1901 /* test secp256k1_i128_eq_var */ 1902 { 1903 int expect = (uc & 1); 1904 swz = swa; 1905 if (!expect) { 1906 /* Make sure swz != swa */ 1907 uint64_t v0c = v[0], v1c = v[1]; 1908 if (ub & 64) { 1909 v1c ^= (((uint64_t)1) << (ub & 63)); 1910 } else { 1911 v0c ^= (((uint64_t)1) << (ub & 63)); 1912 } 1913 secp256k1_i128_load(&swz, v1c, v0c); 1914 } 1915 CHECK(secp256k1_i128_eq_var(&swa, &swz) == expect); 1916 } 1917 /* test secp256k1_i128_check_pow2 (sign == 1) */ 1918 { 1919 int expect = (uc & 1); 1920 int pos = ub % 127; 1921 if (expect) { 1922 /* If expect==1, set swz to exactly 2^pos. */ 1923 uint64_t hi = 0; 1924 uint64_t lo = 0; 1925 if (pos >= 64) { 1926 hi = (((uint64_t)1) << (pos & 63)); 1927 } else { 1928 lo = (((uint64_t)1) << (pos & 63)); 1929 } 1930 secp256k1_i128_load(&swz, hi, lo); 1931 } else { 1932 /* If expect==0, set swz = swa, but update expect=1 if swa happens to equal 2^pos. */ 1933 if (pos >= 64) { 1934 if ((v[1] == (((uint64_t)1) << (pos & 63))) && v[0] == 0) expect = 1; 1935 } else { 1936 if ((v[0] == (((uint64_t)1) << (pos & 63))) && v[1] == 0) expect = 1; 1937 } 1938 swz = swa; 1939 } 1940 CHECK(secp256k1_i128_check_pow2(&swz, pos, 1) == expect); 1941 } 1942 /* test secp256k1_i128_check_pow2 (sign == -1) */ 1943 { 1944 int expect = (uc & 1); 1945 int pos = ub % 127; 1946 if (expect) { 1947 /* If expect==1, set swz to exactly -2^pos. */ 1948 uint64_t hi = ~(uint64_t)0; 1949 uint64_t lo = ~(uint64_t)0; 1950 if (pos >= 64) { 1951 hi <<= (pos & 63); 1952 lo = 0; 1953 } else { 1954 lo <<= (pos & 63); 1955 } 1956 secp256k1_i128_load(&swz, hi, lo); 1957 } else { 1958 /* If expect==0, set swz = swa, but update expect=1 if swa happens to equal -2^pos. */ 1959 if (pos >= 64) { 1960 if ((v[1] == ((~(uint64_t)0) << (pos & 63))) && v[0] == 0) expect = 1; 1961 } else { 1962 if ((v[0] == ((~(uint64_t)0) << (pos & 63))) && v[1] == ~(uint64_t)0) expect = 1; 1963 } 1964 swz = swa; 1965 } 1966 CHECK(secp256k1_i128_check_pow2(&swz, pos, -1) == expect); 1967 } 1968 } 1969 1970 static void run_int128_tests(void) { 1971 { /* secp256k1_u128_accum_mul */ 1972 secp256k1_uint128 res; 1973 1974 /* Check secp256k1_u128_accum_mul overflow */ 1975 secp256k1_u128_mul(&res, UINT64_MAX, UINT64_MAX); 1976 secp256k1_u128_accum_mul(&res, UINT64_MAX, UINT64_MAX); 1977 CHECK(secp256k1_u128_to_u64(&res) == 2); 1978 CHECK(secp256k1_u128_hi_u64(&res) == 18446744073709551612U); 1979 } 1980 { /* secp256k1_u128_accum_mul */ 1981 secp256k1_int128 res; 1982 1983 /* Compute INT128_MAX = 2^127 - 1 with secp256k1_i128_accum_mul */ 1984 secp256k1_i128_mul(&res, INT64_MAX, INT64_MAX); 1985 secp256k1_i128_accum_mul(&res, INT64_MAX, INT64_MAX); 1986 CHECK(secp256k1_i128_to_u64(&res) == 2); 1987 secp256k1_i128_accum_mul(&res, 4, 9223372036854775807); 1988 secp256k1_i128_accum_mul(&res, 1, 1); 1989 CHECK(secp256k1_i128_to_u64(&res) == UINT64_MAX); 1990 secp256k1_i128_rshift(&res, 64); 1991 CHECK(secp256k1_i128_to_i64(&res) == INT64_MAX); 1992 1993 /* Compute INT128_MIN = - 2^127 with secp256k1_i128_accum_mul */ 1994 secp256k1_i128_mul(&res, INT64_MAX, INT64_MIN); 1995 CHECK(secp256k1_i128_to_u64(&res) == (uint64_t)INT64_MIN); 1996 secp256k1_i128_accum_mul(&res, INT64_MAX, INT64_MIN); 1997 CHECK(secp256k1_i128_to_u64(&res) == 0); 1998 secp256k1_i128_accum_mul(&res, 2, INT64_MIN); 1999 CHECK(secp256k1_i128_to_u64(&res) == 0); 2000 secp256k1_i128_rshift(&res, 64); 2001 CHECK(secp256k1_i128_to_i64(&res) == INT64_MIN); 2002 } 2003 { 2004 /* Randomized tests. */ 2005 int i; 2006 for (i = 0; i < 256 * COUNT; ++i) run_int128_test_case(); 2007 } 2008 } 2009 #endif 2010 2011 /***** SCALAR TESTS *****/ 2012 2013 static void scalar_test(void) { 2014 secp256k1_scalar s; 2015 secp256k1_scalar s1; 2016 secp256k1_scalar s2; 2017 unsigned char c[32]; 2018 2019 /* Set 's' to a random scalar, with value 'snum'. */ 2020 testutil_random_scalar_order_test(&s); 2021 2022 /* Set 's1' to a random scalar, with value 's1num'. */ 2023 testutil_random_scalar_order_test(&s1); 2024 2025 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */ 2026 testutil_random_scalar_order_test(&s2); 2027 secp256k1_scalar_get_b32(c, &s2); 2028 2029 { 2030 int i; 2031 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */ 2032 secp256k1_scalar n; 2033 secp256k1_scalar_set_int(&n, 0); 2034 for (i = 0; i < 256; i += 4) { 2035 secp256k1_scalar t; 2036 int j; 2037 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_limb32(&s, 256 - 4 - i, 4)); 2038 for (j = 0; j < 4; j++) { 2039 secp256k1_scalar_add(&n, &n, &n); 2040 } 2041 secp256k1_scalar_add(&n, &n, &t); 2042 } 2043 CHECK(secp256k1_scalar_eq(&n, &s)); 2044 } 2045 2046 { 2047 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */ 2048 secp256k1_scalar n; 2049 int i = 0; 2050 secp256k1_scalar_set_int(&n, 0); 2051 while (i < 256) { 2052 secp256k1_scalar t; 2053 int j; 2054 int now = testrand_int(15) + 1; 2055 if (now + i > 256) { 2056 now = 256 - i; 2057 } 2058 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now)); 2059 for (j = 0; j < now; j++) { 2060 secp256k1_scalar_add(&n, &n, &n); 2061 } 2062 secp256k1_scalar_add(&n, &n, &t); 2063 i += now; 2064 } 2065 CHECK(secp256k1_scalar_eq(&n, &s)); 2066 } 2067 2068 { 2069 /* Test commutativity of add. */ 2070 secp256k1_scalar r1, r2; 2071 secp256k1_scalar_add(&r1, &s1, &s2); 2072 secp256k1_scalar_add(&r2, &s2, &s1); 2073 CHECK(secp256k1_scalar_eq(&r1, &r2)); 2074 } 2075 2076 { 2077 secp256k1_scalar r1, r2; 2078 secp256k1_scalar b; 2079 int i; 2080 /* Test add_bit. */ 2081 int bit = testrand_bits(8); 2082 secp256k1_scalar_set_int(&b, 1); 2083 CHECK(secp256k1_scalar_is_one(&b)); 2084 for (i = 0; i < bit; i++) { 2085 secp256k1_scalar_add(&b, &b, &b); 2086 } 2087 r1 = s1; 2088 r2 = s1; 2089 if (!secp256k1_scalar_add(&r1, &r1, &b)) { 2090 /* No overflow happened. */ 2091 secp256k1_scalar_cadd_bit(&r2, bit, 1); 2092 CHECK(secp256k1_scalar_eq(&r1, &r2)); 2093 /* cadd is a noop when flag is zero */ 2094 secp256k1_scalar_cadd_bit(&r2, bit, 0); 2095 CHECK(secp256k1_scalar_eq(&r1, &r2)); 2096 } 2097 } 2098 2099 { 2100 /* Test commutativity of mul. */ 2101 secp256k1_scalar r1, r2; 2102 secp256k1_scalar_mul(&r1, &s1, &s2); 2103 secp256k1_scalar_mul(&r2, &s2, &s1); 2104 CHECK(secp256k1_scalar_eq(&r1, &r2)); 2105 } 2106 2107 { 2108 /* Test associativity of add. */ 2109 secp256k1_scalar r1, r2; 2110 secp256k1_scalar_add(&r1, &s1, &s2); 2111 secp256k1_scalar_add(&r1, &r1, &s); 2112 secp256k1_scalar_add(&r2, &s2, &s); 2113 secp256k1_scalar_add(&r2, &s1, &r2); 2114 CHECK(secp256k1_scalar_eq(&r1, &r2)); 2115 } 2116 2117 { 2118 /* Test associativity of mul. */ 2119 secp256k1_scalar r1, r2; 2120 secp256k1_scalar_mul(&r1, &s1, &s2); 2121 secp256k1_scalar_mul(&r1, &r1, &s); 2122 secp256k1_scalar_mul(&r2, &s2, &s); 2123 secp256k1_scalar_mul(&r2, &s1, &r2); 2124 CHECK(secp256k1_scalar_eq(&r1, &r2)); 2125 } 2126 2127 { 2128 /* Test distributitivity of mul over add. */ 2129 secp256k1_scalar r1, r2, t; 2130 secp256k1_scalar_add(&r1, &s1, &s2); 2131 secp256k1_scalar_mul(&r1, &r1, &s); 2132 secp256k1_scalar_mul(&r2, &s1, &s); 2133 secp256k1_scalar_mul(&t, &s2, &s); 2134 secp256k1_scalar_add(&r2, &r2, &t); 2135 CHECK(secp256k1_scalar_eq(&r1, &r2)); 2136 } 2137 2138 { 2139 /* Test multiplicative identity. */ 2140 secp256k1_scalar r1; 2141 secp256k1_scalar_mul(&r1, &s1, &secp256k1_scalar_one); 2142 CHECK(secp256k1_scalar_eq(&r1, &s1)); 2143 } 2144 2145 { 2146 /* Test additive identity. */ 2147 secp256k1_scalar r1; 2148 secp256k1_scalar_add(&r1, &s1, &secp256k1_scalar_zero); 2149 CHECK(secp256k1_scalar_eq(&r1, &s1)); 2150 } 2151 2152 { 2153 /* Test zero product property. */ 2154 secp256k1_scalar r1; 2155 secp256k1_scalar_mul(&r1, &s1, &secp256k1_scalar_zero); 2156 CHECK(secp256k1_scalar_eq(&r1, &secp256k1_scalar_zero)); 2157 } 2158 2159 { 2160 /* Test halving. */ 2161 secp256k1_scalar r; 2162 secp256k1_scalar_add(&r, &s, &s); 2163 secp256k1_scalar_half(&r, &r); 2164 CHECK(secp256k1_scalar_eq(&r, &s)); 2165 } 2166 } 2167 2168 static void run_scalar_set_b32_seckey_tests(void) { 2169 unsigned char b32[32]; 2170 secp256k1_scalar s1; 2171 secp256k1_scalar s2; 2172 2173 /* Usually set_b32 and set_b32_seckey give the same result */ 2174 testutil_random_scalar_order_b32(b32); 2175 secp256k1_scalar_set_b32(&s1, b32, NULL); 2176 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 1); 2177 CHECK(secp256k1_scalar_eq(&s1, &s2) == 1); 2178 2179 memset(b32, 0, sizeof(b32)); 2180 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0); 2181 memset(b32, 0xFF, sizeof(b32)); 2182 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0); 2183 } 2184 2185 static void run_scalar_tests(void) { 2186 int i; 2187 for (i = 0; i < 128 * COUNT; i++) { 2188 scalar_test(); 2189 } 2190 for (i = 0; i < COUNT; i++) { 2191 run_scalar_set_b32_seckey_tests(); 2192 } 2193 2194 { 2195 /* Check that the scalar constants secp256k1_scalar_zero and 2196 secp256k1_scalar_one contain the expected values. */ 2197 secp256k1_scalar zero, one; 2198 2199 CHECK(secp256k1_scalar_is_zero(&secp256k1_scalar_zero)); 2200 secp256k1_scalar_set_int(&zero, 0); 2201 CHECK(secp256k1_scalar_eq(&zero, &secp256k1_scalar_zero)); 2202 2203 CHECK(secp256k1_scalar_is_one(&secp256k1_scalar_one)); 2204 secp256k1_scalar_set_int(&one, 1); 2205 CHECK(secp256k1_scalar_eq(&one, &secp256k1_scalar_one)); 2206 } 2207 2208 { 2209 /* (-1)+1 should be zero. */ 2210 secp256k1_scalar o; 2211 secp256k1_scalar_negate(&o, &secp256k1_scalar_one); 2212 secp256k1_scalar_add(&o, &o, &secp256k1_scalar_one); 2213 CHECK(secp256k1_scalar_is_zero(&o)); 2214 secp256k1_scalar_negate(&o, &o); 2215 CHECK(secp256k1_scalar_is_zero(&o)); 2216 } 2217 2218 { 2219 /* Test that halving and doubling roundtrips on some fixed values. */ 2220 static const secp256k1_scalar HALF_TESTS[] = { 2221 /* 0 */ 2222 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0), 2223 /* 1 */ 2224 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1), 2225 /* -1 */ 2226 SECP256K1_SCALAR_CONST(0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffeul, 0xbaaedce6ul, 0xaf48a03bul, 0xbfd25e8cul, 0xd0364140ul), 2227 /* -2 (largest odd value) */ 2228 SECP256K1_SCALAR_CONST(0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffeul, 0xbaaedce6ul, 0xaf48a03bul, 0xbfd25e8cul, 0xd036413Ful), 2229 /* Half the secp256k1 order */ 2230 SECP256K1_SCALAR_CONST(0x7ffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0x5d576e73ul, 0x57a4501dul, 0xdfe92f46ul, 0x681b20a0ul), 2231 /* Half the secp256k1 order + 1 */ 2232 SECP256K1_SCALAR_CONST(0x7ffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0x5d576e73ul, 0x57a4501dul, 0xdfe92f46ul, 0x681b20a1ul), 2233 /* 2^255 */ 2234 SECP256K1_SCALAR_CONST(0x80000000ul, 0, 0, 0, 0, 0, 0, 0), 2235 /* 2^255 - 1 */ 2236 SECP256K1_SCALAR_CONST(0x7ffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful), 2237 }; 2238 unsigned n; 2239 for (n = 0; n < sizeof(HALF_TESTS) / sizeof(HALF_TESTS[0]); ++n) { 2240 secp256k1_scalar s; 2241 secp256k1_scalar_half(&s, &HALF_TESTS[n]); 2242 secp256k1_scalar_add(&s, &s, &s); 2243 CHECK(secp256k1_scalar_eq(&s, &HALF_TESTS[n])); 2244 secp256k1_scalar_add(&s, &s, &s); 2245 secp256k1_scalar_half(&s, &s); 2246 CHECK(secp256k1_scalar_eq(&s, &HALF_TESTS[n])); 2247 } 2248 } 2249 2250 { 2251 /* Does check_overflow check catch all ones? */ 2252 static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST( 2253 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 2254 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL 2255 ); 2256 CHECK(secp256k1_scalar_check_overflow(&overflowed)); 2257 } 2258 2259 { 2260 /* Static test vectors. 2261 * These were reduced from ~10^12 random vectors based on comparison-decision 2262 * and edge-case coverage on 32-bit and 64-bit implementations. 2263 * The responses were generated with Sage 5.9. 2264 */ 2265 secp256k1_scalar x; 2266 secp256k1_scalar y; 2267 secp256k1_scalar z; 2268 secp256k1_scalar zz; 2269 secp256k1_scalar r1; 2270 secp256k1_scalar r2; 2271 secp256k1_scalar zzv; 2272 int overflow; 2273 unsigned char chal[33][2][32] = { 2274 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00, 2275 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 2276 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 2277 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff}, 2278 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00, 2279 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 2280 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2281 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}}, 2282 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00, 2283 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 2284 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2285 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, 2286 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 2287 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 2288 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff, 2289 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}}, 2290 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 2291 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 2292 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00, 2293 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00}, 2294 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80, 2295 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0, 2296 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00, 2297 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}}, 2298 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 2299 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80, 2300 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 2301 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff}, 2302 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 2303 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0, 2304 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff, 2305 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}}, 2306 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00, 2307 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 2308 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00, 2309 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff}, 2310 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 2311 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2312 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f, 2313 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}}, 2314 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f, 2315 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80, 2316 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00, 2317 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}, 2318 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 2319 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff, 2320 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 2321 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}}, 2322 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 2323 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 2324 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00, 2325 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0}, 2326 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 2327 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00, 2328 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 2329 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}}, 2330 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00, 2331 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 2332 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 2333 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff}, 2334 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 2335 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0, 2336 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2337 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}}, 2338 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2339 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 2340 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80, 2341 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}, 2342 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2343 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2344 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2345 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, 2346 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff, 2347 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2348 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80, 2349 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f}, 2350 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00, 2351 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff, 2352 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00, 2353 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}}, 2354 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff, 2355 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 2356 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80, 2357 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff}, 2358 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 2359 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2360 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 2361 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}}, 2362 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 2363 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2364 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2365 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80}, 2366 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2367 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff, 2368 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 2369 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, 2370 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2371 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2372 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2373 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00}, 2374 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 2375 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f, 2376 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff, 2377 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}}, 2378 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 2379 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80, 2380 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2381 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00}, 2382 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 2383 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2384 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00, 2385 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}}, 2386 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00, 2387 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03, 2388 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2389 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, 2390 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff, 2391 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2392 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2393 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}}, 2394 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 2395 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2396 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2397 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, 2398 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2399 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff, 2400 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 2401 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}}, 2402 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 2403 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2404 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00, 2405 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80}, 2406 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2407 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 2408 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e, 2409 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, 2410 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2411 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 2412 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 2413 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00}, 2414 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 2415 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00, 2416 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 2417 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}}, 2418 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80, 2419 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 2420 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 2421 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}, 2422 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2423 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80, 2424 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 2425 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}}, 2426 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff, 2427 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00, 2428 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2429 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07}, 2430 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 2431 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 2432 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff, 2433 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}}, 2434 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2435 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2436 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2437 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, 2438 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2439 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 2440 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b, 2441 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}}, 2442 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2443 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2444 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2445 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}, 2446 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2447 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2448 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2449 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, 2450 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2451 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2452 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2453 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, 2454 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2455 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2456 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2457 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}}, 2458 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0, 2459 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2460 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 2461 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f}, 2462 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 2463 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00, 2464 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 2465 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}}, 2466 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2467 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2468 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2469 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, 2470 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2471 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2472 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2473 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}}, 2474 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2475 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 2476 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b, 2477 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}, 2478 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2479 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2480 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2481 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}}, 2482 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2483 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00, 2484 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 2485 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, 2486 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 2487 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80, 2488 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 2489 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}}, 2490 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00, 2491 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 2492 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 2493 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff}, 2494 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 2495 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff, 2496 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2497 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}}, 2498 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 2499 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff, 2500 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 2501 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00}, 2502 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 2503 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 2504 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f, 2505 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}}, 2506 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 2507 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01, 2508 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff, 2509 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}, 2510 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 2511 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80, 2512 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff, 2513 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}}, 2514 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 2515 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2516 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8, 2517 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80}, 2518 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2519 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00, 2520 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f, 2521 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}}, 2522 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00, 2523 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83, 2524 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80, 2525 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0}, 2526 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 2527 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00, 2528 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 2529 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}}, 2530 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00, 2531 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00, 2532 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb, 2533 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}, 2534 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00, 2535 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00, 2536 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb, 2537 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}} 2538 }; 2539 unsigned char res[33][2][32] = { 2540 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9, 2541 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1, 2542 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6, 2543 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35}, 2544 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d, 2545 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c, 2546 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49, 2547 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}}, 2548 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22, 2549 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c, 2550 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f, 2551 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8}, 2552 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77, 2553 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4, 2554 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59, 2555 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}}, 2556 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef, 2557 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab, 2558 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55, 2559 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c}, 2560 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96, 2561 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f, 2562 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12, 2563 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}}, 2564 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c, 2565 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf, 2566 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9, 2567 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48}, 2568 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42, 2569 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5, 2570 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c, 2571 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}}, 2572 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb, 2573 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74, 2574 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6, 2575 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63}, 2576 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3, 2577 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99, 2578 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58, 2579 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}}, 2580 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b, 2581 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7, 2582 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f, 2583 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0}, 2584 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d, 2585 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d, 2586 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9, 2587 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}}, 2588 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7, 2589 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70, 2590 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06, 2591 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e}, 2592 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9, 2593 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79, 2594 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e, 2595 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}}, 2596 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb, 2597 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5, 2598 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a, 2599 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe}, 2600 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48, 2601 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e, 2602 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc, 2603 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}}, 2604 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b, 2605 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0, 2606 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53, 2607 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8}, 2608 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c, 2609 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01, 2610 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f, 2611 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}}, 2612 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7, 2613 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c, 2614 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92, 2615 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30}, 2616 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62, 2617 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e, 2618 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb, 2619 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}}, 2620 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25, 2621 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d, 2622 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0, 2623 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13}, 2624 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60, 2625 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00, 2626 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4, 2627 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}}, 2628 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31, 2629 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4, 2630 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88, 2631 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa}, 2632 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57, 2633 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38, 2634 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51, 2635 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}}, 2636 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c, 2637 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f, 2638 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2, 2639 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4}, 2640 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01, 2641 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4, 2642 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86, 2643 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}}, 2644 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5, 2645 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51, 2646 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3, 2647 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62}, 2648 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c, 2649 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91, 2650 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c, 2651 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}}, 2652 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e, 2653 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56, 2654 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58, 2655 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4}, 2656 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41, 2657 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7, 2658 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92, 2659 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}}, 2660 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec, 2661 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19, 2662 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3, 2663 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4}, 2664 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87, 2665 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a, 2666 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92, 2667 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}}, 2668 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64, 2669 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3, 2670 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f, 2671 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33}, 2672 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c, 2673 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d, 2674 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea, 2675 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}}, 2676 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7, 2677 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a, 2678 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae, 2679 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe}, 2680 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc, 2681 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39, 2682 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14, 2683 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}}, 2684 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23, 2685 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d, 2686 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2, 2687 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16}, 2688 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c, 2689 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84, 2690 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0, 2691 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}}, 2692 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb, 2693 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94, 2694 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b, 2695 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e}, 2696 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54, 2697 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00, 2698 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb, 2699 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}}, 2700 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2701 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2702 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2703 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, 2704 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2705 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2706 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2707 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, 2708 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2709 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2710 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2711 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, 2712 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2713 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2714 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2715 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}}, 2716 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1, 2717 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0, 2718 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59, 2719 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}, 2720 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1, 2721 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0, 2722 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59, 2723 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}}, 2724 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0, 2725 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b, 2726 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94, 2727 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8}, 2728 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26, 2729 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d, 2730 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a, 2731 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}}, 2732 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2733 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 2734 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4, 2735 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd}, 2736 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1, 2737 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0, 2738 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59, 2739 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}}, 2740 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2741 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 2742 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b, 2743 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}, 2744 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2745 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2746 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2747 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}}, 2748 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39, 2749 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea, 2750 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf, 2751 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae}, 2752 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b, 2753 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb, 2754 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6, 2755 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}}, 2756 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a, 2757 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f, 2758 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9, 2759 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56}, 2760 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93, 2761 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07, 2762 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71, 2763 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}}, 2764 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87, 2765 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9, 2766 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55, 2767 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73}, 2768 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d, 2769 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86, 2770 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb, 2771 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}}, 2772 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2, 2773 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7, 2774 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41, 2775 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7}, 2776 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06, 2777 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04, 2778 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08, 2779 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}}, 2780 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2, 2781 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b, 2782 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40, 2783 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68}, 2784 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e, 2785 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a, 2786 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b, 2787 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}}, 2788 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67, 2789 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f, 2790 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a, 2791 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51}, 2792 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2, 2793 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38, 2794 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34, 2795 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}}, 2796 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34, 2797 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13, 2798 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46, 2799 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}, 2800 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34, 2801 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13, 2802 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46, 2803 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}} 2804 }; 2805 for (i = 0; i < 33; i++) { 2806 secp256k1_scalar_set_b32(&x, chal[i][0], &overflow); 2807 CHECK(!overflow); 2808 secp256k1_scalar_set_b32(&y, chal[i][1], &overflow); 2809 CHECK(!overflow); 2810 secp256k1_scalar_set_b32(&r1, res[i][0], &overflow); 2811 CHECK(!overflow); 2812 secp256k1_scalar_set_b32(&r2, res[i][1], &overflow); 2813 CHECK(!overflow); 2814 secp256k1_scalar_mul(&z, &x, &y); 2815 CHECK(secp256k1_scalar_eq(&r1, &z)); 2816 if (!secp256k1_scalar_is_zero(&y)) { 2817 secp256k1_scalar_inverse(&zz, &y); 2818 secp256k1_scalar_inverse_var(&zzv, &y); 2819 CHECK(secp256k1_scalar_eq(&zzv, &zz)); 2820 secp256k1_scalar_mul(&z, &z, &zz); 2821 CHECK(secp256k1_scalar_eq(&x, &z)); 2822 secp256k1_scalar_mul(&zz, &zz, &y); 2823 CHECK(secp256k1_scalar_eq(&secp256k1_scalar_one, &zz)); 2824 } 2825 secp256k1_scalar_mul(&z, &x, &x); 2826 CHECK(secp256k1_scalar_eq(&r2, &z)); 2827 } 2828 } 2829 } 2830 2831 /***** FIELD TESTS *****/ 2832 2833 static void random_fe_non_square(secp256k1_fe *ns) { 2834 secp256k1_fe r; 2835 testutil_random_fe_non_zero(ns); 2836 if (secp256k1_fe_sqrt(&r, ns)) { 2837 secp256k1_fe_negate(ns, ns, 1); 2838 } 2839 } 2840 2841 static int fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) { 2842 secp256k1_fe an = *a; 2843 secp256k1_fe bn = *b; 2844 secp256k1_fe_normalize_weak(&an); 2845 return secp256k1_fe_equal(&an, &bn); 2846 } 2847 2848 static void run_field_convert(void) { 2849 static const unsigned char b32[32] = { 2850 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 2851 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 2852 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 2853 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40 2854 }; 2855 static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST( 2856 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL, 2857 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL 2858 ); 2859 static const secp256k1_fe fe = SECP256K1_FE_CONST( 2860 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL, 2861 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL 2862 ); 2863 secp256k1_fe fe2; 2864 unsigned char b322[32]; 2865 secp256k1_fe_storage fes2; 2866 /* Check conversions to fe. */ 2867 CHECK(secp256k1_fe_set_b32_limit(&fe2, b32)); 2868 CHECK(secp256k1_fe_equal(&fe, &fe2)); 2869 secp256k1_fe_from_storage(&fe2, &fes); 2870 CHECK(secp256k1_fe_equal(&fe, &fe2)); 2871 /* Check conversion from fe. */ 2872 secp256k1_fe_get_b32(b322, &fe); 2873 CHECK(secp256k1_memcmp_var(b322, b32, 32) == 0); 2874 secp256k1_fe_to_storage(&fes2, &fe); 2875 CHECK(secp256k1_memcmp_var(&fes2, &fes, sizeof(fes)) == 0); 2876 } 2877 2878 static void run_field_be32_overflow(void) { 2879 { 2880 static const unsigned char zero_overflow[32] = { 2881 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 2882 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 2883 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 2884 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F, 2885 }; 2886 static const unsigned char zero[32] = { 0x00 }; 2887 unsigned char out[32]; 2888 secp256k1_fe fe; 2889 CHECK(secp256k1_fe_set_b32_limit(&fe, zero_overflow) == 0); 2890 secp256k1_fe_set_b32_mod(&fe, zero_overflow); 2891 CHECK(secp256k1_fe_normalizes_to_zero(&fe) == 1); 2892 secp256k1_fe_normalize(&fe); 2893 CHECK(secp256k1_fe_is_zero(&fe) == 1); 2894 secp256k1_fe_get_b32(out, &fe); 2895 CHECK(secp256k1_memcmp_var(out, zero, 32) == 0); 2896 } 2897 { 2898 static const unsigned char one_overflow[32] = { 2899 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 2900 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 2901 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 2902 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x30, 2903 }; 2904 static const unsigned char one[32] = { 2905 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2906 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2907 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2908 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 2909 }; 2910 unsigned char out[32]; 2911 secp256k1_fe fe; 2912 CHECK(secp256k1_fe_set_b32_limit(&fe, one_overflow) == 0); 2913 secp256k1_fe_set_b32_mod(&fe, one_overflow); 2914 secp256k1_fe_normalize(&fe); 2915 CHECK(secp256k1_fe_cmp_var(&fe, &secp256k1_fe_one) == 0); 2916 secp256k1_fe_get_b32(out, &fe); 2917 CHECK(secp256k1_memcmp_var(out, one, 32) == 0); 2918 } 2919 { 2920 static const unsigned char ff_overflow[32] = { 2921 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 2922 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 2923 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 2924 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 2925 }; 2926 static const unsigned char ff[32] = { 2927 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2928 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2929 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2930 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x03, 0xD0, 2931 }; 2932 unsigned char out[32]; 2933 secp256k1_fe fe; 2934 const secp256k1_fe fe_ff = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0x01, 0x000003d0); 2935 CHECK(secp256k1_fe_set_b32_limit(&fe, ff_overflow) == 0); 2936 secp256k1_fe_set_b32_mod(&fe, ff_overflow); 2937 secp256k1_fe_normalize(&fe); 2938 CHECK(secp256k1_fe_cmp_var(&fe, &fe_ff) == 0); 2939 secp256k1_fe_get_b32(out, &fe); 2940 CHECK(secp256k1_memcmp_var(out, ff, 32) == 0); 2941 } 2942 } 2943 2944 /* Returns true if two field elements have the same representation. */ 2945 static int fe_identical(const secp256k1_fe *a, const secp256k1_fe *b) { 2946 int ret = 1; 2947 /* Compare the struct member that holds the limbs. */ 2948 ret &= (secp256k1_memcmp_var(a->n, b->n, sizeof(a->n)) == 0); 2949 return ret; 2950 } 2951 2952 static void run_field_half(void) { 2953 secp256k1_fe t, u; 2954 int m; 2955 2956 /* Check magnitude 0 input */ 2957 secp256k1_fe_get_bounds(&t, 0); 2958 secp256k1_fe_half(&t); 2959 #ifdef VERIFY 2960 CHECK(t.magnitude == 1); 2961 CHECK(t.normalized == 0); 2962 #endif 2963 CHECK(secp256k1_fe_normalizes_to_zero(&t)); 2964 2965 /* Check non-zero magnitudes in the supported range */ 2966 for (m = 1; m < 32; m++) { 2967 /* Check max-value input */ 2968 secp256k1_fe_get_bounds(&t, m); 2969 2970 u = t; 2971 secp256k1_fe_half(&u); 2972 #ifdef VERIFY 2973 CHECK(u.magnitude == (m >> 1) + 1); 2974 CHECK(u.normalized == 0); 2975 #endif 2976 secp256k1_fe_normalize_weak(&u); 2977 secp256k1_fe_add(&u, &u); 2978 CHECK(fe_equal(&t, &u)); 2979 2980 /* Check worst-case input: ensure the LSB is 1 so that P will be added, 2981 * which will also cause all carries to be 1, since all limbs that can 2982 * generate a carry are initially even and all limbs of P are odd in 2983 * every existing field implementation. */ 2984 secp256k1_fe_get_bounds(&t, m); 2985 CHECK(t.n[0] > 0); 2986 CHECK((t.n[0] & 1) == 0); 2987 --t.n[0]; 2988 2989 u = t; 2990 secp256k1_fe_half(&u); 2991 #ifdef VERIFY 2992 CHECK(u.magnitude == (m >> 1) + 1); 2993 CHECK(u.normalized == 0); 2994 #endif 2995 secp256k1_fe_normalize_weak(&u); 2996 secp256k1_fe_add(&u, &u); 2997 CHECK(fe_equal(&t, &u)); 2998 } 2999 } 3000 3001 static void run_field_misc(void) { 3002 secp256k1_fe x; 3003 secp256k1_fe y; 3004 secp256k1_fe z; 3005 secp256k1_fe q; 3006 int v; 3007 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5); 3008 int i, j; 3009 for (i = 0; i < 1000 * COUNT; i++) { 3010 secp256k1_fe_storage xs, ys, zs; 3011 if (i & 1) { 3012 testutil_random_fe(&x); 3013 } else { 3014 testutil_random_fe_test(&x); 3015 } 3016 testutil_random_fe_non_zero(&y); 3017 v = testrand_bits(15); 3018 /* Test that fe_add_int is equivalent to fe_set_int + fe_add. */ 3019 secp256k1_fe_set_int(&q, v); /* q = v */ 3020 z = x; /* z = x */ 3021 secp256k1_fe_add(&z, &q); /* z = x+v */ 3022 q = x; /* q = x */ 3023 secp256k1_fe_add_int(&q, v); /* q = x+v */ 3024 CHECK(fe_equal(&q, &z)); 3025 /* Test the fe equality and comparison operations. */ 3026 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0); 3027 CHECK(secp256k1_fe_equal(&x, &x)); 3028 z = x; 3029 secp256k1_fe_add(&z,&y); 3030 /* Test fe conditional move; z is not normalized here. */ 3031 q = x; 3032 secp256k1_fe_cmov(&x, &z, 0); 3033 #ifdef VERIFY 3034 CHECK(!x.normalized); 3035 CHECK((x.magnitude == q.magnitude) || (x.magnitude == z.magnitude)); 3036 CHECK((x.magnitude >= q.magnitude) && (x.magnitude >= z.magnitude)); 3037 #endif 3038 x = q; 3039 secp256k1_fe_cmov(&x, &x, 1); 3040 CHECK(!fe_identical(&x, &z)); 3041 CHECK(fe_identical(&x, &q)); 3042 secp256k1_fe_cmov(&q, &z, 1); 3043 #ifdef VERIFY 3044 CHECK(!q.normalized); 3045 CHECK((q.magnitude == x.magnitude) || (q.magnitude == z.magnitude)); 3046 CHECK((q.magnitude >= x.magnitude) && (q.magnitude >= z.magnitude)); 3047 #endif 3048 CHECK(fe_identical(&q, &z)); 3049 q = z; 3050 secp256k1_fe_normalize_var(&x); 3051 secp256k1_fe_normalize_var(&z); 3052 CHECK(!secp256k1_fe_equal(&x, &z)); 3053 secp256k1_fe_normalize_var(&q); 3054 secp256k1_fe_cmov(&q, &z, (i&1)); 3055 #ifdef VERIFY 3056 CHECK(q.normalized && q.magnitude == 1); 3057 #endif 3058 for (j = 0; j < 6; j++) { 3059 secp256k1_fe_negate_unchecked(&z, &z, j+1); 3060 secp256k1_fe_normalize_var(&q); 3061 secp256k1_fe_cmov(&q, &z, (j&1)); 3062 #ifdef VERIFY 3063 CHECK(!q.normalized && q.magnitude == z.magnitude); 3064 #endif 3065 } 3066 secp256k1_fe_normalize_var(&z); 3067 /* Test storage conversion and conditional moves. */ 3068 secp256k1_fe_to_storage(&xs, &x); 3069 secp256k1_fe_to_storage(&ys, &y); 3070 secp256k1_fe_to_storage(&zs, &z); 3071 secp256k1_fe_storage_cmov(&zs, &xs, 0); 3072 secp256k1_fe_storage_cmov(&zs, &zs, 1); 3073 CHECK(secp256k1_memcmp_var(&xs, &zs, sizeof(xs)) != 0); 3074 secp256k1_fe_storage_cmov(&ys, &xs, 1); 3075 CHECK(secp256k1_memcmp_var(&xs, &ys, sizeof(xs)) == 0); 3076 secp256k1_fe_from_storage(&x, &xs); 3077 secp256k1_fe_from_storage(&y, &ys); 3078 secp256k1_fe_from_storage(&z, &zs); 3079 /* Test that mul_int, mul, and add agree. */ 3080 secp256k1_fe_add(&y, &x); 3081 secp256k1_fe_add(&y, &x); 3082 z = x; 3083 secp256k1_fe_mul_int(&z, 3); 3084 CHECK(fe_equal(&y, &z)); 3085 secp256k1_fe_add(&y, &x); 3086 secp256k1_fe_add(&z, &x); 3087 CHECK(fe_equal(&z, &y)); 3088 z = x; 3089 secp256k1_fe_mul_int(&z, 5); 3090 secp256k1_fe_mul(&q, &x, &fe5); 3091 CHECK(fe_equal(&z, &q)); 3092 secp256k1_fe_negate(&x, &x, 1); 3093 secp256k1_fe_add(&z, &x); 3094 secp256k1_fe_add(&q, &x); 3095 CHECK(fe_equal(&y, &z)); 3096 CHECK(fe_equal(&q, &y)); 3097 /* Check secp256k1_fe_half. */ 3098 z = x; 3099 secp256k1_fe_half(&z); 3100 secp256k1_fe_add(&z, &z); 3101 CHECK(fe_equal(&x, &z)); 3102 secp256k1_fe_add(&z, &z); 3103 secp256k1_fe_half(&z); 3104 CHECK(fe_equal(&x, &z)); 3105 } 3106 } 3107 3108 static void test_fe_mul(const secp256k1_fe* a, const secp256k1_fe* b, int use_sqr) 3109 { 3110 secp256k1_fe c, an, bn; 3111 /* Variables in BE 32-byte format. */ 3112 unsigned char a32[32], b32[32], c32[32]; 3113 /* Variables in LE 16x uint16_t format. */ 3114 uint16_t a16[16], b16[16], c16[16]; 3115 /* Field modulus in LE 16x uint16_t format. */ 3116 static const uint16_t m16[16] = { 3117 0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 3118 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 3119 }; 3120 uint16_t t16[32]; 3121 int i; 3122 3123 /* Compute C = A * B in fe format. */ 3124 c = *a; 3125 if (use_sqr) { 3126 secp256k1_fe_sqr(&c, &c); 3127 } else { 3128 secp256k1_fe_mul(&c, &c, b); 3129 } 3130 3131 /* Convert A, B, C into LE 16x uint16_t format. */ 3132 an = *a; 3133 bn = *b; 3134 secp256k1_fe_normalize_var(&c); 3135 secp256k1_fe_normalize_var(&an); 3136 secp256k1_fe_normalize_var(&bn); 3137 secp256k1_fe_get_b32(a32, &an); 3138 secp256k1_fe_get_b32(b32, &bn); 3139 secp256k1_fe_get_b32(c32, &c); 3140 for (i = 0; i < 16; ++i) { 3141 a16[i] = a32[31 - 2*i] + ((uint16_t)a32[30 - 2*i] << 8); 3142 b16[i] = b32[31 - 2*i] + ((uint16_t)b32[30 - 2*i] << 8); 3143 c16[i] = c32[31 - 2*i] + ((uint16_t)c32[30 - 2*i] << 8); 3144 } 3145 /* Compute T = A * B in LE 16x uint16_t format. */ 3146 mulmod256(t16, a16, b16, m16); 3147 /* Compare */ 3148 CHECK(secp256k1_memcmp_var(t16, c16, 32) == 0); 3149 } 3150 3151 static void run_fe_mul(void) { 3152 int i; 3153 for (i = 0; i < 100 * COUNT; ++i) { 3154 secp256k1_fe a, b, c, d; 3155 testutil_random_fe(&a); 3156 testutil_random_fe_magnitude(&a, 8); 3157 testutil_random_fe(&b); 3158 testutil_random_fe_magnitude(&b, 8); 3159 testutil_random_fe_test(&c); 3160 testutil_random_fe_magnitude(&c, 8); 3161 testutil_random_fe_test(&d); 3162 testutil_random_fe_magnitude(&d, 8); 3163 test_fe_mul(&a, &a, 1); 3164 test_fe_mul(&c, &c, 1); 3165 test_fe_mul(&a, &b, 0); 3166 test_fe_mul(&a, &c, 0); 3167 test_fe_mul(&c, &b, 0); 3168 test_fe_mul(&c, &d, 0); 3169 } 3170 } 3171 3172 static void run_sqr(void) { 3173 int i; 3174 secp256k1_fe x, y, lhs, rhs, tmp; 3175 3176 secp256k1_fe_set_int(&x, 1); 3177 secp256k1_fe_negate(&x, &x, 1); 3178 3179 for (i = 1; i <= 512; ++i) { 3180 secp256k1_fe_mul_int(&x, 2); 3181 secp256k1_fe_normalize(&x); 3182 3183 /* Check that (x+y)*(x-y) = x^2 - y*2 for some random values y */ 3184 testutil_random_fe_test(&y); 3185 3186 lhs = x; 3187 secp256k1_fe_add(&lhs, &y); /* lhs = x+y */ 3188 secp256k1_fe_negate(&tmp, &y, 1); /* tmp = -y */ 3189 secp256k1_fe_add(&tmp, &x); /* tmp = x-y */ 3190 secp256k1_fe_mul(&lhs, &lhs, &tmp); /* lhs = (x+y)*(x-y) */ 3191 3192 secp256k1_fe_sqr(&rhs, &x); /* rhs = x^2 */ 3193 secp256k1_fe_sqr(&tmp, &y); /* tmp = y^2 */ 3194 secp256k1_fe_negate(&tmp, &tmp, 1); /* tmp = -y^2 */ 3195 secp256k1_fe_add(&rhs, &tmp); /* rhs = x^2 - y^2 */ 3196 3197 CHECK(fe_equal(&lhs, &rhs)); 3198 } 3199 } 3200 3201 static void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) { 3202 secp256k1_fe r1, r2; 3203 int v = secp256k1_fe_sqrt(&r1, a); 3204 CHECK((v == 0) == (k == NULL)); 3205 3206 if (k != NULL) { 3207 /* Check that the returned root is +/- the given known answer */ 3208 secp256k1_fe_negate(&r2, &r1, 1); 3209 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k); 3210 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2); 3211 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2)); 3212 } 3213 } 3214 3215 static void run_sqrt(void) { 3216 secp256k1_fe ns, x, s, t; 3217 int i; 3218 3219 /* Check sqrt(0) is 0 */ 3220 secp256k1_fe_set_int(&x, 0); 3221 secp256k1_fe_sqr(&s, &x); 3222 test_sqrt(&s, &x); 3223 3224 /* Check sqrt of small squares (and their negatives) */ 3225 for (i = 1; i <= 100; i++) { 3226 secp256k1_fe_set_int(&x, i); 3227 secp256k1_fe_sqr(&s, &x); 3228 test_sqrt(&s, &x); 3229 secp256k1_fe_negate(&t, &s, 1); 3230 test_sqrt(&t, NULL); 3231 } 3232 3233 /* Consistency checks for large random values */ 3234 for (i = 0; i < 10; i++) { 3235 int j; 3236 random_fe_non_square(&ns); 3237 for (j = 0; j < COUNT; j++) { 3238 testutil_random_fe(&x); 3239 secp256k1_fe_sqr(&s, &x); 3240 CHECK(secp256k1_fe_is_square_var(&s)); 3241 test_sqrt(&s, &x); 3242 secp256k1_fe_negate(&t, &s, 1); 3243 CHECK(!secp256k1_fe_is_square_var(&t)); 3244 test_sqrt(&t, NULL); 3245 secp256k1_fe_mul(&t, &s, &ns); 3246 test_sqrt(&t, NULL); 3247 } 3248 } 3249 } 3250 3251 /***** FIELD/SCALAR INVERSE TESTS *****/ 3252 3253 static const secp256k1_scalar scalar_minus_one = SECP256K1_SCALAR_CONST( 3254 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 3255 0xBAAEDCE6, 0xAF48A03B, 0xBFD25E8C, 0xD0364140 3256 ); 3257 3258 static const secp256k1_fe fe_minus_one = SECP256K1_FE_CONST( 3259 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 3260 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFC2E 3261 ); 3262 3263 /* These tests test the following identities: 3264 * 3265 * for x==0: 1/x == 0 3266 * for x!=0: x*(1/x) == 1 3267 * for x!=0 and x!=1: 1/(1/x - 1) + 1 == -1/(x-1) 3268 */ 3269 3270 static void test_inverse_scalar(secp256k1_scalar* out, const secp256k1_scalar* x, int var) 3271 { 3272 secp256k1_scalar l, r, t; 3273 3274 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, x); /* l = 1/x */ 3275 if (out) *out = l; 3276 if (secp256k1_scalar_is_zero(x)) { 3277 CHECK(secp256k1_scalar_is_zero(&l)); 3278 return; 3279 } 3280 secp256k1_scalar_mul(&t, x, &l); /* t = x*(1/x) */ 3281 CHECK(secp256k1_scalar_is_one(&t)); /* x*(1/x) == 1 */ 3282 secp256k1_scalar_add(&r, x, &scalar_minus_one); /* r = x-1 */ 3283 if (secp256k1_scalar_is_zero(&r)) return; 3284 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&r, &r); /* r = 1/(x-1) */ 3285 secp256k1_scalar_add(&l, &scalar_minus_one, &l); /* l = 1/x-1 */ 3286 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, &l); /* l = 1/(1/x-1) */ 3287 secp256k1_scalar_add(&l, &l, &secp256k1_scalar_one); /* l = 1/(1/x-1)+1 */ 3288 secp256k1_scalar_add(&l, &r, &l); /* l = 1/(1/x-1)+1 + 1/(x-1) */ 3289 CHECK(secp256k1_scalar_is_zero(&l)); /* l == 0 */ 3290 } 3291 3292 static void test_inverse_field(secp256k1_fe* out, const secp256k1_fe* x, int var) 3293 { 3294 secp256k1_fe l, r, t; 3295 3296 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, x) ; /* l = 1/x */ 3297 if (out) *out = l; 3298 t = *x; /* t = x */ 3299 if (secp256k1_fe_normalizes_to_zero_var(&t)) { 3300 CHECK(secp256k1_fe_normalizes_to_zero(&l)); 3301 return; 3302 } 3303 secp256k1_fe_mul(&t, x, &l); /* t = x*(1/x) */ 3304 secp256k1_fe_add(&t, &fe_minus_one); /* t = x*(1/x)-1 */ 3305 CHECK(secp256k1_fe_normalizes_to_zero(&t)); /* x*(1/x)-1 == 0 */ 3306 r = *x; /* r = x */ 3307 secp256k1_fe_add(&r, &fe_minus_one); /* r = x-1 */ 3308 if (secp256k1_fe_normalizes_to_zero_var(&r)) return; 3309 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&r, &r); /* r = 1/(x-1) */ 3310 secp256k1_fe_add(&l, &fe_minus_one); /* l = 1/x-1 */ 3311 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, &l); /* l = 1/(1/x-1) */ 3312 secp256k1_fe_add_int(&l, 1); /* l = 1/(1/x-1)+1 */ 3313 secp256k1_fe_add(&l, &r); /* l = 1/(1/x-1)+1 + 1/(x-1) */ 3314 CHECK(secp256k1_fe_normalizes_to_zero_var(&l)); /* l == 0 */ 3315 } 3316 3317 static void run_inverse_tests(void) 3318 { 3319 /* Fixed test cases for field inverses: pairs of (x, 1/x) mod p. */ 3320 static const secp256k1_fe fe_cases[][2] = { 3321 /* 0 */ 3322 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0), 3323 SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0)}, 3324 /* 1 */ 3325 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1), 3326 SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1)}, 3327 /* -1 */ 3328 {SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e), 3329 SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e)}, 3330 /* 2 */ 3331 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2), 3332 SECP256K1_FE_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x7ffffe18)}, 3333 /* 2**128 */ 3334 {SECP256K1_FE_CONST(0, 0, 0, 1, 0, 0, 0, 0), 3335 SECP256K1_FE_CONST(0xbcb223fe, 0xdc24a059, 0xd838091d, 0xd2253530, 0xffffffff, 0xffffffff, 0xffffffff, 0x434dd931)}, 3336 /* Input known to need 637 divsteps */ 3337 {SECP256K1_FE_CONST(0xe34e9c95, 0x6bee8a84, 0x0dcb632a, 0xdb8a1320, 0x66885408, 0x06f3f996, 0x7c11ca84, 0x19199ec3), 3338 SECP256K1_FE_CONST(0xbd2cbd8f, 0x1c536828, 0x9bccda44, 0x2582ac0c, 0x870152b0, 0x8a3f09fb, 0x1aaadf92, 0x19b618e5)}, 3339 /* Input known to need 567 divsteps starting with delta=1/2. */ 3340 {SECP256K1_FE_CONST(0xf6bc3ba3, 0x636451c4, 0x3e46357d, 0x2c21d619, 0x0988e234, 0x15985661, 0x6672982b, 0xa7549bfc), 3341 SECP256K1_FE_CONST(0xb024fdc7, 0x5547451e, 0x426c585f, 0xbd481425, 0x73df6b75, 0xeef6d9d0, 0x389d87d4, 0xfbb440ba)}, 3342 /* Input known to need 566 divsteps starting with delta=1/2. */ 3343 {SECP256K1_FE_CONST(0xb595d81b, 0x2e3c1e2f, 0x482dbc65, 0xe4865af7, 0x9a0a50aa, 0x29f9e618, 0x6f87d7a5, 0x8d1063ae), 3344 SECP256K1_FE_CONST(0xc983337c, 0x5d5c74e1, 0x49918330, 0x0b53afb5, 0xa0428a0b, 0xce6eef86, 0x059bd8ef, 0xe5b908de)}, 3345 /* Set of 10 inputs accessing all 128 entries in the modinv32 divsteps_var table */ 3346 {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0xe0ff1f80, 0x1f000000, 0x00000000, 0x00000000, 0xfeff0100, 0x00000000), 3347 SECP256K1_FE_CONST(0x9faf9316, 0x77e5049d, 0x0b5e7a1b, 0xef70b893, 0x18c9e30c, 0x045e7fd7, 0x29eddf8c, 0xd62e9e3d)}, 3348 {SECP256K1_FE_CONST(0x621a538d, 0x511b2780, 0x35688252, 0x53f889a4, 0x6317c3ac, 0x32ba0a46, 0x6277c0d1, 0xccd31192), 3349 SECP256K1_FE_CONST(0x38513b0c, 0x5eba856f, 0xe29e882e, 0x9b394d8c, 0x34bda011, 0xeaa66943, 0x6a841a4c, 0x6ae8bcff)}, 3350 {SECP256K1_FE_CONST(0x00000200, 0xf0ffff1f, 0x00000000, 0x0000e0ff, 0xffffffff, 0xfffcffff, 0xffffffff, 0xffff0100), 3351 SECP256K1_FE_CONST(0x5da42a52, 0x3640de9e, 0x13e64343, 0x0c7591b7, 0x6c1e3519, 0xf048c5b6, 0x0484217c, 0xedbf8b2f)}, 3352 {SECP256K1_FE_CONST(0xd1343ef9, 0x4b952621, 0x7c52a2ee, 0x4ea1281b, 0x4ab46410, 0x9f26998d, 0xa686a8ff, 0x9f2103e8), 3353 SECP256K1_FE_CONST(0x84044385, 0x9a4619bf, 0x74e35b6d, 0xa47e0c46, 0x6b7fb47d, 0x9ffab128, 0xb0775aa3, 0xcb318bd1)}, 3354 {SECP256K1_FE_CONST(0xb27235d2, 0xc56a52be, 0x210db37a, 0xd50d23a4, 0xbe621bdd, 0x5df22c6a, 0xe926ba62, 0xd2e4e440), 3355 SECP256K1_FE_CONST(0x67a26e54, 0x483a9d3c, 0xa568469e, 0xd258ab3d, 0xb9ec9981, 0xdca9b1bd, 0x8d2775fe, 0x53ae429b)}, 3356 {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0x00e0ffff, 0xffffff83, 0xffffffff, 0x3f00f00f, 0x000000e0, 0xffffffff), 3357 SECP256K1_FE_CONST(0x310e10f8, 0x23bbfab0, 0xac94907d, 0x076c9a45, 0x8d357d7f, 0xc763bcee, 0x00d0e615, 0x5a6acef6)}, 3358 {SECP256K1_FE_CONST(0xfeff0300, 0x001c0000, 0xf80700c0, 0x0ff0ffff, 0xffffffff, 0x0fffffff, 0xffff0100, 0x7f0000fe), 3359 SECP256K1_FE_CONST(0x28e2fdb4, 0x0709168b, 0x86f598b0, 0x3453a370, 0x530cf21f, 0x32f978d5, 0x1d527a71, 0x59269b0c)}, 3360 {SECP256K1_FE_CONST(0xc2591afa, 0x7bb98ef7, 0x090bb273, 0x85c14f87, 0xbb0b28e0, 0x54d3c453, 0x85c66753, 0xd5574d2f), 3361 SECP256K1_FE_CONST(0xfdca70a2, 0x70ce627c, 0x95e66fae, 0x848a6dbb, 0x07ffb15c, 0x5f63a058, 0xba4140ed, 0x6113b503)}, 3362 {SECP256K1_FE_CONST(0xf5475db3, 0xedc7b5a3, 0x411c047e, 0xeaeb452f, 0xc625828e, 0x1cf5ad27, 0x8eec1060, 0xc7d3e690), 3363 SECP256K1_FE_CONST(0x5eb756c0, 0xf963f4b9, 0xdc6a215e, 0xec8cc2d8, 0x2e9dec01, 0xde5eb88d, 0x6aba7164, 0xaecb2c5a)}, 3364 {SECP256K1_FE_CONST(0x00000000, 0x00f8ffff, 0xffffffff, 0x01000000, 0xe0ff1f00, 0x00000000, 0xffffff7f, 0x00000000), 3365 SECP256K1_FE_CONST(0xe0d2e3d8, 0x49b6157d, 0xe54e88c2, 0x1a7f02ca, 0x7dd28167, 0xf1125d81, 0x7bfa444e, 0xbe110037)}, 3366 /* Selection of randomly generated inputs that reach high/low d/e values in various configurations. */ 3367 {SECP256K1_FE_CONST(0x13cc08a4, 0xd8c41f0f, 0x179c3e67, 0x54c46c67, 0xc4109221, 0x09ab3b13, 0xe24d9be1, 0xffffe950), 3368 SECP256K1_FE_CONST(0xb80c8006, 0xd16abaa7, 0xcabd71e5, 0xcf6714f4, 0x966dd3d0, 0x64767a2d, 0xe92c4441, 0x51008cd1)}, 3369 {SECP256K1_FE_CONST(0xaa6db990, 0x95efbca1, 0x3cc6ff71, 0x0602e24a, 0xf49ff938, 0x99fffc16, 0x46f40993, 0xc6e72057), 3370 SECP256K1_FE_CONST(0xd5d3dd69, 0xb0c195e5, 0x285f1d49, 0xe639e48c, 0x9223f8a9, 0xca1d731d, 0x9ca482f9, 0xa5b93e06)}, 3371 {SECP256K1_FE_CONST(0x1c680eac, 0xaeabffd8, 0x9bdc4aee, 0x1781e3de, 0xa3b08108, 0x0015f2e0, 0x94449e1b, 0x2f67a058), 3372 SECP256K1_FE_CONST(0x7f083f8d, 0x31254f29, 0x6510f475, 0x245c373d, 0xc5622590, 0x4b323393, 0x32ed1719, 0xc127444b)}, 3373 {SECP256K1_FE_CONST(0x147d44b3, 0x012d83f8, 0xc160d386, 0x1a44a870, 0x9ba6be96, 0x8b962707, 0x267cbc1a, 0xb65b2f0a), 3374 SECP256K1_FE_CONST(0x555554ff, 0x170aef1e, 0x50a43002, 0xe51fbd36, 0xafadb458, 0x7a8aded1, 0x0ca6cd33, 0x6ed9087c)}, 3375 {SECP256K1_FE_CONST(0x12423796, 0x22f0fe61, 0xf9ca017c, 0x5384d107, 0xa1fbf3b2, 0x3b018013, 0x916a3c37, 0x4000b98c), 3376 SECP256K1_FE_CONST(0x20257700, 0x08668f94, 0x1177e306, 0x136c01f5, 0x8ed1fbd2, 0x95ec4589, 0xae38edb9, 0xfd19b6d7)}, 3377 {SECP256K1_FE_CONST(0xdcf2d030, 0x9ab42cb4, 0x93ffa181, 0xdcd23619, 0x39699b52, 0x08909a20, 0xb5a17695, 0x3a9dcf21), 3378 SECP256K1_FE_CONST(0x1f701dea, 0xe211fb1f, 0x4f37180d, 0x63a0f51c, 0x29fe1e40, 0xa40b6142, 0x2e7b12eb, 0x982b06b6)}, 3379 {SECP256K1_FE_CONST(0x79a851f6, 0xa6314ed3, 0xb35a55e6, 0xca1c7d7f, 0xe32369ea, 0xf902432e, 0x375308c5, 0xdfd5b600), 3380 SECP256K1_FE_CONST(0xcaae00c5, 0xe6b43851, 0x9dabb737, 0x38cba42c, 0xa02c8549, 0x7895dcbf, 0xbd183d71, 0xafe4476a)}, 3381 {SECP256K1_FE_CONST(0xede78fdd, 0xcfc92bf1, 0x4fec6c6c, 0xdb8d37e2, 0xfb66bc7b, 0x28701870, 0x7fa27c9a, 0x307196ec), 3382 SECP256K1_FE_CONST(0x68193a6c, 0x9a8b87a7, 0x2a760c64, 0x13e473f6, 0x23ae7bed, 0x1de05422, 0x88865427, 0xa3418265)}, 3383 {SECP256K1_FE_CONST(0xa40b2079, 0xb8f88e89, 0xa7617997, 0x89baf5ae, 0x174df343, 0x75138eae, 0x2711595d, 0x3fc3e66c), 3384 SECP256K1_FE_CONST(0x9f99c6a5, 0x6d685267, 0xd4b87c37, 0x9d9c4576, 0x358c692b, 0x6bbae0ed, 0x3389c93d, 0x7fdd2655)}, 3385 {SECP256K1_FE_CONST(0x7c74c6b6, 0xe98d9151, 0x72645cf1, 0x7f06e321, 0xcefee074, 0x15b2113a, 0x10a9be07, 0x08a45696), 3386 SECP256K1_FE_CONST(0x8c919a88, 0x898bc1e0, 0x77f26f97, 0x12e655b7, 0x9ba0ac40, 0xe15bb19e, 0x8364cc3b, 0xe227a8ee)}, 3387 {SECP256K1_FE_CONST(0x109ba1ce, 0xdafa6d4a, 0xa1cec2b2, 0xeb1069f4, 0xb7a79e5b, 0xec6eb99b, 0xaec5f643, 0xee0e723e), 3388 SECP256K1_FE_CONST(0x93d13eb8, 0x4bb0bcf9, 0xe64f5a71, 0xdbe9f359, 0x7191401c, 0x6f057a4a, 0xa407fe1b, 0x7ecb65cc)}, 3389 {SECP256K1_FE_CONST(0x3db076cd, 0xec74a5c9, 0xf61dd138, 0x90e23e06, 0xeeedd2d0, 0x74cbc4e0, 0x3dbe1e91, 0xded36a78), 3390 SECP256K1_FE_CONST(0x3f07f966, 0x8e2a1e09, 0x706c71df, 0x02b5e9d5, 0xcb92ddbf, 0xcdd53010, 0x16545564, 0xe660b107)}, 3391 {SECP256K1_FE_CONST(0xe31c73ed, 0xb4c4b82c, 0x02ae35f7, 0x4cdec153, 0x98b522fd, 0xf7d2460c, 0x6bf7c0f8, 0x4cf67b0d), 3392 SECP256K1_FE_CONST(0x4b8f1faf, 0x94e8b070, 0x19af0ff6, 0xa319cd31, 0xdf0a7ffb, 0xefaba629, 0x59c50666, 0x1fe5b843)}, 3393 {SECP256K1_FE_CONST(0x4c8b0e6e, 0x83392ab6, 0xc0e3e9f1, 0xbbd85497, 0x16698897, 0xf552d50d, 0x79652ddb, 0x12f99870), 3394 SECP256K1_FE_CONST(0x56d5101f, 0xd23b7949, 0x17dc38d6, 0xf24022ef, 0xcf18e70a, 0x5cc34424, 0x438544c3, 0x62da4bca)}, 3395 {SECP256K1_FE_CONST(0xb0e040e2, 0x40cc35da, 0x7dd5c611, 0x7fccb178, 0x28888137, 0xbc930358, 0xea2cbc90, 0x775417dc), 3396 SECP256K1_FE_CONST(0xca37f0d4, 0x016dd7c8, 0xab3ae576, 0x96e08d69, 0x68ed9155, 0xa9b44270, 0x900ae35d, 0x7c7800cd)}, 3397 {SECP256K1_FE_CONST(0x8a32ea49, 0x7fbb0bae, 0x69724a9d, 0x8e2105b2, 0xbdf69178, 0x862577ef, 0x35055590, 0x667ddaef), 3398 SECP256K1_FE_CONST(0xd02d7ead, 0xc5e190f0, 0x559c9d72, 0xdaef1ffc, 0x64f9f425, 0xf43645ea, 0x7341e08d, 0x11768e96)}, 3399 {SECP256K1_FE_CONST(0xa3592d98, 0x9abe289d, 0x579ebea6, 0xbb0857a8, 0xe242ab73, 0x85f9a2ce, 0xb6998f0f, 0xbfffbfc6), 3400 SECP256K1_FE_CONST(0x093c1533, 0x32032efa, 0x6aa46070, 0x0039599e, 0x589c35f4, 0xff525430, 0x7fe3777a, 0x44b43ddc)}, 3401 {SECP256K1_FE_CONST(0x647178a3, 0x229e607b, 0xcc98521a, 0xcce3fdd9, 0x1e1bc9c9, 0x97fb7c6a, 0x61b961e0, 0x99b10709), 3402 SECP256K1_FE_CONST(0x98217c13, 0xd51ddf78, 0x96310e77, 0xdaebd908, 0x602ca683, 0xcb46d07a, 0xa1fcf17e, 0xc8e2feb3)}, 3403 {SECP256K1_FE_CONST(0x7334627c, 0x73f98968, 0x99464b4b, 0xf5964958, 0x1b95870d, 0xc658227e, 0x5e3235d8, 0xdcab5787), 3404 SECP256K1_FE_CONST(0x000006fd, 0xc7e9dd94, 0x40ae367a, 0xe51d495c, 0x07603b9b, 0x2d088418, 0x6cc5c74c, 0x98514307)}, 3405 {SECP256K1_FE_CONST(0x82e83876, 0x96c28938, 0xa50dd1c5, 0x605c3ad1, 0xc048637d, 0x7a50825f, 0x335ed01a, 0x00005760), 3406 SECP256K1_FE_CONST(0xb0393f9f, 0x9f2aa55e, 0xf5607e2e, 0x5287d961, 0x60b3e704, 0xf3e16e80, 0xb4f9a3ea, 0xfec7f02d)}, 3407 {SECP256K1_FE_CONST(0xc97b6cec, 0x3ee6b8dc, 0x98d24b58, 0x3c1970a1, 0xfe06297a, 0xae813529, 0xe76bb6bd, 0x771ae51d), 3408 SECP256K1_FE_CONST(0x0507c702, 0xd407d097, 0x47ddeb06, 0xf6625419, 0x79f48f79, 0x7bf80d0b, 0xfc34b364, 0x253a5db1)}, 3409 {SECP256K1_FE_CONST(0xd559af63, 0x77ea9bc4, 0x3cf1ad14, 0x5c7a4bbb, 0x10e7d18b, 0x7ce0dfac, 0x380bb19d, 0x0bb99bd3), 3410 SECP256K1_FE_CONST(0x00196119, 0xb9b00d92, 0x34edfdb5, 0xbbdc42fc, 0xd2daa33a, 0x163356ca, 0xaa8754c8, 0xb0ec8b0b)}, 3411 {SECP256K1_FE_CONST(0x8ddfa3dc, 0x52918da0, 0x640519dc, 0x0af8512a, 0xca2d33b2, 0xbde52514, 0xda9c0afc, 0xcb29fce4), 3412 SECP256K1_FE_CONST(0xb3e4878d, 0x5cb69148, 0xcd54388b, 0xc23acce0, 0x62518ba8, 0xf09def92, 0x7b31e6aa, 0x6ba35b02)}, 3413 {SECP256K1_FE_CONST(0xf8207492, 0xe3049f0a, 0x65285f2b, 0x0bfff996, 0x00ca112e, 0xc05da837, 0x546d41f9, 0x5194fb91), 3414 SECP256K1_FE_CONST(0x7b7ee50b, 0xa8ed4bbd, 0xf6469930, 0x81419a5c, 0x071441c7, 0x290d046e, 0x3b82ea41, 0x611c5f95)}, 3415 {SECP256K1_FE_CONST(0x050f7c80, 0x5bcd3c6b, 0x823cb724, 0x5ce74db7, 0xa4e39f5c, 0xbd8828d7, 0xfd4d3e07, 0x3ec2926a), 3416 SECP256K1_FE_CONST(0x000d6730, 0xb0171314, 0x4764053d, 0xee157117, 0x48fd61da, 0xdea0b9db, 0x1d5e91c6, 0xbdc3f59e)}, 3417 {SECP256K1_FE_CONST(0x3e3ea8eb, 0x05d760cf, 0x23009263, 0xb3cb3ac9, 0x088f6f0d, 0x3fc182a3, 0xbd57087c, 0xe67c62f9), 3418 SECP256K1_FE_CONST(0xbe988716, 0xa29c1bf6, 0x4456aed6, 0xab1e4720, 0x49929305, 0x51043bf4, 0xebd833dd, 0xdd511e8b)}, 3419 {SECP256K1_FE_CONST(0x6964d2a9, 0xa7fa6501, 0xa5959249, 0x142f4029, 0xea0c1b5f, 0x2f487ef6, 0x301ac80a, 0x768be5cd), 3420 SECP256K1_FE_CONST(0x3918ffe4, 0x07492543, 0xed24d0b7, 0x3df95f8f, 0xaffd7cb4, 0x0de2191c, 0x9ec2f2ad, 0x2c0cb3c6)}, 3421 {SECP256K1_FE_CONST(0x37c93520, 0xf6ddca57, 0x2b42fd5e, 0xb5c7e4de, 0x11b5b81c, 0xb95e91f3, 0x95c4d156, 0x39877ccb), 3422 SECP256K1_FE_CONST(0x9a94b9b5, 0x57eb71ee, 0x4c975b8b, 0xac5262a8, 0x077b0595, 0xe12a6b1f, 0xd728edef, 0x1a6bf956)} 3423 }; 3424 /* Fixed test cases for scalar inverses: pairs of (x, 1/x) mod n. */ 3425 static const secp256k1_scalar scalar_cases[][2] = { 3426 /* 0 */ 3427 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0), 3428 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0)}, 3429 /* 1 */ 3430 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1), 3431 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1)}, 3432 /* -1 */ 3433 {SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140), 3434 SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140)}, 3435 /* 2 */ 3436 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 2), 3437 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x5d576e73, 0x57a4501d, 0xdfe92f46, 0x681b20a1)}, 3438 /* 2**128 */ 3439 {SECP256K1_SCALAR_CONST(0, 0, 0, 1, 0, 0, 0, 0), 3440 SECP256K1_SCALAR_CONST(0x50a51ac8, 0x34b9ec24, 0x4b0dff66, 0x5588b13e, 0x9984d5b3, 0xcf80ef0f, 0xd6a23766, 0xa3ee9f22)}, 3441 /* Input known to need 635 divsteps */ 3442 {SECP256K1_SCALAR_CONST(0xcb9f1d35, 0xdd4416c2, 0xcd71bf3f, 0x6365da66, 0x3c9b3376, 0x8feb7ae9, 0x32a5ef60, 0x19199ec3), 3443 SECP256K1_SCALAR_CONST(0x1d7c7bba, 0xf1893d53, 0xb834bd09, 0x36b411dc, 0x42c2e42f, 0xec72c428, 0x5e189791, 0x8e9bc708)}, 3444 /* Input known to need 566 divsteps starting with delta=1/2. */ 3445 {SECP256K1_SCALAR_CONST(0x7e3c993d, 0xa4272488, 0xbc015b49, 0x2db54174, 0xd382083a, 0xebe6db35, 0x80f82eff, 0xcd132c72), 3446 SECP256K1_SCALAR_CONST(0x086f34a0, 0x3e631f76, 0x77418f28, 0xcc84ac95, 0x6304439d, 0x365db268, 0x312c6ded, 0xd0b934f8)}, 3447 /* Input known to need 565 divsteps starting with delta=1/2. */ 3448 {SECP256K1_SCALAR_CONST(0xbad7e587, 0x3f307859, 0x60d93147, 0x8a18491e, 0xb38a9fd5, 0x254350d3, 0x4b1f0e4b, 0x7dd6edc4), 3449 SECP256K1_SCALAR_CONST(0x89f2df26, 0x39e2b041, 0xf19bd876, 0xd039c8ac, 0xc2223add, 0x29c4943e, 0x6632d908, 0x515f467b)}, 3450 /* Selection of randomly generated inputs that reach low/high d/e values in various configurations. */ 3451 {SECP256K1_SCALAR_CONST(0x1950d757, 0xb37a5809, 0x435059bb, 0x0bb8997e, 0x07e1e3c8, 0x5e5d7d2c, 0x6a0ed8e3, 0xdbde180e), 3452 SECP256K1_SCALAR_CONST(0xbf72af9b, 0x750309e2, 0x8dda230b, 0xfe432b93, 0x7e25e475, 0x4388251e, 0x633d894b, 0x3bcb6f8c)}, 3453 {SECP256K1_SCALAR_CONST(0x9bccf4e7, 0xc5a515e3, 0x50637aa9, 0xbb65a13f, 0x391749a1, 0x62de7d4e, 0xf6d7eabb, 0x3cd10ce0), 3454 SECP256K1_SCALAR_CONST(0xaf2d5623, 0xb6385a33, 0xcd0365be, 0x5e92a70d, 0x7f09179c, 0x3baaf30f, 0x8f9cc83b, 0x20092f67)}, 3455 {SECP256K1_SCALAR_CONST(0x73a57111, 0xb242952a, 0x5c5dee59, 0xf3be2ace, 0xa30a7659, 0xa46e5f47, 0xd21267b1, 0x39e642c9), 3456 SECP256K1_SCALAR_CONST(0xa711df07, 0xcbcf13ef, 0xd61cc6be, 0xbcd058ce, 0xb02cf157, 0x272d4a18, 0x86d0feb3, 0xcd5fa004)}, 3457 {SECP256K1_SCALAR_CONST(0x04884963, 0xce0580b1, 0xba547030, 0x3c691db3, 0x9cd2c84f, 0x24c7cebd, 0x97ebfdba, 0x3e785ec2), 3458 SECP256K1_SCALAR_CONST(0xaaaaaf14, 0xd7c99ba7, 0x517ce2c1, 0x78a28b4c, 0x3769a851, 0xe5c5a03d, 0x4cc28f33, 0x0ec4dc5d)}, 3459 {SECP256K1_SCALAR_CONST(0x1679ed49, 0x21f537b1, 0x815cb8ae, 0x9efc511c, 0x5b9fa037, 0x0b0f275e, 0x6c985281, 0x6c4a9905), 3460 SECP256K1_SCALAR_CONST(0xb14ac3d5, 0x62b52999, 0xef34ead1, 0xffca4998, 0x0294341a, 0x1f8172aa, 0xea1624f9, 0x302eea62)}, 3461 {SECP256K1_SCALAR_CONST(0x626b37c0, 0xf0057c35, 0xee982f83, 0x452a1fd3, 0xea826506, 0x48b08a9d, 0x1d2c4799, 0x4ad5f6ec), 3462 SECP256K1_SCALAR_CONST(0xe38643b7, 0x567bfc2f, 0x5d2f1c15, 0xe327239c, 0x07112443, 0x69509283, 0xfd98e77a, 0xdb71c1e8)}, 3463 {SECP256K1_SCALAR_CONST(0x1850a3a7, 0x759efc56, 0x54f287b2, 0x14d1234b, 0xe263bbc9, 0xcf4d8927, 0xd5f85f27, 0x965bd816), 3464 SECP256K1_SCALAR_CONST(0x3b071831, 0xcac9619a, 0xcceb0596, 0xf614d63b, 0x95d0db2f, 0xc6a00901, 0x8eaa2621, 0xabfa0009)}, 3465 {SECP256K1_SCALAR_CONST(0x94ae5d06, 0xa27dc400, 0x487d72be, 0xaa51ebed, 0xe475b5c0, 0xea675ffc, 0xf4df627a, 0xdca4222f), 3466 SECP256K1_SCALAR_CONST(0x01b412ed, 0xd7830956, 0x1532537e, 0xe5e3dc99, 0x8fd3930a, 0x54f8d067, 0x32ef5760, 0x594438a5)}, 3467 {SECP256K1_SCALAR_CONST(0x1f24278a, 0xb5bfe374, 0xa328dbbc, 0xebe35f48, 0x6620e009, 0xd58bb1b4, 0xb5a6bf84, 0x8815f63a), 3468 SECP256K1_SCALAR_CONST(0xfe928416, 0xca5ba2d3, 0xfde513da, 0x903a60c7, 0x9e58ad8a, 0x8783bee4, 0x083a3843, 0xa608c914)}, 3469 {SECP256K1_SCALAR_CONST(0xdc107d58, 0x274f6330, 0x67dba8bc, 0x26093111, 0x5201dfb8, 0x968ce3f5, 0xf34d1bd4, 0xf2146504), 3470 SECP256K1_SCALAR_CONST(0x660cfa90, 0x13c3d93e, 0x7023b1e5, 0xedd09e71, 0x6d9c9d10, 0x7a3d2cdb, 0xdd08edc3, 0xaa78fcfb)}, 3471 {SECP256K1_SCALAR_CONST(0x7cd1e905, 0xc6f02776, 0x2f551cc7, 0x5da61cff, 0x7da05389, 0x1119d5a4, 0x631c7442, 0x894fd4f7), 3472 SECP256K1_SCALAR_CONST(0xff20862a, 0x9d3b1a37, 0x1628803b, 0x3004ccae, 0xaa23282a, 0xa89a1109, 0xd94ece5e, 0x181bdc46)}, 3473 {SECP256K1_SCALAR_CONST(0x5b9dade8, 0x23d26c58, 0xcd12d818, 0x25b8ae97, 0x3dea04af, 0xf482c96b, 0xa062f254, 0x9e453640), 3474 SECP256K1_SCALAR_CONST(0x50c38800, 0x15fa53f4, 0xbe1e5392, 0x5c9b120a, 0x262c22c7, 0x18fa0816, 0x5f2baab4, 0x8cb5db46)}, 3475 {SECP256K1_SCALAR_CONST(0x11cdaeda, 0x969c464b, 0xef1f4ab0, 0x5b01d22e, 0x656fd098, 0x882bea84, 0x65cdbe7a, 0x0c19ff03), 3476 SECP256K1_SCALAR_CONST(0x1968d0fa, 0xac46f103, 0xb55f1f72, 0xb3820bed, 0xec6b359a, 0x4b1ae0ad, 0x7e38e1fb, 0x295ccdfb)}, 3477 {SECP256K1_SCALAR_CONST(0x2c351aa1, 0x26e91589, 0x194f8a1e, 0x06561f66, 0x0cb97b7f, 0x10914454, 0x134d1c03, 0x157266b4), 3478 SECP256K1_SCALAR_CONST(0xbe49ada6, 0x92bd8711, 0x41b176c4, 0xa478ba95, 0x14883434, 0x9d1cd6f3, 0xcc4b847d, 0x22af80f5)}, 3479 {SECP256K1_SCALAR_CONST(0x6ba07c6e, 0x13a60edb, 0x6247f5c3, 0x84b5fa56, 0x76fe3ec5, 0x80426395, 0xf65ec2ae, 0x623ba730), 3480 SECP256K1_SCALAR_CONST(0x25ac23f7, 0x418cd747, 0x98376f9d, 0x4a11c7bf, 0x24c8ebfe, 0x4c8a8655, 0x345f4f52, 0x1c515595)}, 3481 {SECP256K1_SCALAR_CONST(0x9397a712, 0x8abb6951, 0x2d4a3d54, 0x703b1c2a, 0x0661dca8, 0xd75c9b31, 0xaed4d24b, 0xd2ab2948), 3482 SECP256K1_SCALAR_CONST(0xc52e8bef, 0xd55ce3eb, 0x1c897739, 0xeb9fb606, 0x36b9cd57, 0x18c51cc2, 0x6a87489e, 0xffd0dcf3)}, 3483 {SECP256K1_SCALAR_CONST(0xe6a808cc, 0xeb437888, 0xe97798df, 0x4e224e44, 0x7e3b380a, 0x207c1653, 0x889f3212, 0xc6738b6f), 3484 SECP256K1_SCALAR_CONST(0x31f9ae13, 0xd1e08b20, 0x757a2e5e, 0x5243a0eb, 0x8ae35f73, 0x19bb6122, 0xb910f26b, 0xda70aa55)}, 3485 {SECP256K1_SCALAR_CONST(0xd0320548, 0xab0effe7, 0xa70779e0, 0x61a347a6, 0xb8c1e010, 0x9d5281f8, 0x2ee588a6, 0x80000000), 3486 SECP256K1_SCALAR_CONST(0x1541897e, 0x78195c90, 0x7583dd9e, 0x728b6100, 0xbce8bc6d, 0x7a53b471, 0x5dcd9e45, 0x4425fcaf)}, 3487 {SECP256K1_SCALAR_CONST(0x93d623f1, 0xd45b50b0, 0x796e9186, 0x9eac9407, 0xd30edc20, 0xef6304cf, 0x250494e7, 0xba503de9), 3488 SECP256K1_SCALAR_CONST(0x7026d638, 0x1178b548, 0x92043952, 0x3c7fb47c, 0xcd3ea236, 0x31d82b01, 0x612fc387, 0x80b9b957)}, 3489 {SECP256K1_SCALAR_CONST(0xf860ab39, 0x55f5d412, 0xa4d73bcc, 0x3b48bd90, 0xc248ffd3, 0x13ca10be, 0x8fba84cc, 0xdd28d6a3), 3490 SECP256K1_SCALAR_CONST(0x5c32fc70, 0xe0b15d67, 0x76694700, 0xfe62be4d, 0xeacdb229, 0x7a4433d9, 0x52155cd0, 0x7649ab59)}, 3491 {SECP256K1_SCALAR_CONST(0x4e41311c, 0x0800af58, 0x7a690a8e, 0xe175c9ba, 0x6981ab73, 0xac532ea8, 0x5c1f5e63, 0x6ac1f189), 3492 SECP256K1_SCALAR_CONST(0xfffffff9, 0xd075982c, 0x7fbd3825, 0xc05038a2, 0x4533b91f, 0x94ec5f45, 0xb280b28f, 0x842324dc)}, 3493 {SECP256K1_SCALAR_CONST(0x48e473bf, 0x3555eade, 0xad5d7089, 0x2424c4e4, 0x0a99397c, 0x2dc796d8, 0xb7a43a69, 0xd0364141), 3494 SECP256K1_SCALAR_CONST(0x634976b2, 0xa0e47895, 0x1ec38593, 0x266d6fd0, 0x6f602644, 0x9bb762f1, 0x7180c704, 0xe23a4daa)}, 3495 {SECP256K1_SCALAR_CONST(0xbe83878d, 0x3292fc54, 0x26e71c62, 0x556ccedc, 0x7cbb8810, 0x4032a720, 0x34ead589, 0xe4d6bd13), 3496 SECP256K1_SCALAR_CONST(0x6cd150ad, 0x25e59d0f, 0x74cbae3d, 0x6377534a, 0x1e6562e8, 0xb71b9d18, 0xe1e5d712, 0x8480abb3)}, 3497 {SECP256K1_SCALAR_CONST(0xcdddf2e5, 0xefc15f88, 0xc9ee06de, 0x8a846ca9, 0x28561581, 0x68daa5fb, 0xd1cf3451, 0xeb1782d0), 3498 SECP256K1_SCALAR_CONST(0xffffffd9, 0xed8d2af4, 0x993c865a, 0x23e9681a, 0x3ca3a3dc, 0xe6d5a46e, 0xbd86bd87, 0x61b55c70)}, 3499 {SECP256K1_SCALAR_CONST(0xb6a18f1f, 0x04872df9, 0x08165ec4, 0x319ca19c, 0x6c0359ab, 0x1f7118fb, 0xc2ef8082, 0xca8b7785), 3500 SECP256K1_SCALAR_CONST(0xff55b19b, 0x0f1ac78c, 0x0f0c88c2, 0x2358d5ad, 0x5f455e4e, 0x3330b72f, 0x274dc153, 0xffbf272b)}, 3501 {SECP256K1_SCALAR_CONST(0xea4898e5, 0x30eba3e8, 0xcf0e5c3d, 0x06ec6844, 0x01e26fb6, 0x75636225, 0xc5d08f4c, 0x1decafa0), 3502 SECP256K1_SCALAR_CONST(0xe5a014a8, 0xe3c4ec1e, 0xea4f9b32, 0xcfc7b386, 0x00630806, 0x12c08d02, 0x6407ccc2, 0xb067d90e)}, 3503 {SECP256K1_SCALAR_CONST(0x70e9aea9, 0x7e933af0, 0x8a23bfab, 0x23e4b772, 0xff951863, 0x5ffcf47d, 0x6bebc918, 0x2ca58265), 3504 SECP256K1_SCALAR_CONST(0xf4e00006, 0x81bc6441, 0x4eb6ec02, 0xc194a859, 0x80ad7c48, 0xba4e9afb, 0x8b6bdbe0, 0x989d8f77)}, 3505 {SECP256K1_SCALAR_CONST(0x3c56c774, 0x46efe6f0, 0xe93618b8, 0xf9b5a846, 0xd247df61, 0x83b1e215, 0x06dc8bcc, 0xeefc1bf5), 3506 SECP256K1_SCALAR_CONST(0xfff8937a, 0x2cd9586b, 0x43c25e57, 0xd1cefa7a, 0x9fb91ed3, 0x95b6533d, 0x8ad0de5b, 0xafb93f00)}, 3507 {SECP256K1_SCALAR_CONST(0xfb5c2772, 0x5cb30e83, 0xe38264df, 0xe4e3ebf3, 0x392aa92e, 0xa68756a1, 0x51279ac5, 0xb50711a8), 3508 SECP256K1_SCALAR_CONST(0x000013af, 0x1105bfe7, 0xa6bbd7fb, 0x3d638f99, 0x3b266b02, 0x072fb8bc, 0x39251130, 0x2e0fd0ea)} 3509 }; 3510 int i, var, testrand; 3511 unsigned char b32[32]; 3512 secp256k1_fe x_fe; 3513 secp256k1_scalar x_scalar; 3514 memset(b32, 0, sizeof(b32)); 3515 /* Test fixed test cases through test_inverse_{scalar,field}, both ways. */ 3516 for (i = 0; (size_t)i < sizeof(fe_cases)/sizeof(fe_cases[0]); ++i) { 3517 for (var = 0; var <= 1; ++var) { 3518 test_inverse_field(&x_fe, &fe_cases[i][0], var); 3519 CHECK(fe_equal(&x_fe, &fe_cases[i][1])); 3520 test_inverse_field(&x_fe, &fe_cases[i][1], var); 3521 CHECK(fe_equal(&x_fe, &fe_cases[i][0])); 3522 } 3523 } 3524 for (i = 0; (size_t)i < sizeof(scalar_cases)/sizeof(scalar_cases[0]); ++i) { 3525 for (var = 0; var <= 1; ++var) { 3526 test_inverse_scalar(&x_scalar, &scalar_cases[i][0], var); 3527 CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][1])); 3528 test_inverse_scalar(&x_scalar, &scalar_cases[i][1], var); 3529 CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][0])); 3530 } 3531 } 3532 /* Test inputs 0..999 and their respective negations. */ 3533 for (i = 0; i < 1000; ++i) { 3534 b32[31] = i & 0xff; 3535 b32[30] = (i >> 8) & 0xff; 3536 secp256k1_scalar_set_b32(&x_scalar, b32, NULL); 3537 secp256k1_fe_set_b32_mod(&x_fe, b32); 3538 for (var = 0; var <= 1; ++var) { 3539 test_inverse_scalar(NULL, &x_scalar, var); 3540 test_inverse_field(NULL, &x_fe, var); 3541 } 3542 secp256k1_scalar_negate(&x_scalar, &x_scalar); 3543 secp256k1_fe_negate(&x_fe, &x_fe, 1); 3544 for (var = 0; var <= 1; ++var) { 3545 test_inverse_scalar(NULL, &x_scalar, var); 3546 test_inverse_field(NULL, &x_fe, var); 3547 } 3548 } 3549 /* test 128*count random inputs; half with testrand256_test, half with testrand256 */ 3550 for (testrand = 0; testrand <= 1; ++testrand) { 3551 for (i = 0; i < 64 * COUNT; ++i) { 3552 (testrand ? testrand256_test : testrand256)(b32); 3553 secp256k1_scalar_set_b32(&x_scalar, b32, NULL); 3554 secp256k1_fe_set_b32_mod(&x_fe, b32); 3555 for (var = 0; var <= 1; ++var) { 3556 test_inverse_scalar(NULL, &x_scalar, var); 3557 test_inverse_field(NULL, &x_fe, var); 3558 } 3559 } 3560 } 3561 } 3562 3563 /***** HSORT TESTS *****/ 3564 3565 static void test_heap_swap(void) { 3566 unsigned char a[600]; 3567 unsigned char e[sizeof(a)]; 3568 memset(a, 21, 200); 3569 memset(a + 200, 99, 200); 3570 memset(a + 400, 42, 200); 3571 memset(e, 42, 200); 3572 memset(e + 200, 99, 200); 3573 memset(e + 400, 21, 200); 3574 secp256k1_heap_swap(a, 0, 2, 200); 3575 CHECK(secp256k1_memcmp_var(a, e, sizeof(a)) == 0); 3576 } 3577 3578 static void test_hsort_is_sorted(unsigned char *elements, size_t n, size_t len) { 3579 size_t i; 3580 for (i = 1; i < n; i++) { 3581 CHECK(secp256k1_memcmp_var(&elements[(i-1) * len], &elements[i * len], len) <= 0); 3582 } 3583 } 3584 3585 struct test_hsort_cmp_data { 3586 size_t counter; 3587 size_t element_len; 3588 }; 3589 3590 3591 static int test_hsort_cmp(const void *ele1, const void *ele2, void *data) { 3592 struct test_hsort_cmp_data *d = (struct test_hsort_cmp_data *) data; 3593 d->counter += 1; 3594 return secp256k1_memcmp_var((unsigned char *)ele1, (unsigned char *)ele2, d->element_len); 3595 } 3596 3597 #define NUM 65 3598 #define MAX_ELEMENT_LEN 65 3599 static void test_hsort(size_t element_len) { 3600 unsigned char elements[NUM * MAX_ELEMENT_LEN] = { 0 }; 3601 struct test_hsort_cmp_data data; 3602 int i; 3603 3604 VERIFY_CHECK(element_len <= MAX_ELEMENT_LEN); 3605 data.counter = 0; 3606 data.element_len = element_len; 3607 3608 secp256k1_hsort(elements, 0, element_len, test_hsort_cmp, &data); 3609 CHECK(data.counter == 0); 3610 secp256k1_hsort(elements, 1, element_len, test_hsort_cmp, &data); 3611 CHECK(data.counter == 0); 3612 secp256k1_hsort(elements, NUM, element_len, test_hsort_cmp, &data); 3613 CHECK(data.counter >= NUM - 1); 3614 test_hsort_is_sorted(elements, NUM, element_len); 3615 3616 /* Test hsort with array of random length n */ 3617 for (i = 0; i < COUNT; i++) { 3618 int n = testrand_int(NUM); 3619 testrand_bytes_test(elements, n*element_len); 3620 secp256k1_hsort(elements, n, element_len, test_hsort_cmp, &data); 3621 test_hsort_is_sorted(elements, n, element_len); 3622 } 3623 } 3624 #undef NUM 3625 #undef MAX_ELEMENT_LEN 3626 3627 3628 static void run_hsort_tests(void) { 3629 test_heap_swap(); 3630 test_hsort(1); 3631 test_hsort(64); 3632 test_hsort(65); 3633 } 3634 3635 /***** GROUP TESTS *****/ 3636 3637 /* This compares jacobian points including their Z, not just their geometric meaning. */ 3638 static int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) { 3639 secp256k1_gej a2; 3640 secp256k1_gej b2; 3641 int ret = 1; 3642 ret &= a->infinity == b->infinity; 3643 if (ret && !a->infinity) { 3644 a2 = *a; 3645 b2 = *b; 3646 secp256k1_fe_normalize(&a2.x); 3647 secp256k1_fe_normalize(&a2.y); 3648 secp256k1_fe_normalize(&a2.z); 3649 secp256k1_fe_normalize(&b2.x); 3650 secp256k1_fe_normalize(&b2.y); 3651 secp256k1_fe_normalize(&b2.z); 3652 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0; 3653 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0; 3654 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0; 3655 } 3656 return ret; 3657 } 3658 3659 static void test_ge(void) { 3660 int i, i1; 3661 int runs = 6; 3662 /* 25 points are used: 3663 * - infinity 3664 * - for each of four random points p1 p2 p3 p4, we add the point, its 3665 * negation, and then those two again but with randomized Z coordinate. 3666 * - The same is then done for lambda*p1 and lambda^2*p1. 3667 */ 3668 secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&CTX->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs)); 3669 secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&CTX->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs)); 3670 secp256k1_fe zf, r; 3671 secp256k1_fe zfi2, zfi3; 3672 3673 secp256k1_gej_set_infinity(&gej[0]); 3674 secp256k1_ge_set_infinity(&ge[0]); 3675 for (i = 0; i < runs; i++) { 3676 int j, k; 3677 secp256k1_ge g; 3678 testutil_random_ge_test(&g); 3679 if (i >= runs - 2) { 3680 secp256k1_ge_mul_lambda(&g, &ge[1]); 3681 CHECK(!secp256k1_ge_eq_var(&g, &ge[1])); 3682 } 3683 if (i >= runs - 1) { 3684 secp256k1_ge_mul_lambda(&g, &g); 3685 } 3686 ge[1 + 4 * i] = g; 3687 ge[2 + 4 * i] = g; 3688 secp256k1_ge_neg(&ge[3 + 4 * i], &g); 3689 secp256k1_ge_neg(&ge[4 + 4 * i], &g); 3690 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]); 3691 testutil_random_ge_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]); 3692 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]); 3693 testutil_random_ge_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]); 3694 for (j = 0; j < 4; j++) { 3695 testutil_random_ge_x_magnitude(&ge[1 + j + 4 * i]); 3696 testutil_random_ge_y_magnitude(&ge[1 + j + 4 * i]); 3697 testutil_random_gej_x_magnitude(&gej[1 + j + 4 * i]); 3698 testutil_random_gej_y_magnitude(&gej[1 + j + 4 * i]); 3699 testutil_random_gej_z_magnitude(&gej[1 + j + 4 * i]); 3700 } 3701 3702 for (j = 0; j < 4; ++j) { 3703 for (k = 0; k < 4; ++k) { 3704 int expect_equal = (j >> 1) == (k >> 1); 3705 CHECK(secp256k1_ge_eq_var(&ge[1 + j + 4 * i], &ge[1 + k + 4 * i]) == expect_equal); 3706 CHECK(secp256k1_gej_eq_var(&gej[1 + j + 4 * i], &gej[1 + k + 4 * i]) == expect_equal); 3707 CHECK(secp256k1_gej_eq_ge_var(&gej[1 + j + 4 * i], &ge[1 + k + 4 * i]) == expect_equal); 3708 CHECK(secp256k1_gej_eq_ge_var(&gej[1 + k + 4 * i], &ge[1 + j + 4 * i]) == expect_equal); 3709 } 3710 } 3711 } 3712 3713 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */ 3714 testutil_random_fe_non_zero_test(&zf); 3715 testutil_random_fe_magnitude(&zf, 8); 3716 secp256k1_fe_inv_var(&zfi3, &zf); 3717 secp256k1_fe_sqr(&zfi2, &zfi3); 3718 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2); 3719 3720 /* Generate random r */ 3721 testutil_random_fe_non_zero_test(&r); 3722 3723 for (i1 = 0; i1 < 1 + 4 * runs; i1++) { 3724 int i2; 3725 for (i2 = 0; i2 < 1 + 4 * runs; i2++) { 3726 /* Compute reference result using gej + gej (var). */ 3727 secp256k1_gej refj, resj; 3728 secp256k1_ge ref; 3729 secp256k1_fe zr; 3730 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr); 3731 /* Check Z ratio. */ 3732 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) { 3733 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z); 3734 CHECK(secp256k1_fe_equal(&zrz, &refj.z)); 3735 } 3736 secp256k1_ge_set_gej_var(&ref, &refj); 3737 3738 /* Test gej + ge with Z ratio result (var). */ 3739 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr); 3740 CHECK(secp256k1_gej_eq_ge_var(&resj, &ref)); 3741 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) { 3742 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z); 3743 CHECK(secp256k1_fe_equal(&zrz, &resj.z)); 3744 } 3745 3746 /* Test gej + ge (var, with additional Z factor). */ 3747 { 3748 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */ 3749 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2); 3750 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3); 3751 testutil_random_ge_x_magnitude(&ge2_zfi); 3752 testutil_random_ge_y_magnitude(&ge2_zfi); 3753 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf); 3754 CHECK(secp256k1_gej_eq_ge_var(&resj, &ref)); 3755 } 3756 3757 /* Test gej + ge (const). */ 3758 if (i2 != 0) { 3759 /* secp256k1_gej_add_ge does not support its second argument being infinity. */ 3760 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]); 3761 CHECK(secp256k1_gej_eq_ge_var(&resj, &ref)); 3762 } 3763 3764 /* Test doubling (var). */ 3765 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) { 3766 secp256k1_fe zr2; 3767 /* Normal doubling with Z ratio result. */ 3768 secp256k1_gej_double_var(&resj, &gej[i1], &zr2); 3769 CHECK(secp256k1_gej_eq_ge_var(&resj, &ref)); 3770 /* Check Z ratio. */ 3771 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z); 3772 CHECK(secp256k1_fe_equal(&zr2, &resj.z)); 3773 /* Normal doubling. */ 3774 secp256k1_gej_double_var(&resj, &gej[i2], NULL); 3775 CHECK(secp256k1_gej_eq_ge_var(&resj, &ref)); 3776 /* Constant-time doubling. */ 3777 secp256k1_gej_double(&resj, &gej[i2]); 3778 CHECK(secp256k1_gej_eq_ge_var(&resj, &ref)); 3779 } 3780 3781 /* Test adding opposites. */ 3782 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) { 3783 CHECK(secp256k1_ge_is_infinity(&ref)); 3784 } 3785 3786 /* Test adding infinity. */ 3787 if (i1 == 0) { 3788 CHECK(secp256k1_ge_is_infinity(&ge[i1])); 3789 CHECK(secp256k1_gej_is_infinity(&gej[i1])); 3790 CHECK(secp256k1_gej_eq_ge_var(&gej[i2], &ref)); 3791 } 3792 if (i2 == 0) { 3793 CHECK(secp256k1_ge_is_infinity(&ge[i2])); 3794 CHECK(secp256k1_gej_is_infinity(&gej[i2])); 3795 CHECK(secp256k1_gej_eq_ge_var(&gej[i1], &ref)); 3796 } 3797 } 3798 } 3799 3800 /* Test adding all points together in random order equals infinity. */ 3801 { 3802 secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY; 3803 secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&CTX->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej)); 3804 for (i = 0; i < 4 * runs + 1; i++) { 3805 gej_shuffled[i] = gej[i]; 3806 } 3807 for (i = 0; i < 4 * runs + 1; i++) { 3808 int swap = i + testrand_int(4 * runs + 1 - i); 3809 if (swap != i) { 3810 secp256k1_gej t = gej_shuffled[i]; 3811 gej_shuffled[i] = gej_shuffled[swap]; 3812 gej_shuffled[swap] = t; 3813 } 3814 } 3815 for (i = 0; i < 4 * runs + 1; i++) { 3816 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL); 3817 } 3818 CHECK(secp256k1_gej_is_infinity(&sum)); 3819 free(gej_shuffled); 3820 } 3821 3822 /* Test batch gej -> ge conversion without known z ratios. */ 3823 { 3824 secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&CTX->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge)); 3825 secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1); 3826 for (i = 0; i < 4 * runs + 1; i++) { 3827 secp256k1_fe s; 3828 testutil_random_fe_non_zero(&s); 3829 secp256k1_gej_rescale(&gej[i], &s); 3830 CHECK(secp256k1_gej_eq_ge_var(&gej[i], &ge_set_all[i])); 3831 } 3832 free(ge_set_all); 3833 } 3834 3835 /* Test that all elements have X coordinates on the curve. */ 3836 for (i = 1; i < 4 * runs + 1; i++) { 3837 secp256k1_fe n; 3838 CHECK(secp256k1_ge_x_on_curve_var(&ge[i].x)); 3839 /* And the same holds after random rescaling. */ 3840 secp256k1_fe_mul(&n, &zf, &ge[i].x); 3841 CHECK(secp256k1_ge_x_frac_on_curve_var(&n, &zf)); 3842 } 3843 3844 /* Test correspondence of secp256k1_ge_x{,_frac}_on_curve_var with ge_set_xo. */ 3845 { 3846 secp256k1_fe n; 3847 secp256k1_ge q; 3848 int ret_on_curve, ret_frac_on_curve, ret_set_xo; 3849 secp256k1_fe_mul(&n, &zf, &r); 3850 ret_on_curve = secp256k1_ge_x_on_curve_var(&r); 3851 ret_frac_on_curve = secp256k1_ge_x_frac_on_curve_var(&n, &zf); 3852 ret_set_xo = secp256k1_ge_set_xo_var(&q, &r, 0); 3853 CHECK(ret_on_curve == ret_frac_on_curve); 3854 CHECK(ret_on_curve == ret_set_xo); 3855 if (ret_set_xo) CHECK(secp256k1_fe_equal(&r, &q.x)); 3856 } 3857 3858 /* Test batch gej -> ge conversion with many infinities. */ 3859 for (i = 0; i < 4 * runs + 1; i++) { 3860 int odd; 3861 testutil_random_ge_test(&ge[i]); 3862 odd = secp256k1_fe_is_odd(&ge[i].x); 3863 CHECK(odd == 0 || odd == 1); 3864 /* randomly set half the points to infinity */ 3865 if (odd == i % 2) { 3866 secp256k1_ge_set_infinity(&ge[i]); 3867 } 3868 secp256k1_gej_set_ge(&gej[i], &ge[i]); 3869 } 3870 /* batch convert */ 3871 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1); 3872 /* check result */ 3873 for (i = 0; i < 4 * runs + 1; i++) { 3874 CHECK(secp256k1_gej_eq_ge_var(&gej[i], &ge[i])); 3875 } 3876 3877 /* Test batch gej -> ge conversion with all infinities. */ 3878 for (i = 0; i < 4 * runs + 1; i++) { 3879 secp256k1_gej_set_infinity(&gej[i]); 3880 } 3881 /* batch convert */ 3882 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1); 3883 /* check result */ 3884 for (i = 0; i < 4 * runs + 1; i++) { 3885 CHECK(secp256k1_ge_is_infinity(&ge[i])); 3886 } 3887 3888 free(ge); 3889 free(gej); 3890 } 3891 3892 static void test_intialized_inf(void) { 3893 secp256k1_ge p; 3894 secp256k1_gej pj, npj, infj1, infj2, infj3; 3895 secp256k1_fe zinv; 3896 3897 /* Test that adding P+(-P) results in a fully initialized infinity*/ 3898 testutil_random_ge_test(&p); 3899 secp256k1_gej_set_ge(&pj, &p); 3900 secp256k1_gej_neg(&npj, &pj); 3901 3902 secp256k1_gej_add_var(&infj1, &pj, &npj, NULL); 3903 CHECK(secp256k1_gej_is_infinity(&infj1)); 3904 CHECK(secp256k1_fe_is_zero(&infj1.x)); 3905 CHECK(secp256k1_fe_is_zero(&infj1.y)); 3906 CHECK(secp256k1_fe_is_zero(&infj1.z)); 3907 3908 secp256k1_gej_add_ge_var(&infj2, &npj, &p, NULL); 3909 CHECK(secp256k1_gej_is_infinity(&infj2)); 3910 CHECK(secp256k1_fe_is_zero(&infj2.x)); 3911 CHECK(secp256k1_fe_is_zero(&infj2.y)); 3912 CHECK(secp256k1_fe_is_zero(&infj2.z)); 3913 3914 secp256k1_fe_set_int(&zinv, 1); 3915 secp256k1_gej_add_zinv_var(&infj3, &npj, &p, &zinv); 3916 CHECK(secp256k1_gej_is_infinity(&infj3)); 3917 CHECK(secp256k1_fe_is_zero(&infj3.x)); 3918 CHECK(secp256k1_fe_is_zero(&infj3.y)); 3919 CHECK(secp256k1_fe_is_zero(&infj3.z)); 3920 3921 3922 } 3923 3924 static void test_add_neg_y_diff_x(void) { 3925 /* The point of this test is to check that we can add two points 3926 * whose y-coordinates are negatives of each other but whose x 3927 * coordinates differ. If the x-coordinates were the same, these 3928 * points would be negatives of each other and their sum is 3929 * infinity. This is cool because it "covers up" any degeneracy 3930 * in the addition algorithm that would cause the xy coordinates 3931 * of the sum to be wrong (since infinity has no xy coordinates). 3932 * HOWEVER, if the x-coordinates are different, infinity is the 3933 * wrong answer, and such degeneracies are exposed. This is the 3934 * root of https://github.com/bitcoin-core/secp256k1/issues/257 3935 * which this test is a regression test for. 3936 * 3937 * These points were generated in sage as 3938 * 3939 * load("secp256k1_params.sage") 3940 * 3941 * # random "bad pair" 3942 * P = C.random_element() 3943 * Q = -int(LAMBDA) * P 3944 * print(" P: %x %x" % P.xy()) 3945 * print(" Q: %x %x" % Q.xy()) 3946 * print("P + Q: %x %x" % (P + Q).xy()) 3947 */ 3948 secp256k1_gej aj = SECP256K1_GEJ_CONST( 3949 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30, 3950 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb, 3951 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8, 3952 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d 3953 ); 3954 secp256k1_gej bj = SECP256K1_GEJ_CONST( 3955 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86, 3956 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7, 3957 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57, 3958 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2 3959 ); 3960 secp256k1_gej sumj = SECP256K1_GEJ_CONST( 3961 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027, 3962 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a, 3963 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08, 3964 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe 3965 ); 3966 secp256k1_ge b; 3967 secp256k1_gej resj; 3968 secp256k1_ge res; 3969 secp256k1_ge_set_gej(&b, &bj); 3970 3971 secp256k1_gej_add_var(&resj, &aj, &bj, NULL); 3972 secp256k1_ge_set_gej(&res, &resj); 3973 CHECK(secp256k1_gej_eq_ge_var(&sumj, &res)); 3974 3975 secp256k1_gej_add_ge(&resj, &aj, &b); 3976 secp256k1_ge_set_gej(&res, &resj); 3977 CHECK(secp256k1_gej_eq_ge_var(&sumj, &res)); 3978 3979 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL); 3980 secp256k1_ge_set_gej(&res, &resj); 3981 CHECK(secp256k1_gej_eq_ge_var(&sumj, &res)); 3982 } 3983 3984 static void test_ge_bytes(void) { 3985 int i; 3986 3987 for (i = 0; i < COUNT + 1; i++) { 3988 unsigned char buf[64]; 3989 secp256k1_ge p, q; 3990 3991 if (i == 0) { 3992 secp256k1_ge_set_infinity(&p); 3993 } else { 3994 testutil_random_ge_test(&p); 3995 } 3996 3997 if (!secp256k1_ge_is_infinity(&p)) { 3998 secp256k1_ge_to_bytes(buf, &p); 3999 4000 secp256k1_ge_from_bytes(&q, buf); 4001 CHECK(secp256k1_ge_eq_var(&p, &q)); 4002 4003 secp256k1_ge_from_bytes_ext(&q, buf); 4004 CHECK(secp256k1_ge_eq_var(&p, &q)); 4005 } 4006 secp256k1_ge_to_bytes_ext(buf, &p); 4007 secp256k1_ge_from_bytes_ext(&q, buf); 4008 CHECK(secp256k1_ge_eq_var(&p, &q)); 4009 } 4010 } 4011 4012 static void run_ge(void) { 4013 int i; 4014 for (i = 0; i < COUNT * 32; i++) { 4015 test_ge(); 4016 } 4017 test_add_neg_y_diff_x(); 4018 test_intialized_inf(); 4019 test_ge_bytes(); 4020 } 4021 4022 static void test_gej_cmov(const secp256k1_gej *a, const secp256k1_gej *b) { 4023 secp256k1_gej t = *a; 4024 secp256k1_gej_cmov(&t, b, 0); 4025 CHECK(gej_xyz_equals_gej(&t, a)); 4026 secp256k1_gej_cmov(&t, b, 1); 4027 CHECK(gej_xyz_equals_gej(&t, b)); 4028 } 4029 4030 static void run_gej(void) { 4031 int i; 4032 secp256k1_gej a, b; 4033 4034 /* Tests for secp256k1_gej_cmov */ 4035 for (i = 0; i < COUNT; i++) { 4036 secp256k1_gej_set_infinity(&a); 4037 secp256k1_gej_set_infinity(&b); 4038 test_gej_cmov(&a, &b); 4039 4040 testutil_random_gej_test(&a); 4041 test_gej_cmov(&a, &b); 4042 test_gej_cmov(&b, &a); 4043 4044 b = a; 4045 test_gej_cmov(&a, &b); 4046 4047 testutil_random_gej_test(&b); 4048 test_gej_cmov(&a, &b); 4049 test_gej_cmov(&b, &a); 4050 } 4051 4052 /* Tests for secp256k1_gej_eq_var */ 4053 for (i = 0; i < COUNT; i++) { 4054 secp256k1_fe fe; 4055 testutil_random_gej_test(&a); 4056 testutil_random_gej_test(&b); 4057 CHECK(!secp256k1_gej_eq_var(&a, &b)); 4058 4059 b = a; 4060 testutil_random_fe_non_zero_test(&fe); 4061 secp256k1_gej_rescale(&a, &fe); 4062 CHECK(secp256k1_gej_eq_var(&a, &b)); 4063 } 4064 } 4065 4066 static void test_ec_combine(void) { 4067 secp256k1_scalar sum = secp256k1_scalar_zero; 4068 secp256k1_pubkey data[6]; 4069 const secp256k1_pubkey* d[6]; 4070 secp256k1_pubkey sd; 4071 secp256k1_pubkey sd2; 4072 secp256k1_gej Qj; 4073 secp256k1_ge Q; 4074 int i; 4075 for (i = 1; i <= 6; i++) { 4076 secp256k1_scalar s; 4077 testutil_random_scalar_order_test(&s); 4078 secp256k1_scalar_add(&sum, &sum, &s); 4079 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &Qj, &s); 4080 secp256k1_ge_set_gej(&Q, &Qj); 4081 secp256k1_pubkey_save(&data[i - 1], &Q); 4082 d[i - 1] = &data[i - 1]; 4083 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &Qj, &sum); 4084 secp256k1_ge_set_gej(&Q, &Qj); 4085 secp256k1_pubkey_save(&sd, &Q); 4086 CHECK(secp256k1_ec_pubkey_combine(CTX, &sd2, d, i) == 1); 4087 CHECK(secp256k1_memcmp_var(&sd, &sd2, sizeof(sd)) == 0); 4088 } 4089 } 4090 4091 static void run_ec_combine(void) { 4092 int i; 4093 for (i = 0; i < COUNT * 8; i++) { 4094 test_ec_combine(); 4095 } 4096 } 4097 4098 static void test_group_decompress(const secp256k1_fe* x) { 4099 /* The input itself, normalized. */ 4100 secp256k1_fe fex = *x; 4101 /* Results of set_xo_var(..., 0), set_xo_var(..., 1). */ 4102 secp256k1_ge ge_even, ge_odd; 4103 /* Return values of the above calls. */ 4104 int res_even, res_odd; 4105 4106 secp256k1_fe_normalize_var(&fex); 4107 4108 res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0); 4109 res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1); 4110 4111 CHECK(res_even == res_odd); 4112 4113 if (res_even) { 4114 secp256k1_fe_normalize_var(&ge_odd.x); 4115 secp256k1_fe_normalize_var(&ge_even.x); 4116 secp256k1_fe_normalize_var(&ge_odd.y); 4117 secp256k1_fe_normalize_var(&ge_even.y); 4118 4119 /* No infinity allowed. */ 4120 CHECK(!ge_even.infinity); 4121 CHECK(!ge_odd.infinity); 4122 4123 /* Check that the x coordinates check out. */ 4124 CHECK(secp256k1_fe_equal(&ge_even.x, x)); 4125 CHECK(secp256k1_fe_equal(&ge_odd.x, x)); 4126 4127 /* Check odd/even Y in ge_odd, ge_even. */ 4128 CHECK(secp256k1_fe_is_odd(&ge_odd.y)); 4129 CHECK(!secp256k1_fe_is_odd(&ge_even.y)); 4130 } 4131 } 4132 4133 static void run_group_decompress(void) { 4134 int i; 4135 for (i = 0; i < COUNT * 4; i++) { 4136 secp256k1_fe fe; 4137 testutil_random_fe_test(&fe); 4138 test_group_decompress(&fe); 4139 } 4140 } 4141 4142 /***** ECMULT TESTS *****/ 4143 4144 static void test_pre_g_table(const secp256k1_ge_storage * pre_g, size_t n) { 4145 /* Tests the pre_g / pre_g_128 tables for consistency. 4146 * For independent verification we take a "geometric" approach to verification. 4147 * We check that every entry is on-curve. 4148 * We check that for consecutive entries p and q, that p + gg - q = 0 by checking 4149 * (1) p, gg, and -q are colinear. 4150 * (2) p, gg, and -q are all distinct. 4151 * where gg is twice the generator, where the generator is the first table entry. 4152 * 4153 * Checking the table's generators are correct is done in run_ecmult_pre_g. 4154 */ 4155 secp256k1_gej g2; 4156 secp256k1_ge p, q, gg; 4157 secp256k1_fe dpx, dpy, dqx, dqy; 4158 size_t i; 4159 4160 CHECK(0 < n); 4161 4162 secp256k1_ge_from_storage(&p, &pre_g[0]); 4163 CHECK(secp256k1_ge_is_valid_var(&p)); 4164 4165 secp256k1_gej_set_ge(&g2, &p); 4166 secp256k1_gej_double_var(&g2, &g2, NULL); 4167 secp256k1_ge_set_gej_var(&gg, &g2); 4168 for (i = 1; i < n; ++i) { 4169 secp256k1_fe_negate(&dpx, &p.x, 1); secp256k1_fe_add(&dpx, &gg.x); secp256k1_fe_normalize_weak(&dpx); 4170 secp256k1_fe_negate(&dpy, &p.y, 1); secp256k1_fe_add(&dpy, &gg.y); secp256k1_fe_normalize_weak(&dpy); 4171 /* Check that p is not equal to gg */ 4172 CHECK(!secp256k1_fe_normalizes_to_zero_var(&dpx) || !secp256k1_fe_normalizes_to_zero_var(&dpy)); 4173 4174 secp256k1_ge_from_storage(&q, &pre_g[i]); 4175 CHECK(secp256k1_ge_is_valid_var(&q)); 4176 4177 secp256k1_fe_negate(&dqx, &q.x, 1); secp256k1_fe_add(&dqx, &gg.x); 4178 dqy = q.y; secp256k1_fe_add(&dqy, &gg.y); 4179 /* Check that -q is not equal to gg */ 4180 CHECK(!secp256k1_fe_normalizes_to_zero_var(&dqx) || !secp256k1_fe_normalizes_to_zero_var(&dqy)); 4181 4182 /* Check that -q is not equal to p */ 4183 CHECK(!secp256k1_fe_equal(&dpx, &dqx) || !secp256k1_fe_equal(&dpy, &dqy)); 4184 4185 /* Check that p, -q and gg are colinear */ 4186 secp256k1_fe_mul(&dpx, &dpx, &dqy); 4187 secp256k1_fe_mul(&dpy, &dpy, &dqx); 4188 CHECK(secp256k1_fe_equal(&dpx, &dpy)); 4189 4190 p = q; 4191 } 4192 } 4193 4194 static void run_ecmult_pre_g(void) { 4195 secp256k1_ge_storage gs; 4196 secp256k1_gej gj; 4197 secp256k1_ge g; 4198 size_t i; 4199 4200 /* Check that the pre_g and pre_g_128 tables are consistent. */ 4201 test_pre_g_table(secp256k1_pre_g, ECMULT_TABLE_SIZE(WINDOW_G)); 4202 test_pre_g_table(secp256k1_pre_g_128, ECMULT_TABLE_SIZE(WINDOW_G)); 4203 4204 /* Check the first entry from the pre_g table. */ 4205 secp256k1_ge_to_storage(&gs, &secp256k1_ge_const_g); 4206 CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g[0], sizeof(gs)) == 0); 4207 4208 /* Check the first entry from the pre_g_128 table. */ 4209 secp256k1_gej_set_ge(&gj, &secp256k1_ge_const_g); 4210 for (i = 0; i < 128; ++i) { 4211 secp256k1_gej_double_var(&gj, &gj, NULL); 4212 } 4213 secp256k1_ge_set_gej(&g, &gj); 4214 secp256k1_ge_to_storage(&gs, &g); 4215 CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g_128[0], sizeof(gs)) == 0); 4216 } 4217 4218 static void run_ecmult_chain(void) { 4219 /* random starting point A (on the curve) */ 4220 secp256k1_gej a = SECP256K1_GEJ_CONST( 4221 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3, 4222 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004, 4223 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f, 4224 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f 4225 ); 4226 /* two random initial factors xn and gn */ 4227 secp256k1_scalar xn = SECP256K1_SCALAR_CONST( 4228 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c, 4229 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407 4230 ); 4231 secp256k1_scalar gn = SECP256K1_SCALAR_CONST( 4232 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9, 4233 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de 4234 ); 4235 /* two small multipliers to be applied to xn and gn in every iteration: */ 4236 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337); 4237 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113); 4238 /* accumulators with the resulting coefficients to A and G */ 4239 secp256k1_scalar ae = secp256k1_scalar_one; 4240 secp256k1_scalar ge = secp256k1_scalar_zero; 4241 /* actual points */ 4242 secp256k1_gej x; 4243 secp256k1_gej x2; 4244 int i; 4245 4246 /* the point being computed */ 4247 x = a; 4248 for (i = 0; i < 200*COUNT; i++) { 4249 /* in each iteration, compute X = xn*X + gn*G; */ 4250 secp256k1_ecmult(&x, &x, &xn, &gn); 4251 /* also compute ae and ge: the actual accumulated factors for A and G */ 4252 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */ 4253 secp256k1_scalar_mul(&ae, &ae, &xn); 4254 secp256k1_scalar_mul(&ge, &ge, &xn); 4255 secp256k1_scalar_add(&ge, &ge, &gn); 4256 /* modify xn and gn */ 4257 secp256k1_scalar_mul(&xn, &xn, &xf); 4258 secp256k1_scalar_mul(&gn, &gn, &gf); 4259 4260 /* verify */ 4261 if (i == 19999) { 4262 /* expected result after 19999 iterations */ 4263 secp256k1_gej rp = SECP256K1_GEJ_CONST( 4264 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE, 4265 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830, 4266 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D, 4267 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88 4268 ); 4269 CHECK(secp256k1_gej_eq_var(&rp, &x)); 4270 } 4271 } 4272 /* redo the computation, but directly with the resulting ae and ge coefficients: */ 4273 secp256k1_ecmult(&x2, &a, &ae, &ge); 4274 CHECK(secp256k1_gej_eq_var(&x, &x2)); 4275 } 4276 4277 static void test_point_times_order(const secp256k1_gej *point) { 4278 /* X * (point + G) + (order-X) * (pointer + G) = 0 */ 4279 secp256k1_scalar x; 4280 secp256k1_scalar nx; 4281 secp256k1_gej res1, res2; 4282 secp256k1_ge res3; 4283 unsigned char pub[65]; 4284 size_t psize = 65; 4285 testutil_random_scalar_order_test(&x); 4286 secp256k1_scalar_negate(&nx, &x); 4287 secp256k1_ecmult(&res1, point, &x, &x); /* calc res1 = x * point + x * G; */ 4288 secp256k1_ecmult(&res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */ 4289 secp256k1_gej_add_var(&res1, &res1, &res2, NULL); 4290 CHECK(secp256k1_gej_is_infinity(&res1)); 4291 secp256k1_ge_set_gej(&res3, &res1); 4292 CHECK(secp256k1_ge_is_infinity(&res3)); 4293 CHECK(secp256k1_ge_is_valid_var(&res3) == 0); 4294 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0); 4295 psize = 65; 4296 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0); 4297 /* check zero/one edge cases */ 4298 secp256k1_ecmult(&res1, point, &secp256k1_scalar_zero, &secp256k1_scalar_zero); 4299 secp256k1_ge_set_gej(&res3, &res1); 4300 CHECK(secp256k1_ge_is_infinity(&res3)); 4301 secp256k1_ecmult(&res1, point, &secp256k1_scalar_one, &secp256k1_scalar_zero); 4302 secp256k1_ge_set_gej(&res3, &res1); 4303 CHECK(secp256k1_gej_eq_ge_var(point, &res3)); 4304 secp256k1_ecmult(&res1, point, &secp256k1_scalar_zero, &secp256k1_scalar_one); 4305 secp256k1_ge_set_gej(&res3, &res1); 4306 CHECK(secp256k1_ge_eq_var(&secp256k1_ge_const_g, &res3)); 4307 } 4308 4309 /* These scalars reach large (in absolute value) outputs when fed to secp256k1_scalar_split_lambda. 4310 * 4311 * They are computed as: 4312 * - For a in [-2, -1, 0, 1, 2]: 4313 * - For b in [-3, -1, 1, 3]: 4314 * - Output (a*LAMBDA + (ORDER+b)/2) % ORDER 4315 */ 4316 static const secp256k1_scalar scalars_near_split_bounds[20] = { 4317 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fc), 4318 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fd), 4319 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fe), 4320 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6ff), 4321 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632d), 4322 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632e), 4323 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632f), 4324 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf76330), 4325 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b209f), 4326 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a0), 4327 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a1), 4328 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a2), 4329 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede11), 4330 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede12), 4331 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede13), 4332 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede14), 4333 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a42), 4334 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a43), 4335 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a44), 4336 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a45) 4337 }; 4338 4339 static void test_ecmult_target(const secp256k1_scalar* target, int mode) { 4340 /* Mode: 0=ecmult_gen, 1=ecmult, 2=ecmult_const */ 4341 secp256k1_scalar n1, n2; 4342 secp256k1_ge p; 4343 secp256k1_gej pj, p1j, p2j, ptj; 4344 4345 /* Generate random n1,n2 such that n1+n2 = -target. */ 4346 testutil_random_scalar_order_test(&n1); 4347 secp256k1_scalar_add(&n2, &n1, target); 4348 secp256k1_scalar_negate(&n2, &n2); 4349 4350 /* Generate a random input point. */ 4351 if (mode != 0) { 4352 testutil_random_ge_test(&p); 4353 secp256k1_gej_set_ge(&pj, &p); 4354 } 4355 4356 /* EC multiplications */ 4357 if (mode == 0) { 4358 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &p1j, &n1); 4359 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &p2j, &n2); 4360 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &ptj, target); 4361 } else if (mode == 1) { 4362 secp256k1_ecmult(&p1j, &pj, &n1, &secp256k1_scalar_zero); 4363 secp256k1_ecmult(&p2j, &pj, &n2, &secp256k1_scalar_zero); 4364 secp256k1_ecmult(&ptj, &pj, target, &secp256k1_scalar_zero); 4365 } else { 4366 secp256k1_ecmult_const(&p1j, &p, &n1); 4367 secp256k1_ecmult_const(&p2j, &p, &n2); 4368 secp256k1_ecmult_const(&ptj, &p, target); 4369 } 4370 4371 /* Add them all up: n1*P + n2*P + target*P = (n1+n2+target)*P = (n1+n1-n1-n2)*P = 0. */ 4372 secp256k1_gej_add_var(&ptj, &ptj, &p1j, NULL); 4373 secp256k1_gej_add_var(&ptj, &ptj, &p2j, NULL); 4374 CHECK(secp256k1_gej_is_infinity(&ptj)); 4375 } 4376 4377 static void run_ecmult_near_split_bound(void) { 4378 int i; 4379 unsigned j; 4380 for (i = 0; i < 4*COUNT; ++i) { 4381 for (j = 0; j < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++j) { 4382 test_ecmult_target(&scalars_near_split_bounds[j], 0); 4383 test_ecmult_target(&scalars_near_split_bounds[j], 1); 4384 test_ecmult_target(&scalars_near_split_bounds[j], 2); 4385 } 4386 } 4387 } 4388 4389 static void run_point_times_order(void) { 4390 int i; 4391 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2); 4392 static const secp256k1_fe xr = SECP256K1_FE_CONST( 4393 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C, 4394 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45 4395 ); 4396 for (i = 0; i < 500; i++) { 4397 secp256k1_ge p; 4398 if (secp256k1_ge_set_xo_var(&p, &x, 1)) { 4399 secp256k1_gej j; 4400 CHECK(secp256k1_ge_is_valid_var(&p)); 4401 secp256k1_gej_set_ge(&j, &p); 4402 test_point_times_order(&j); 4403 } 4404 secp256k1_fe_sqr(&x, &x); 4405 } 4406 secp256k1_fe_normalize_var(&x); 4407 CHECK(secp256k1_fe_equal(&x, &xr)); 4408 } 4409 4410 static void ecmult_const_random_mult(void) { 4411 /* random starting point A (on the curve) */ 4412 secp256k1_ge a = SECP256K1_GE_CONST( 4413 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b, 4414 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a, 4415 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c, 4416 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d 4417 ); 4418 /* random initial factor xn */ 4419 secp256k1_scalar xn = SECP256K1_SCALAR_CONST( 4420 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327, 4421 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b 4422 ); 4423 /* expected xn * A (from sage) */ 4424 secp256k1_ge expected_b = SECP256K1_GE_CONST( 4425 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd, 4426 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786, 4427 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f, 4428 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956 4429 ); 4430 secp256k1_gej b; 4431 secp256k1_ecmult_const(&b, &a, &xn); 4432 4433 CHECK(secp256k1_ge_is_valid_var(&a)); 4434 CHECK(secp256k1_gej_eq_ge_var(&b, &expected_b)); 4435 } 4436 4437 static void ecmult_const_commutativity(void) { 4438 secp256k1_scalar a; 4439 secp256k1_scalar b; 4440 secp256k1_gej res1; 4441 secp256k1_gej res2; 4442 secp256k1_ge mid1; 4443 secp256k1_ge mid2; 4444 testutil_random_scalar_order_test(&a); 4445 testutil_random_scalar_order_test(&b); 4446 4447 secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a); 4448 secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b); 4449 secp256k1_ge_set_gej(&mid1, &res1); 4450 secp256k1_ge_set_gej(&mid2, &res2); 4451 secp256k1_ecmult_const(&res1, &mid1, &b); 4452 secp256k1_ecmult_const(&res2, &mid2, &a); 4453 secp256k1_ge_set_gej(&mid1, &res1); 4454 secp256k1_ge_set_gej(&mid2, &res2); 4455 CHECK(secp256k1_ge_eq_var(&mid1, &mid2)); 4456 } 4457 4458 static void ecmult_const_mult_zero_one(void) { 4459 secp256k1_scalar s; 4460 secp256k1_scalar negone; 4461 secp256k1_gej res1; 4462 secp256k1_ge res2; 4463 secp256k1_ge point; 4464 secp256k1_ge inf; 4465 4466 testutil_random_scalar_order_test(&s); 4467 secp256k1_scalar_negate(&negone, &secp256k1_scalar_one); 4468 testutil_random_ge_test(&point); 4469 secp256k1_ge_set_infinity(&inf); 4470 4471 /* 0*point */ 4472 secp256k1_ecmult_const(&res1, &point, &secp256k1_scalar_zero); 4473 CHECK(secp256k1_gej_is_infinity(&res1)); 4474 4475 /* s*inf */ 4476 secp256k1_ecmult_const(&res1, &inf, &s); 4477 CHECK(secp256k1_gej_is_infinity(&res1)); 4478 4479 /* 1*point */ 4480 secp256k1_ecmult_const(&res1, &point, &secp256k1_scalar_one); 4481 secp256k1_ge_set_gej(&res2, &res1); 4482 CHECK(secp256k1_ge_eq_var(&res2, &point)); 4483 4484 /* -1*point */ 4485 secp256k1_ecmult_const(&res1, &point, &negone); 4486 secp256k1_gej_neg(&res1, &res1); 4487 secp256k1_ge_set_gej(&res2, &res1); 4488 CHECK(secp256k1_ge_eq_var(&res2, &point)); 4489 } 4490 4491 static void ecmult_const_check_result(const secp256k1_ge *A, const secp256k1_scalar* q, const secp256k1_gej *res) { 4492 secp256k1_gej pointj, res2j; 4493 secp256k1_ge res2; 4494 secp256k1_gej_set_ge(&pointj, A); 4495 secp256k1_ecmult(&res2j, &pointj, q, &secp256k1_scalar_zero); 4496 secp256k1_ge_set_gej(&res2, &res2j); 4497 CHECK(secp256k1_gej_eq_ge_var(res, &res2)); 4498 } 4499 4500 static void ecmult_const_edges(void) { 4501 secp256k1_scalar q; 4502 secp256k1_ge point; 4503 secp256k1_gej res; 4504 size_t i; 4505 size_t cases = 1 + sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); 4506 4507 /* We are trying to reach the following edge cases (variables are defined as 4508 * in ecmult_const_impl.h): 4509 * 1. i = 0: s = 0 <=> q = -K 4510 * 2. i > 0: v1, v2 large values 4511 * <=> s1, s2 large values 4512 * <=> s = scalars_near_split_bounds[i] 4513 * <=> q = 2*scalars_near_split_bounds[i] - K 4514 */ 4515 for (i = 0; i < cases; ++i) { 4516 secp256k1_scalar_negate(&q, &secp256k1_ecmult_const_K); 4517 if (i > 0) { 4518 secp256k1_scalar_add(&q, &q, &scalars_near_split_bounds[i - 1]); 4519 secp256k1_scalar_add(&q, &q, &scalars_near_split_bounds[i - 1]); 4520 } 4521 testutil_random_ge_test(&point); 4522 secp256k1_ecmult_const(&res, &point, &q); 4523 ecmult_const_check_result(&point, &q, &res); 4524 } 4525 } 4526 4527 static void ecmult_const_mult_xonly(void) { 4528 int i; 4529 4530 /* Test correspondence between secp256k1_ecmult_const and secp256k1_ecmult_const_xonly. */ 4531 for (i = 0; i < 2*COUNT; ++i) { 4532 secp256k1_ge base; 4533 secp256k1_gej basej, resj; 4534 secp256k1_fe n, d, resx, v; 4535 secp256k1_scalar q; 4536 int res; 4537 /* Random base point. */ 4538 testutil_random_ge_test(&base); 4539 /* Random scalar to multiply it with. */ 4540 testutil_random_scalar_order_test(&q); 4541 /* If i is odd, n=d*base.x for random non-zero d */ 4542 if (i & 1) { 4543 testutil_random_fe_non_zero_test(&d); 4544 secp256k1_fe_mul(&n, &base.x, &d); 4545 } else { 4546 n = base.x; 4547 } 4548 /* Perform x-only multiplication. */ 4549 res = secp256k1_ecmult_const_xonly(&resx, &n, (i & 1) ? &d : NULL, &q, i & 2); 4550 CHECK(res); 4551 /* Perform normal multiplication. */ 4552 secp256k1_gej_set_ge(&basej, &base); 4553 secp256k1_ecmult(&resj, &basej, &q, NULL); 4554 /* Check that resj's X coordinate corresponds with resx. */ 4555 secp256k1_fe_sqr(&v, &resj.z); 4556 secp256k1_fe_mul(&v, &v, &resx); 4557 CHECK(fe_equal(&v, &resj.x)); 4558 } 4559 4560 /* Test that secp256k1_ecmult_const_xonly correctly rejects X coordinates not on curve. */ 4561 for (i = 0; i < 2*COUNT; ++i) { 4562 secp256k1_fe x, n, d, r; 4563 int res; 4564 secp256k1_scalar q; 4565 testutil_random_scalar_order_test(&q); 4566 /* Generate random X coordinate not on the curve. */ 4567 do { 4568 testutil_random_fe_test(&x); 4569 } while (secp256k1_ge_x_on_curve_var(&x)); 4570 /* If i is odd, n=d*x for random non-zero d. */ 4571 if (i & 1) { 4572 testutil_random_fe_non_zero_test(&d); 4573 secp256k1_fe_mul(&n, &x, &d); 4574 } else { 4575 n = x; 4576 } 4577 res = secp256k1_ecmult_const_xonly(&r, &n, (i & 1) ? &d : NULL, &q, 0); 4578 CHECK(res == 0); 4579 } 4580 } 4581 4582 static void ecmult_const_chain_multiply(void) { 4583 /* Check known result (randomly generated test problem from sage) */ 4584 const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST( 4585 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d, 4586 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b 4587 ); 4588 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST( 4589 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd, 4590 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f, 4591 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196, 4592 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435 4593 ); 4594 secp256k1_gej point; 4595 secp256k1_ge res; 4596 int i; 4597 4598 secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g); 4599 for (i = 0; i < 100; ++i) { 4600 secp256k1_ge tmp; 4601 secp256k1_ge_set_gej(&tmp, &point); 4602 secp256k1_ecmult_const(&point, &tmp, &scalar); 4603 } 4604 secp256k1_ge_set_gej(&res, &point); 4605 CHECK(secp256k1_gej_eq_ge_var(&expected_point, &res)); 4606 } 4607 4608 static void run_ecmult_const_tests(void) { 4609 ecmult_const_mult_zero_one(); 4610 ecmult_const_edges(); 4611 ecmult_const_random_mult(); 4612 ecmult_const_commutativity(); 4613 ecmult_const_chain_multiply(); 4614 ecmult_const_mult_xonly(); 4615 } 4616 4617 typedef struct { 4618 secp256k1_scalar *sc; 4619 secp256k1_ge *pt; 4620 } ecmult_multi_data; 4621 4622 static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) { 4623 ecmult_multi_data *data = (ecmult_multi_data*) cbdata; 4624 *sc = data->sc[idx]; 4625 *pt = data->pt[idx]; 4626 return 1; 4627 } 4628 4629 static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) { 4630 (void)sc; 4631 (void)pt; 4632 (void)idx; 4633 (void)cbdata; 4634 return 0; 4635 } 4636 4637 static void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) { 4638 int ncount; 4639 secp256k1_scalar sc[32]; 4640 secp256k1_ge pt[32]; 4641 secp256k1_gej r; 4642 secp256k1_gej r2; 4643 ecmult_multi_data data; 4644 4645 data.sc = sc; 4646 data.pt = pt; 4647 4648 /* No points to multiply */ 4649 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, NULL, ecmult_multi_callback, &data, 0)); 4650 4651 /* Check 1- and 2-point multiplies against ecmult */ 4652 for (ncount = 0; ncount < COUNT; ncount++) { 4653 secp256k1_ge ptg; 4654 secp256k1_gej ptgj; 4655 testutil_random_scalar_order(&sc[0]); 4656 testutil_random_scalar_order(&sc[1]); 4657 4658 testutil_random_ge_test(&ptg); 4659 secp256k1_gej_set_ge(&ptgj, &ptg); 4660 pt[0] = ptg; 4661 pt[1] = secp256k1_ge_const_g; 4662 4663 /* only G scalar */ 4664 secp256k1_ecmult(&r2, &ptgj, &secp256k1_scalar_zero, &sc[0]); 4665 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0)); 4666 CHECK(secp256k1_gej_eq_var(&r, &r2)); 4667 4668 /* 1-point */ 4669 secp256k1_ecmult(&r2, &ptgj, &sc[0], &secp256k1_scalar_zero); 4670 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 1)); 4671 CHECK(secp256k1_gej_eq_var(&r, &r2)); 4672 4673 /* Try to multiply 1 point, but callback returns false */ 4674 CHECK(!ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_false_callback, &data, 1)); 4675 4676 /* 2-point */ 4677 secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]); 4678 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 2)); 4679 CHECK(secp256k1_gej_eq_var(&r, &r2)); 4680 4681 /* 2-point with G scalar */ 4682 secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]); 4683 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1)); 4684 CHECK(secp256k1_gej_eq_var(&r, &r2)); 4685 } 4686 4687 /* Check infinite outputs of various forms */ 4688 for (ncount = 0; ncount < COUNT; ncount++) { 4689 secp256k1_ge ptg; 4690 size_t i, j; 4691 size_t sizes[] = { 2, 10, 32 }; 4692 4693 for (j = 0; j < 3; j++) { 4694 for (i = 0; i < 32; i++) { 4695 testutil_random_scalar_order(&sc[i]); 4696 secp256k1_ge_set_infinity(&pt[i]); 4697 } 4698 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j])); 4699 CHECK(secp256k1_gej_is_infinity(&r)); 4700 } 4701 4702 for (j = 0; j < 3; j++) { 4703 for (i = 0; i < 32; i++) { 4704 testutil_random_ge_test(&ptg); 4705 pt[i] = ptg; 4706 secp256k1_scalar_set_int(&sc[i], 0); 4707 } 4708 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j])); 4709 CHECK(secp256k1_gej_is_infinity(&r)); 4710 } 4711 4712 for (j = 0; j < 3; j++) { 4713 testutil_random_ge_test(&ptg); 4714 for (i = 0; i < 16; i++) { 4715 testutil_random_scalar_order(&sc[2*i]); 4716 secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]); 4717 pt[2 * i] = ptg; 4718 pt[2 * i + 1] = ptg; 4719 } 4720 4721 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j])); 4722 CHECK(secp256k1_gej_is_infinity(&r)); 4723 4724 testutil_random_scalar_order(&sc[0]); 4725 for (i = 0; i < 16; i++) { 4726 testutil_random_ge_test(&ptg); 4727 4728 sc[2*i] = sc[0]; 4729 sc[2*i+1] = sc[0]; 4730 pt[2 * i] = ptg; 4731 secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]); 4732 } 4733 4734 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j])); 4735 CHECK(secp256k1_gej_is_infinity(&r)); 4736 } 4737 4738 testutil_random_ge_test(&ptg); 4739 secp256k1_scalar_set_int(&sc[0], 0); 4740 pt[0] = ptg; 4741 for (i = 1; i < 32; i++) { 4742 pt[i] = ptg; 4743 4744 testutil_random_scalar_order(&sc[i]); 4745 secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]); 4746 secp256k1_scalar_negate(&sc[i], &sc[i]); 4747 } 4748 4749 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 32)); 4750 CHECK(secp256k1_gej_is_infinity(&r)); 4751 } 4752 4753 /* Check random points, constant scalar */ 4754 for (ncount = 0; ncount < COUNT; ncount++) { 4755 size_t i; 4756 secp256k1_gej_set_infinity(&r); 4757 4758 testutil_random_scalar_order(&sc[0]); 4759 for (i = 0; i < 20; i++) { 4760 secp256k1_ge ptg; 4761 sc[i] = sc[0]; 4762 testutil_random_ge_test(&ptg); 4763 pt[i] = ptg; 4764 secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL); 4765 } 4766 4767 secp256k1_ecmult(&r2, &r, &sc[0], &secp256k1_scalar_zero); 4768 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20)); 4769 CHECK(secp256k1_gej_eq_var(&r, &r2)); 4770 } 4771 4772 /* Check random scalars, constant point */ 4773 for (ncount = 0; ncount < COUNT; ncount++) { 4774 size_t i; 4775 secp256k1_ge ptg; 4776 secp256k1_gej p0j; 4777 secp256k1_scalar rs; 4778 secp256k1_scalar_set_int(&rs, 0); 4779 4780 testutil_random_ge_test(&ptg); 4781 for (i = 0; i < 20; i++) { 4782 testutil_random_scalar_order(&sc[i]); 4783 pt[i] = ptg; 4784 secp256k1_scalar_add(&rs, &rs, &sc[i]); 4785 } 4786 4787 secp256k1_gej_set_ge(&p0j, &pt[0]); 4788 secp256k1_ecmult(&r2, &p0j, &rs, &secp256k1_scalar_zero); 4789 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20)); 4790 CHECK(secp256k1_gej_eq_var(&r, &r2)); 4791 } 4792 4793 /* Sanity check that zero scalars don't cause problems */ 4794 for (ncount = 0; ncount < 20; ncount++) { 4795 testutil_random_scalar_order(&sc[ncount]); 4796 testutil_random_ge_test(&pt[ncount]); 4797 } 4798 4799 secp256k1_scalar_set_int(&sc[0], 0); 4800 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20)); 4801 secp256k1_scalar_set_int(&sc[1], 0); 4802 secp256k1_scalar_set_int(&sc[2], 0); 4803 secp256k1_scalar_set_int(&sc[3], 0); 4804 secp256k1_scalar_set_int(&sc[4], 0); 4805 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 6)); 4806 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 5)); 4807 CHECK(secp256k1_gej_is_infinity(&r)); 4808 4809 /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */ 4810 { 4811 const size_t TOP = 8; 4812 size_t s0i, s1i; 4813 size_t t0i, t1i; 4814 secp256k1_ge ptg; 4815 secp256k1_gej ptgj; 4816 4817 testutil_random_ge_test(&ptg); 4818 secp256k1_gej_set_ge(&ptgj, &ptg); 4819 4820 for(t0i = 0; t0i < TOP; t0i++) { 4821 for(t1i = 0; t1i < TOP; t1i++) { 4822 secp256k1_gej t0p, t1p; 4823 secp256k1_scalar t0, t1; 4824 4825 secp256k1_scalar_set_int(&t0, (t0i + 1) / 2); 4826 secp256k1_scalar_cond_negate(&t0, t0i & 1); 4827 secp256k1_scalar_set_int(&t1, (t1i + 1) / 2); 4828 secp256k1_scalar_cond_negate(&t1, t1i & 1); 4829 4830 secp256k1_ecmult(&t0p, &ptgj, &t0, &secp256k1_scalar_zero); 4831 secp256k1_ecmult(&t1p, &ptgj, &t1, &secp256k1_scalar_zero); 4832 4833 for(s0i = 0; s0i < TOP; s0i++) { 4834 for(s1i = 0; s1i < TOP; s1i++) { 4835 secp256k1_scalar tmp1, tmp2; 4836 secp256k1_gej expected, actual; 4837 4838 secp256k1_ge_set_gej(&pt[0], &t0p); 4839 secp256k1_ge_set_gej(&pt[1], &t1p); 4840 4841 secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2); 4842 secp256k1_scalar_cond_negate(&sc[0], s0i & 1); 4843 secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2); 4844 secp256k1_scalar_cond_negate(&sc[1], s1i & 1); 4845 4846 secp256k1_scalar_mul(&tmp1, &t0, &sc[0]); 4847 secp256k1_scalar_mul(&tmp2, &t1, &sc[1]); 4848 secp256k1_scalar_add(&tmp1, &tmp1, &tmp2); 4849 4850 secp256k1_ecmult(&expected, &ptgj, &tmp1, &secp256k1_scalar_zero); 4851 CHECK(ecmult_multi(&CTX->error_callback, scratch, &actual, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 2)); 4852 CHECK(secp256k1_gej_eq_var(&actual, &expected)); 4853 } 4854 } 4855 } 4856 } 4857 } 4858 } 4859 4860 static int test_ecmult_multi_random(secp256k1_scratch *scratch) { 4861 /* Large random test for ecmult_multi_* functions which exercises: 4862 * - Few or many inputs (0 up to 128, roughly exponentially distributed). 4863 * - Few or many 0*P or a*INF inputs (roughly uniformly distributed). 4864 * - Including or excluding an nonzero a*G term (or such a term at all). 4865 * - Final expected result equal to infinity or not (roughly 50%). 4866 * - ecmult_multi_var, ecmult_strauss_single_batch, ecmult_pippenger_single_batch 4867 */ 4868 4869 /* These 4 variables define the eventual input to the ecmult_multi function. 4870 * g_scalar is the G scalar fed to it (or NULL, possibly, if g_scalar=0), and 4871 * scalars[0..filled-1] and gejs[0..filled-1] are the scalars and points 4872 * which form its normal inputs. */ 4873 int filled = 0; 4874 secp256k1_scalar g_scalar = secp256k1_scalar_zero; 4875 secp256k1_scalar scalars[128]; 4876 secp256k1_gej gejs[128]; 4877 /* The expected result, and the computed result. */ 4878 secp256k1_gej expected, computed; 4879 /* Temporaries. */ 4880 secp256k1_scalar sc_tmp; 4881 secp256k1_ge ge_tmp; 4882 /* Variables needed for the actual input to ecmult_multi. */ 4883 secp256k1_ge ges[128]; 4884 ecmult_multi_data data; 4885 4886 int i; 4887 /* Which multiplication function to use */ 4888 int fn = testrand_int(3); 4889 secp256k1_ecmult_multi_func ecmult_multi = fn == 0 ? secp256k1_ecmult_multi_var : 4890 fn == 1 ? secp256k1_ecmult_strauss_batch_single : 4891 secp256k1_ecmult_pippenger_batch_single; 4892 /* Simulate exponentially distributed num. */ 4893 int num_bits = 2 + testrand_int(6); 4894 /* Number of (scalar, point) inputs (excluding g). */ 4895 int num = testrand_int((1 << num_bits) + 1); 4896 /* Number of those which are nonzero. */ 4897 int num_nonzero = testrand_int(num + 1); 4898 /* Whether we're aiming to create an input with nonzero expected result. */ 4899 int nonzero_result = testrand_bits(1); 4900 /* Whether we will provide nonzero g multiplicand. In some cases our hand 4901 * is forced here based on num_nonzero and nonzero_result. */ 4902 int g_nonzero = num_nonzero == 0 ? nonzero_result : 4903 num_nonzero == 1 && !nonzero_result ? 1 : 4904 (int)testrand_bits(1); 4905 /* Which g_scalar pointer to pass into ecmult_multi(). */ 4906 const secp256k1_scalar* g_scalar_ptr = (g_nonzero || testrand_bits(1)) ? &g_scalar : NULL; 4907 /* How many EC multiplications were performed in this function. */ 4908 int mults = 0; 4909 /* How many randomization steps to apply to the input list. */ 4910 int rands = (int)testrand_bits(3); 4911 if (rands > num_nonzero) rands = num_nonzero; 4912 4913 secp256k1_gej_set_infinity(&expected); 4914 secp256k1_gej_set_infinity(&gejs[0]); 4915 secp256k1_scalar_set_int(&scalars[0], 0); 4916 4917 if (g_nonzero) { 4918 /* If g_nonzero, set g_scalar to nonzero value r. */ 4919 testutil_random_scalar_order_test(&g_scalar); 4920 if (!nonzero_result) { 4921 /* If expected=0 is desired, add a (a*r, -(1/a)*g) term to compensate. */ 4922 CHECK(num_nonzero > filled); 4923 testutil_random_scalar_order_test(&sc_tmp); 4924 secp256k1_scalar_mul(&scalars[filled], &sc_tmp, &g_scalar); 4925 secp256k1_scalar_inverse_var(&sc_tmp, &sc_tmp); 4926 secp256k1_scalar_negate(&sc_tmp, &sc_tmp); 4927 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &gejs[filled], &sc_tmp); 4928 ++filled; 4929 ++mults; 4930 } 4931 } 4932 4933 if (nonzero_result && filled < num_nonzero) { 4934 /* If a nonzero result is desired, and there is space, add a random nonzero term. */ 4935 testutil_random_scalar_order_test(&scalars[filled]); 4936 testutil_random_ge_test(&ge_tmp); 4937 secp256k1_gej_set_ge(&gejs[filled], &ge_tmp); 4938 ++filled; 4939 } 4940 4941 if (nonzero_result) { 4942 /* Compute the expected result using normal ecmult. */ 4943 CHECK(filled <= 1); 4944 secp256k1_ecmult(&expected, &gejs[0], &scalars[0], &g_scalar); 4945 mults += filled + g_nonzero; 4946 } 4947 4948 /* At this point we have expected = scalar_g*G + sum(scalars[i]*gejs[i] for i=0..filled-1). */ 4949 CHECK(filled <= 1 + !nonzero_result); 4950 CHECK(filled <= num_nonzero); 4951 4952 /* Add entries to scalars,gejs so that there are num of them. All the added entries 4953 * either have scalar=0 or point=infinity, so these do not change the expected result. */ 4954 while (filled < num) { 4955 if (testrand_bits(1)) { 4956 secp256k1_gej_set_infinity(&gejs[filled]); 4957 testutil_random_scalar_order_test(&scalars[filled]); 4958 } else { 4959 secp256k1_scalar_set_int(&scalars[filled], 0); 4960 testutil_random_ge_test(&ge_tmp); 4961 secp256k1_gej_set_ge(&gejs[filled], &ge_tmp); 4962 } 4963 ++filled; 4964 } 4965 4966 /* Now perform cheapish transformations on gejs and scalars, for indices 4967 * 0..num_nonzero-1, which do not change the expected result, but may 4968 * convert some of them to be both non-0-scalar and non-infinity-point. */ 4969 for (i = 0; i < rands; ++i) { 4970 int j; 4971 secp256k1_scalar v, iv; 4972 /* Shuffle the entries. */ 4973 for (j = 0; j < num_nonzero; ++j) { 4974 int k = testrand_int(num_nonzero - j); 4975 if (k != 0) { 4976 secp256k1_gej gej = gejs[j]; 4977 secp256k1_scalar sc = scalars[j]; 4978 gejs[j] = gejs[j + k]; 4979 scalars[j] = scalars[j + k]; 4980 gejs[j + k] = gej; 4981 scalars[j + k] = sc; 4982 } 4983 } 4984 /* Perturb all consecutive pairs of inputs: 4985 * a*P + b*Q -> (a+b)*P + b*(Q-P). */ 4986 for (j = 0; j + 1 < num_nonzero; j += 2) { 4987 secp256k1_gej gej; 4988 secp256k1_scalar_add(&scalars[j], &scalars[j], &scalars[j+1]); 4989 secp256k1_gej_neg(&gej, &gejs[j]); 4990 secp256k1_gej_add_var(&gejs[j+1], &gejs[j+1], &gej, NULL); 4991 } 4992 /* Transform the last input: a*P -> (v*a) * ((1/v)*P). */ 4993 CHECK(num_nonzero >= 1); 4994 testutil_random_scalar_order_test(&v); 4995 secp256k1_scalar_inverse(&iv, &v); 4996 secp256k1_scalar_mul(&scalars[num_nonzero - 1], &scalars[num_nonzero - 1], &v); 4997 secp256k1_ecmult(&gejs[num_nonzero - 1], &gejs[num_nonzero - 1], &iv, NULL); 4998 ++mults; 4999 } 5000 5001 /* Shuffle all entries (0..num-1). */ 5002 for (i = 0; i < num; ++i) { 5003 int j = testrand_int(num - i); 5004 if (j != 0) { 5005 secp256k1_gej gej = gejs[i]; 5006 secp256k1_scalar sc = scalars[i]; 5007 gejs[i] = gejs[i + j]; 5008 scalars[i] = scalars[i + j]; 5009 gejs[i + j] = gej; 5010 scalars[i + j] = sc; 5011 } 5012 } 5013 5014 /* Compute affine versions of all inputs. */ 5015 secp256k1_ge_set_all_gej_var(ges, gejs, filled); 5016 /* Invoke ecmult_multi code. */ 5017 data.sc = scalars; 5018 data.pt = ges; 5019 CHECK(ecmult_multi(&CTX->error_callback, scratch, &computed, g_scalar_ptr, ecmult_multi_callback, &data, filled)); 5020 mults += num_nonzero + g_nonzero; 5021 /* Compare with expected result. */ 5022 CHECK(secp256k1_gej_eq_var(&computed, &expected)); 5023 return mults; 5024 } 5025 5026 static void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi) { 5027 secp256k1_scalar sc; 5028 secp256k1_ge pt; 5029 secp256k1_gej r; 5030 ecmult_multi_data data; 5031 secp256k1_scratch *scratch_empty; 5032 5033 testutil_random_ge_test(&pt); 5034 testutil_random_scalar_order(&sc); 5035 data.sc = ≻ 5036 data.pt = &pt; 5037 5038 /* Try to multiply 1 point, but scratch space is empty.*/ 5039 scratch_empty = secp256k1_scratch_create(&CTX->error_callback, 0); 5040 CHECK(!ecmult_multi(&CTX->error_callback, scratch_empty, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 1)); 5041 secp256k1_scratch_destroy(&CTX->error_callback, scratch_empty); 5042 } 5043 5044 static void test_secp256k1_pippenger_bucket_window_inv(void) { 5045 int i; 5046 5047 CHECK(secp256k1_pippenger_bucket_window_inv(0) == 0); 5048 for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) { 5049 /* Bucket_window of 8 is not used with endo */ 5050 if (i == 8) { 5051 continue; 5052 } 5053 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)) == i); 5054 if (i != PIPPENGER_MAX_BUCKET_WINDOW) { 5055 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)+1) > i); 5056 } 5057 } 5058 } 5059 5060 /** 5061 * Probabilistically test the function returning the maximum number of possible points 5062 * for a given scratch space. 5063 */ 5064 static void test_ecmult_multi_pippenger_max_points(void) { 5065 size_t scratch_size = testrand_bits(8); 5066 size_t max_size = secp256k1_pippenger_scratch_size(secp256k1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12); 5067 secp256k1_scratch *scratch; 5068 size_t n_points_supported; 5069 int bucket_window = 0; 5070 5071 for(; scratch_size < max_size; scratch_size+=256) { 5072 size_t i; 5073 size_t total_alloc; 5074 size_t checkpoint; 5075 scratch = secp256k1_scratch_create(&CTX->error_callback, scratch_size); 5076 CHECK(scratch != NULL); 5077 checkpoint = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch); 5078 n_points_supported = secp256k1_pippenger_max_points(&CTX->error_callback, scratch); 5079 if (n_points_supported == 0) { 5080 secp256k1_scratch_destroy(&CTX->error_callback, scratch); 5081 continue; 5082 } 5083 bucket_window = secp256k1_pippenger_bucket_window(n_points_supported); 5084 /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */ 5085 total_alloc = secp256k1_pippenger_scratch_size(n_points_supported, bucket_window); 5086 for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) { 5087 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 1)); 5088 total_alloc--; 5089 } 5090 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, total_alloc)); 5091 secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint); 5092 secp256k1_scratch_destroy(&CTX->error_callback, scratch); 5093 } 5094 CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW); 5095 } 5096 5097 static void test_ecmult_multi_batch_size_helper(void) { 5098 size_t n_batches, n_batch_points, max_n_batch_points, n; 5099 5100 max_n_batch_points = 0; 5101 n = 1; 5102 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0); 5103 5104 max_n_batch_points = 1; 5105 n = 0; 5106 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); 5107 CHECK(n_batches == 0); 5108 CHECK(n_batch_points == 0); 5109 5110 max_n_batch_points = 2; 5111 n = 5; 5112 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); 5113 CHECK(n_batches == 3); 5114 CHECK(n_batch_points == 2); 5115 5116 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH; 5117 n = ECMULT_MAX_POINTS_PER_BATCH; 5118 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); 5119 CHECK(n_batches == 1); 5120 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH); 5121 5122 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1; 5123 n = ECMULT_MAX_POINTS_PER_BATCH + 1; 5124 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); 5125 CHECK(n_batches == 2); 5126 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1); 5127 5128 max_n_batch_points = 1; 5129 n = SIZE_MAX; 5130 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); 5131 CHECK(n_batches == SIZE_MAX); 5132 CHECK(n_batch_points == 1); 5133 5134 max_n_batch_points = 2; 5135 n = SIZE_MAX; 5136 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); 5137 CHECK(n_batches == SIZE_MAX/2 + 1); 5138 CHECK(n_batch_points == 2); 5139 } 5140 5141 /** 5142 * Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to 5143 * 1 <= i <= num points. 5144 */ 5145 static void test_ecmult_multi_batching(void) { 5146 static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD; 5147 secp256k1_scalar scG; 5148 secp256k1_scalar *sc = (secp256k1_scalar *)checked_malloc(&CTX->error_callback, sizeof(secp256k1_scalar) * n_points); 5149 secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&CTX->error_callback, sizeof(secp256k1_ge) * n_points); 5150 secp256k1_gej r; 5151 secp256k1_gej r2; 5152 ecmult_multi_data data; 5153 int i; 5154 secp256k1_scratch *scratch; 5155 5156 secp256k1_gej_set_infinity(&r2); 5157 5158 /* Get random scalars and group elements and compute result */ 5159 testutil_random_scalar_order(&scG); 5160 secp256k1_ecmult(&r2, &r2, &secp256k1_scalar_zero, &scG); 5161 for(i = 0; i < n_points; i++) { 5162 secp256k1_ge ptg; 5163 secp256k1_gej ptgj; 5164 testutil_random_ge_test(&ptg); 5165 secp256k1_gej_set_ge(&ptgj, &ptg); 5166 pt[i] = ptg; 5167 testutil_random_scalar_order(&sc[i]); 5168 secp256k1_ecmult(&ptgj, &ptgj, &sc[i], NULL); 5169 secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL); 5170 } 5171 data.sc = sc; 5172 data.pt = pt; 5173 secp256k1_gej_neg(&r2, &r2); 5174 5175 /* Test with empty scratch space. It should compute the correct result using 5176 * ecmult_mult_simple algorithm which doesn't require a scratch space. */ 5177 scratch = secp256k1_scratch_create(&CTX->error_callback, 0); 5178 CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points)); 5179 secp256k1_gej_add_var(&r, &r, &r2, NULL); 5180 CHECK(secp256k1_gej_is_infinity(&r)); 5181 secp256k1_scratch_destroy(&CTX->error_callback, scratch); 5182 5183 /* Test with space for 1 point in pippenger. That's not enough because 5184 * ecmult_multi selects strauss which requires more memory. It should 5185 * therefore select the simple algorithm. */ 5186 scratch = secp256k1_scratch_create(&CTX->error_callback, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT); 5187 CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points)); 5188 secp256k1_gej_add_var(&r, &r, &r2, NULL); 5189 CHECK(secp256k1_gej_is_infinity(&r)); 5190 secp256k1_scratch_destroy(&CTX->error_callback, scratch); 5191 5192 for(i = 1; i <= n_points; i++) { 5193 if (i > ECMULT_PIPPENGER_THRESHOLD) { 5194 int bucket_window = secp256k1_pippenger_bucket_window(i); 5195 size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window); 5196 scratch = secp256k1_scratch_create(&CTX->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT); 5197 } else { 5198 size_t scratch_size = secp256k1_strauss_scratch_size(i); 5199 scratch = secp256k1_scratch_create(&CTX->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT); 5200 } 5201 CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points)); 5202 secp256k1_gej_add_var(&r, &r, &r2, NULL); 5203 CHECK(secp256k1_gej_is_infinity(&r)); 5204 secp256k1_scratch_destroy(&CTX->error_callback, scratch); 5205 } 5206 free(sc); 5207 free(pt); 5208 } 5209 5210 static void run_ecmult_multi_tests(void) { 5211 secp256k1_scratch *scratch; 5212 int64_t todo = (int64_t)320 * COUNT; 5213 5214 test_secp256k1_pippenger_bucket_window_inv(); 5215 test_ecmult_multi_pippenger_max_points(); 5216 scratch = secp256k1_scratch_create(&CTX->error_callback, 819200); 5217 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var); 5218 test_ecmult_multi(NULL, secp256k1_ecmult_multi_var); 5219 test_ecmult_multi(scratch, secp256k1_ecmult_pippenger_batch_single); 5220 test_ecmult_multi_batch_single(secp256k1_ecmult_pippenger_batch_single); 5221 test_ecmult_multi(scratch, secp256k1_ecmult_strauss_batch_single); 5222 test_ecmult_multi_batch_single(secp256k1_ecmult_strauss_batch_single); 5223 while (todo > 0) { 5224 todo -= test_ecmult_multi_random(scratch); 5225 } 5226 secp256k1_scratch_destroy(&CTX->error_callback, scratch); 5227 5228 /* Run test_ecmult_multi with space for exactly one point */ 5229 scratch = secp256k1_scratch_create(&CTX->error_callback, secp256k1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT); 5230 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var); 5231 secp256k1_scratch_destroy(&CTX->error_callback, scratch); 5232 5233 test_ecmult_multi_batch_size_helper(); 5234 test_ecmult_multi_batching(); 5235 } 5236 5237 static void test_wnaf(const secp256k1_scalar *number, int w) { 5238 secp256k1_scalar x, two, t; 5239 int wnaf[256]; 5240 int zeroes = -1; 5241 int i; 5242 int bits; 5243 secp256k1_scalar_set_int(&x, 0); 5244 secp256k1_scalar_set_int(&two, 2); 5245 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w); 5246 CHECK(bits <= 256); 5247 for (i = bits-1; i >= 0; i--) { 5248 int v = wnaf[i]; 5249 secp256k1_scalar_mul(&x, &x, &two); 5250 if (v) { 5251 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */ 5252 zeroes=0; 5253 CHECK((v & 1) == 1); /* check non-zero elements are odd */ 5254 CHECK(v <= (1 << (w-1)) - 1); /* check range below */ 5255 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */ 5256 } else { 5257 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */ 5258 zeroes++; 5259 } 5260 if (v >= 0) { 5261 secp256k1_scalar_set_int(&t, v); 5262 } else { 5263 secp256k1_scalar_set_int(&t, -v); 5264 secp256k1_scalar_negate(&t, &t); 5265 } 5266 secp256k1_scalar_add(&x, &x, &t); 5267 } 5268 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */ 5269 } 5270 5271 static void test_fixed_wnaf(const secp256k1_scalar *number, int w) { 5272 secp256k1_scalar x, shift; 5273 int wnaf[256] = {0}; 5274 int i; 5275 int skew; 5276 secp256k1_scalar num, unused; 5277 5278 secp256k1_scalar_set_int(&x, 0); 5279 secp256k1_scalar_set_int(&shift, 1 << w); 5280 /* Make num a 128-bit scalar. */ 5281 secp256k1_scalar_split_128(&num, &unused, number); 5282 skew = secp256k1_wnaf_fixed(wnaf, &num, w); 5283 5284 for (i = WNAF_SIZE(w)-1; i >= 0; --i) { 5285 secp256k1_scalar t; 5286 int v = wnaf[i]; 5287 CHECK(v == 0 || v & 1); /* check parity */ 5288 CHECK(v > -(1 << w)); /* check range above */ 5289 CHECK(v < (1 << w)); /* check range below */ 5290 5291 secp256k1_scalar_mul(&x, &x, &shift); 5292 if (v >= 0) { 5293 secp256k1_scalar_set_int(&t, v); 5294 } else { 5295 secp256k1_scalar_set_int(&t, -v); 5296 secp256k1_scalar_negate(&t, &t); 5297 } 5298 secp256k1_scalar_add(&x, &x, &t); 5299 } 5300 /* If skew is 1 then add 1 to num */ 5301 secp256k1_scalar_cadd_bit(&num, 0, skew == 1); 5302 CHECK(secp256k1_scalar_eq(&x, &num)); 5303 } 5304 5305 /* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the 5306 * rest is 0.*/ 5307 static void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) { 5308 int i; 5309 for (i = WNAF_SIZE(w)-1; i >= 8; --i) { 5310 CHECK(wnaf[i] == 0); 5311 } 5312 for (i = 7; i >= 0; --i) { 5313 CHECK(wnaf[i] == wnaf_expected[i]); 5314 } 5315 } 5316 5317 static void test_fixed_wnaf_small(void) { 5318 int w = 4; 5319 int wnaf[256] = {0}; 5320 int i; 5321 int skew; 5322 secp256k1_scalar num; 5323 5324 secp256k1_scalar_set_int(&num, 0); 5325 skew = secp256k1_wnaf_fixed(wnaf, &num, w); 5326 for (i = WNAF_SIZE(w)-1; i >= 0; --i) { 5327 int v = wnaf[i]; 5328 CHECK(v == 0); 5329 } 5330 CHECK(skew == 0); 5331 5332 secp256k1_scalar_set_int(&num, 1); 5333 skew = secp256k1_wnaf_fixed(wnaf, &num, w); 5334 for (i = WNAF_SIZE(w)-1; i >= 1; --i) { 5335 int v = wnaf[i]; 5336 CHECK(v == 0); 5337 } 5338 CHECK(wnaf[0] == 1); 5339 CHECK(skew == 0); 5340 5341 { 5342 int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf }; 5343 secp256k1_scalar_set_int(&num, 0xffffffff); 5344 skew = secp256k1_wnaf_fixed(wnaf, &num, w); 5345 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w); 5346 CHECK(skew == 0); 5347 } 5348 { 5349 int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf }; 5350 secp256k1_scalar_set_int(&num, 0xeeeeeeee); 5351 skew = secp256k1_wnaf_fixed(wnaf, &num, w); 5352 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w); 5353 CHECK(skew == 1); 5354 } 5355 { 5356 int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 }; 5357 secp256k1_scalar_set_int(&num, 0x01010101); 5358 skew = secp256k1_wnaf_fixed(wnaf, &num, w); 5359 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w); 5360 CHECK(skew == 0); 5361 } 5362 { 5363 int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 }; 5364 secp256k1_scalar_set_int(&num, 0x01ef1ef1); 5365 skew = secp256k1_wnaf_fixed(wnaf, &num, w); 5366 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w); 5367 CHECK(skew == 0); 5368 } 5369 } 5370 5371 static void run_wnaf(void) { 5372 int i; 5373 secp256k1_scalar n; 5374 5375 /* Test 0 for fixed wnaf */ 5376 test_fixed_wnaf_small(); 5377 /* Random tests */ 5378 for (i = 0; i < COUNT; i++) { 5379 testutil_random_scalar_order(&n); 5380 test_wnaf(&n, 4+(i%10)); 5381 test_fixed_wnaf(&n, 4 + (i % 10)); 5382 } 5383 secp256k1_scalar_set_int(&n, 0); 5384 CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1); 5385 CHECK(secp256k1_scalar_is_zero(&n)); 5386 CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1); 5387 CHECK(secp256k1_scalar_is_zero(&n)); 5388 } 5389 5390 static int test_ecmult_accumulate_cb(secp256k1_scalar* sc, secp256k1_ge* pt, size_t idx, void* data) { 5391 const secp256k1_scalar* indata = (const secp256k1_scalar*)data; 5392 *sc = *indata; 5393 *pt = secp256k1_ge_const_g; 5394 CHECK(idx == 0); 5395 return 1; 5396 } 5397 5398 static void test_ecmult_accumulate(secp256k1_sha256* acc, const secp256k1_scalar* x, secp256k1_scratch* scratch) { 5399 /* Compute x*G in 6 different ways, serialize it uncompressed, and feed it into acc. */ 5400 secp256k1_gej rj1, rj2, rj3, rj4, rj5, rj6, gj, infj; 5401 secp256k1_ge r; 5402 unsigned char bytes[65]; 5403 size_t size = 65; 5404 secp256k1_gej_set_ge(&gj, &secp256k1_ge_const_g); 5405 secp256k1_gej_set_infinity(&infj); 5406 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &rj1, x); 5407 secp256k1_ecmult(&rj2, &gj, x, &secp256k1_scalar_zero); 5408 secp256k1_ecmult(&rj3, &infj, &secp256k1_scalar_zero, x); 5409 CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &rj4, x, NULL, NULL, 0)); 5410 CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &rj5, &secp256k1_scalar_zero, test_ecmult_accumulate_cb, (void*)x, 1)); 5411 secp256k1_ecmult_const(&rj6, &secp256k1_ge_const_g, x); 5412 secp256k1_ge_set_gej_var(&r, &rj1); 5413 CHECK(secp256k1_gej_eq_ge_var(&rj2, &r)); 5414 CHECK(secp256k1_gej_eq_ge_var(&rj3, &r)); 5415 CHECK(secp256k1_gej_eq_ge_var(&rj4, &r)); 5416 CHECK(secp256k1_gej_eq_ge_var(&rj5, &r)); 5417 CHECK(secp256k1_gej_eq_ge_var(&rj6, &r)); 5418 if (secp256k1_ge_is_infinity(&r)) { 5419 /* Store infinity as 0x00 */ 5420 const unsigned char zerobyte[1] = {0}; 5421 secp256k1_sha256_write(acc, zerobyte, 1); 5422 } else { 5423 /* Store other points using their uncompressed serialization. */ 5424 secp256k1_eckey_pubkey_serialize(&r, bytes, &size, 0); 5425 CHECK(size == 65); 5426 secp256k1_sha256_write(acc, bytes, size); 5427 } 5428 } 5429 5430 static void test_ecmult_constants_2bit(void) { 5431 /* Using test_ecmult_accumulate, test ecmult for: 5432 * - For i in 0..36: 5433 * - Key i 5434 * - Key -i 5435 * - For i in 0..255: 5436 * - For j in 1..255 (only odd values): 5437 * - Key (j*2^i) mod order 5438 */ 5439 secp256k1_scalar x; 5440 secp256k1_sha256 acc; 5441 unsigned char b32[32]; 5442 int i, j; 5443 secp256k1_scratch_space *scratch = secp256k1_scratch_space_create(CTX, 65536); 5444 5445 /* Expected hash of all the computed points; created with an independent 5446 * implementation. */ 5447 static const unsigned char expected32[32] = { 5448 0xe4, 0x71, 0x1b, 0x4d, 0x14, 0x1e, 0x68, 0x48, 5449 0xb7, 0xaf, 0x47, 0x2b, 0x4c, 0xd2, 0x04, 0x14, 5450 0x3a, 0x75, 0x87, 0x60, 0x1a, 0xf9, 0x63, 0x60, 5451 0xd0, 0xcb, 0x1f, 0xaa, 0x85, 0x9a, 0xb7, 0xb4 5452 }; 5453 secp256k1_sha256_initialize(&acc); 5454 for (i = 0; i <= 36; ++i) { 5455 secp256k1_scalar_set_int(&x, i); 5456 test_ecmult_accumulate(&acc, &x, scratch); 5457 secp256k1_scalar_negate(&x, &x); 5458 test_ecmult_accumulate(&acc, &x, scratch); 5459 }; 5460 for (i = 0; i < 256; ++i) { 5461 for (j = 1; j < 256; j += 2) { 5462 int k; 5463 secp256k1_scalar_set_int(&x, j); 5464 for (k = 0; k < i; ++k) secp256k1_scalar_add(&x, &x, &x); 5465 test_ecmult_accumulate(&acc, &x, scratch); 5466 } 5467 } 5468 secp256k1_sha256_finalize(&acc, b32); 5469 CHECK(secp256k1_memcmp_var(b32, expected32, 32) == 0); 5470 5471 secp256k1_scratch_space_destroy(CTX, scratch); 5472 } 5473 5474 static void test_ecmult_constants_sha(uint32_t prefix, size_t iter, const unsigned char* expected32) { 5475 /* Using test_ecmult_accumulate, test ecmult for: 5476 * - Key 0 5477 * - Key 1 5478 * - Key -1 5479 * - For i in range(iter): 5480 * - Key SHA256(LE32(prefix) || LE16(i)) 5481 */ 5482 secp256k1_scalar x; 5483 secp256k1_sha256 acc; 5484 unsigned char b32[32]; 5485 unsigned char inp[6]; 5486 size_t i; 5487 secp256k1_scratch_space *scratch = secp256k1_scratch_space_create(CTX, 65536); 5488 5489 inp[0] = prefix & 0xFF; 5490 inp[1] = (prefix >> 8) & 0xFF; 5491 inp[2] = (prefix >> 16) & 0xFF; 5492 inp[3] = (prefix >> 24) & 0xFF; 5493 secp256k1_sha256_initialize(&acc); 5494 secp256k1_scalar_set_int(&x, 0); 5495 test_ecmult_accumulate(&acc, &x, scratch); 5496 secp256k1_scalar_set_int(&x, 1); 5497 test_ecmult_accumulate(&acc, &x, scratch); 5498 secp256k1_scalar_negate(&x, &x); 5499 test_ecmult_accumulate(&acc, &x, scratch); 5500 5501 for (i = 0; i < iter; ++i) { 5502 secp256k1_sha256 gen; 5503 inp[4] = i & 0xff; 5504 inp[5] = (i >> 8) & 0xff; 5505 secp256k1_sha256_initialize(&gen); 5506 secp256k1_sha256_write(&gen, inp, sizeof(inp)); 5507 secp256k1_sha256_finalize(&gen, b32); 5508 secp256k1_scalar_set_b32(&x, b32, NULL); 5509 test_ecmult_accumulate(&acc, &x, scratch); 5510 } 5511 secp256k1_sha256_finalize(&acc, b32); 5512 CHECK(secp256k1_memcmp_var(b32, expected32, 32) == 0); 5513 5514 secp256k1_scratch_space_destroy(CTX, scratch); 5515 } 5516 5517 static void run_ecmult_constants(void) { 5518 /* Expected hashes of all points in the tests below. Computed using an 5519 * independent implementation. */ 5520 static const unsigned char expected32_6bit20[32] = { 5521 0x68, 0xb6, 0xed, 0x6f, 0x28, 0xca, 0xc9, 0x7f, 5522 0x8e, 0x8b, 0xd6, 0xc0, 0x61, 0x79, 0x34, 0x6e, 5523 0x5a, 0x8f, 0x2b, 0xbc, 0x3e, 0x1f, 0xc5, 0x2e, 5524 0x2a, 0xd0, 0x45, 0x67, 0x7f, 0x95, 0x95, 0x8e 5525 }; 5526 static const unsigned char expected32_8bit8[32] = { 5527 0x8b, 0x65, 0x8e, 0xea, 0x86, 0xae, 0x3c, 0x95, 5528 0x90, 0xb6, 0x77, 0xa4, 0x8c, 0x76, 0xd9, 0xec, 5529 0xf5, 0xab, 0x8a, 0x2f, 0xfd, 0xdb, 0x19, 0x12, 5530 0x1a, 0xee, 0xe6, 0xb7, 0x6e, 0x05, 0x3f, 0xc6 5531 }; 5532 /* For every combination of 6 bit positions out of 256, restricted to 5533 * 20-bit windows (i.e., the first and last bit position are no more than 5534 * 19 bits apart), all 64 bit patterns occur in the input scalars used in 5535 * this test. */ 5536 CONDITIONAL_TEST(1, "test_ecmult_constants_sha 1024") { 5537 test_ecmult_constants_sha(4808378u, 1024, expected32_6bit20); 5538 } 5539 5540 /* For every combination of 8 consecutive bit positions, all 256 bit 5541 * patterns occur in the input scalars used in this test. */ 5542 CONDITIONAL_TEST(3, "test_ecmult_constants_sha 2048") { 5543 test_ecmult_constants_sha(1607366309u, 2048, expected32_8bit8); 5544 } 5545 5546 CONDITIONAL_TEST(16, "test_ecmult_constants_2bit") { 5547 test_ecmult_constants_2bit(); 5548 } 5549 } 5550 5551 static void test_ecmult_gen_blind(void) { 5552 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */ 5553 secp256k1_scalar key; 5554 secp256k1_scalar b; 5555 unsigned char seed32[32]; 5556 secp256k1_gej pgej; 5557 secp256k1_gej pgej2; 5558 secp256k1_ge p; 5559 secp256k1_ge pge; 5560 testutil_random_scalar_order_test(&key); 5561 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &pgej, &key); 5562 testrand256(seed32); 5563 b = CTX->ecmult_gen_ctx.scalar_offset; 5564 p = CTX->ecmult_gen_ctx.ge_offset; 5565 secp256k1_ecmult_gen_blind(&CTX->ecmult_gen_ctx, seed32); 5566 CHECK(!secp256k1_scalar_eq(&b, &CTX->ecmult_gen_ctx.scalar_offset)); 5567 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &pgej2, &key); 5568 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2)); 5569 CHECK(!secp256k1_ge_eq_var(&p, &CTX->ecmult_gen_ctx.ge_offset)); 5570 secp256k1_ge_set_gej(&pge, &pgej); 5571 CHECK(secp256k1_gej_eq_ge_var(&pgej2, &pge)); 5572 } 5573 5574 static void test_ecmult_gen_blind_reset(void) { 5575 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */ 5576 secp256k1_scalar b; 5577 secp256k1_ge p1, p2; 5578 secp256k1_ecmult_gen_blind(&CTX->ecmult_gen_ctx, 0); 5579 b = CTX->ecmult_gen_ctx.scalar_offset; 5580 p1 = CTX->ecmult_gen_ctx.ge_offset; 5581 secp256k1_ecmult_gen_blind(&CTX->ecmult_gen_ctx, 0); 5582 CHECK(secp256k1_scalar_eq(&b, &CTX->ecmult_gen_ctx.scalar_offset)); 5583 p2 = CTX->ecmult_gen_ctx.ge_offset; 5584 CHECK(secp256k1_ge_eq_var(&p1, &p2)); 5585 } 5586 5587 /* Verify that ecmult_gen for scalars gn for which gn + scalar_offset = {-1,0,1}. */ 5588 static void test_ecmult_gen_edge_cases(void) { 5589 int i; 5590 secp256k1_gej res1, res2, res3; 5591 secp256k1_scalar gn = secp256k1_scalar_one; /* gn = 1 */ 5592 secp256k1_scalar_add(&gn, &gn, &CTX->ecmult_gen_ctx.scalar_offset); /* gn = 1 + scalar_offset */ 5593 secp256k1_scalar_negate(&gn, &gn); /* gn = -1 - scalar_offset */ 5594 5595 for (i = -1; i < 2; ++i) { 5596 /* Run test with gn = i - scalar_offset (so that the ecmult_gen recoded value represents i). */ 5597 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &res1, &gn); 5598 secp256k1_ecmult(&res2, NULL, &secp256k1_scalar_zero, &gn); 5599 secp256k1_ecmult_const(&res3, &secp256k1_ge_const_g, &gn); 5600 CHECK(secp256k1_gej_eq_var(&res1, &res2)); 5601 CHECK(secp256k1_gej_eq_var(&res1, &res3)); 5602 secp256k1_scalar_add(&gn, &gn, &secp256k1_scalar_one); 5603 } 5604 } 5605 5606 static void run_ecmult_gen_blind(void) { 5607 int i; 5608 test_ecmult_gen_blind_reset(); 5609 test_ecmult_gen_edge_cases(); 5610 for (i = 0; i < 10; i++) { 5611 test_ecmult_gen_blind(); 5612 } 5613 } 5614 5615 /***** ENDOMORPHISH TESTS *****/ 5616 static void test_scalar_split(const secp256k1_scalar* full) { 5617 secp256k1_scalar s, s1, slam; 5618 const unsigned char zero[32] = {0}; 5619 unsigned char tmp[32]; 5620 5621 secp256k1_scalar_split_lambda(&s1, &slam, full); 5622 5623 /* check slam*lambda + s1 == full */ 5624 secp256k1_scalar_mul(&s, &secp256k1_const_lambda, &slam); 5625 secp256k1_scalar_add(&s, &s, &s1); 5626 CHECK(secp256k1_scalar_eq(&s, full)); 5627 5628 /* check that both are <= 128 bits in size */ 5629 if (secp256k1_scalar_is_high(&s1)) { 5630 secp256k1_scalar_negate(&s1, &s1); 5631 } 5632 if (secp256k1_scalar_is_high(&slam)) { 5633 secp256k1_scalar_negate(&slam, &slam); 5634 } 5635 5636 secp256k1_scalar_get_b32(tmp, &s1); 5637 CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0); 5638 secp256k1_scalar_get_b32(tmp, &slam); 5639 CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0); 5640 } 5641 5642 5643 static void run_endomorphism_tests(void) { 5644 unsigned i; 5645 static secp256k1_scalar s; 5646 test_scalar_split(&secp256k1_scalar_zero); 5647 test_scalar_split(&secp256k1_scalar_one); 5648 secp256k1_scalar_negate(&s,&secp256k1_scalar_one); 5649 test_scalar_split(&s); 5650 test_scalar_split(&secp256k1_const_lambda); 5651 secp256k1_scalar_add(&s, &secp256k1_const_lambda, &secp256k1_scalar_one); 5652 test_scalar_split(&s); 5653 5654 for (i = 0; i < 100U * COUNT; ++i) { 5655 secp256k1_scalar full; 5656 testutil_random_scalar_order_test(&full); 5657 test_scalar_split(&full); 5658 } 5659 for (i = 0; i < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++i) { 5660 test_scalar_split(&scalars_near_split_bounds[i]); 5661 } 5662 } 5663 5664 static void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) { 5665 unsigned char pubkeyc[65]; 5666 secp256k1_pubkey pubkey; 5667 secp256k1_ge ge; 5668 size_t pubkeyclen; 5669 5670 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) { 5671 /* Smaller sizes are tested exhaustively elsewhere. */ 5672 int32_t i; 5673 memcpy(&pubkeyc[1], input, 64); 5674 SECP256K1_CHECKMEM_UNDEFINE(&pubkeyc[pubkeyclen], 65 - pubkeyclen); 5675 for (i = 0; i < 256; i++) { 5676 /* Try all type bytes. */ 5677 int xpass; 5678 int ypass; 5679 int ysign; 5680 pubkeyc[0] = i; 5681 /* What sign does this point have? */ 5682 ysign = (input[63] & 1) + 2; 5683 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */ 5684 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2); 5685 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */ 5686 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) && 5687 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65)); 5688 if (xpass || ypass) { 5689 /* These cases must parse. */ 5690 unsigned char pubkeyo[65]; 5691 size_t outl; 5692 memset(&pubkey, 0, sizeof(pubkey)); 5693 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 5694 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 1); 5695 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 5696 outl = 65; 5697 SECP256K1_CHECKMEM_UNDEFINE(pubkeyo, 65); 5698 CHECK(secp256k1_ec_pubkey_serialize(CTX, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1); 5699 SECP256K1_CHECKMEM_CHECK(pubkeyo, outl); 5700 CHECK(outl == 33); 5701 CHECK(secp256k1_memcmp_var(&pubkeyo[1], &pubkeyc[1], 32) == 0); 5702 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0])); 5703 if (ypass) { 5704 /* This test isn't always done because we decode with alternative signs, so the y won't match. */ 5705 CHECK(pubkeyo[0] == ysign); 5706 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 1); 5707 memset(&pubkey, 0, sizeof(pubkey)); 5708 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 5709 secp256k1_pubkey_save(&pubkey, &ge); 5710 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 5711 outl = 65; 5712 SECP256K1_CHECKMEM_UNDEFINE(pubkeyo, 65); 5713 CHECK(secp256k1_ec_pubkey_serialize(CTX, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1); 5714 SECP256K1_CHECKMEM_CHECK(pubkeyo, outl); 5715 CHECK(outl == 65); 5716 CHECK(pubkeyo[0] == 4); 5717 CHECK(secp256k1_memcmp_var(&pubkeyo[1], input, 64) == 0); 5718 } 5719 } else { 5720 /* These cases must fail to parse. */ 5721 memset(&pubkey, 0xfe, sizeof(pubkey)); 5722 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 5723 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 0); 5724 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 5725 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey)); 5726 } 5727 } 5728 } 5729 } 5730 5731 static void run_ec_pubkey_parse_test(void) { 5732 #define SECP256K1_EC_PARSE_TEST_NVALID (12) 5733 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = { 5734 { 5735 /* Point with leading and trailing zeros in x and y serialization. */ 5736 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52, 5737 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 5738 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83, 5739 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00 5740 }, 5741 { 5742 /* Point with x equal to a 3rd root of unity.*/ 5743 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9, 5744 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee, 5745 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14, 5746 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee, 5747 }, 5748 { 5749 /* Point with largest x. (1/2) */ 5750 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 5751 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c, 5752 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e, 5753 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d, 5754 }, 5755 { 5756 /* Point with largest x. (2/2) */ 5757 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 5758 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c, 5759 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1, 5760 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2, 5761 }, 5762 { 5763 /* Point with smallest x. (1/2) */ 5764 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 5765 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 5766 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14, 5767 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee, 5768 }, 5769 { 5770 /* Point with smallest x. (2/2) */ 5771 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 5772 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 5773 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb, 5774 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41, 5775 }, 5776 { 5777 /* Point with largest y. (1/3) */ 5778 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6, 5779 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07, 5780 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 5781 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e, 5782 }, 5783 { 5784 /* Point with largest y. (2/3) */ 5785 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c, 5786 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73, 5787 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 5788 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e, 5789 }, 5790 { 5791 /* Point with largest y. (3/3) */ 5792 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc, 5793 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5, 5794 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 5795 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e, 5796 }, 5797 { 5798 /* Point with smallest y. (1/3) */ 5799 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6, 5800 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07, 5801 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 5802 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 5803 }, 5804 { 5805 /* Point with smallest y. (2/3) */ 5806 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c, 5807 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73, 5808 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 5809 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 5810 }, 5811 { 5812 /* Point with smallest y. (3/3) */ 5813 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc, 5814 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5, 5815 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 5816 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 5817 } 5818 }; 5819 #define SECP256K1_EC_PARSE_TEST_NXVALID (4) 5820 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = { 5821 { 5822 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */ 5823 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6, 5824 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07, 5825 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 5826 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30, 5827 }, 5828 { 5829 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */ 5830 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c, 5831 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73, 5832 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 5833 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30, 5834 }, 5835 { 5836 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/ 5837 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc, 5838 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5, 5839 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 5840 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30, 5841 }, 5842 { 5843 /* x on curve, y is from y^2 = x^3 + 8. */ 5844 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 5845 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 5846 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 5847 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03 5848 } 5849 }; 5850 #define SECP256K1_EC_PARSE_TEST_NINVALID (7) 5851 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = { 5852 { 5853 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */ 5854 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c, 5855 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53, 5856 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 5857 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 5858 }, 5859 { 5860 /* Valid if x overflow ignored (x = 1 mod p). */ 5861 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 5862 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30, 5863 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14, 5864 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee, 5865 }, 5866 { 5867 /* Valid if x overflow ignored (x = 1 mod p). */ 5868 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 5869 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30, 5870 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb, 5871 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41, 5872 }, 5873 { 5874 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */ 5875 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 5876 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e, 5877 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f, 5878 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28, 5879 }, 5880 { 5881 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */ 5882 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 5883 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e, 5884 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0, 5885 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07, 5886 }, 5887 { 5888 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */ 5889 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 5890 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 5891 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d, 5892 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc, 5893 }, 5894 { 5895 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */ 5896 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 5897 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 5898 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2, 5899 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53 5900 } 5901 }; 5902 const unsigned char pubkeyc[66] = { 5903 /* Serialization of G. */ 5904 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B, 5905 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17, 5906 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08, 5907 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4, 5908 0xB8, 0x00 5909 }; 5910 unsigned char sout[65]; 5911 unsigned char shortkey[2] = { 0 }; 5912 secp256k1_ge ge; 5913 secp256k1_pubkey pubkey; 5914 size_t len; 5915 int32_t i; 5916 5917 /* Nothing should be reading this far into pubkeyc. */ 5918 SECP256K1_CHECKMEM_UNDEFINE(&pubkeyc[65], 1); 5919 /* Zero length claimed, fail, zeroize, no illegal arg error. */ 5920 memset(&pubkey, 0xfe, sizeof(pubkey)); 5921 SECP256K1_CHECKMEM_UNDEFINE(shortkey, 2); 5922 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 5923 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, shortkey, 0) == 0); 5924 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 5925 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey)); 5926 /* Length one claimed, fail, zeroize, no illegal arg error. */ 5927 for (i = 0; i < 256 ; i++) { 5928 memset(&pubkey, 0xfe, sizeof(pubkey)); 5929 shortkey[0] = i; 5930 SECP256K1_CHECKMEM_UNDEFINE(&shortkey[1], 1); 5931 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 5932 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, shortkey, 1) == 0); 5933 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 5934 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey)); 5935 } 5936 /* Length two claimed, fail, zeroize, no illegal arg error. */ 5937 for (i = 0; i < 65536 ; i++) { 5938 memset(&pubkey, 0xfe, sizeof(pubkey)); 5939 shortkey[0] = i & 255; 5940 shortkey[1] = i >> 8; 5941 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 5942 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, shortkey, 2) == 0); 5943 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 5944 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey)); 5945 } 5946 memset(&pubkey, 0xfe, sizeof(pubkey)); 5947 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 5948 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */ 5949 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 33) == 0); 5950 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 5951 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey)); 5952 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */ 5953 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_parse(CTX, NULL, pubkeyc, 65)); 5954 /* NULL input string. Illegal arg and zeroize output. */ 5955 memset(&pubkey, 0xfe, sizeof(pubkey)); 5956 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 5957 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_parse(CTX, &pubkey, NULL, 65)); 5958 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 5959 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey)); 5960 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */ 5961 memset(&pubkey, 0xfe, sizeof(pubkey)); 5962 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 5963 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 64) == 0); 5964 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 5965 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey)); 5966 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */ 5967 memset(&pubkey, 0xfe, sizeof(pubkey)); 5968 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 5969 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 66) == 0); 5970 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 5971 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey)); 5972 /* Valid parse. */ 5973 memset(&pubkey, 0, sizeof(pubkey)); 5974 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 5975 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 65) == 1); 5976 CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_static, &pubkey, pubkeyc, 65) == 1); 5977 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 5978 SECP256K1_CHECKMEM_UNDEFINE(&ge, sizeof(ge)); 5979 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 1); 5980 SECP256K1_CHECKMEM_CHECK(&ge.x, sizeof(ge.x)); 5981 SECP256K1_CHECKMEM_CHECK(&ge.y, sizeof(ge.y)); 5982 SECP256K1_CHECKMEM_CHECK(&ge.infinity, sizeof(ge.infinity)); 5983 CHECK(secp256k1_ge_eq_var(&ge, &secp256k1_ge_const_g)); 5984 /* secp256k1_ec_pubkey_serialize illegal args. */ 5985 len = 65; 5986 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_serialize(CTX, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED)); 5987 CHECK(len == 0); 5988 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_serialize(CTX, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED)); 5989 len = 65; 5990 SECP256K1_CHECKMEM_UNDEFINE(sout, 65); 5991 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_serialize(CTX, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED)); 5992 SECP256K1_CHECKMEM_CHECK(sout, 65); 5993 CHECK(len == 0); 5994 len = 65; 5995 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_serialize(CTX, sout, &len, &pubkey, ~0)); 5996 CHECK(len == 0); 5997 len = 65; 5998 SECP256K1_CHECKMEM_UNDEFINE(sout, 65); 5999 CHECK(secp256k1_ec_pubkey_serialize(CTX, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1); 6000 SECP256K1_CHECKMEM_CHECK(sout, 65); 6001 CHECK(len == 65); 6002 /* Multiple illegal args. Should still set arg error only once. */ 6003 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_parse(CTX, NULL, NULL, 65)); 6004 /* Try a bunch of prefabbed points with all possible encodings. */ 6005 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) { 6006 ec_pubkey_parse_pointtest(valid[i], 1, 1); 6007 } 6008 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) { 6009 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0); 6010 } 6011 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) { 6012 ec_pubkey_parse_pointtest(invalid[i], 0, 0); 6013 } 6014 } 6015 6016 static void run_eckey_edge_case_test(void) { 6017 const unsigned char orderc[32] = { 6018 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 6019 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 6020 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b, 6021 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41 6022 }; 6023 const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00}; 6024 unsigned char ctmp[33]; 6025 unsigned char ctmp2[33]; 6026 secp256k1_pubkey pubkey; 6027 secp256k1_pubkey pubkey2; 6028 secp256k1_pubkey pubkey_one; 6029 secp256k1_pubkey pubkey_negone; 6030 const secp256k1_pubkey *pubkeys[3]; 6031 size_t len; 6032 /* Group order is too large, reject. */ 6033 CHECK(secp256k1_ec_seckey_verify(CTX, orderc) == 0); 6034 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 6035 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, orderc) == 0); 6036 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 6037 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0); 6038 /* Maximum value is too large, reject. */ 6039 memset(ctmp, 255, 32); 6040 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 0); 6041 memset(&pubkey, 1, sizeof(pubkey)); 6042 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 6043 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 0); 6044 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 6045 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0); 6046 /* Zero is too small, reject. */ 6047 memset(ctmp, 0, 32); 6048 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 0); 6049 memset(&pubkey, 1, sizeof(pubkey)); 6050 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 6051 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 0); 6052 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 6053 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0); 6054 /* One must be accepted. */ 6055 ctmp[31] = 0x01; 6056 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 1); 6057 memset(&pubkey, 0, sizeof(pubkey)); 6058 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 6059 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1); 6060 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 6061 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0); 6062 pubkey_one = pubkey; 6063 /* Group order + 1 is too large, reject. */ 6064 memcpy(ctmp, orderc, 32); 6065 ctmp[31] = 0x42; 6066 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 0); 6067 memset(&pubkey, 1, sizeof(pubkey)); 6068 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 6069 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 0); 6070 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 6071 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0); 6072 /* -1 must be accepted. */ 6073 ctmp[31] = 0x40; 6074 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 1); 6075 memset(&pubkey, 0, sizeof(pubkey)); 6076 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 6077 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1); 6078 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 6079 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0); 6080 pubkey_negone = pubkey; 6081 /* Tweak of zero leaves the value unchanged. */ 6082 memset(ctmp2, 0, 32); 6083 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, ctmp2) == 1); 6084 CHECK(secp256k1_memcmp_var(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40); 6085 memcpy(&pubkey2, &pubkey, sizeof(pubkey)); 6086 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1); 6087 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0); 6088 /* Multiply tweak of zero zeroizes the output. */ 6089 CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, ctmp2) == 0); 6090 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0); 6091 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, ctmp2) == 0); 6092 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0); 6093 memcpy(&pubkey, &pubkey2, sizeof(pubkey)); 6094 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing 6095 seckey, the seckey is zeroized. */ 6096 memcpy(ctmp, orderc, 32); 6097 memset(ctmp2, 0, 32); 6098 ctmp2[31] = 0x01; 6099 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp2) == 1); 6100 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 0); 6101 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, ctmp2) == 0); 6102 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0); 6103 memcpy(ctmp, orderc, 32); 6104 CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, ctmp2) == 0); 6105 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0); 6106 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing 6107 tweak, the seckey is zeroized. */ 6108 memcpy(ctmp, orderc, 32); 6109 ctmp[31] = 0x40; 6110 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, orderc) == 0); 6111 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0); 6112 memcpy(ctmp, orderc, 32); 6113 ctmp[31] = 0x40; 6114 CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, orderc) == 0); 6115 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0); 6116 memcpy(ctmp, orderc, 32); 6117 ctmp[31] = 0x40; 6118 /* If pubkey_tweak_add or pubkey_tweak_mul are called with an overflowing 6119 tweak, the pubkey is zeroized. */ 6120 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, orderc) == 0); 6121 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0); 6122 memcpy(&pubkey, &pubkey2, sizeof(pubkey)); 6123 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, orderc) == 0); 6124 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0); 6125 memcpy(&pubkey, &pubkey2, sizeof(pubkey)); 6126 /* If the resulting key in secp256k1_ec_seckey_tweak_add and 6127 * secp256k1_ec_pubkey_tweak_add is 0 the functions fail and in the latter 6128 * case the pubkey is zeroized. */ 6129 memcpy(ctmp, orderc, 32); 6130 ctmp[31] = 0x40; 6131 memset(ctmp2, 0, 32); 6132 ctmp2[31] = 1; 6133 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp2, ctmp) == 0); 6134 CHECK(secp256k1_memcmp_var(zeros, ctmp2, 32) == 0); 6135 ctmp2[31] = 1; 6136 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 0); 6137 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0); 6138 memcpy(&pubkey, &pubkey2, sizeof(pubkey)); 6139 /* Tweak computation wraps and results in a key of 1. */ 6140 ctmp2[31] = 2; 6141 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp2, ctmp) == 1); 6142 CHECK(secp256k1_memcmp_var(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1); 6143 ctmp2[31] = 2; 6144 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1); 6145 ctmp2[31] = 1; 6146 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey2, ctmp2) == 1); 6147 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0); 6148 /* Tweak mul * 2 = 1+1. */ 6149 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1); 6150 ctmp2[31] = 2; 6151 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey2, ctmp2) == 1); 6152 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0); 6153 /* Zeroize pubkey on parse error. */ 6154 memset(&pubkey, 0, 32); 6155 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2)); 6156 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0); 6157 memcpy(&pubkey, &pubkey2, sizeof(pubkey)); 6158 memset(&pubkey2, 0, 32); 6159 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey2, ctmp2)); 6160 CHECK(secp256k1_memcmp_var(&pubkey2, zeros, sizeof(pubkey2)) == 0); 6161 /* Plain argument errors. */ 6162 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 1); 6163 CHECK_ILLEGAL(CTX, secp256k1_ec_seckey_verify(CTX, NULL)); 6164 memset(ctmp2, 0, 32); 6165 ctmp2[31] = 4; 6166 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_tweak_add(CTX, NULL, ctmp2)); 6167 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, NULL)); 6168 memset(ctmp2, 0, 32); 6169 ctmp2[31] = 4; 6170 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_tweak_mul(CTX, NULL, ctmp2)); 6171 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, NULL)); 6172 memset(ctmp2, 0, 32); 6173 CHECK_ILLEGAL(CTX, secp256k1_ec_seckey_tweak_add(CTX, NULL, ctmp2)); 6174 CHECK_ILLEGAL(CTX, secp256k1_ec_seckey_tweak_add(CTX, ctmp, NULL)); 6175 memset(ctmp2, 0, 32); 6176 ctmp2[31] = 1; 6177 CHECK_ILLEGAL(CTX, secp256k1_ec_seckey_tweak_mul(CTX, NULL, ctmp2)); 6178 CHECK_ILLEGAL(CTX, secp256k1_ec_seckey_tweak_mul(CTX, ctmp, NULL)); 6179 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_create(CTX, NULL, ctmp)); 6180 memset(&pubkey, 1, sizeof(pubkey)); 6181 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_create(CTX, &pubkey, NULL)); 6182 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0); 6183 /* secp256k1_ec_pubkey_combine tests. */ 6184 pubkeys[0] = &pubkey_one; 6185 SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[0], sizeof(secp256k1_pubkey *)); 6186 SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[1], sizeof(secp256k1_pubkey *)); 6187 SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[2], sizeof(secp256k1_pubkey *)); 6188 memset(&pubkey, 255, sizeof(secp256k1_pubkey)); 6189 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey)); 6190 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 0)); 6191 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey)); 6192 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0); 6193 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_combine(CTX, NULL, pubkeys, 1)); 6194 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0); 6195 memset(&pubkey, 255, sizeof(secp256k1_pubkey)); 6196 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey)); 6197 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_combine(CTX, &pubkey, NULL, 1)); 6198 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey)); 6199 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0); 6200 pubkeys[0] = &pubkey_negone; 6201 memset(&pubkey, 255, sizeof(secp256k1_pubkey)); 6202 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey)); 6203 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 1) == 1); 6204 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey)); 6205 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0); 6206 len = 33; 6207 CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1); 6208 CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1); 6209 CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0); 6210 /* Result is infinity. */ 6211 pubkeys[0] = &pubkey_one; 6212 pubkeys[1] = &pubkey_negone; 6213 memset(&pubkey, 255, sizeof(secp256k1_pubkey)); 6214 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey)); 6215 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 2) == 0); 6216 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey)); 6217 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0); 6218 /* Passes through infinity but comes out one. */ 6219 pubkeys[2] = &pubkey_one; 6220 memset(&pubkey, 255, sizeof(secp256k1_pubkey)); 6221 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey)); 6222 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 3) == 1); 6223 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey)); 6224 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0); 6225 len = 33; 6226 CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1); 6227 CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1); 6228 CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0); 6229 /* Adds to two. */ 6230 pubkeys[1] = &pubkey_one; 6231 memset(&pubkey, 255, sizeof(secp256k1_pubkey)); 6232 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey)); 6233 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 2) == 1); 6234 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey)); 6235 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0); 6236 } 6237 6238 static void run_eckey_negate_test(void) { 6239 unsigned char seckey[32]; 6240 unsigned char seckey_tmp[32]; 6241 6242 testutil_random_scalar_order_b32(seckey); 6243 memcpy(seckey_tmp, seckey, 32); 6244 6245 /* Verify negation changes the key and changes it back */ 6246 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 1); 6247 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) != 0); 6248 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 1); 6249 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0); 6250 6251 /* Check that privkey alias gives same result */ 6252 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 1); 6253 CHECK(secp256k1_ec_privkey_negate(CTX, seckey_tmp) == 1); 6254 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0); 6255 6256 /* Negating all 0s fails */ 6257 memset(seckey, 0, 32); 6258 memset(seckey_tmp, 0, 32); 6259 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 0); 6260 /* Check that seckey is not modified */ 6261 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0); 6262 6263 /* Negating an overflowing seckey fails and the seckey is zeroed. In this 6264 * test, the seckey has 16 random bytes to ensure that ec_seckey_negate 6265 * doesn't just set seckey to a constant value in case of failure. */ 6266 testutil_random_scalar_order_b32(seckey); 6267 memset(seckey, 0xFF, 16); 6268 memset(seckey_tmp, 0, 32); 6269 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 0); 6270 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0); 6271 } 6272 6273 static void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) { 6274 secp256k1_scalar nonce; 6275 do { 6276 testutil_random_scalar_order_test(&nonce); 6277 } while(!secp256k1_ecdsa_sig_sign(&CTX->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid)); 6278 } 6279 6280 static void test_ecdsa_sign_verify(void) { 6281 secp256k1_gej pubj; 6282 secp256k1_ge pub; 6283 secp256k1_scalar one; 6284 secp256k1_scalar msg, key; 6285 secp256k1_scalar sigr, sigs; 6286 int getrec; 6287 int recid; 6288 testutil_random_scalar_order_test(&msg); 6289 testutil_random_scalar_order_test(&key); 6290 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &pubj, &key); 6291 secp256k1_ge_set_gej(&pub, &pubj); 6292 getrec = testrand_bits(1); 6293 /* The specific way in which this conditional is written sidesteps a potential bug in clang. 6294 See the commit messages of the commit that introduced this comment for details. */ 6295 if (getrec) { 6296 random_sign(&sigr, &sigs, &key, &msg, &recid); 6297 CHECK(recid >= 0 && recid < 4); 6298 } else { 6299 random_sign(&sigr, &sigs, &key, &msg, NULL); 6300 } 6301 CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg)); 6302 secp256k1_scalar_set_int(&one, 1); 6303 secp256k1_scalar_add(&msg, &msg, &one); 6304 CHECK(!secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg)); 6305 } 6306 6307 static void run_ecdsa_sign_verify(void) { 6308 int i; 6309 for (i = 0; i < 10*COUNT; i++) { 6310 test_ecdsa_sign_verify(); 6311 } 6312 } 6313 6314 /** Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted. Use only for testing. */ 6315 static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) { 6316 (void)msg32; 6317 (void)key32; 6318 (void)algo16; 6319 memcpy(nonce32, data, 32); 6320 return (counter == 0); 6321 } 6322 6323 static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) { 6324 /* Dummy nonce generator that has a fatal error on the first counter value. */ 6325 if (counter == 0) { 6326 return 0; 6327 } 6328 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1); 6329 } 6330 6331 static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) { 6332 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */ 6333 if (counter < 3) { 6334 memset(nonce32, counter==0 ? 0 : 255, 32); 6335 if (counter == 2) { 6336 nonce32[31]--; 6337 } 6338 return 1; 6339 } 6340 if (counter < 5) { 6341 static const unsigned char order[] = { 6342 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 6343 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE, 6344 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B, 6345 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41 6346 }; 6347 memcpy(nonce32, order, 32); 6348 if (counter == 4) { 6349 nonce32[31]++; 6350 } 6351 return 1; 6352 } 6353 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */ 6354 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */ 6355 if (counter > 5) { 6356 return 0; 6357 } 6358 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5); 6359 } 6360 6361 static int is_empty_signature(const secp256k1_ecdsa_signature *sig) { 6362 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0}; 6363 return secp256k1_memcmp_var(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0; 6364 } 6365 6366 static void test_ecdsa_end_to_end(void) { 6367 unsigned char extra[32] = {0x00}; 6368 unsigned char privkey[32]; 6369 unsigned char message[32]; 6370 unsigned char privkey2[32]; 6371 secp256k1_ecdsa_signature signature[6]; 6372 secp256k1_scalar r, s; 6373 unsigned char sig[74]; 6374 size_t siglen = 74; 6375 unsigned char pubkeyc[65]; 6376 size_t pubkeyclen = 65; 6377 secp256k1_pubkey pubkey; 6378 secp256k1_pubkey pubkey_tmp; 6379 unsigned char seckey[300]; 6380 size_t seckeylen = 300; 6381 6382 /* Generate a random key and message. */ 6383 { 6384 secp256k1_scalar msg, key; 6385 testutil_random_scalar_order_test(&msg); 6386 testutil_random_scalar_order_test(&key); 6387 secp256k1_scalar_get_b32(privkey, &key); 6388 secp256k1_scalar_get_b32(message, &msg); 6389 } 6390 6391 /* Construct and verify corresponding public key. */ 6392 CHECK(secp256k1_ec_seckey_verify(CTX, privkey) == 1); 6393 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, privkey) == 1); 6394 6395 /* Verify exporting and importing public key. */ 6396 CHECK(secp256k1_ec_pubkey_serialize(CTX, pubkeyc, &pubkeyclen, &pubkey, testrand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED)); 6397 memset(&pubkey, 0, sizeof(pubkey)); 6398 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 1); 6399 6400 /* Verify negation changes the key and changes it back */ 6401 memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey)); 6402 CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey_tmp) == 1); 6403 CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0); 6404 CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey_tmp) == 1); 6405 CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0); 6406 6407 /* Verify private key import and export. */ 6408 CHECK(ec_privkey_export_der(CTX, seckey, &seckeylen, privkey, testrand_bits(1) == 1)); 6409 CHECK(ec_privkey_import_der(CTX, privkey2, seckey, seckeylen) == 1); 6410 CHECK(secp256k1_memcmp_var(privkey, privkey2, 32) == 0); 6411 6412 /* Optionally tweak the keys using addition. */ 6413 if (testrand_int(3) == 0) { 6414 int ret1; 6415 int ret2; 6416 int ret3; 6417 unsigned char rnd[32]; 6418 unsigned char privkey_tmp[32]; 6419 secp256k1_pubkey pubkey2; 6420 testrand256_test(rnd); 6421 memcpy(privkey_tmp, privkey, 32); 6422 ret1 = secp256k1_ec_seckey_tweak_add(CTX, privkey, rnd); 6423 ret2 = secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, rnd); 6424 /* Check that privkey alias gives same result */ 6425 ret3 = secp256k1_ec_privkey_tweak_add(CTX, privkey_tmp, rnd); 6426 CHECK(ret1 == ret2); 6427 CHECK(ret2 == ret3); 6428 if (ret1 == 0) { 6429 return; 6430 } 6431 CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0); 6432 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey2, privkey) == 1); 6433 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0); 6434 } 6435 6436 /* Optionally tweak the keys using multiplication. */ 6437 if (testrand_int(3) == 0) { 6438 int ret1; 6439 int ret2; 6440 int ret3; 6441 unsigned char rnd[32]; 6442 unsigned char privkey_tmp[32]; 6443 secp256k1_pubkey pubkey2; 6444 testrand256_test(rnd); 6445 memcpy(privkey_tmp, privkey, 32); 6446 ret1 = secp256k1_ec_seckey_tweak_mul(CTX, privkey, rnd); 6447 ret2 = secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, rnd); 6448 /* Check that privkey alias gives same result */ 6449 ret3 = secp256k1_ec_privkey_tweak_mul(CTX, privkey_tmp, rnd); 6450 CHECK(ret1 == ret2); 6451 CHECK(ret2 == ret3); 6452 if (ret1 == 0) { 6453 return; 6454 } 6455 CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0); 6456 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey2, privkey) == 1); 6457 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0); 6458 } 6459 6460 /* Sign. */ 6461 CHECK(secp256k1_ecdsa_sign(CTX, &signature[0], message, privkey, NULL, NULL) == 1); 6462 CHECK(secp256k1_ecdsa_sign(CTX, &signature[4], message, privkey, NULL, NULL) == 1); 6463 CHECK(secp256k1_ecdsa_sign(CTX, &signature[1], message, privkey, NULL, extra) == 1); 6464 extra[31] = 1; 6465 CHECK(secp256k1_ecdsa_sign(CTX, &signature[2], message, privkey, NULL, extra) == 1); 6466 extra[31] = 0; 6467 extra[0] = 1; 6468 CHECK(secp256k1_ecdsa_sign(CTX, &signature[3], message, privkey, NULL, extra) == 1); 6469 CHECK(secp256k1_memcmp_var(&signature[0], &signature[4], sizeof(signature[0])) == 0); 6470 CHECK(secp256k1_memcmp_var(&signature[0], &signature[1], sizeof(signature[0])) != 0); 6471 CHECK(secp256k1_memcmp_var(&signature[0], &signature[2], sizeof(signature[0])) != 0); 6472 CHECK(secp256k1_memcmp_var(&signature[0], &signature[3], sizeof(signature[0])) != 0); 6473 CHECK(secp256k1_memcmp_var(&signature[1], &signature[2], sizeof(signature[0])) != 0); 6474 CHECK(secp256k1_memcmp_var(&signature[1], &signature[3], sizeof(signature[0])) != 0); 6475 CHECK(secp256k1_memcmp_var(&signature[2], &signature[3], sizeof(signature[0])) != 0); 6476 /* Verify. */ 6477 CHECK(secp256k1_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 1); 6478 CHECK(secp256k1_ecdsa_verify(CTX, &signature[1], message, &pubkey) == 1); 6479 CHECK(secp256k1_ecdsa_verify(CTX, &signature[2], message, &pubkey) == 1); 6480 CHECK(secp256k1_ecdsa_verify(CTX, &signature[3], message, &pubkey) == 1); 6481 /* Test lower-S form, malleate, verify and fail, test again, malleate again */ 6482 CHECK(!secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[0])); 6483 secp256k1_ecdsa_signature_load(CTX, &r, &s, &signature[0]); 6484 secp256k1_scalar_negate(&s, &s); 6485 secp256k1_ecdsa_signature_save(&signature[5], &r, &s); 6486 CHECK(secp256k1_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 0); 6487 CHECK(secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[5])); 6488 CHECK(secp256k1_ecdsa_signature_normalize(CTX, &signature[5], &signature[5])); 6489 CHECK(!secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[5])); 6490 CHECK(!secp256k1_ecdsa_signature_normalize(CTX, &signature[5], &signature[5])); 6491 CHECK(secp256k1_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 1); 6492 secp256k1_scalar_negate(&s, &s); 6493 secp256k1_ecdsa_signature_save(&signature[5], &r, &s); 6494 CHECK(!secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[5])); 6495 CHECK(secp256k1_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 1); 6496 CHECK(secp256k1_memcmp_var(&signature[5], &signature[0], 64) == 0); 6497 6498 /* Serialize/parse DER and verify again */ 6499 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, sig, &siglen, &signature[0]) == 1); 6500 memset(&signature[0], 0, sizeof(signature[0])); 6501 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &signature[0], sig, siglen) == 1); 6502 CHECK(secp256k1_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 1); 6503 /* Serialize/destroy/parse DER and verify again. */ 6504 siglen = 74; 6505 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, sig, &siglen, &signature[0]) == 1); 6506 sig[testrand_int(siglen)] += 1 + testrand_int(255); 6507 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &signature[0], sig, siglen) == 0 || 6508 secp256k1_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 0); 6509 } 6510 6511 static void test_random_pubkeys(void) { 6512 secp256k1_ge elem; 6513 secp256k1_ge elem2; 6514 unsigned char in[65]; 6515 /* Generate some randomly sized pubkeys. */ 6516 size_t len = testrand_bits(2) == 0 ? 65 : 33; 6517 if (testrand_bits(2) == 0) { 6518 len = testrand_bits(6); 6519 } 6520 if (len == 65) { 6521 in[0] = testrand_bits(1) ? 4 : (testrand_bits(1) ? 6 : 7); 6522 } else { 6523 in[0] = testrand_bits(1) ? 2 : 3; 6524 } 6525 if (testrand_bits(3) == 0) { 6526 in[0] = testrand_bits(8); 6527 } 6528 if (len > 1) { 6529 testrand256(&in[1]); 6530 } 6531 if (len > 33) { 6532 testrand256(&in[33]); 6533 } 6534 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) { 6535 unsigned char out[65]; 6536 unsigned char firstb; 6537 int res; 6538 size_t size = len; 6539 firstb = in[0]; 6540 /* If the pubkey can be parsed, it should round-trip... */ 6541 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33)); 6542 CHECK(size == len); 6543 CHECK(secp256k1_memcmp_var(&in[1], &out[1], len-1) == 0); 6544 /* ... except for the type of hybrid inputs. */ 6545 if ((in[0] != 6) && (in[0] != 7)) { 6546 CHECK(in[0] == out[0]); 6547 } 6548 size = 65; 6549 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0)); 6550 CHECK(size == 65); 6551 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size)); 6552 CHECK(secp256k1_ge_eq_var(&elem2, &elem)); 6553 /* Check that the X9.62 hybrid type is checked. */ 6554 in[0] = testrand_bits(1) ? 6 : 7; 6555 res = secp256k1_eckey_pubkey_parse(&elem2, in, size); 6556 if (firstb == 2 || firstb == 3) { 6557 if (in[0] == firstb + 4) { 6558 CHECK(res); 6559 } else { 6560 CHECK(!res); 6561 } 6562 } 6563 if (res) { 6564 CHECK(secp256k1_ge_eq_var(&elem, &elem2)); 6565 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0)); 6566 CHECK(secp256k1_memcmp_var(&in[1], &out[1], 64) == 0); 6567 } 6568 } 6569 } 6570 6571 static void run_pubkey_comparison(void) { 6572 unsigned char pk1_ser[33] = { 6573 0x02, 6574 0x58, 0x84, 0xb3, 0xa2, 0x4b, 0x97, 0x37, 0x88, 0x92, 0x38, 0xa6, 0x26, 0x62, 0x52, 0x35, 0x11, 6575 0xd0, 0x9a, 0xa1, 0x1b, 0x80, 0x0b, 0x5e, 0x93, 0x80, 0x26, 0x11, 0xef, 0x67, 0x4b, 0xd9, 0x23 6576 }; 6577 const unsigned char pk2_ser[33] = { 6578 0x02, 6579 0xde, 0x36, 0x0e, 0x87, 0x59, 0x8f, 0x3c, 0x01, 0x36, 0x2a, 0x2a, 0xb8, 0xc6, 0xf4, 0x5e, 0x4d, 6580 0xb2, 0xc2, 0xd5, 0x03, 0xa7, 0xf9, 0xf1, 0x4f, 0xa8, 0xfa, 0x95, 0xa8, 0xe9, 0x69, 0x76, 0x1c 6581 }; 6582 secp256k1_pubkey pk1; 6583 secp256k1_pubkey pk2; 6584 6585 CHECK(secp256k1_ec_pubkey_parse(CTX, &pk1, pk1_ser, sizeof(pk1_ser)) == 1); 6586 CHECK(secp256k1_ec_pubkey_parse(CTX, &pk2, pk2_ser, sizeof(pk2_ser)) == 1); 6587 6588 CHECK_ILLEGAL_VOID(CTX, CHECK(secp256k1_ec_pubkey_cmp(CTX, NULL, &pk2) < 0)); 6589 CHECK_ILLEGAL_VOID(CTX, CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, NULL) > 0)); 6590 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, &pk2) < 0); 6591 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk1) > 0); 6592 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, &pk1) == 0); 6593 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk2) == 0); 6594 { 6595 secp256k1_pubkey pk_tmp; 6596 memset(&pk_tmp, 0, sizeof(pk_tmp)); /* illegal pubkey */ 6597 CHECK_ILLEGAL_VOID(CTX, CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk_tmp, &pk2) < 0)); 6598 { 6599 int32_t ecount = 0; 6600 secp256k1_context_set_illegal_callback(CTX, counting_callback_fn, &ecount); 6601 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk_tmp, &pk_tmp) == 0); 6602 CHECK(ecount == 2); 6603 secp256k1_context_set_illegal_callback(CTX, NULL, NULL); 6604 } 6605 CHECK_ILLEGAL_VOID(CTX, CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk_tmp) > 0)); 6606 } 6607 6608 /* Make pk2 the same as pk1 but with 3 rather than 2. Note that in 6609 * an uncompressed encoding, these would have the opposite ordering */ 6610 pk1_ser[0] = 3; 6611 CHECK(secp256k1_ec_pubkey_parse(CTX, &pk2, pk1_ser, sizeof(pk1_ser)) == 1); 6612 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, &pk2) < 0); 6613 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk1) > 0); 6614 } 6615 6616 static void test_sort_helper(secp256k1_pubkey *pk, size_t *pk_order, size_t n_pk) { 6617 size_t i; 6618 const secp256k1_pubkey *pk_test[5]; 6619 6620 for (i = 0; i < n_pk; i++) { 6621 pk_test[i] = &pk[pk_order[i]]; 6622 } 6623 secp256k1_ec_pubkey_sort(CTX, pk_test, n_pk); 6624 for (i = 0; i < n_pk; i++) { 6625 CHECK(secp256k1_memcmp_var(pk_test[i], &pk[i], sizeof(*pk_test[i])) == 0); 6626 } 6627 } 6628 6629 static void permute(size_t *arr, size_t n) { 6630 size_t i; 6631 for (i = n - 1; i >= 1; i--) { 6632 size_t tmp, j; 6633 j = testrand_int(i + 1); 6634 tmp = arr[i]; 6635 arr[i] = arr[j]; 6636 arr[j] = tmp; 6637 } 6638 } 6639 6640 static void test_sort_api(void) { 6641 secp256k1_pubkey pks[2]; 6642 const secp256k1_pubkey *pks_ptr[2]; 6643 6644 pks_ptr[0] = &pks[0]; 6645 pks_ptr[1] = &pks[1]; 6646 6647 testutil_random_pubkey_test(&pks[0]); 6648 testutil_random_pubkey_test(&pks[1]); 6649 6650 CHECK(secp256k1_ec_pubkey_sort(CTX, pks_ptr, 2) == 1); 6651 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_sort(CTX, NULL, 2)); 6652 CHECK(secp256k1_ec_pubkey_sort(CTX, pks_ptr, 0) == 1); 6653 /* Test illegal public keys */ 6654 memset(&pks[0], 0, sizeof(pks[0])); 6655 CHECK_ILLEGAL_VOID(CTX, CHECK(secp256k1_ec_pubkey_sort(CTX, pks_ptr, 2) == 1)); 6656 memset(&pks[1], 0, sizeof(pks[1])); 6657 { 6658 int32_t ecount = 0; 6659 secp256k1_context_set_illegal_callback(CTX, counting_callback_fn, &ecount); 6660 CHECK(secp256k1_ec_pubkey_sort(CTX, pks_ptr, 2) == 1); 6661 CHECK(ecount == 2); 6662 secp256k1_context_set_illegal_callback(CTX, NULL, NULL); 6663 } 6664 } 6665 6666 static void test_sort(void) { 6667 secp256k1_pubkey pk[5]; 6668 unsigned char pk_ser[5][33] = { 6669 { 0x02, 0x08 }, 6670 { 0x02, 0x0b }, 6671 { 0x02, 0x0c }, 6672 { 0x03, 0x05 }, 6673 { 0x03, 0x0a }, 6674 }; 6675 int i; 6676 size_t pk_order[5] = { 0, 1, 2, 3, 4 }; 6677 6678 for (i = 0; i < 5; i++) { 6679 CHECK(secp256k1_ec_pubkey_parse(CTX, &pk[i], pk_ser[i], sizeof(pk_ser[i]))); 6680 } 6681 6682 permute(pk_order, 1); 6683 test_sort_helper(pk, pk_order, 1); 6684 permute(pk_order, 2); 6685 test_sort_helper(pk, pk_order, 2); 6686 permute(pk_order, 3); 6687 test_sort_helper(pk, pk_order, 3); 6688 for (i = 0; i < COUNT; i++) { 6689 permute(pk_order, 4); 6690 test_sort_helper(pk, pk_order, 4); 6691 } 6692 for (i = 0; i < COUNT; i++) { 6693 permute(pk_order, 5); 6694 test_sort_helper(pk, pk_order, 5); 6695 } 6696 /* Check that sorting also works for random pubkeys */ 6697 for (i = 0; i < COUNT; i++) { 6698 int j; 6699 const secp256k1_pubkey *pk_ptr[5]; 6700 for (j = 0; j < 5; j++) { 6701 testutil_random_pubkey_test(&pk[j]); 6702 pk_ptr[j] = &pk[j]; 6703 } 6704 secp256k1_ec_pubkey_sort(CTX, pk_ptr, 5); 6705 for (j = 1; j < 5; j++) { 6706 CHECK(secp256k1_ec_pubkey_sort_cmp(&pk_ptr[j - 1], &pk_ptr[j], CTX) <= 0); 6707 } 6708 } 6709 } 6710 6711 /* Test vectors from BIP-MuSig2 */ 6712 static void test_sort_vectors(void) { 6713 enum { N_PUBKEYS = 6 }; 6714 unsigned char pk_ser[N_PUBKEYS][33] = { 6715 { 0x02, 0xDD, 0x30, 0x8A, 0xFE, 0xC5, 0x77, 0x7E, 0x13, 0x12, 0x1F, 6716 0xA7, 0x2B, 0x9C, 0xC1, 0xB7, 0xCC, 0x01, 0x39, 0x71, 0x53, 0x09, 6717 0xB0, 0x86, 0xC9, 0x60, 0xE1, 0x8F, 0xD9, 0x69, 0x77, 0x4E, 0xB8 }, 6718 { 0x02, 0xF9, 0x30, 0x8A, 0x01, 0x92, 0x58, 0xC3, 0x10, 0x49, 0x34, 6719 0x4F, 0x85, 0xF8, 0x9D, 0x52, 0x29, 0xB5, 0x31, 0xC8, 0x45, 0x83, 6720 0x6F, 0x99, 0xB0, 0x86, 0x01, 0xF1, 0x13, 0xBC, 0xE0, 0x36, 0xF9 }, 6721 { 0x03, 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F, 0x36, 0x18, 6722 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE, 0x58, 0xFE, 0xAE, 0x1D, 0xA2, 6723 0xDE, 0xCE, 0xD8, 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59 }, 6724 { 0x02, 0x35, 0x90, 0xA9, 0x4E, 0x76, 0x8F, 0x8E, 0x18, 0x15, 0xC2, 6725 0xF2, 0x4B, 0x4D, 0x80, 0xA8, 0xE3, 0x14, 0x93, 0x16, 0xC3, 0x51, 6726 0x8C, 0xE7, 0xB7, 0xAD, 0x33, 0x83, 0x68, 0xD0, 0x38, 0xCA, 0x66 }, 6727 { 0x02, 0xDD, 0x30, 0x8A, 0xFE, 0xC5, 0x77, 0x7E, 0x13, 0x12, 0x1F, 6728 0xA7, 0x2B, 0x9C, 0xC1, 0xB7, 0xCC, 0x01, 0x39, 0x71, 0x53, 0x09, 6729 0xB0, 0x86, 0xC9, 0x60, 0xE1, 0x8F, 0xD9, 0x69, 0x77, 0x4E, 0xFF }, 6730 { 0x02, 0xDD, 0x30, 0x8A, 0xFE, 0xC5, 0x77, 0x7E, 0x13, 0x12, 0x1F, 6731 0xA7, 0x2B, 0x9C, 0xC1, 0xB7, 0xCC, 0x01, 0x39, 0x71, 0x53, 0x09, 6732 0xB0, 0x86, 0xC9, 0x60, 0xE1, 0x8F, 0xD9, 0x69, 0x77, 0x4E, 0xB8 } 6733 }; 6734 secp256k1_pubkey pubkeys[N_PUBKEYS]; 6735 secp256k1_pubkey *sorted[N_PUBKEYS]; 6736 const secp256k1_pubkey *pks_ptr[N_PUBKEYS]; 6737 int i; 6738 6739 sorted[0] = &pubkeys[3]; 6740 sorted[1] = &pubkeys[0]; 6741 sorted[2] = &pubkeys[0]; 6742 sorted[3] = &pubkeys[4]; 6743 sorted[4] = &pubkeys[1]; 6744 sorted[5] = &pubkeys[2]; 6745 6746 for (i = 0; i < N_PUBKEYS; i++) { 6747 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkeys[i], pk_ser[i], sizeof(pk_ser[i]))); 6748 pks_ptr[i] = &pubkeys[i]; 6749 } 6750 CHECK(secp256k1_ec_pubkey_sort(CTX, pks_ptr, N_PUBKEYS) == 1); 6751 for (i = 0; i < N_PUBKEYS; i++) { 6752 CHECK(secp256k1_memcmp_var(pks_ptr[i], sorted[i], sizeof(secp256k1_pubkey)) == 0); 6753 } 6754 } 6755 6756 static void run_pubkey_sort(void) { 6757 test_sort_api(); 6758 test_sort(); 6759 test_sort_vectors(); 6760 } 6761 6762 6763 static void run_random_pubkeys(void) { 6764 int i; 6765 for (i = 0; i < 10*COUNT; i++) { 6766 test_random_pubkeys(); 6767 } 6768 } 6769 6770 static void run_ecdsa_end_to_end(void) { 6771 int i; 6772 for (i = 0; i < 64*COUNT; i++) { 6773 test_ecdsa_end_to_end(); 6774 } 6775 } 6776 6777 static int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) { 6778 static const unsigned char zeroes[32] = {0}; 6779 6780 int ret = 0; 6781 6782 secp256k1_ecdsa_signature sig_der; 6783 unsigned char roundtrip_der[2048]; 6784 unsigned char compact_der[64]; 6785 size_t len_der = 2048; 6786 int parsed_der = 0, valid_der = 0, roundtrips_der = 0; 6787 6788 secp256k1_ecdsa_signature sig_der_lax; 6789 unsigned char roundtrip_der_lax[2048]; 6790 unsigned char compact_der_lax[64]; 6791 size_t len_der_lax = 2048; 6792 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0; 6793 6794 parsed_der = secp256k1_ecdsa_signature_parse_der(CTX, &sig_der, sig, siglen); 6795 if (parsed_der) { 6796 ret |= (!secp256k1_ecdsa_signature_serialize_compact(CTX, compact_der, &sig_der)) << 0; 6797 valid_der = (secp256k1_memcmp_var(compact_der, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der + 32, zeroes, 32) != 0); 6798 } 6799 if (valid_der) { 6800 ret |= (!secp256k1_ecdsa_signature_serialize_der(CTX, roundtrip_der, &len_der, &sig_der)) << 1; 6801 roundtrips_der = (len_der == siglen) && secp256k1_memcmp_var(roundtrip_der, sig, siglen) == 0; 6802 } 6803 6804 parsed_der_lax = ecdsa_signature_parse_der_lax(CTX, &sig_der_lax, sig, siglen); 6805 if (parsed_der_lax) { 6806 ret |= (!secp256k1_ecdsa_signature_serialize_compact(CTX, compact_der_lax, &sig_der_lax)) << 10; 6807 valid_der_lax = (secp256k1_memcmp_var(compact_der_lax, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der_lax + 32, zeroes, 32) != 0); 6808 } 6809 if (valid_der_lax) { 6810 ret |= (!secp256k1_ecdsa_signature_serialize_der(CTX, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11; 6811 roundtrips_der_lax = (len_der_lax == siglen) && secp256k1_memcmp_var(roundtrip_der_lax, sig, siglen) == 0; 6812 } 6813 6814 if (certainly_der) { 6815 ret |= (!parsed_der) << 2; 6816 } 6817 if (certainly_not_der) { 6818 ret |= (parsed_der) << 17; 6819 } 6820 if (valid_der) { 6821 ret |= (!roundtrips_der) << 3; 6822 } 6823 6824 if (valid_der) { 6825 ret |= (!roundtrips_der_lax) << 12; 6826 ret |= (len_der != len_der_lax) << 13; 6827 ret |= ((len_der != len_der_lax) || (secp256k1_memcmp_var(roundtrip_der_lax, roundtrip_der, len_der) != 0)) << 14; 6828 } 6829 ret |= (roundtrips_der != roundtrips_der_lax) << 15; 6830 if (parsed_der) { 6831 ret |= (!parsed_der_lax) << 16; 6832 } 6833 6834 return ret; 6835 } 6836 6837 static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) { 6838 size_t i; 6839 for (i = 0; i < ptrlen; i++) { 6840 int shift = ptrlen - 1 - i; 6841 if (shift >= 4) { 6842 ptr[i] = 0; 6843 } else { 6844 ptr[i] = (val >> shift) & 0xFF; 6845 } 6846 } 6847 } 6848 6849 static void damage_array(unsigned char *sig, size_t *len) { 6850 int pos; 6851 int action = testrand_bits(3); 6852 if (action < 1 && *len > 3) { 6853 /* Delete a byte. */ 6854 pos = testrand_int(*len); 6855 memmove(sig + pos, sig + pos + 1, *len - pos - 1); 6856 (*len)--; 6857 return; 6858 } else if (action < 2 && *len < 2048) { 6859 /* Insert a byte. */ 6860 pos = testrand_int(1 + *len); 6861 memmove(sig + pos + 1, sig + pos, *len - pos); 6862 sig[pos] = testrand_bits(8); 6863 (*len)++; 6864 return; 6865 } else if (action < 4) { 6866 /* Modify a byte. */ 6867 sig[testrand_int(*len)] += 1 + testrand_int(255); 6868 return; 6869 } else { /* action < 8 */ 6870 /* Modify a bit. */ 6871 sig[testrand_int(*len)] ^= 1 << testrand_bits(3); 6872 return; 6873 } 6874 } 6875 6876 static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) { 6877 int der; 6878 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2]; 6879 size_t tlen, elen, glen; 6880 int indet; 6881 int n; 6882 6883 *len = 0; 6884 der = testrand_bits(2) == 0; 6885 *certainly_der = der; 6886 *certainly_not_der = 0; 6887 indet = der ? 0 : testrand_int(10) == 0; 6888 6889 for (n = 0; n < 2; n++) { 6890 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */ 6891 nlow[n] = der ? 1 : (testrand_bits(3) != 0); 6892 /* The length of the number in bytes (the first byte of which will always be nonzero) */ 6893 nlen[n] = nlow[n] ? testrand_int(33) : 32 + testrand_int(200) * testrand_bits(3) / 8; 6894 CHECK(nlen[n] <= 232); 6895 /* The top bit of the number. */ 6896 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : testrand_bits(1)); 6897 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */ 6898 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + testrand_bits(7) : 1 + testrand_int(127)); 6899 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */ 6900 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? testrand_int(3) : testrand_int(300 - nlen[n]) * testrand_bits(3) / 8); 6901 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) { 6902 *certainly_not_der = 1; 6903 } 6904 CHECK(nlen[n] + nzlen[n] <= 300); 6905 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */ 6906 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2); 6907 if (!der) { 6908 /* nlenlen[n] max 127 bytes */ 6909 int add = testrand_int(127 - nlenlen[n]) * testrand_bits(4) * testrand_bits(4) / 256; 6910 nlenlen[n] += add; 6911 if (add != 0) { 6912 *certainly_not_der = 1; 6913 } 6914 } 6915 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427); 6916 } 6917 6918 /* The total length of the data to go, so far */ 6919 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1]; 6920 CHECK(tlen <= 856); 6921 6922 /* The length of the garbage inside the tuple. */ 6923 elen = (der || indet) ? 0 : testrand_int(980 - tlen) * testrand_bits(3) / 8; 6924 if (elen != 0) { 6925 *certainly_not_der = 1; 6926 } 6927 tlen += elen; 6928 CHECK(tlen <= 980); 6929 6930 /* The length of the garbage after the end of the tuple. */ 6931 glen = der ? 0 : testrand_int(990 - tlen) * testrand_bits(3) / 8; 6932 if (glen != 0) { 6933 *certainly_not_der = 1; 6934 } 6935 CHECK(tlen + glen <= 990); 6936 6937 /* Write the tuple header. */ 6938 sig[(*len)++] = 0x30; 6939 if (indet) { 6940 /* Indeterminate length */ 6941 sig[(*len)++] = 0x80; 6942 *certainly_not_der = 1; 6943 } else { 6944 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2); 6945 if (!der) { 6946 int add = testrand_int(127 - tlenlen) * testrand_bits(4) * testrand_bits(4) / 256; 6947 tlenlen += add; 6948 if (add != 0) { 6949 *certainly_not_der = 1; 6950 } 6951 } 6952 if (tlenlen == 0) { 6953 /* Short length notation */ 6954 sig[(*len)++] = tlen; 6955 } else { 6956 /* Long length notation */ 6957 sig[(*len)++] = 128 + tlenlen; 6958 assign_big_endian(sig + *len, tlenlen, tlen); 6959 *len += tlenlen; 6960 } 6961 tlen += tlenlen; 6962 } 6963 tlen += 2; 6964 CHECK(tlen + glen <= 1119); 6965 6966 for (n = 0; n < 2; n++) { 6967 /* Write the integer header. */ 6968 sig[(*len)++] = 0x02; 6969 if (nlenlen[n] == 0) { 6970 /* Short length notation */ 6971 sig[(*len)++] = nlen[n] + nzlen[n]; 6972 } else { 6973 /* Long length notation. */ 6974 sig[(*len)++] = 128 + nlenlen[n]; 6975 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]); 6976 *len += nlenlen[n]; 6977 } 6978 /* Write zero padding */ 6979 while (nzlen[n] > 0) { 6980 sig[(*len)++] = 0x00; 6981 nzlen[n]--; 6982 } 6983 if (nlen[n] == 32 && !nlow[n]) { 6984 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */ 6985 int i; 6986 for (i = 0; i < 16; i++) { 6987 sig[(*len)++] = 0xFF; 6988 } 6989 nlen[n] -= 16; 6990 } 6991 /* Write first byte of number */ 6992 if (nlen[n] > 0) { 6993 sig[(*len)++] = nhbyte[n]; 6994 nlen[n]--; 6995 } 6996 /* Generate remaining random bytes of number */ 6997 testrand_bytes_test(sig + *len, nlen[n]); 6998 *len += nlen[n]; 6999 nlen[n] = 0; 7000 } 7001 7002 /* Generate random garbage inside tuple. */ 7003 testrand_bytes_test(sig + *len, elen); 7004 *len += elen; 7005 7006 /* Generate end-of-contents bytes. */ 7007 if (indet) { 7008 sig[(*len)++] = 0; 7009 sig[(*len)++] = 0; 7010 tlen += 2; 7011 } 7012 CHECK(tlen + glen <= 1121); 7013 7014 /* Generate random garbage outside tuple. */ 7015 testrand_bytes_test(sig + *len, glen); 7016 *len += glen; 7017 tlen += glen; 7018 CHECK(tlen <= 1121); 7019 CHECK(tlen == *len); 7020 } 7021 7022 static void run_ecdsa_der_parse(void) { 7023 int i,j; 7024 for (i = 0; i < 200 * COUNT; i++) { 7025 unsigned char buffer[2048]; 7026 size_t buflen = 0; 7027 int certainly_der = 0; 7028 int certainly_not_der = 0; 7029 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der); 7030 CHECK(buflen <= 2048); 7031 for (j = 0; j < 16; j++) { 7032 int ret = 0; 7033 if (j > 0) { 7034 damage_array(buffer, &buflen); 7035 /* We don't know anything anymore about the DERness of the result */ 7036 certainly_der = 0; 7037 certainly_not_der = 0; 7038 } 7039 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der); 7040 if (ret != 0) { 7041 size_t k; 7042 fprintf(stderr, "Failure %x on ", ret); 7043 for (k = 0; k < buflen; k++) { 7044 fprintf(stderr, "%02x ", buffer[k]); 7045 } 7046 fprintf(stderr, "\n"); 7047 } 7048 CHECK(ret == 0); 7049 } 7050 } 7051 } 7052 7053 /* Tests several edge cases. */ 7054 static void test_ecdsa_edge_cases(void) { 7055 int t; 7056 secp256k1_ecdsa_signature sig; 7057 7058 /* Test the case where ECDSA recomputes a point that is infinity. */ 7059 { 7060 secp256k1_gej keyj; 7061 secp256k1_ge key; 7062 secp256k1_scalar msg; 7063 secp256k1_scalar sr, ss; 7064 secp256k1_scalar_set_int(&ss, 1); 7065 secp256k1_scalar_negate(&ss, &ss); 7066 secp256k1_scalar_inverse(&ss, &ss); 7067 secp256k1_scalar_set_int(&sr, 1); 7068 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &keyj, &sr); 7069 secp256k1_ge_set_gej(&key, &keyj); 7070 msg = ss; 7071 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0); 7072 } 7073 7074 /* Verify signature with r of zero fails. */ 7075 { 7076 const unsigned char pubkey_mods_zero[33] = { 7077 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 7078 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 7079 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 7080 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 7081 0x41 7082 }; 7083 secp256k1_ge key; 7084 secp256k1_scalar msg; 7085 secp256k1_scalar sr, ss; 7086 secp256k1_scalar_set_int(&ss, 1); 7087 secp256k1_scalar_set_int(&msg, 0); 7088 secp256k1_scalar_set_int(&sr, 0); 7089 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33)); 7090 CHECK(secp256k1_ecdsa_sig_verify( &sr, &ss, &key, &msg) == 0); 7091 } 7092 7093 /* Verify signature with s of zero fails. */ 7094 { 7095 const unsigned char pubkey[33] = { 7096 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7097 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7098 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7099 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7100 0x01 7101 }; 7102 secp256k1_ge key; 7103 secp256k1_scalar msg; 7104 secp256k1_scalar sr, ss; 7105 secp256k1_scalar_set_int(&ss, 0); 7106 secp256k1_scalar_set_int(&msg, 0); 7107 secp256k1_scalar_set_int(&sr, 1); 7108 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33)); 7109 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0); 7110 } 7111 7112 /* Verify signature with message 0 passes. */ 7113 { 7114 const unsigned char pubkey[33] = { 7115 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7116 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7117 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7118 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7119 0x02 7120 }; 7121 const unsigned char pubkey2[33] = { 7122 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 7123 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 7124 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 7125 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 7126 0x43 7127 }; 7128 secp256k1_ge key; 7129 secp256k1_ge key2; 7130 secp256k1_scalar msg; 7131 secp256k1_scalar sr, ss; 7132 secp256k1_scalar_set_int(&ss, 2); 7133 secp256k1_scalar_set_int(&msg, 0); 7134 secp256k1_scalar_set_int(&sr, 2); 7135 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33)); 7136 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33)); 7137 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1); 7138 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1); 7139 secp256k1_scalar_negate(&ss, &ss); 7140 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1); 7141 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1); 7142 secp256k1_scalar_set_int(&ss, 1); 7143 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0); 7144 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 0); 7145 } 7146 7147 /* Verify signature with message 1 passes. */ 7148 { 7149 const unsigned char pubkey[33] = { 7150 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22, 7151 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05, 7152 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c, 7153 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76, 7154 0x25 7155 }; 7156 const unsigned char pubkey2[33] = { 7157 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40, 7158 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae, 7159 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f, 7160 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10, 7161 0x62 7162 }; 7163 const unsigned char csr[32] = { 7164 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7165 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 7166 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4, 7167 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb 7168 }; 7169 secp256k1_ge key; 7170 secp256k1_ge key2; 7171 secp256k1_scalar msg; 7172 secp256k1_scalar sr, ss; 7173 secp256k1_scalar_set_int(&ss, 1); 7174 secp256k1_scalar_set_int(&msg, 1); 7175 secp256k1_scalar_set_b32(&sr, csr, NULL); 7176 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33)); 7177 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33)); 7178 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1); 7179 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1); 7180 secp256k1_scalar_negate(&ss, &ss); 7181 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1); 7182 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1); 7183 secp256k1_scalar_set_int(&ss, 2); 7184 secp256k1_scalar_inverse_var(&ss, &ss); 7185 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0); 7186 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 0); 7187 } 7188 7189 /* Verify signature with message -1 passes. */ 7190 { 7191 const unsigned char pubkey[33] = { 7192 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0, 7193 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52, 7194 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27, 7195 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20, 7196 0xf1 7197 }; 7198 const unsigned char csr[32] = { 7199 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7200 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 7201 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4, 7202 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee 7203 }; 7204 secp256k1_ge key; 7205 secp256k1_scalar msg; 7206 secp256k1_scalar sr, ss; 7207 secp256k1_scalar_set_int(&ss, 1); 7208 secp256k1_scalar_set_int(&msg, 1); 7209 secp256k1_scalar_negate(&msg, &msg); 7210 secp256k1_scalar_set_b32(&sr, csr, NULL); 7211 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33)); 7212 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1); 7213 secp256k1_scalar_negate(&ss, &ss); 7214 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1); 7215 secp256k1_scalar_set_int(&ss, 3); 7216 secp256k1_scalar_inverse_var(&ss, &ss); 7217 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0); 7218 } 7219 7220 /* Signature where s would be zero. */ 7221 { 7222 secp256k1_pubkey pubkey; 7223 size_t siglen; 7224 unsigned char signature[72]; 7225 static const unsigned char nonce[32] = { 7226 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7227 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7228 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7229 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 7230 }; 7231 static const unsigned char nonce2[32] = { 7232 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 7233 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE, 7234 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B, 7235 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40 7236 }; 7237 const unsigned char key[32] = { 7238 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7239 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7240 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7241 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 7242 }; 7243 unsigned char msg[32] = { 7244 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53, 7245 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7, 7246 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62, 7247 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9, 7248 }; 7249 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce) == 0); 7250 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce2) == 0); 7251 msg[31] = 0xaa; 7252 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce) == 1); 7253 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_sign(CTX, NULL, msg, key, precomputed_nonce_function, nonce2)); 7254 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_sign(CTX, &sig, NULL, key, precomputed_nonce_function, nonce2)); 7255 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_sign(CTX, &sig, msg, NULL, precomputed_nonce_function, nonce2)); 7256 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce2) == 1); 7257 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, key) == 1); 7258 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_verify(CTX, NULL, msg, &pubkey)); 7259 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_verify(CTX, &sig, NULL, &pubkey)); 7260 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_verify(CTX, &sig, msg, NULL)); 7261 CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg, &pubkey) == 1); 7262 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_create(CTX, &pubkey, NULL)); 7263 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */ 7264 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_verify(CTX, &sig, msg, &pubkey)); 7265 siglen = 72; 7266 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_serialize_der(CTX, NULL, &siglen, &sig)); 7267 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_serialize_der(CTX, signature, NULL, &sig)); 7268 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_serialize_der(CTX, signature, &siglen, NULL)); 7269 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, signature, &siglen, &sig) == 1); 7270 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_parse_der(CTX, NULL, signature, siglen)); 7271 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_parse_der(CTX, &sig, NULL, siglen)); 7272 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, signature, siglen) == 1); 7273 siglen = 10; 7274 /* Too little room for a signature does not fail via ARGCHECK. */ 7275 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, signature, &siglen, &sig) == 0); 7276 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_normalize(CTX, NULL, NULL)); 7277 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_serialize_compact(CTX, NULL, &sig)); 7278 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_serialize_compact(CTX, signature, NULL)); 7279 CHECK(secp256k1_ecdsa_signature_serialize_compact(CTX, signature, &sig) == 1); 7280 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_parse_compact(CTX, NULL, signature)); 7281 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_parse_compact(CTX, &sig, NULL)); 7282 CHECK(secp256k1_ecdsa_signature_parse_compact(CTX, &sig, signature) == 1); 7283 memset(signature, 255, 64); 7284 CHECK(secp256k1_ecdsa_signature_parse_compact(CTX, &sig, signature) == 0); 7285 } 7286 7287 /* Nonce function corner cases. */ 7288 for (t = 0; t < 2; t++) { 7289 static const unsigned char zero[32] = {0x00}; 7290 int i; 7291 unsigned char key[32]; 7292 unsigned char msg[32]; 7293 secp256k1_ecdsa_signature sig2; 7294 secp256k1_scalar sr[512], ss; 7295 const unsigned char *extra; 7296 extra = t == 0 ? NULL : zero; 7297 memset(msg, 0, 32); 7298 msg[31] = 1; 7299 /* High key results in signature failure. */ 7300 memset(key, 0xFF, 32); 7301 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, NULL, extra) == 0); 7302 CHECK(is_empty_signature(&sig)); 7303 /* Zero key results in signature failure. */ 7304 memset(key, 0, 32); 7305 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, NULL, extra) == 0); 7306 CHECK(is_empty_signature(&sig)); 7307 /* Nonce function failure results in signature failure. */ 7308 key[31] = 1; 7309 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, nonce_function_test_fail, extra) == 0); 7310 CHECK(is_empty_signature(&sig)); 7311 /* The retry loop successfully makes its way to the first good value. */ 7312 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, nonce_function_test_retry, extra) == 1); 7313 CHECK(!is_empty_signature(&sig)); 7314 CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, nonce_function_rfc6979, extra) == 1); 7315 CHECK(!is_empty_signature(&sig2)); 7316 CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0); 7317 /* The default nonce function is deterministic. */ 7318 CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1); 7319 CHECK(!is_empty_signature(&sig2)); 7320 CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0); 7321 /* The default nonce function changes output with different messages. */ 7322 for(i = 0; i < 256; i++) { 7323 int j; 7324 msg[0] = i; 7325 CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1); 7326 CHECK(!is_empty_signature(&sig2)); 7327 secp256k1_ecdsa_signature_load(CTX, &sr[i], &ss, &sig2); 7328 for (j = 0; j < i; j++) { 7329 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j])); 7330 } 7331 } 7332 msg[0] = 0; 7333 msg[31] = 2; 7334 /* The default nonce function changes output with different keys. */ 7335 for(i = 256; i < 512; i++) { 7336 int j; 7337 key[0] = i - 256; 7338 CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1); 7339 CHECK(!is_empty_signature(&sig2)); 7340 secp256k1_ecdsa_signature_load(CTX, &sr[i], &ss, &sig2); 7341 for (j = 0; j < i; j++) { 7342 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j])); 7343 } 7344 } 7345 key[0] = 0; 7346 } 7347 7348 { 7349 /* Check that optional nonce arguments do not have equivalent effect. */ 7350 const unsigned char zeros[32] = {0}; 7351 unsigned char nonce[32]; 7352 unsigned char nonce2[32]; 7353 unsigned char nonce3[32]; 7354 unsigned char nonce4[32]; 7355 SECP256K1_CHECKMEM_UNDEFINE(nonce,32); 7356 SECP256K1_CHECKMEM_UNDEFINE(nonce2,32); 7357 SECP256K1_CHECKMEM_UNDEFINE(nonce3,32); 7358 SECP256K1_CHECKMEM_UNDEFINE(nonce4,32); 7359 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1); 7360 SECP256K1_CHECKMEM_CHECK(nonce,32); 7361 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1); 7362 SECP256K1_CHECKMEM_CHECK(nonce2,32); 7363 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1); 7364 SECP256K1_CHECKMEM_CHECK(nonce3,32); 7365 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1); 7366 SECP256K1_CHECKMEM_CHECK(nonce4,32); 7367 CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0); 7368 CHECK(secp256k1_memcmp_var(nonce, nonce3, 32) != 0); 7369 CHECK(secp256k1_memcmp_var(nonce, nonce4, 32) != 0); 7370 CHECK(secp256k1_memcmp_var(nonce2, nonce3, 32) != 0); 7371 CHECK(secp256k1_memcmp_var(nonce2, nonce4, 32) != 0); 7372 CHECK(secp256k1_memcmp_var(nonce3, nonce4, 32) != 0); 7373 } 7374 7375 7376 /* Privkey export where pubkey is the point at infinity. */ 7377 { 7378 unsigned char privkey[300]; 7379 unsigned char seckey[32] = { 7380 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 7381 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 7382 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b, 7383 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41, 7384 }; 7385 size_t outlen = 300; 7386 CHECK(!ec_privkey_export_der(CTX, privkey, &outlen, seckey, 0)); 7387 outlen = 300; 7388 CHECK(!ec_privkey_export_der(CTX, privkey, &outlen, seckey, 1)); 7389 } 7390 } 7391 7392 static void run_ecdsa_edge_cases(void) { 7393 test_ecdsa_edge_cases(); 7394 } 7395 7396 /** Wycheproof tests 7397 7398 The tests check for known attacks (range checks in (r,s), arithmetic errors, malleability). 7399 */ 7400 static void test_ecdsa_wycheproof(void) { 7401 #include "wycheproof/ecdsa_secp256k1_sha256_bitcoin_test.h" 7402 7403 int t; 7404 for (t = 0; t < SECP256K1_ECDSA_WYCHEPROOF_NUMBER_TESTVECTORS; t++) { 7405 secp256k1_ecdsa_signature signature; 7406 secp256k1_sha256 hasher; 7407 secp256k1_pubkey pubkey; 7408 const unsigned char *msg, *sig, *pk; 7409 unsigned char out[32] = {0}; 7410 int actual_verify = 0; 7411 7412 memset(&pubkey, 0, sizeof(pubkey)); 7413 pk = &wycheproof_ecdsa_public_keys[testvectors[t].pk_offset]; 7414 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pk, 65) == 1); 7415 7416 secp256k1_sha256_initialize(&hasher); 7417 msg = &wycheproof_ecdsa_messages[testvectors[t].msg_offset]; 7418 secp256k1_sha256_write(&hasher, msg, testvectors[t].msg_len); 7419 secp256k1_sha256_finalize(&hasher, out); 7420 7421 sig = &wycheproof_ecdsa_signatures[testvectors[t].sig_offset]; 7422 if (secp256k1_ecdsa_signature_parse_der(CTX, &signature, sig, testvectors[t].sig_len) == 1) { 7423 actual_verify = secp256k1_ecdsa_verify(CTX, (const secp256k1_ecdsa_signature *)&signature, out, &pubkey); 7424 } 7425 CHECK(testvectors[t].expected_verify == actual_verify); 7426 } 7427 } 7428 7429 /* Tests cases from Wycheproof test suite. */ 7430 static void run_ecdsa_wycheproof(void) { 7431 test_ecdsa_wycheproof(); 7432 } 7433 7434 #ifdef ENABLE_MODULE_ECDH 7435 # include "modules/ecdh/tests_impl.h" 7436 #endif 7437 7438 #ifdef ENABLE_MODULE_RECOVERY 7439 # include "modules/recovery/tests_impl.h" 7440 #endif 7441 7442 #ifdef ENABLE_MODULE_EXTRAKEYS 7443 # include "modules/extrakeys/tests_impl.h" 7444 #endif 7445 7446 #ifdef ENABLE_MODULE_SCHNORRSIG 7447 # include "modules/schnorrsig/tests_impl.h" 7448 #endif 7449 7450 #ifdef ENABLE_MODULE_MUSIG 7451 # include "modules/musig/tests_impl.h" 7452 #endif 7453 7454 #ifdef ENABLE_MODULE_ELLSWIFT 7455 # include "modules/ellswift/tests_impl.h" 7456 #endif 7457 7458 static void run_secp256k1_memczero_test(void) { 7459 unsigned char buf1[6] = {1, 2, 3, 4, 5, 6}; 7460 unsigned char buf2[sizeof(buf1)]; 7461 7462 /* secp256k1_memczero(..., ..., 0) is a noop. */ 7463 memcpy(buf2, buf1, sizeof(buf1)); 7464 secp256k1_memczero(buf1, sizeof(buf1), 0); 7465 CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0); 7466 7467 /* secp256k1_memczero(..., ..., 1) zeros the buffer. */ 7468 memset(buf2, 0, sizeof(buf2)); 7469 secp256k1_memczero(buf1, sizeof(buf1) , 1); 7470 CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0); 7471 } 7472 7473 7474 static void run_secp256k1_is_zero_array_test(void) { 7475 unsigned char buf1[3] = {0, 1}; 7476 unsigned char buf2[3] = {1, 0}; 7477 7478 CHECK(secp256k1_is_zero_array(buf1, 0) == 1); 7479 CHECK(secp256k1_is_zero_array(buf1, 1) == 1); 7480 CHECK(secp256k1_is_zero_array(buf1, 2) == 0); 7481 CHECK(secp256k1_is_zero_array(buf2, 1) == 0); 7482 CHECK(secp256k1_is_zero_array(buf2, 2) == 0); 7483 } 7484 7485 static void run_secp256k1_byteorder_tests(void) { 7486 { 7487 const uint32_t x = 0xFF03AB45; 7488 const unsigned char x_be[4] = {0xFF, 0x03, 0xAB, 0x45}; 7489 unsigned char buf[4]; 7490 uint32_t x_; 7491 7492 secp256k1_write_be32(buf, x); 7493 CHECK(secp256k1_memcmp_var(buf, x_be, sizeof(buf)) == 0); 7494 7495 x_ = secp256k1_read_be32(buf); 7496 CHECK(x == x_); 7497 } 7498 7499 { 7500 const uint64_t x = 0xCAFE0123BEEF4567; 7501 const unsigned char x_be[8] = {0xCA, 0xFE, 0x01, 0x23, 0xBE, 0xEF, 0x45, 0x67}; 7502 unsigned char buf[8]; 7503 uint64_t x_; 7504 7505 secp256k1_write_be64(buf, x); 7506 CHECK(secp256k1_memcmp_var(buf, x_be, sizeof(buf)) == 0); 7507 7508 x_ = secp256k1_read_be64(buf); 7509 CHECK(x == x_); 7510 } 7511 } 7512 7513 static void int_cmov_test(void) { 7514 int r = INT_MAX; 7515 int a = 0; 7516 7517 secp256k1_int_cmov(&r, &a, 0); 7518 CHECK(r == INT_MAX); 7519 7520 r = 0; a = INT_MAX; 7521 secp256k1_int_cmov(&r, &a, 1); 7522 CHECK(r == INT_MAX); 7523 7524 a = 0; 7525 secp256k1_int_cmov(&r, &a, 1); 7526 CHECK(r == 0); 7527 7528 a = 1; 7529 secp256k1_int_cmov(&r, &a, 1); 7530 CHECK(r == 1); 7531 7532 r = 1; a = 0; 7533 secp256k1_int_cmov(&r, &a, 0); 7534 CHECK(r == 1); 7535 7536 } 7537 7538 static void fe_cmov_test(void) { 7539 static const secp256k1_fe zero = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0); 7540 static const secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1); 7541 static const secp256k1_fe max = SECP256K1_FE_CONST( 7542 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 7543 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL 7544 ); 7545 secp256k1_fe r = max; 7546 secp256k1_fe a = zero; 7547 7548 secp256k1_fe_cmov(&r, &a, 0); 7549 CHECK(fe_identical(&r, &max)); 7550 7551 r = zero; a = max; 7552 secp256k1_fe_cmov(&r, &a, 1); 7553 CHECK(fe_identical(&r, &max)); 7554 7555 a = zero; 7556 secp256k1_fe_cmov(&r, &a, 1); 7557 CHECK(fe_identical(&r, &zero)); 7558 7559 a = one; 7560 secp256k1_fe_cmov(&r, &a, 1); 7561 CHECK(fe_identical(&r, &one)); 7562 7563 r = one; a = zero; 7564 secp256k1_fe_cmov(&r, &a, 0); 7565 CHECK(fe_identical(&r, &one)); 7566 } 7567 7568 static void fe_storage_cmov_test(void) { 7569 static const secp256k1_fe_storage zero = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0); 7570 static const secp256k1_fe_storage one = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1); 7571 static const secp256k1_fe_storage max = SECP256K1_FE_STORAGE_CONST( 7572 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 7573 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL 7574 ); 7575 secp256k1_fe_storage r = max; 7576 secp256k1_fe_storage a = zero; 7577 7578 secp256k1_fe_storage_cmov(&r, &a, 0); 7579 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0); 7580 7581 r = zero; a = max; 7582 secp256k1_fe_storage_cmov(&r, &a, 1); 7583 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0); 7584 7585 a = zero; 7586 secp256k1_fe_storage_cmov(&r, &a, 1); 7587 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0); 7588 7589 a = one; 7590 secp256k1_fe_storage_cmov(&r, &a, 1); 7591 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0); 7592 7593 r = one; a = zero; 7594 secp256k1_fe_storage_cmov(&r, &a, 0); 7595 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0); 7596 } 7597 7598 static void scalar_cmov_test(void) { 7599 static const secp256k1_scalar max = SECP256K1_SCALAR_CONST( 7600 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFEUL, 7601 0xBAAEDCE6UL, 0xAF48A03BUL, 0xBFD25E8CUL, 0xD0364140UL 7602 ); 7603 secp256k1_scalar r = max; 7604 secp256k1_scalar a = secp256k1_scalar_zero; 7605 7606 secp256k1_scalar_cmov(&r, &a, 0); 7607 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0); 7608 7609 r = secp256k1_scalar_zero; a = max; 7610 secp256k1_scalar_cmov(&r, &a, 1); 7611 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0); 7612 7613 a = secp256k1_scalar_zero; 7614 secp256k1_scalar_cmov(&r, &a, 1); 7615 CHECK(secp256k1_memcmp_var(&r, &secp256k1_scalar_zero, sizeof(r)) == 0); 7616 7617 a = secp256k1_scalar_one; 7618 secp256k1_scalar_cmov(&r, &a, 1); 7619 CHECK(secp256k1_memcmp_var(&r, &secp256k1_scalar_one, sizeof(r)) == 0); 7620 7621 r = secp256k1_scalar_one; a = secp256k1_scalar_zero; 7622 secp256k1_scalar_cmov(&r, &a, 0); 7623 CHECK(secp256k1_memcmp_var(&r, &secp256k1_scalar_one, sizeof(r)) == 0); 7624 } 7625 7626 static void ge_storage_cmov_test(void) { 7627 static const secp256k1_ge_storage zero = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0); 7628 static const secp256k1_ge_storage one = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1); 7629 static const secp256k1_ge_storage max = SECP256K1_GE_STORAGE_CONST( 7630 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 7631 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 7632 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 7633 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL 7634 ); 7635 secp256k1_ge_storage r = max; 7636 secp256k1_ge_storage a = zero; 7637 7638 secp256k1_ge_storage_cmov(&r, &a, 0); 7639 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0); 7640 7641 r = zero; a = max; 7642 secp256k1_ge_storage_cmov(&r, &a, 1); 7643 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0); 7644 7645 a = zero; 7646 secp256k1_ge_storage_cmov(&r, &a, 1); 7647 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0); 7648 7649 a = one; 7650 secp256k1_ge_storage_cmov(&r, &a, 1); 7651 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0); 7652 7653 r = one; a = zero; 7654 secp256k1_ge_storage_cmov(&r, &a, 0); 7655 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0); 7656 } 7657 7658 static void run_cmov_tests(void) { 7659 int_cmov_test(); 7660 fe_cmov_test(); 7661 fe_storage_cmov_test(); 7662 scalar_cmov_test(); 7663 ge_storage_cmov_test(); 7664 } 7665 7666 int main(int argc, char **argv) { 7667 /* Disable buffering for stdout to improve reliability of getting 7668 * diagnostic information. Happens right at the start of main because 7669 * setbuf must be used before any other operation on the stream. */ 7670 setbuf(stdout, NULL); 7671 /* Also disable buffering for stderr because it's not guaranteed that it's 7672 * unbuffered on all systems. */ 7673 setbuf(stderr, NULL); 7674 7675 /* find iteration count */ 7676 if (argc > 1) { 7677 COUNT = strtol(argv[1], NULL, 0); 7678 } else { 7679 const char* env = getenv("SECP256K1_TEST_ITERS"); 7680 if (env && strlen(env) > 0) { 7681 COUNT = strtol(env, NULL, 0); 7682 } 7683 } 7684 if (COUNT <= 0) { 7685 fputs("An iteration count of 0 or less is not allowed.\n", stderr); 7686 return EXIT_FAILURE; 7687 } 7688 printf("test count = %i\n", COUNT); 7689 7690 /* run test RNG tests (must run before we really initialize the test RNG) */ 7691 run_xoshiro256pp_tests(); 7692 7693 /* find random seed */ 7694 testrand_init(argc > 2 ? argv[2] : NULL); 7695 7696 /*** Setup test environment ***/ 7697 7698 /* Create a global context available to all tests */ 7699 CTX = secp256k1_context_create(SECP256K1_CONTEXT_NONE); 7700 /* Randomize the context only with probability 15/16 7701 to make sure we test without context randomization from time to time. 7702 TODO Reconsider this when recalibrating the tests. */ 7703 if (testrand_bits(4)) { 7704 unsigned char rand32[32]; 7705 testrand256(rand32); 7706 CHECK(secp256k1_context_randomize(CTX, rand32)); 7707 } 7708 /* Make a writable copy of secp256k1_context_static in order to test the effect of API functions 7709 that write to the context. The API does not support cloning the static context, so we use 7710 memcpy instead. The user is not supposed to copy a context but we should still ensure that 7711 the API functions handle copies of the static context gracefully. */ 7712 STATIC_CTX = malloc(sizeof(*secp256k1_context_static)); 7713 CHECK(STATIC_CTX != NULL); 7714 memcpy(STATIC_CTX, secp256k1_context_static, sizeof(secp256k1_context)); 7715 CHECK(!secp256k1_context_is_proper(STATIC_CTX)); 7716 7717 /*** Run actual tests ***/ 7718 7719 /* selftest tests */ 7720 run_selftest_tests(); 7721 7722 /* context tests */ 7723 run_proper_context_tests(0); run_proper_context_tests(1); 7724 run_static_context_tests(0); run_static_context_tests(1); 7725 run_deprecated_context_flags_test(); 7726 7727 /* scratch tests */ 7728 run_scratch_tests(); 7729 7730 /* integer arithmetic tests */ 7731 #ifdef SECP256K1_WIDEMUL_INT128 7732 run_int128_tests(); 7733 #endif 7734 run_ctz_tests(); 7735 run_modinv_tests(); 7736 run_inverse_tests(); 7737 7738 /* sorting tests */ 7739 run_hsort_tests(); 7740 7741 /* hash tests */ 7742 run_sha256_known_output_tests(); 7743 run_sha256_counter_tests(); 7744 run_hmac_sha256_tests(); 7745 run_rfc6979_hmac_sha256_tests(); 7746 run_tagged_sha256_tests(); 7747 7748 /* scalar tests */ 7749 run_scalar_tests(); 7750 7751 /* field tests */ 7752 run_field_half(); 7753 run_field_misc(); 7754 run_field_convert(); 7755 run_field_be32_overflow(); 7756 run_fe_mul(); 7757 run_sqr(); 7758 run_sqrt(); 7759 7760 /* group tests */ 7761 run_ge(); 7762 run_gej(); 7763 run_group_decompress(); 7764 7765 /* ecmult tests */ 7766 run_ecmult_pre_g(); 7767 run_wnaf(); 7768 run_point_times_order(); 7769 run_ecmult_near_split_bound(); 7770 run_ecmult_chain(); 7771 run_ecmult_constants(); 7772 run_ecmult_gen_blind(); 7773 run_ecmult_const_tests(); 7774 run_ecmult_multi_tests(); 7775 run_ec_combine(); 7776 7777 /* endomorphism tests */ 7778 run_endomorphism_tests(); 7779 7780 /* EC point parser test */ 7781 run_ec_pubkey_parse_test(); 7782 7783 /* EC key edge cases */ 7784 run_eckey_edge_case_test(); 7785 7786 /* EC key arithmetic test */ 7787 run_eckey_negate_test(); 7788 7789 #ifdef ENABLE_MODULE_ECDH 7790 /* ecdh tests */ 7791 run_ecdh_tests(); 7792 #endif 7793 7794 /* ecdsa tests */ 7795 run_ec_illegal_argument_tests(); 7796 run_pubkey_comparison(); 7797 run_pubkey_sort(); 7798 run_random_pubkeys(); 7799 run_ecdsa_der_parse(); 7800 run_ecdsa_sign_verify(); 7801 run_ecdsa_end_to_end(); 7802 run_ecdsa_edge_cases(); 7803 run_ecdsa_wycheproof(); 7804 7805 #ifdef ENABLE_MODULE_RECOVERY 7806 /* ECDSA pubkey recovery tests */ 7807 run_recovery_tests(); 7808 #endif 7809 7810 #ifdef ENABLE_MODULE_EXTRAKEYS 7811 run_extrakeys_tests(); 7812 #endif 7813 7814 #ifdef ENABLE_MODULE_SCHNORRSIG 7815 run_schnorrsig_tests(); 7816 #endif 7817 7818 #ifdef ENABLE_MODULE_MUSIG 7819 run_musig_tests(); 7820 #endif 7821 7822 #ifdef ENABLE_MODULE_ELLSWIFT 7823 run_ellswift_tests(); 7824 #endif 7825 7826 /* util tests */ 7827 run_secp256k1_memczero_test(); 7828 run_secp256k1_is_zero_array_test(); 7829 run_secp256k1_byteorder_tests(); 7830 7831 run_cmov_tests(); 7832 7833 /*** Tear down test environment ***/ 7834 free(STATIC_CTX); 7835 secp256k1_context_destroy(CTX); 7836 7837 testrand_finish(); 7838 7839 printf("no problems found\n"); 7840 return EXIT_SUCCESS; 7841 }