github.com/ethereumproject/go-ethereum@v5.5.2+incompatible/crypto/secp256k1/libsecp256k1/src/tests.c (about) 1 /********************************************************************** 2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell * 3 * Distributed under the MIT software license, see the accompanying * 4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.* 5 **********************************************************************/ 6 7 #if defined HAVE_CONFIG_H 8 #include "libsecp256k1-config.h" 9 #endif 10 11 #include <stdio.h> 12 #include <stdlib.h> 13 14 #include <time.h> 15 16 #include "include/secp256k1.h" 17 #include "secp256k1.c" 18 #include "testrand_impl.h" 19 20 #ifdef ENABLE_OPENSSL_TESTS 21 #include "openssl/bn.h" 22 #include "openssl/ec.h" 23 #include "openssl/ecdsa.h" 24 #include "openssl/obj_mac.h" 25 #endif 26 27 static int count = 64; 28 static secp256k1_context *ctx = NULL; 29 30 void random_field_element_test(secp256k1_fe *fe) { 31 do { 32 unsigned char b32[32]; 33 secp256k1_rand256_test(b32); 34 if (secp256k1_fe_set_b32(fe, b32)) { 35 break; 36 } 37 } while(1); 38 } 39 40 void random_field_element_magnitude(secp256k1_fe *fe) { 41 secp256k1_fe zero; 42 int n = secp256k1_rand32() % 9; 43 secp256k1_fe_normalize(fe); 44 if (n == 0) { 45 return; 46 } 47 secp256k1_fe_clear(&zero); 48 secp256k1_fe_negate(&zero, &zero, 0); 49 secp256k1_fe_mul_int(&zero, n - 1); 50 secp256k1_fe_add(fe, &zero); 51 VERIFY_CHECK(fe->magnitude == n); 52 } 53 54 void random_group_element_test(secp256k1_ge *ge) { 55 secp256k1_fe fe; 56 do { 57 random_field_element_test(&fe); 58 if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_rand32() & 1)) { 59 secp256k1_fe_normalize(&ge->y); 60 break; 61 } 62 } while(1); 63 } 64 65 void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) { 66 secp256k1_fe z2, z3; 67 do { 68 random_field_element_test(&gej->z); 69 if (!secp256k1_fe_is_zero(&gej->z)) { 70 break; 71 } 72 } while(1); 73 secp256k1_fe_sqr(&z2, &gej->z); 74 secp256k1_fe_mul(&z3, &z2, &gej->z); 75 secp256k1_fe_mul(&gej->x, &ge->x, &z2); 76 secp256k1_fe_mul(&gej->y, &ge->y, &z3); 77 gej->infinity = ge->infinity; 78 } 79 80 void random_scalar_order_test(secp256k1_scalar *num) { 81 do { 82 unsigned char b32[32]; 83 int overflow = 0; 84 secp256k1_rand256_test(b32); 85 secp256k1_scalar_set_b32(num, b32, &overflow); 86 if (overflow || secp256k1_scalar_is_zero(num)) { 87 continue; 88 } 89 break; 90 } while(1); 91 } 92 93 void random_scalar_order(secp256k1_scalar *num) { 94 do { 95 unsigned char b32[32]; 96 int overflow = 0; 97 secp256k1_rand256(b32); 98 secp256k1_scalar_set_b32(num, b32, &overflow); 99 if (overflow || secp256k1_scalar_is_zero(num)) { 100 continue; 101 } 102 break; 103 } while(1); 104 } 105 106 void run_context_tests(void) { 107 secp256k1_context *none = secp256k1_context_create(0); 108 secp256k1_context *sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN); 109 secp256k1_context *vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY); 110 secp256k1_context *both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); 111 112 secp256k1_gej pubj; 113 secp256k1_ge pub; 114 secp256k1_scalar msg, key, nonce; 115 secp256k1_scalar sigr, sigs; 116 117 /*** clone and destroy all of them to make sure cloning was complete ***/ 118 { 119 secp256k1_context *ctx_tmp; 120 121 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_destroy(ctx_tmp); 122 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_destroy(ctx_tmp); 123 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_destroy(ctx_tmp); 124 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_destroy(ctx_tmp); 125 } 126 127 /*** attempt to use them ***/ 128 random_scalar_order_test(&msg); 129 random_scalar_order_test(&key); 130 secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key); 131 secp256k1_ge_set_gej(&pub, &pubj); 132 133 /* obtain a working nonce */ 134 do { 135 random_scalar_order_test(&nonce); 136 } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL)); 137 138 /* try signing */ 139 CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL)); 140 CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL)); 141 142 /* try verifying */ 143 CHECK(secp256k1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg)); 144 CHECK(secp256k1_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg)); 145 146 /* cleanup */ 147 secp256k1_context_destroy(none); 148 secp256k1_context_destroy(sign); 149 secp256k1_context_destroy(vrfy); 150 secp256k1_context_destroy(both); 151 } 152 153 /***** HASH TESTS *****/ 154 155 void run_sha256_tests(void) { 156 static const char *inputs[8] = { 157 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe", 158 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", 159 "For this sample, this 63-byte string will be used as input data", 160 "This is exactly 64 bytes long, not counting the terminating byte" 161 }; 162 static const unsigned char outputs[8][32] = { 163 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55}, 164 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad}, 165 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50}, 166 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d}, 167 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30}, 168 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1}, 169 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42}, 170 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8} 171 }; 172 int i; 173 for (i = 0; i < 8; i++) { 174 unsigned char out[32]; 175 secp256k1_sha256_t hasher; 176 secp256k1_sha256_initialize(&hasher); 177 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i])); 178 secp256k1_sha256_finalize(&hasher, out); 179 CHECK(memcmp(out, outputs[i], 32) == 0); 180 if (strlen(inputs[i]) > 0) { 181 int split = secp256k1_rand32() % strlen(inputs[i]); 182 secp256k1_sha256_initialize(&hasher); 183 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split); 184 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split); 185 secp256k1_sha256_finalize(&hasher, out); 186 CHECK(memcmp(out, outputs[i], 32) == 0); 187 } 188 } 189 } 190 191 void run_hmac_sha256_tests(void) { 192 static const char *keys[6] = { 193 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 194 "\x4a\x65\x66\x65", 195 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa", 196 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19", 197 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa", 198 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 199 }; 200 static const char *inputs[6] = { 201 "\x48\x69\x20\x54\x68\x65\x72\x65", 202 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f", 203 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd", 204 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd", 205 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74", 206 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e" 207 }; 208 static const unsigned char outputs[6][32] = { 209 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7}, 210 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43}, 211 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe}, 212 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b}, 213 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54}, 214 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2} 215 }; 216 int i; 217 for (i = 0; i < 6; i++) { 218 secp256k1_hmac_sha256_t hasher; 219 unsigned char out[32]; 220 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i])); 221 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i])); 222 secp256k1_hmac_sha256_finalize(&hasher, out); 223 CHECK(memcmp(out, outputs[i], 32) == 0); 224 if (strlen(inputs[i]) > 0) { 225 int split = secp256k1_rand32() % strlen(inputs[i]); 226 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i])); 227 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split); 228 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split); 229 secp256k1_hmac_sha256_finalize(&hasher, out); 230 CHECK(memcmp(out, outputs[i], 32) == 0); 231 } 232 } 233 } 234 235 void run_rfc6979_hmac_sha256_tests(void) { 236 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0}; 237 static const unsigned char out1[3][32] = { 238 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb}, 239 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a}, 240 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e} 241 }; 242 243 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55}; 244 static const unsigned char out2[3][32] = { 245 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95}, 246 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9}, 247 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94} 248 }; 249 250 secp256k1_rfc6979_hmac_sha256_t rng; 251 unsigned char out[32]; 252 int i; 253 254 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64); 255 for (i = 0; i < 3; i++) { 256 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32); 257 CHECK(memcmp(out, out1[i], 32) == 0); 258 } 259 secp256k1_rfc6979_hmac_sha256_finalize(&rng); 260 261 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65); 262 for (i = 0; i < 3; i++) { 263 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32); 264 CHECK(memcmp(out, out1[i], 32) != 0); 265 } 266 secp256k1_rfc6979_hmac_sha256_finalize(&rng); 267 268 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64); 269 for (i = 0; i < 3; i++) { 270 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32); 271 CHECK(memcmp(out, out2[i], 32) == 0); 272 } 273 secp256k1_rfc6979_hmac_sha256_finalize(&rng); 274 } 275 276 /***** NUM TESTS *****/ 277 278 #ifndef USE_NUM_NONE 279 void random_num_negate(secp256k1_num *num) { 280 if (secp256k1_rand32() & 1) { 281 secp256k1_num_negate(num); 282 } 283 } 284 285 void random_num_order_test(secp256k1_num *num) { 286 secp256k1_scalar sc; 287 random_scalar_order_test(&sc); 288 secp256k1_scalar_get_num(num, &sc); 289 } 290 291 void random_num_order(secp256k1_num *num) { 292 secp256k1_scalar sc; 293 random_scalar_order(&sc); 294 secp256k1_scalar_get_num(num, &sc); 295 } 296 297 void test_num_negate(void) { 298 secp256k1_num n1; 299 secp256k1_num n2; 300 random_num_order_test(&n1); /* n1 = R */ 301 random_num_negate(&n1); 302 secp256k1_num_copy(&n2, &n1); /* n2 = R */ 303 secp256k1_num_sub(&n1, &n2, &n1); /* n1 = n2-n1 = 0 */ 304 CHECK(secp256k1_num_is_zero(&n1)); 305 secp256k1_num_copy(&n1, &n2); /* n1 = R */ 306 secp256k1_num_negate(&n1); /* n1 = -R */ 307 CHECK(!secp256k1_num_is_zero(&n1)); 308 secp256k1_num_add(&n1, &n2, &n1); /* n1 = n2+n1 = 0 */ 309 CHECK(secp256k1_num_is_zero(&n1)); 310 secp256k1_num_copy(&n1, &n2); /* n1 = R */ 311 secp256k1_num_negate(&n1); /* n1 = -R */ 312 CHECK(secp256k1_num_is_neg(&n1) != secp256k1_num_is_neg(&n2)); 313 secp256k1_num_negate(&n1); /* n1 = R */ 314 CHECK(secp256k1_num_eq(&n1, &n2)); 315 } 316 317 void test_num_add_sub(void) { 318 secp256k1_num n1; 319 secp256k1_num n2; 320 secp256k1_num n1p2, n2p1, n1m2, n2m1; 321 int r = secp256k1_rand32(); 322 random_num_order_test(&n1); /* n1 = R1 */ 323 if (r & 1) { 324 random_num_negate(&n1); 325 } 326 random_num_order_test(&n2); /* n2 = R2 */ 327 if (r & 2) { 328 random_num_negate(&n2); 329 } 330 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = R1 + R2 */ 331 secp256k1_num_add(&n2p1, &n2, &n1); /* n2p1 = R2 + R1 */ 332 secp256k1_num_sub(&n1m2, &n1, &n2); /* n1m2 = R1 - R2 */ 333 secp256k1_num_sub(&n2m1, &n2, &n1); /* n2m1 = R2 - R1 */ 334 CHECK(secp256k1_num_eq(&n1p2, &n2p1)); 335 CHECK(!secp256k1_num_eq(&n1p2, &n1m2)); 336 secp256k1_num_negate(&n2m1); /* n2m1 = -R2 + R1 */ 337 CHECK(secp256k1_num_eq(&n2m1, &n1m2)); 338 CHECK(!secp256k1_num_eq(&n2m1, &n1)); 339 secp256k1_num_add(&n2m1, &n2m1, &n2); /* n2m1 = -R2 + R1 + R2 = R1 */ 340 CHECK(secp256k1_num_eq(&n2m1, &n1)); 341 CHECK(!secp256k1_num_eq(&n2p1, &n1)); 342 secp256k1_num_sub(&n2p1, &n2p1, &n2); /* n2p1 = R2 + R1 - R2 = R1 */ 343 CHECK(secp256k1_num_eq(&n2p1, &n1)); 344 } 345 346 void run_num_smalltests(void) { 347 int i; 348 for (i = 0; i < 100*count; i++) { 349 test_num_negate(); 350 test_num_add_sub(); 351 } 352 } 353 #endif 354 355 /***** SCALAR TESTS *****/ 356 357 void scalar_test(void) { 358 secp256k1_scalar s; 359 secp256k1_scalar s1; 360 secp256k1_scalar s2; 361 #ifndef USE_NUM_NONE 362 secp256k1_num snum, s1num, s2num; 363 secp256k1_num order, half_order; 364 #endif 365 unsigned char c[32]; 366 367 /* Set 's' to a random scalar, with value 'snum'. */ 368 random_scalar_order_test(&s); 369 370 /* Set 's1' to a random scalar, with value 's1num'. */ 371 random_scalar_order_test(&s1); 372 373 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */ 374 random_scalar_order_test(&s2); 375 secp256k1_scalar_get_b32(c, &s2); 376 377 #ifndef USE_NUM_NONE 378 secp256k1_scalar_get_num(&snum, &s); 379 secp256k1_scalar_get_num(&s1num, &s1); 380 secp256k1_scalar_get_num(&s2num, &s2); 381 382 secp256k1_scalar_order_get_num(&order); 383 half_order = order; 384 secp256k1_num_shift(&half_order, 1); 385 #endif 386 387 { 388 int i; 389 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */ 390 secp256k1_scalar n; 391 secp256k1_scalar_set_int(&n, 0); 392 for (i = 0; i < 256; i += 4) { 393 secp256k1_scalar t; 394 int j; 395 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4)); 396 for (j = 0; j < 4; j++) { 397 secp256k1_scalar_add(&n, &n, &n); 398 } 399 secp256k1_scalar_add(&n, &n, &t); 400 } 401 CHECK(secp256k1_scalar_eq(&n, &s)); 402 } 403 404 { 405 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */ 406 secp256k1_scalar n; 407 int i = 0; 408 secp256k1_scalar_set_int(&n, 0); 409 while (i < 256) { 410 secp256k1_scalar t; 411 int j; 412 int now = (secp256k1_rand32() % 15) + 1; 413 if (now + i > 256) { 414 now = 256 - i; 415 } 416 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now)); 417 for (j = 0; j < now; j++) { 418 secp256k1_scalar_add(&n, &n, &n); 419 } 420 secp256k1_scalar_add(&n, &n, &t); 421 i += now; 422 } 423 CHECK(secp256k1_scalar_eq(&n, &s)); 424 } 425 426 #ifndef USE_NUM_NONE 427 { 428 /* Test that adding the scalars together is equal to adding their numbers together modulo the order. */ 429 secp256k1_num rnum; 430 secp256k1_num r2num; 431 secp256k1_scalar r; 432 secp256k1_num_add(&rnum, &snum, &s2num); 433 secp256k1_num_mod(&rnum, &order); 434 secp256k1_scalar_add(&r, &s, &s2); 435 secp256k1_scalar_get_num(&r2num, &r); 436 CHECK(secp256k1_num_eq(&rnum, &r2num)); 437 } 438 439 { 440 /* Test that multipying the scalars is equal to multiplying their numbers modulo the order. */ 441 secp256k1_scalar r; 442 secp256k1_num r2num; 443 secp256k1_num rnum; 444 secp256k1_num_mul(&rnum, &snum, &s2num); 445 secp256k1_num_mod(&rnum, &order); 446 secp256k1_scalar_mul(&r, &s, &s2); 447 secp256k1_scalar_get_num(&r2num, &r); 448 CHECK(secp256k1_num_eq(&rnum, &r2num)); 449 /* The result can only be zero if at least one of the factors was zero. */ 450 CHECK(secp256k1_scalar_is_zero(&r) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_zero(&s2))); 451 /* The results can only be equal to one of the factors if that factor was zero, or the other factor was one. */ 452 CHECK(secp256k1_num_eq(&rnum, &snum) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_one(&s2))); 453 CHECK(secp256k1_num_eq(&rnum, &s2num) == (secp256k1_scalar_is_zero(&s2) || secp256k1_scalar_is_one(&s))); 454 } 455 456 { 457 secp256k1_scalar neg; 458 secp256k1_num negnum; 459 secp256k1_num negnum2; 460 /* Check that comparison with zero matches comparison with zero on the number. */ 461 CHECK(secp256k1_num_is_zero(&snum) == secp256k1_scalar_is_zero(&s)); 462 /* Check that comparison with the half order is equal to testing for high scalar. */ 463 CHECK(secp256k1_scalar_is_high(&s) == (secp256k1_num_cmp(&snum, &half_order) > 0)); 464 secp256k1_scalar_negate(&neg, &s); 465 secp256k1_num_sub(&negnum, &order, &snum); 466 secp256k1_num_mod(&negnum, &order); 467 /* Check that comparison with the half order is equal to testing for high scalar after negation. */ 468 CHECK(secp256k1_scalar_is_high(&neg) == (secp256k1_num_cmp(&negnum, &half_order) > 0)); 469 /* Negating should change the high property, unless the value was already zero. */ 470 CHECK((secp256k1_scalar_is_high(&s) == secp256k1_scalar_is_high(&neg)) == secp256k1_scalar_is_zero(&s)); 471 secp256k1_scalar_get_num(&negnum2, &neg); 472 /* Negating a scalar should be equal to (order - n) mod order on the number. */ 473 CHECK(secp256k1_num_eq(&negnum, &negnum2)); 474 secp256k1_scalar_add(&neg, &neg, &s); 475 /* Adding a number to its negation should result in zero. */ 476 CHECK(secp256k1_scalar_is_zero(&neg)); 477 secp256k1_scalar_negate(&neg, &neg); 478 /* Negating zero should still result in zero. */ 479 CHECK(secp256k1_scalar_is_zero(&neg)); 480 } 481 482 { 483 /* Test secp256k1_scalar_mul_shift_var. */ 484 secp256k1_scalar r; 485 secp256k1_num one; 486 secp256k1_num rnum; 487 secp256k1_num rnum2; 488 unsigned char cone[1] = {0x01}; 489 unsigned int shift = 256 + (secp256k1_rand32() % 257); 490 secp256k1_scalar_mul_shift_var(&r, &s1, &s2, shift); 491 secp256k1_num_mul(&rnum, &s1num, &s2num); 492 secp256k1_num_shift(&rnum, shift - 1); 493 secp256k1_num_set_bin(&one, cone, 1); 494 secp256k1_num_add(&rnum, &rnum, &one); 495 secp256k1_num_shift(&rnum, 1); 496 secp256k1_scalar_get_num(&rnum2, &r); 497 CHECK(secp256k1_num_eq(&rnum, &rnum2)); 498 } 499 500 { 501 /* test secp256k1_scalar_shr_int */ 502 secp256k1_scalar r; 503 int i; 504 random_scalar_order_test(&r); 505 for (i = 0; i < 100; ++i) { 506 int low; 507 int shift = 1 + (secp256k1_rand32() % 15); 508 int expected = r.d[0] % (1 << shift); 509 low = secp256k1_scalar_shr_int(&r, shift); 510 CHECK(expected == low); 511 } 512 } 513 #endif 514 515 { 516 /* Test that scalar inverses are equal to the inverse of their number modulo the order. */ 517 if (!secp256k1_scalar_is_zero(&s)) { 518 secp256k1_scalar inv; 519 #ifndef USE_NUM_NONE 520 secp256k1_num invnum; 521 secp256k1_num invnum2; 522 #endif 523 secp256k1_scalar_inverse(&inv, &s); 524 #ifndef USE_NUM_NONE 525 secp256k1_num_mod_inverse(&invnum, &snum, &order); 526 secp256k1_scalar_get_num(&invnum2, &inv); 527 CHECK(secp256k1_num_eq(&invnum, &invnum2)); 528 #endif 529 secp256k1_scalar_mul(&inv, &inv, &s); 530 /* Multiplying a scalar with its inverse must result in one. */ 531 CHECK(secp256k1_scalar_is_one(&inv)); 532 secp256k1_scalar_inverse(&inv, &inv); 533 /* Inverting one must result in one. */ 534 CHECK(secp256k1_scalar_is_one(&inv)); 535 } 536 } 537 538 { 539 /* Test commutativity of add. */ 540 secp256k1_scalar r1, r2; 541 secp256k1_scalar_add(&r1, &s1, &s2); 542 secp256k1_scalar_add(&r2, &s2, &s1); 543 CHECK(secp256k1_scalar_eq(&r1, &r2)); 544 } 545 546 { 547 secp256k1_scalar r1, r2; 548 secp256k1_scalar b; 549 int i; 550 /* Test add_bit. */ 551 int bit = secp256k1_rand32() % 256; 552 secp256k1_scalar_set_int(&b, 1); 553 CHECK(secp256k1_scalar_is_one(&b)); 554 for (i = 0; i < bit; i++) { 555 secp256k1_scalar_add(&b, &b, &b); 556 } 557 r1 = s1; 558 r2 = s1; 559 if (!secp256k1_scalar_add(&r1, &r1, &b)) { 560 /* No overflow happened. */ 561 secp256k1_scalar_cadd_bit(&r2, bit, 1); 562 CHECK(secp256k1_scalar_eq(&r1, &r2)); 563 /* cadd is a noop when flag is zero */ 564 secp256k1_scalar_cadd_bit(&r2, bit, 0); 565 CHECK(secp256k1_scalar_eq(&r1, &r2)); 566 } 567 } 568 569 { 570 /* Test commutativity of mul. */ 571 secp256k1_scalar r1, r2; 572 secp256k1_scalar_mul(&r1, &s1, &s2); 573 secp256k1_scalar_mul(&r2, &s2, &s1); 574 CHECK(secp256k1_scalar_eq(&r1, &r2)); 575 } 576 577 { 578 /* Test associativity of add. */ 579 secp256k1_scalar r1, r2; 580 secp256k1_scalar_add(&r1, &s1, &s2); 581 secp256k1_scalar_add(&r1, &r1, &s); 582 secp256k1_scalar_add(&r2, &s2, &s); 583 secp256k1_scalar_add(&r2, &s1, &r2); 584 CHECK(secp256k1_scalar_eq(&r1, &r2)); 585 } 586 587 { 588 /* Test associativity of mul. */ 589 secp256k1_scalar r1, r2; 590 secp256k1_scalar_mul(&r1, &s1, &s2); 591 secp256k1_scalar_mul(&r1, &r1, &s); 592 secp256k1_scalar_mul(&r2, &s2, &s); 593 secp256k1_scalar_mul(&r2, &s1, &r2); 594 CHECK(secp256k1_scalar_eq(&r1, &r2)); 595 } 596 597 { 598 /* Test distributitivity of mul over add. */ 599 secp256k1_scalar r1, r2, t; 600 secp256k1_scalar_add(&r1, &s1, &s2); 601 secp256k1_scalar_mul(&r1, &r1, &s); 602 secp256k1_scalar_mul(&r2, &s1, &s); 603 secp256k1_scalar_mul(&t, &s2, &s); 604 secp256k1_scalar_add(&r2, &r2, &t); 605 CHECK(secp256k1_scalar_eq(&r1, &r2)); 606 } 607 608 { 609 /* Test square. */ 610 secp256k1_scalar r1, r2; 611 secp256k1_scalar_sqr(&r1, &s1); 612 secp256k1_scalar_mul(&r2, &s1, &s1); 613 CHECK(secp256k1_scalar_eq(&r1, &r2)); 614 } 615 616 { 617 /* Test multiplicative identity. */ 618 secp256k1_scalar r1, v1; 619 secp256k1_scalar_set_int(&v1,1); 620 secp256k1_scalar_mul(&r1, &s1, &v1); 621 CHECK(secp256k1_scalar_eq(&r1, &s1)); 622 } 623 624 { 625 /* Test additive identity. */ 626 secp256k1_scalar r1, v0; 627 secp256k1_scalar_set_int(&v0,0); 628 secp256k1_scalar_add(&r1, &s1, &v0); 629 CHECK(secp256k1_scalar_eq(&r1, &s1)); 630 } 631 632 { 633 /* Test zero product property. */ 634 secp256k1_scalar r1, v0; 635 secp256k1_scalar_set_int(&v0,0); 636 secp256k1_scalar_mul(&r1, &s1, &v0); 637 CHECK(secp256k1_scalar_eq(&r1, &v0)); 638 } 639 640 } 641 642 void run_scalar_tests(void) { 643 int i; 644 for (i = 0; i < 128 * count; i++) { 645 scalar_test(); 646 } 647 648 { 649 /* (-1)+1 should be zero. */ 650 secp256k1_scalar s, o; 651 secp256k1_scalar_set_int(&s, 1); 652 CHECK(secp256k1_scalar_is_one(&s)); 653 secp256k1_scalar_negate(&o, &s); 654 secp256k1_scalar_add(&o, &o, &s); 655 CHECK(secp256k1_scalar_is_zero(&o)); 656 secp256k1_scalar_negate(&o, &o); 657 CHECK(secp256k1_scalar_is_zero(&o)); 658 } 659 660 #ifndef USE_NUM_NONE 661 { 662 /* A scalar with value of the curve order should be 0. */ 663 secp256k1_num order; 664 secp256k1_scalar zero; 665 unsigned char bin[32]; 666 int overflow = 0; 667 secp256k1_scalar_order_get_num(&order); 668 secp256k1_num_get_bin(bin, 32, &order); 669 secp256k1_scalar_set_b32(&zero, bin, &overflow); 670 CHECK(overflow == 1); 671 CHECK(secp256k1_scalar_is_zero(&zero)); 672 } 673 #endif 674 } 675 676 /***** FIELD TESTS *****/ 677 678 void random_fe(secp256k1_fe *x) { 679 unsigned char bin[32]; 680 do { 681 secp256k1_rand256(bin); 682 if (secp256k1_fe_set_b32(x, bin)) { 683 return; 684 } 685 } while(1); 686 } 687 688 void random_fe_non_zero(secp256k1_fe *nz) { 689 int tries = 10; 690 while (--tries >= 0) { 691 random_fe(nz); 692 secp256k1_fe_normalize(nz); 693 if (!secp256k1_fe_is_zero(nz)) { 694 break; 695 } 696 } 697 /* Infinitesimal probability of spurious failure here */ 698 CHECK(tries >= 0); 699 } 700 701 void random_fe_non_square(secp256k1_fe *ns) { 702 secp256k1_fe r; 703 random_fe_non_zero(ns); 704 if (secp256k1_fe_sqrt_var(&r, ns)) { 705 secp256k1_fe_negate(ns, ns, 1); 706 } 707 } 708 709 int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) { 710 secp256k1_fe an = *a; 711 secp256k1_fe bn = *b; 712 secp256k1_fe_normalize_weak(&an); 713 secp256k1_fe_normalize_var(&bn); 714 return secp256k1_fe_equal_var(&an, &bn); 715 } 716 717 int check_fe_inverse(const secp256k1_fe *a, const secp256k1_fe *ai) { 718 secp256k1_fe x; 719 secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1); 720 secp256k1_fe_mul(&x, a, ai); 721 return check_fe_equal(&x, &one); 722 } 723 724 void run_field_convert(void) { 725 static const unsigned char b32[32] = { 726 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 727 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 728 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 729 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40 730 }; 731 static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST( 732 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL, 733 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL 734 ); 735 static const secp256k1_fe fe = SECP256K1_FE_CONST( 736 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL, 737 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL 738 ); 739 secp256k1_fe fe2; 740 unsigned char b322[32]; 741 secp256k1_fe_storage fes2; 742 /* Check conversions to fe. */ 743 CHECK(secp256k1_fe_set_b32(&fe2, b32)); 744 CHECK(secp256k1_fe_equal_var(&fe, &fe2)); 745 secp256k1_fe_from_storage(&fe2, &fes); 746 CHECK(secp256k1_fe_equal_var(&fe, &fe2)); 747 /* Check conversion from fe. */ 748 secp256k1_fe_get_b32(b322, &fe); 749 CHECK(memcmp(b322, b32, 32) == 0); 750 secp256k1_fe_to_storage(&fes2, &fe); 751 CHECK(memcmp(&fes2, &fes, sizeof(fes)) == 0); 752 } 753 754 int fe_memcmp(const secp256k1_fe *a, const secp256k1_fe *b) { 755 secp256k1_fe t = *b; 756 #ifdef VERIFY 757 t.magnitude = a->magnitude; 758 t.normalized = a->normalized; 759 #endif 760 return memcmp(a, &t, sizeof(secp256k1_fe)); 761 } 762 763 void run_field_misc(void) { 764 secp256k1_fe x; 765 secp256k1_fe y; 766 secp256k1_fe z; 767 secp256k1_fe q; 768 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5); 769 int i, j; 770 for (i = 0; i < 5*count; i++) { 771 secp256k1_fe_storage xs, ys, zs; 772 random_fe(&x); 773 random_fe_non_zero(&y); 774 /* Test the fe equality and comparison operations. */ 775 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0); 776 CHECK(secp256k1_fe_equal_var(&x, &x)); 777 z = x; 778 secp256k1_fe_add(&z,&y); 779 /* Test fe conditional move; z is not normalized here. */ 780 q = x; 781 secp256k1_fe_cmov(&x, &z, 0); 782 VERIFY_CHECK(!x.normalized && x.magnitude == z.magnitude); 783 secp256k1_fe_cmov(&x, &x, 1); 784 CHECK(fe_memcmp(&x, &z) != 0); 785 CHECK(fe_memcmp(&x, &q) == 0); 786 secp256k1_fe_cmov(&q, &z, 1); 787 VERIFY_CHECK(!q.normalized && q.magnitude == z.magnitude); 788 CHECK(fe_memcmp(&q, &z) == 0); 789 secp256k1_fe_normalize_var(&x); 790 secp256k1_fe_normalize_var(&z); 791 CHECK(!secp256k1_fe_equal_var(&x, &z)); 792 secp256k1_fe_normalize_var(&q); 793 secp256k1_fe_cmov(&q, &z, (i&1)); 794 VERIFY_CHECK(q.normalized && q.magnitude == 1); 795 for (j = 0; j < 6; j++) { 796 secp256k1_fe_negate(&z, &z, j+1); 797 secp256k1_fe_normalize_var(&q); 798 secp256k1_fe_cmov(&q, &z, (j&1)); 799 VERIFY_CHECK(!q.normalized && q.magnitude == (j+2)); 800 } 801 secp256k1_fe_normalize_var(&z); 802 /* Test storage conversion and conditional moves. */ 803 secp256k1_fe_to_storage(&xs, &x); 804 secp256k1_fe_to_storage(&ys, &y); 805 secp256k1_fe_to_storage(&zs, &z); 806 secp256k1_fe_storage_cmov(&zs, &xs, 0); 807 secp256k1_fe_storage_cmov(&zs, &zs, 1); 808 CHECK(memcmp(&xs, &zs, sizeof(xs)) != 0); 809 secp256k1_fe_storage_cmov(&ys, &xs, 1); 810 CHECK(memcmp(&xs, &ys, sizeof(xs)) == 0); 811 secp256k1_fe_from_storage(&x, &xs); 812 secp256k1_fe_from_storage(&y, &ys); 813 secp256k1_fe_from_storage(&z, &zs); 814 /* Test that mul_int, mul, and add agree. */ 815 secp256k1_fe_add(&y, &x); 816 secp256k1_fe_add(&y, &x); 817 z = x; 818 secp256k1_fe_mul_int(&z, 3); 819 CHECK(check_fe_equal(&y, &z)); 820 secp256k1_fe_add(&y, &x); 821 secp256k1_fe_add(&z, &x); 822 CHECK(check_fe_equal(&z, &y)); 823 z = x; 824 secp256k1_fe_mul_int(&z, 5); 825 secp256k1_fe_mul(&q, &x, &fe5); 826 CHECK(check_fe_equal(&z, &q)); 827 secp256k1_fe_negate(&x, &x, 1); 828 secp256k1_fe_add(&z, &x); 829 secp256k1_fe_add(&q, &x); 830 CHECK(check_fe_equal(&y, &z)); 831 CHECK(check_fe_equal(&q, &y)); 832 } 833 } 834 835 void run_field_inv(void) { 836 secp256k1_fe x, xi, xii; 837 int i; 838 for (i = 0; i < 10*count; i++) { 839 random_fe_non_zero(&x); 840 secp256k1_fe_inv(&xi, &x); 841 CHECK(check_fe_inverse(&x, &xi)); 842 secp256k1_fe_inv(&xii, &xi); 843 CHECK(check_fe_equal(&x, &xii)); 844 } 845 } 846 847 void run_field_inv_var(void) { 848 secp256k1_fe x, xi, xii; 849 int i; 850 for (i = 0; i < 10*count; i++) { 851 random_fe_non_zero(&x); 852 secp256k1_fe_inv_var(&xi, &x); 853 CHECK(check_fe_inverse(&x, &xi)); 854 secp256k1_fe_inv_var(&xii, &xi); 855 CHECK(check_fe_equal(&x, &xii)); 856 } 857 } 858 859 void run_field_inv_all_var(void) { 860 secp256k1_fe x[16], xi[16], xii[16]; 861 int i; 862 /* Check it's safe to call for 0 elements */ 863 secp256k1_fe_inv_all_var(0, xi, x); 864 for (i = 0; i < count; i++) { 865 size_t j; 866 size_t len = (secp256k1_rand32() & 15) + 1; 867 for (j = 0; j < len; j++) { 868 random_fe_non_zero(&x[j]); 869 } 870 secp256k1_fe_inv_all_var(len, xi, x); 871 for (j = 0; j < len; j++) { 872 CHECK(check_fe_inverse(&x[j], &xi[j])); 873 } 874 secp256k1_fe_inv_all_var(len, xii, xi); 875 for (j = 0; j < len; j++) { 876 CHECK(check_fe_equal(&x[j], &xii[j])); 877 } 878 } 879 } 880 881 void run_sqr(void) { 882 secp256k1_fe x, s; 883 884 { 885 int i; 886 secp256k1_fe_set_int(&x, 1); 887 secp256k1_fe_negate(&x, &x, 1); 888 889 for (i = 1; i <= 512; ++i) { 890 secp256k1_fe_mul_int(&x, 2); 891 secp256k1_fe_normalize(&x); 892 secp256k1_fe_sqr(&s, &x); 893 } 894 } 895 } 896 897 void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) { 898 secp256k1_fe r1, r2; 899 int v = secp256k1_fe_sqrt_var(&r1, a); 900 CHECK((v == 0) == (k == NULL)); 901 902 if (k != NULL) { 903 /* Check that the returned root is +/- the given known answer */ 904 secp256k1_fe_negate(&r2, &r1, 1); 905 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k); 906 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2); 907 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2)); 908 } 909 } 910 911 void run_sqrt(void) { 912 secp256k1_fe ns, x, s, t; 913 int i; 914 915 /* Check sqrt(0) is 0 */ 916 secp256k1_fe_set_int(&x, 0); 917 secp256k1_fe_sqr(&s, &x); 918 test_sqrt(&s, &x); 919 920 /* Check sqrt of small squares (and their negatives) */ 921 for (i = 1; i <= 100; i++) { 922 secp256k1_fe_set_int(&x, i); 923 secp256k1_fe_sqr(&s, &x); 924 test_sqrt(&s, &x); 925 secp256k1_fe_negate(&t, &s, 1); 926 test_sqrt(&t, NULL); 927 } 928 929 /* Consistency checks for large random values */ 930 for (i = 0; i < 10; i++) { 931 int j; 932 random_fe_non_square(&ns); 933 for (j = 0; j < count; j++) { 934 random_fe(&x); 935 secp256k1_fe_sqr(&s, &x); 936 test_sqrt(&s, &x); 937 secp256k1_fe_negate(&t, &s, 1); 938 test_sqrt(&t, NULL); 939 secp256k1_fe_mul(&t, &s, &ns); 940 test_sqrt(&t, NULL); 941 } 942 } 943 } 944 945 /***** GROUP TESTS *****/ 946 947 void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) { 948 CHECK(a->infinity == b->infinity); 949 if (a->infinity) { 950 return; 951 } 952 CHECK(secp256k1_fe_equal_var(&a->x, &b->x)); 953 CHECK(secp256k1_fe_equal_var(&a->y, &b->y)); 954 } 955 956 /* This compares jacobian points including their Z, not just their geometric meaning. */ 957 int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) { 958 secp256k1_gej a2; 959 secp256k1_gej b2; 960 int ret = 1; 961 ret &= a->infinity == b->infinity; 962 if (ret && !a->infinity) { 963 a2 = *a; 964 b2 = *b; 965 secp256k1_fe_normalize(&a2.x); 966 secp256k1_fe_normalize(&a2.y); 967 secp256k1_fe_normalize(&a2.z); 968 secp256k1_fe_normalize(&b2.x); 969 secp256k1_fe_normalize(&b2.y); 970 secp256k1_fe_normalize(&b2.z); 971 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0; 972 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0; 973 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0; 974 } 975 return ret; 976 } 977 978 void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) { 979 secp256k1_fe z2s; 980 secp256k1_fe u1, u2, s1, s2; 981 CHECK(a->infinity == b->infinity); 982 if (a->infinity) { 983 return; 984 } 985 /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */ 986 secp256k1_fe_sqr(&z2s, &b->z); 987 secp256k1_fe_mul(&u1, &a->x, &z2s); 988 u2 = b->x; secp256k1_fe_normalize_weak(&u2); 989 secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z); 990 s2 = b->y; secp256k1_fe_normalize_weak(&s2); 991 CHECK(secp256k1_fe_equal_var(&u1, &u2)); 992 CHECK(secp256k1_fe_equal_var(&s1, &s2)); 993 } 994 995 void test_ge(void) { 996 int i, i1; 997 #ifdef USE_ENDOMORPHISM 998 int runs = 6; 999 #else 1000 int runs = 4; 1001 #endif 1002 /* Points: (infinity, p1, p1, -p1, -p1, p2, p2, -p2, -p2, p3, p3, -p3, -p3, p4, p4, -p4, -p4). 1003 * The second in each pair of identical points uses a random Z coordinate in the Jacobian form. 1004 * All magnitudes are randomized. 1005 * All 17*17 combinations of points are added to eachother, using all applicable methods. 1006 * 1007 * When the endomorphism code is compiled in, p5 = lambda*p1 and p6 = lambda^2*p1 are added as well. 1008 */ 1009 secp256k1_ge *ge = (secp256k1_ge *)malloc(sizeof(secp256k1_ge) * (1 + 4 * runs)); 1010 secp256k1_gej *gej = (secp256k1_gej *)malloc(sizeof(secp256k1_gej) * (1 + 4 * runs)); 1011 secp256k1_fe *zinv = (secp256k1_fe *)malloc(sizeof(secp256k1_fe) * (1 + 4 * runs)); 1012 secp256k1_fe zf; 1013 secp256k1_fe zfi2, zfi3; 1014 1015 secp256k1_gej_set_infinity(&gej[0]); 1016 secp256k1_ge_clear(&ge[0]); 1017 secp256k1_ge_set_gej_var(&ge[0], &gej[0]); 1018 for (i = 0; i < runs; i++) { 1019 int j; 1020 secp256k1_ge g; 1021 random_group_element_test(&g); 1022 #ifdef USE_ENDOMORPHISM 1023 if (i >= runs - 2) { 1024 secp256k1_ge_mul_lambda(&g, &ge[1]); 1025 } 1026 if (i >= runs - 1) { 1027 secp256k1_ge_mul_lambda(&g, &g); 1028 } 1029 #endif 1030 ge[1 + 4 * i] = g; 1031 ge[2 + 4 * i] = g; 1032 secp256k1_ge_neg(&ge[3 + 4 * i], &g); 1033 secp256k1_ge_neg(&ge[4 + 4 * i], &g); 1034 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]); 1035 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]); 1036 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]); 1037 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]); 1038 for (j = 0; j < 4; j++) { 1039 random_field_element_magnitude(&ge[1 + j + 4 * i].x); 1040 random_field_element_magnitude(&ge[1 + j + 4 * i].y); 1041 random_field_element_magnitude(&gej[1 + j + 4 * i].x); 1042 random_field_element_magnitude(&gej[1 + j + 4 * i].y); 1043 random_field_element_magnitude(&gej[1 + j + 4 * i].z); 1044 } 1045 } 1046 1047 /* Compute z inverses. */ 1048 { 1049 secp256k1_fe *zs = malloc(sizeof(secp256k1_fe) * (1 + 4 * runs)); 1050 for (i = 0; i < 4 * runs + 1; i++) { 1051 if (i == 0) { 1052 /* The point at infinity does not have a meaningful z inverse. Any should do. */ 1053 do { 1054 random_field_element_test(&zs[i]); 1055 } while(secp256k1_fe_is_zero(&zs[i])); 1056 } else { 1057 zs[i] = gej[i].z; 1058 } 1059 } 1060 secp256k1_fe_inv_all_var(4 * runs + 1, zinv, zs); 1061 free(zs); 1062 } 1063 1064 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */ 1065 do { 1066 random_field_element_test(&zf); 1067 } while(secp256k1_fe_is_zero(&zf)); 1068 random_field_element_magnitude(&zf); 1069 secp256k1_fe_inv_var(&zfi3, &zf); 1070 secp256k1_fe_sqr(&zfi2, &zfi3); 1071 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2); 1072 1073 for (i1 = 0; i1 < 1 + 4 * runs; i1++) { 1074 int i2; 1075 for (i2 = 0; i2 < 1 + 4 * runs; i2++) { 1076 /* Compute reference result using gej + gej (var). */ 1077 secp256k1_gej refj, resj; 1078 secp256k1_ge ref; 1079 secp256k1_fe zr; 1080 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr); 1081 /* Check Z ratio. */ 1082 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) { 1083 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z); 1084 CHECK(secp256k1_fe_equal_var(&zrz, &refj.z)); 1085 } 1086 secp256k1_ge_set_gej_var(&ref, &refj); 1087 1088 /* Test gej + ge with Z ratio result (var). */ 1089 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr); 1090 ge_equals_gej(&ref, &resj); 1091 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) { 1092 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z); 1093 CHECK(secp256k1_fe_equal_var(&zrz, &resj.z)); 1094 } 1095 1096 /* Test gej + ge (var, with additional Z factor). */ 1097 { 1098 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */ 1099 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2); 1100 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3); 1101 random_field_element_magnitude(&ge2_zfi.x); 1102 random_field_element_magnitude(&ge2_zfi.y); 1103 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf); 1104 ge_equals_gej(&ref, &resj); 1105 } 1106 1107 /* Test gej + ge (const). */ 1108 if (i2 != 0) { 1109 /* secp256k1_gej_add_ge does not support its second argument being infinity. */ 1110 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]); 1111 ge_equals_gej(&ref, &resj); 1112 } 1113 1114 /* Test doubling (var). */ 1115 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) { 1116 secp256k1_fe zr2; 1117 /* Normal doubling with Z ratio result. */ 1118 secp256k1_gej_double_var(&resj, &gej[i1], &zr2); 1119 ge_equals_gej(&ref, &resj); 1120 /* Check Z ratio. */ 1121 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z); 1122 CHECK(secp256k1_fe_equal_var(&zr2, &resj.z)); 1123 /* Normal doubling. */ 1124 secp256k1_gej_double_var(&resj, &gej[i2], NULL); 1125 ge_equals_gej(&ref, &resj); 1126 } 1127 1128 /* Test adding opposites. */ 1129 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) { 1130 CHECK(secp256k1_ge_is_infinity(&ref)); 1131 } 1132 1133 /* Test adding infinity. */ 1134 if (i1 == 0) { 1135 CHECK(secp256k1_ge_is_infinity(&ge[i1])); 1136 CHECK(secp256k1_gej_is_infinity(&gej[i1])); 1137 ge_equals_gej(&ref, &gej[i2]); 1138 } 1139 if (i2 == 0) { 1140 CHECK(secp256k1_ge_is_infinity(&ge[i2])); 1141 CHECK(secp256k1_gej_is_infinity(&gej[i2])); 1142 ge_equals_gej(&ref, &gej[i1]); 1143 } 1144 } 1145 } 1146 1147 /* Test adding all points together in random order equals infinity. */ 1148 { 1149 secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY; 1150 secp256k1_gej *gej_shuffled = (secp256k1_gej *)malloc((4 * runs + 1) * sizeof(secp256k1_gej)); 1151 for (i = 0; i < 4 * runs + 1; i++) { 1152 gej_shuffled[i] = gej[i]; 1153 } 1154 for (i = 0; i < 4 * runs + 1; i++) { 1155 int swap = i + secp256k1_rand32() % (4 * runs + 1 - i); 1156 if (swap != i) { 1157 secp256k1_gej t = gej_shuffled[i]; 1158 gej_shuffled[i] = gej_shuffled[swap]; 1159 gej_shuffled[swap] = t; 1160 } 1161 } 1162 for (i = 0; i < 4 * runs + 1; i++) { 1163 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL); 1164 } 1165 CHECK(secp256k1_gej_is_infinity(&sum)); 1166 free(gej_shuffled); 1167 } 1168 1169 /* Test batch gej -> ge conversion with and without known z ratios. */ 1170 { 1171 secp256k1_fe *zr = (secp256k1_fe *)malloc((4 * runs + 1) * sizeof(secp256k1_fe)); 1172 secp256k1_ge *ge_set_table = (secp256k1_ge *)malloc((4 * runs + 1) * sizeof(secp256k1_ge)); 1173 secp256k1_ge *ge_set_all = (secp256k1_ge *)malloc((4 * runs + 1) * sizeof(secp256k1_ge)); 1174 for (i = 0; i < 4 * runs + 1; i++) { 1175 /* Compute gej[i + 1].z / gez[i].z (with gej[n].z taken to be 1). */ 1176 if (i < 4 * runs) { 1177 secp256k1_fe_mul(&zr[i + 1], &zinv[i], &gej[i + 1].z); 1178 } 1179 } 1180 secp256k1_ge_set_table_gej_var(4 * runs + 1, ge_set_table, gej, zr); 1181 secp256k1_ge_set_all_gej_var(4 * runs + 1, ge_set_all, gej, &ctx->error_callback); 1182 for (i = 0; i < 4 * runs + 1; i++) { 1183 secp256k1_fe s; 1184 random_fe_non_zero(&s); 1185 secp256k1_gej_rescale(&gej[i], &s); 1186 ge_equals_gej(&ge_set_table[i], &gej[i]); 1187 ge_equals_gej(&ge_set_all[i], &gej[i]); 1188 } 1189 free(ge_set_table); 1190 free(ge_set_all); 1191 free(zr); 1192 } 1193 1194 free(ge); 1195 free(gej); 1196 free(zinv); 1197 } 1198 1199 void test_add_neg_y_diff_x(void) { 1200 /* The point of this test is to check that we can add two points 1201 * whose y-coordinates are negatives of each other but whose x 1202 * coordinates differ. If the x-coordinates were the same, these 1203 * points would be negatives of each other and their sum is 1204 * infinity. This is cool because it "covers up" any degeneracy 1205 * in the addition algorithm that would cause the xy coordinates 1206 * of the sum to be wrong (since infinity has no xy coordinates). 1207 * HOWEVER, if the x-coordinates are different, infinity is the 1208 * wrong answer, and such degeneracies are exposed. This is the 1209 * root of https://github.com/bitcoin/secp256k1/issues/257 which 1210 * this test is a regression test for. 1211 * 1212 * These points were generated in sage as 1213 * # secp256k1 params 1214 * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F) 1215 * C = EllipticCurve ([F (0), F (7)]) 1216 * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798) 1217 * N = FiniteField(G.order()) 1218 * 1219 * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F) 1220 * x = polygen(N) 1221 * lam = (1 - x^3).roots()[1][0] 1222 * 1223 * # random "bad pair" 1224 * P = C.random_element() 1225 * Q = -int(lam) * P 1226 * print " P: %x %x" % P.xy() 1227 * print " Q: %x %x" % Q.xy() 1228 * print "P + Q: %x %x" % (P + Q).xy() 1229 */ 1230 secp256k1_gej aj = SECP256K1_GEJ_CONST( 1231 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30, 1232 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb, 1233 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8, 1234 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d 1235 ); 1236 secp256k1_gej bj = SECP256K1_GEJ_CONST( 1237 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86, 1238 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7, 1239 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57, 1240 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2 1241 ); 1242 secp256k1_gej sumj = SECP256K1_GEJ_CONST( 1243 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027, 1244 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a, 1245 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08, 1246 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe 1247 ); 1248 secp256k1_ge b; 1249 secp256k1_gej resj; 1250 secp256k1_ge res; 1251 secp256k1_ge_set_gej(&b, &bj); 1252 1253 secp256k1_gej_add_var(&resj, &aj, &bj, NULL); 1254 secp256k1_ge_set_gej(&res, &resj); 1255 ge_equals_gej(&res, &sumj); 1256 1257 secp256k1_gej_add_ge(&resj, &aj, &b); 1258 secp256k1_ge_set_gej(&res, &resj); 1259 ge_equals_gej(&res, &sumj); 1260 1261 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL); 1262 secp256k1_ge_set_gej(&res, &resj); 1263 ge_equals_gej(&res, &sumj); 1264 } 1265 1266 void run_ge(void) { 1267 int i; 1268 for (i = 0; i < count * 32; i++) { 1269 test_ge(); 1270 } 1271 test_add_neg_y_diff_x(); 1272 } 1273 1274 void test_ec_combine(void) { 1275 secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); 1276 secp256k1_pubkey data[6]; 1277 const secp256k1_pubkey* d[6]; 1278 secp256k1_pubkey sd; 1279 secp256k1_pubkey sd2; 1280 secp256k1_gej Qj; 1281 secp256k1_ge Q; 1282 int i; 1283 for (i = 1; i <= 6; i++) { 1284 secp256k1_scalar s; 1285 random_scalar_order_test(&s); 1286 secp256k1_scalar_add(&sum, &sum, &s); 1287 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s); 1288 secp256k1_ge_set_gej(&Q, &Qj); 1289 secp256k1_pubkey_save(&data[i - 1], &Q); 1290 d[i - 1] = &data[i - 1]; 1291 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum); 1292 secp256k1_ge_set_gej(&Q, &Qj); 1293 secp256k1_pubkey_save(&sd, &Q); 1294 CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1); 1295 CHECK(memcmp(&sd, &sd2, sizeof(sd)) == 0); 1296 } 1297 } 1298 1299 void run_ec_combine(void) { 1300 int i; 1301 for (i = 0; i < count * 8; i++) { 1302 test_ec_combine(); 1303 } 1304 } 1305 1306 /***** ECMULT TESTS *****/ 1307 1308 void run_ecmult_chain(void) { 1309 /* random starting point A (on the curve) */ 1310 secp256k1_gej a = SECP256K1_GEJ_CONST( 1311 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3, 1312 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004, 1313 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f, 1314 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f 1315 ); 1316 /* two random initial factors xn and gn */ 1317 secp256k1_scalar xn = SECP256K1_SCALAR_CONST( 1318 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c, 1319 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407 1320 ); 1321 secp256k1_scalar gn = SECP256K1_SCALAR_CONST( 1322 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9, 1323 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de 1324 ); 1325 /* two small multipliers to be applied to xn and gn in every iteration: */ 1326 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337); 1327 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113); 1328 /* accumulators with the resulting coefficients to A and G */ 1329 secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1); 1330 secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); 1331 /* actual points */ 1332 secp256k1_gej x; 1333 secp256k1_gej x2; 1334 int i; 1335 1336 /* the point being computed */ 1337 x = a; 1338 for (i = 0; i < 200*count; i++) { 1339 /* in each iteration, compute X = xn*X + gn*G; */ 1340 secp256k1_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn); 1341 /* also compute ae and ge: the actual accumulated factors for A and G */ 1342 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */ 1343 secp256k1_scalar_mul(&ae, &ae, &xn); 1344 secp256k1_scalar_mul(&ge, &ge, &xn); 1345 secp256k1_scalar_add(&ge, &ge, &gn); 1346 /* modify xn and gn */ 1347 secp256k1_scalar_mul(&xn, &xn, &xf); 1348 secp256k1_scalar_mul(&gn, &gn, &gf); 1349 1350 /* verify */ 1351 if (i == 19999) { 1352 /* expected result after 19999 iterations */ 1353 secp256k1_gej rp = SECP256K1_GEJ_CONST( 1354 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE, 1355 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830, 1356 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D, 1357 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88 1358 ); 1359 1360 secp256k1_gej_neg(&rp, &rp); 1361 secp256k1_gej_add_var(&rp, &rp, &x, NULL); 1362 CHECK(secp256k1_gej_is_infinity(&rp)); 1363 } 1364 } 1365 /* redo the computation, but directly with the resulting ae and ge coefficients: */ 1366 secp256k1_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge); 1367 secp256k1_gej_neg(&x2, &x2); 1368 secp256k1_gej_add_var(&x2, &x2, &x, NULL); 1369 CHECK(secp256k1_gej_is_infinity(&x2)); 1370 } 1371 1372 void test_point_times_order(const secp256k1_gej *point) { 1373 /* X * (point + G) + (order-X) * (pointer + G) = 0 */ 1374 secp256k1_scalar x; 1375 secp256k1_scalar nx; 1376 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); 1377 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1); 1378 secp256k1_gej res1, res2; 1379 secp256k1_ge res3; 1380 unsigned char pub[65]; 1381 size_t psize = 65; 1382 random_scalar_order_test(&x); 1383 secp256k1_scalar_negate(&nx, &x); 1384 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */ 1385 secp256k1_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */ 1386 secp256k1_gej_add_var(&res1, &res1, &res2, NULL); 1387 CHECK(secp256k1_gej_is_infinity(&res1)); 1388 CHECK(secp256k1_gej_is_valid_var(&res1) == 0); 1389 secp256k1_ge_set_gej(&res3, &res1); 1390 CHECK(secp256k1_ge_is_infinity(&res3)); 1391 CHECK(secp256k1_ge_is_valid_var(&res3) == 0); 1392 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0); 1393 psize = 65; 1394 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0); 1395 /* check zero/one edge cases */ 1396 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero); 1397 secp256k1_ge_set_gej(&res3, &res1); 1398 CHECK(secp256k1_ge_is_infinity(&res3)); 1399 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero); 1400 secp256k1_ge_set_gej(&res3, &res1); 1401 ge_equals_gej(&res3, point); 1402 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one); 1403 secp256k1_ge_set_gej(&res3, &res1); 1404 ge_equals_ge(&res3, &secp256k1_ge_const_g); 1405 } 1406 1407 void run_point_times_order(void) { 1408 int i; 1409 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2); 1410 static const secp256k1_fe xr = SECP256K1_FE_CONST( 1411 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C, 1412 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45 1413 ); 1414 for (i = 0; i < 500; i++) { 1415 secp256k1_ge p; 1416 if (secp256k1_ge_set_xo_var(&p, &x, 1)) { 1417 secp256k1_gej j; 1418 CHECK(secp256k1_ge_is_valid_var(&p)); 1419 secp256k1_gej_set_ge(&j, &p); 1420 CHECK(secp256k1_gej_is_valid_var(&j)); 1421 test_point_times_order(&j); 1422 } 1423 secp256k1_fe_sqr(&x, &x); 1424 } 1425 secp256k1_fe_normalize_var(&x); 1426 CHECK(secp256k1_fe_equal_var(&x, &xr)); 1427 } 1428 1429 void ecmult_const_random_mult(void) { 1430 /* random starting point A (on the curve) */ 1431 secp256k1_ge a = SECP256K1_GE_CONST( 1432 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b, 1433 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a, 1434 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c, 1435 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d 1436 ); 1437 /* random initial factor xn */ 1438 secp256k1_scalar xn = SECP256K1_SCALAR_CONST( 1439 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327, 1440 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b 1441 ); 1442 /* expected xn * A (from sage) */ 1443 secp256k1_ge expected_b = SECP256K1_GE_CONST( 1444 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd, 1445 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786, 1446 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f, 1447 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956 1448 ); 1449 secp256k1_gej b; 1450 secp256k1_ecmult_const(&b, &a, &xn); 1451 1452 CHECK(secp256k1_ge_is_valid_var(&a)); 1453 ge_equals_gej(&expected_b, &b); 1454 } 1455 1456 void ecmult_const_commutativity(void) { 1457 secp256k1_scalar a; 1458 secp256k1_scalar b; 1459 secp256k1_gej res1; 1460 secp256k1_gej res2; 1461 secp256k1_ge mid1; 1462 secp256k1_ge mid2; 1463 random_scalar_order_test(&a); 1464 random_scalar_order_test(&b); 1465 1466 secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a); 1467 secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b); 1468 secp256k1_ge_set_gej(&mid1, &res1); 1469 secp256k1_ge_set_gej(&mid2, &res2); 1470 secp256k1_ecmult_const(&res1, &mid1, &b); 1471 secp256k1_ecmult_const(&res2, &mid2, &a); 1472 secp256k1_ge_set_gej(&mid1, &res1); 1473 secp256k1_ge_set_gej(&mid2, &res2); 1474 ge_equals_ge(&mid1, &mid2); 1475 } 1476 1477 void ecmult_const_mult_zero_one(void) { 1478 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); 1479 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1); 1480 secp256k1_scalar negone; 1481 secp256k1_gej res1; 1482 secp256k1_ge res2; 1483 secp256k1_ge point; 1484 secp256k1_scalar_negate(&negone, &one); 1485 1486 random_group_element_test(&point); 1487 secp256k1_ecmult_const(&res1, &point, &zero); 1488 secp256k1_ge_set_gej(&res2, &res1); 1489 CHECK(secp256k1_ge_is_infinity(&res2)); 1490 secp256k1_ecmult_const(&res1, &point, &one); 1491 secp256k1_ge_set_gej(&res2, &res1); 1492 ge_equals_ge(&res2, &point); 1493 secp256k1_ecmult_const(&res1, &point, &negone); 1494 secp256k1_gej_neg(&res1, &res1); 1495 secp256k1_ge_set_gej(&res2, &res1); 1496 ge_equals_ge(&res2, &point); 1497 } 1498 1499 void ecmult_const_chain_multiply(void) { 1500 /* Check known result (randomly generated test problem from sage) */ 1501 const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST( 1502 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d, 1503 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b 1504 ); 1505 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST( 1506 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd, 1507 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f, 1508 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196, 1509 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435 1510 ); 1511 secp256k1_gej point; 1512 secp256k1_ge res; 1513 int i; 1514 1515 secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g); 1516 for (i = 0; i < 100; ++i) { 1517 secp256k1_ge tmp; 1518 secp256k1_ge_set_gej(&tmp, &point); 1519 secp256k1_ecmult_const(&point, &tmp, &scalar); 1520 } 1521 secp256k1_ge_set_gej(&res, &point); 1522 ge_equals_gej(&res, &expected_point); 1523 } 1524 1525 void run_ecmult_const_tests(void) { 1526 ecmult_const_mult_zero_one(); 1527 ecmult_const_random_mult(); 1528 ecmult_const_commutativity(); 1529 ecmult_const_chain_multiply(); 1530 } 1531 1532 void test_wnaf(const secp256k1_scalar *number, int w) { 1533 secp256k1_scalar x, two, t; 1534 int wnaf[256]; 1535 int zeroes = -1; 1536 int i; 1537 int bits; 1538 secp256k1_scalar_set_int(&x, 0); 1539 secp256k1_scalar_set_int(&two, 2); 1540 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w); 1541 CHECK(bits <= 256); 1542 for (i = bits-1; i >= 0; i--) { 1543 int v = wnaf[i]; 1544 secp256k1_scalar_mul(&x, &x, &two); 1545 if (v) { 1546 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */ 1547 zeroes=0; 1548 CHECK((v & 1) == 1); /* check non-zero elements are odd */ 1549 CHECK(v <= (1 << (w-1)) - 1); /* check range below */ 1550 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */ 1551 } else { 1552 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */ 1553 zeroes++; 1554 } 1555 if (v >= 0) { 1556 secp256k1_scalar_set_int(&t, v); 1557 } else { 1558 secp256k1_scalar_set_int(&t, -v); 1559 secp256k1_scalar_negate(&t, &t); 1560 } 1561 secp256k1_scalar_add(&x, &x, &t); 1562 } 1563 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */ 1564 } 1565 1566 void test_constant_wnaf_negate(const secp256k1_scalar *number) { 1567 secp256k1_scalar neg1 = *number; 1568 secp256k1_scalar neg2 = *number; 1569 int sign1 = 1; 1570 int sign2 = 1; 1571 1572 if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) { 1573 secp256k1_scalar_negate(&neg1, &neg1); 1574 sign1 = -1; 1575 } 1576 sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2)); 1577 CHECK(sign1 == sign2); 1578 CHECK(secp256k1_scalar_eq(&neg1, &neg2)); 1579 } 1580 1581 void test_constant_wnaf(const secp256k1_scalar *number, int w) { 1582 secp256k1_scalar x, shift; 1583 int wnaf[256] = {0}; 1584 int i; 1585 #ifdef USE_ENDOMORPHISM 1586 int skew; 1587 #endif 1588 secp256k1_scalar num = *number; 1589 1590 secp256k1_scalar_set_int(&x, 0); 1591 secp256k1_scalar_set_int(&shift, 1 << w); 1592 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */ 1593 #ifdef USE_ENDOMORPHISM 1594 for (i = 0; i < 16; ++i) { 1595 secp256k1_scalar_shr_int(&num, 8); 1596 } 1597 skew = secp256k1_wnaf_const(wnaf, num, w); 1598 #else 1599 secp256k1_wnaf_const(wnaf, num, w); 1600 #endif 1601 1602 for (i = WNAF_SIZE(w); i >= 0; --i) { 1603 secp256k1_scalar t; 1604 int v = wnaf[i]; 1605 CHECK(v != 0); /* check nonzero */ 1606 CHECK(v & 1); /* check parity */ 1607 CHECK(v > -(1 << w)); /* check range above */ 1608 CHECK(v < (1 << w)); /* check range below */ 1609 1610 secp256k1_scalar_mul(&x, &x, &shift); 1611 if (v >= 0) { 1612 secp256k1_scalar_set_int(&t, v); 1613 } else { 1614 secp256k1_scalar_set_int(&t, -v); 1615 secp256k1_scalar_negate(&t, &t); 1616 } 1617 secp256k1_scalar_add(&x, &x, &t); 1618 } 1619 #ifdef USE_ENDOMORPHISM 1620 /* Skew num because when encoding 128-bit numbers as odd we use an offset */ 1621 secp256k1_scalar_cadd_bit(&num, skew == 2, 1); 1622 #endif 1623 CHECK(secp256k1_scalar_eq(&x, &num)); 1624 } 1625 1626 void run_wnaf(void) { 1627 int i; 1628 secp256k1_scalar n = {{0}}; 1629 1630 /* Sanity check: 1 and 2 are the smallest odd and even numbers and should 1631 * have easier-to-diagnose failure modes */ 1632 n.d[0] = 1; 1633 test_constant_wnaf(&n, 4); 1634 n.d[0] = 2; 1635 test_constant_wnaf(&n, 4); 1636 /* Random tests */ 1637 for (i = 0; i < count; i++) { 1638 random_scalar_order(&n); 1639 test_wnaf(&n, 4+(i%10)); 1640 test_constant_wnaf_negate(&n); 1641 test_constant_wnaf(&n, 4 + (i % 10)); 1642 } 1643 } 1644 1645 void test_ecmult_constants(void) { 1646 /* Test ecmult_gen() for [0..36) and [order-36..0). */ 1647 secp256k1_scalar x; 1648 secp256k1_gej r; 1649 secp256k1_ge ng; 1650 int i; 1651 int j; 1652 secp256k1_ge_neg(&ng, &secp256k1_ge_const_g); 1653 for (i = 0; i < 36; i++ ) { 1654 secp256k1_scalar_set_int(&x, i); 1655 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x); 1656 for (j = 0; j < i; j++) { 1657 if (j == i - 1) { 1658 ge_equals_gej(&secp256k1_ge_const_g, &r); 1659 } 1660 secp256k1_gej_add_ge(&r, &r, &ng); 1661 } 1662 CHECK(secp256k1_gej_is_infinity(&r)); 1663 } 1664 for (i = 1; i <= 36; i++ ) { 1665 secp256k1_scalar_set_int(&x, i); 1666 secp256k1_scalar_negate(&x, &x); 1667 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x); 1668 for (j = 0; j < i; j++) { 1669 if (j == i - 1) { 1670 ge_equals_gej(&ng, &r); 1671 } 1672 secp256k1_gej_add_ge(&r, &r, &secp256k1_ge_const_g); 1673 } 1674 CHECK(secp256k1_gej_is_infinity(&r)); 1675 } 1676 } 1677 1678 void run_ecmult_constants(void) { 1679 test_ecmult_constants(); 1680 } 1681 1682 void test_ecmult_gen_blind(void) { 1683 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affline points match, and the z's don't match. */ 1684 secp256k1_scalar key; 1685 secp256k1_scalar b; 1686 unsigned char seed32[32]; 1687 secp256k1_gej pgej; 1688 secp256k1_gej pgej2; 1689 secp256k1_gej i; 1690 secp256k1_ge pge; 1691 random_scalar_order_test(&key); 1692 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key); 1693 secp256k1_rand256(seed32); 1694 b = ctx->ecmult_gen_ctx.blind; 1695 i = ctx->ecmult_gen_ctx.initial; 1696 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32); 1697 CHECK(!secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind)); 1698 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key); 1699 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2)); 1700 CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial)); 1701 secp256k1_ge_set_gej(&pge, &pgej); 1702 ge_equals_gej(&pge, &pgej2); 1703 } 1704 1705 void test_ecmult_gen_blind_reset(void) { 1706 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */ 1707 secp256k1_scalar b; 1708 secp256k1_gej initial; 1709 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0); 1710 b = ctx->ecmult_gen_ctx.blind; 1711 initial = ctx->ecmult_gen_ctx.initial; 1712 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0); 1713 CHECK(secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind)); 1714 CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial)); 1715 } 1716 1717 void run_ecmult_gen_blind(void) { 1718 int i; 1719 test_ecmult_gen_blind_reset(); 1720 for (i = 0; i < 10; i++) { 1721 test_ecmult_gen_blind(); 1722 } 1723 } 1724 1725 #ifdef USE_ENDOMORPHISM 1726 /***** ENDOMORPHISH TESTS *****/ 1727 void test_scalar_split(void) { 1728 secp256k1_scalar full; 1729 secp256k1_scalar s1, slam; 1730 const unsigned char zero[32] = {0}; 1731 unsigned char tmp[32]; 1732 1733 random_scalar_order_test(&full); 1734 secp256k1_scalar_split_lambda(&s1, &slam, &full); 1735 1736 /* check that both are <= 128 bits in size */ 1737 if (secp256k1_scalar_is_high(&s1)) { 1738 secp256k1_scalar_negate(&s1, &s1); 1739 } 1740 if (secp256k1_scalar_is_high(&slam)) { 1741 secp256k1_scalar_negate(&slam, &slam); 1742 } 1743 1744 secp256k1_scalar_get_b32(tmp, &s1); 1745 CHECK(memcmp(zero, tmp, 16) == 0); 1746 secp256k1_scalar_get_b32(tmp, &slam); 1747 CHECK(memcmp(zero, tmp, 16) == 0); 1748 } 1749 1750 void run_endomorphism_tests(void) { 1751 test_scalar_split(); 1752 } 1753 #endif 1754 1755 void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) { 1756 secp256k1_scalar nonce; 1757 do { 1758 random_scalar_order_test(&nonce); 1759 } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid)); 1760 } 1761 1762 void test_ecdsa_sign_verify(void) { 1763 secp256k1_gej pubj; 1764 secp256k1_ge pub; 1765 secp256k1_scalar one; 1766 secp256k1_scalar msg, key; 1767 secp256k1_scalar sigr, sigs; 1768 int recid; 1769 int getrec; 1770 random_scalar_order_test(&msg); 1771 random_scalar_order_test(&key); 1772 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key); 1773 secp256k1_ge_set_gej(&pub, &pubj); 1774 getrec = secp256k1_rand32()&1; 1775 random_sign(&sigr, &sigs, &key, &msg, getrec?&recid:NULL); 1776 if (getrec) { 1777 CHECK(recid >= 0 && recid < 4); 1778 } 1779 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg)); 1780 secp256k1_scalar_set_int(&one, 1); 1781 secp256k1_scalar_add(&msg, &msg, &one); 1782 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg)); 1783 } 1784 1785 void run_ecdsa_sign_verify(void) { 1786 int i; 1787 for (i = 0; i < 10*count; i++) { 1788 test_ecdsa_sign_verify(); 1789 } 1790 } 1791 1792 /** Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted. Use only for testing. */ 1793 static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) { 1794 (void)msg32; 1795 (void)key32; 1796 (void)algo16; 1797 memcpy(nonce32, data, 32); 1798 return (counter == 0); 1799 } 1800 1801 static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) { 1802 /* Dummy nonce generator that has a fatal error on the first counter value. */ 1803 if (counter == 0) { 1804 return 0; 1805 } 1806 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1); 1807 } 1808 1809 static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) { 1810 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */ 1811 if (counter < 3) { 1812 memset(nonce32, counter==0 ? 0 : 255, 32); 1813 if (counter == 2) { 1814 nonce32[31]--; 1815 } 1816 return 1; 1817 } 1818 if (counter < 5) { 1819 static const unsigned char order[] = { 1820 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 1821 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE, 1822 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B, 1823 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41 1824 }; 1825 memcpy(nonce32, order, 32); 1826 if (counter == 4) { 1827 nonce32[31]++; 1828 } 1829 return 1; 1830 } 1831 /* Retry rate of 6979 is negligible esp. as we only call this in determinstic tests. */ 1832 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */ 1833 if (counter > 5) { 1834 return 0; 1835 } 1836 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5); 1837 } 1838 1839 int is_empty_signature(const secp256k1_ecdsa_signature *sig) { 1840 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0}; 1841 return memcmp(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0; 1842 } 1843 1844 void test_ecdsa_end_to_end(void) { 1845 unsigned char extra[32] = {0x00}; 1846 unsigned char privkey[32]; 1847 unsigned char message[32]; 1848 unsigned char privkey2[32]; 1849 secp256k1_ecdsa_signature signature[5]; 1850 unsigned char sig[74]; 1851 size_t siglen = 74; 1852 unsigned char pubkeyc[65]; 1853 size_t pubkeyclen = 65; 1854 secp256k1_pubkey pubkey; 1855 unsigned char seckey[300]; 1856 size_t seckeylen = 300; 1857 1858 /* Generate a random key and message. */ 1859 { 1860 secp256k1_scalar msg, key; 1861 random_scalar_order_test(&msg); 1862 random_scalar_order_test(&key); 1863 secp256k1_scalar_get_b32(privkey, &key); 1864 secp256k1_scalar_get_b32(message, &msg); 1865 } 1866 1867 /* Construct and verify corresponding public key. */ 1868 CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1); 1869 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1); 1870 1871 /* Verify exporting and importing public key. */ 1872 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, secp256k1_rand32() % 2) == 1); 1873 memset(&pubkey, 0, sizeof(pubkey)); 1874 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1); 1875 1876 /* Verify private key import and export. */ 1877 CHECK(secp256k1_ec_privkey_export(ctx, seckey, &seckeylen, privkey, (secp256k1_rand32() % 2) == 1) ? SECP256K1_EC_COMPRESSED : 0); 1878 CHECK(secp256k1_ec_privkey_import(ctx, privkey2, seckey, seckeylen) == 1); 1879 CHECK(memcmp(privkey, privkey2, 32) == 0); 1880 1881 /* Optionally tweak the keys using addition. */ 1882 if (secp256k1_rand32() % 3 == 0) { 1883 int ret1; 1884 int ret2; 1885 unsigned char rnd[32]; 1886 secp256k1_pubkey pubkey2; 1887 secp256k1_rand256_test(rnd); 1888 ret1 = secp256k1_ec_privkey_tweak_add(ctx, privkey, rnd); 1889 ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd); 1890 CHECK(ret1 == ret2); 1891 if (ret1 == 0) { 1892 return; 1893 } 1894 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1); 1895 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0); 1896 } 1897 1898 /* Optionally tweak the keys using multiplication. */ 1899 if (secp256k1_rand32() % 3 == 0) { 1900 int ret1; 1901 int ret2; 1902 unsigned char rnd[32]; 1903 secp256k1_pubkey pubkey2; 1904 secp256k1_rand256_test(rnd); 1905 ret1 = secp256k1_ec_privkey_tweak_mul(ctx, privkey, rnd); 1906 ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd); 1907 CHECK(ret1 == ret2); 1908 if (ret1 == 0) { 1909 return; 1910 } 1911 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1); 1912 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0); 1913 } 1914 1915 /* Sign. */ 1916 CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1); 1917 CHECK(secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1); 1918 CHECK(secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1); 1919 extra[31] = 1; 1920 CHECK(secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1); 1921 extra[31] = 0; 1922 extra[0] = 1; 1923 CHECK(secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1); 1924 CHECK(memcmp(&signature[0], &signature[4], sizeof(signature[0])) == 0); 1925 CHECK(memcmp(&signature[0], &signature[1], sizeof(signature[0])) != 0); 1926 CHECK(memcmp(&signature[0], &signature[2], sizeof(signature[0])) != 0); 1927 CHECK(memcmp(&signature[0], &signature[3], sizeof(signature[0])) != 0); 1928 CHECK(memcmp(&signature[1], &signature[2], sizeof(signature[0])) != 0); 1929 CHECK(memcmp(&signature[1], &signature[3], sizeof(signature[0])) != 0); 1930 CHECK(memcmp(&signature[2], &signature[3], sizeof(signature[0])) != 0); 1931 /* Verify. */ 1932 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1); 1933 CHECK(secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1); 1934 CHECK(secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1); 1935 CHECK(secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1); 1936 1937 /* Serialize/parse DER and verify again */ 1938 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1); 1939 memset(&signature[0], 0, sizeof(signature[0])); 1940 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1); 1941 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1); 1942 /* Serialize/destroy/parse DER and verify again. */ 1943 siglen = 74; 1944 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1); 1945 sig[secp256k1_rand32() % siglen] += 1 + (secp256k1_rand32() % 255); 1946 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 || 1947 secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0); 1948 } 1949 1950 void test_random_pubkeys(void) { 1951 secp256k1_ge elem; 1952 secp256k1_ge elem2; 1953 unsigned char in[65]; 1954 /* Generate some randomly sized pubkeys. */ 1955 uint32_t r = secp256k1_rand32(); 1956 size_t len = (r & 3) == 0 ? 65 : 33; 1957 r>>=2; 1958 if ((r & 3) == 0) { 1959 len = (r & 252) >> 3; 1960 } 1961 r>>=8; 1962 if (len == 65) { 1963 in[0] = (r & 2) ? 4 : ((r & 1)? 6 : 7); 1964 } else { 1965 in[0] = (r & 1) ? 2 : 3; 1966 } 1967 r>>=2; 1968 if ((r & 7) == 0) { 1969 in[0] = (r & 2040) >> 3; 1970 } 1971 r>>=11; 1972 if (len > 1) { 1973 secp256k1_rand256(&in[1]); 1974 } 1975 if (len > 33) { 1976 secp256k1_rand256(&in[33]); 1977 } 1978 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) { 1979 unsigned char out[65]; 1980 unsigned char firstb; 1981 int res; 1982 size_t size = len; 1983 firstb = in[0]; 1984 /* If the pubkey can be parsed, it should round-trip... */ 1985 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, (len == 33) ? SECP256K1_EC_COMPRESSED : 0)); 1986 CHECK(size == len); 1987 CHECK(memcmp(&in[1], &out[1], len-1) == 0); 1988 /* ... except for the type of hybrid inputs. */ 1989 if ((in[0] != 6) && (in[0] != 7)) { 1990 CHECK(in[0] == out[0]); 1991 } 1992 size = 65; 1993 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0)); 1994 CHECK(size == 65); 1995 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size)); 1996 ge_equals_ge(&elem,&elem2); 1997 /* Check that the X9.62 hybrid type is checked. */ 1998 in[0] = (r & 1) ? 6 : 7; 1999 res = secp256k1_eckey_pubkey_parse(&elem2, in, size); 2000 if (firstb == 2 || firstb == 3) { 2001 if (in[0] == firstb + 4) { 2002 CHECK(res); 2003 } else { 2004 CHECK(!res); 2005 } 2006 } 2007 if (res) { 2008 ge_equals_ge(&elem,&elem2); 2009 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0)); 2010 CHECK(memcmp(&in[1], &out[1], 64) == 0); 2011 } 2012 } 2013 } 2014 2015 void run_random_pubkeys(void) { 2016 int i; 2017 for (i = 0; i < 10*count; i++) { 2018 test_random_pubkeys(); 2019 } 2020 } 2021 2022 void run_ecdsa_end_to_end(void) { 2023 int i; 2024 for (i = 0; i < 64*count; i++) { 2025 test_ecdsa_end_to_end(); 2026 } 2027 } 2028 2029 /* Tests several edge cases. */ 2030 void test_ecdsa_edge_cases(void) { 2031 int t; 2032 secp256k1_ecdsa_signature sig; 2033 2034 /* Test the case where ECDSA recomputes a point that is infinity. */ 2035 { 2036 secp256k1_gej keyj; 2037 secp256k1_ge key; 2038 secp256k1_scalar msg; 2039 secp256k1_scalar sr, ss; 2040 secp256k1_scalar_set_int(&ss, 1); 2041 secp256k1_scalar_negate(&ss, &ss); 2042 secp256k1_scalar_inverse(&ss, &ss); 2043 secp256k1_scalar_set_int(&sr, 1); 2044 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr); 2045 secp256k1_ge_set_gej(&key, &keyj); 2046 msg = ss; 2047 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0); 2048 } 2049 2050 /*Signature where s would be zero.*/ 2051 { 2052 unsigned char signature[72]; 2053 size_t siglen; 2054 const unsigned char nonce[32] = { 2055 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2056 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2057 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2058 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 2059 }; 2060 static const unsigned char nonce2[32] = { 2061 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 2062 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE, 2063 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B, 2064 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40 2065 }; 2066 const unsigned char key[32] = { 2067 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2068 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2069 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2070 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 2071 }; 2072 unsigned char msg[32] = { 2073 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53, 2074 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7, 2075 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62, 2076 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9, 2077 }; 2078 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0); 2079 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0); 2080 msg[31] = 0xaa; 2081 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1); 2082 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1); 2083 siglen = 72; 2084 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1); 2085 siglen = 10; 2086 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0); 2087 } 2088 2089 /* Nonce function corner cases. */ 2090 for (t = 0; t < 2; t++) { 2091 static const unsigned char zero[32] = {0x00}; 2092 int i; 2093 unsigned char key[32]; 2094 unsigned char msg[32]; 2095 secp256k1_ecdsa_signature sig2; 2096 secp256k1_scalar sr[512], ss; 2097 const unsigned char *extra; 2098 extra = t == 0 ? NULL : zero; 2099 memset(msg, 0, 32); 2100 msg[31] = 1; 2101 /* High key results in signature failure. */ 2102 memset(key, 0xFF, 32); 2103 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0); 2104 CHECK(is_empty_signature(&sig)); 2105 /* Zero key results in signature failure. */ 2106 memset(key, 0, 32); 2107 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0); 2108 CHECK(is_empty_signature(&sig)); 2109 /* Nonce function failure results in signature failure. */ 2110 key[31] = 1; 2111 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0); 2112 CHECK(is_empty_signature(&sig)); 2113 /* The retry loop successfully makes its way to the first good value. */ 2114 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1); 2115 CHECK(!is_empty_signature(&sig)); 2116 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1); 2117 CHECK(!is_empty_signature(&sig2)); 2118 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0); 2119 /* The default nonce function is determinstic. */ 2120 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1); 2121 CHECK(!is_empty_signature(&sig2)); 2122 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0); 2123 /* The default nonce function changes output with different messages. */ 2124 for(i = 0; i < 256; i++) { 2125 int j; 2126 msg[0] = i; 2127 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1); 2128 CHECK(!is_empty_signature(&sig2)); 2129 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2); 2130 for (j = 0; j < i; j++) { 2131 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j])); 2132 } 2133 } 2134 msg[0] = 0; 2135 msg[31] = 2; 2136 /* The default nonce function changes output with different keys. */ 2137 for(i = 256; i < 512; i++) { 2138 int j; 2139 key[0] = i - 256; 2140 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1); 2141 CHECK(!is_empty_signature(&sig2)); 2142 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2); 2143 for (j = 0; j < i; j++) { 2144 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j])); 2145 } 2146 } 2147 key[0] = 0; 2148 } 2149 2150 /* Privkey export where pubkey is the point at infinity. */ 2151 { 2152 unsigned char privkey[300]; 2153 unsigned char seckey[32] = { 2154 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2155 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 2156 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b, 2157 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41, 2158 }; 2159 size_t outlen = 300; 2160 CHECK(!secp256k1_ec_privkey_export(ctx, privkey, &outlen, seckey, 0)); 2161 outlen = 300; 2162 CHECK(!secp256k1_ec_privkey_export(ctx, privkey, &outlen, seckey, SECP256K1_EC_COMPRESSED)); 2163 } 2164 } 2165 2166 void run_ecdsa_edge_cases(void) { 2167 test_ecdsa_edge_cases(); 2168 } 2169 2170 #ifdef ENABLE_OPENSSL_TESTS 2171 EC_KEY *get_openssl_key(const secp256k1_scalar *key) { 2172 unsigned char privkey[300]; 2173 size_t privkeylen; 2174 const unsigned char* pbegin = privkey; 2175 int compr = secp256k1_rand32() & 1; 2176 EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1); 2177 CHECK(secp256k1_eckey_privkey_serialize(&ctx->ecmult_gen_ctx, privkey, &privkeylen, key, compr ? SECP256K1_EC_COMPRESSED : 0)); 2178 CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen)); 2179 CHECK(EC_KEY_check_key(ec_key)); 2180 return ec_key; 2181 } 2182 2183 void test_ecdsa_openssl(void) { 2184 secp256k1_gej qj; 2185 secp256k1_ge q; 2186 secp256k1_scalar sigr, sigs; 2187 secp256k1_scalar one; 2188 secp256k1_scalar msg2; 2189 secp256k1_scalar key, msg; 2190 EC_KEY *ec_key; 2191 unsigned int sigsize = 80; 2192 size_t secp_sigsize = 80; 2193 unsigned char message[32]; 2194 unsigned char signature[80]; 2195 secp256k1_rand256_test(message); 2196 secp256k1_scalar_set_b32(&msg, message, NULL); 2197 random_scalar_order_test(&key); 2198 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &qj, &key); 2199 secp256k1_ge_set_gej(&q, &qj); 2200 ec_key = get_openssl_key(&key); 2201 CHECK(ec_key != NULL); 2202 CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key)); 2203 CHECK(secp256k1_ecdsa_sig_parse(&sigr, &sigs, signature, sigsize)); 2204 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg)); 2205 secp256k1_scalar_set_int(&one, 1); 2206 secp256k1_scalar_add(&msg2, &msg, &one); 2207 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg2)); 2208 2209 random_sign(&sigr, &sigs, &key, &msg, NULL); 2210 CHECK(secp256k1_ecdsa_sig_serialize(signature, &secp_sigsize, &sigr, &sigs)); 2211 CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1); 2212 2213 EC_KEY_free(ec_key); 2214 } 2215 2216 void run_ecdsa_openssl(void) { 2217 int i; 2218 for (i = 0; i < 10*count; i++) { 2219 test_ecdsa_openssl(); 2220 } 2221 } 2222 #endif 2223 2224 #ifdef ENABLE_MODULE_ECDH 2225 # include "modules/ecdh/tests_impl.h" 2226 #endif 2227 2228 #ifdef ENABLE_MODULE_SCHNORR 2229 # include "modules/schnorr/tests_impl.h" 2230 #endif 2231 2232 #ifdef ENABLE_MODULE_RECOVERY 2233 # include "modules/recovery/tests_impl.h" 2234 #endif 2235 2236 int main(int argc, char **argv) { 2237 unsigned char seed16[16] = {0}; 2238 unsigned char run32[32] = {0}; 2239 /* find iteration count */ 2240 if (argc > 1) { 2241 count = strtol(argv[1], NULL, 0); 2242 } 2243 2244 /* find random seed */ 2245 if (argc > 2) { 2246 int pos = 0; 2247 const char* ch = argv[2]; 2248 while (pos < 16 && ch[0] != 0 && ch[1] != 0) { 2249 unsigned short sh; 2250 if (sscanf(ch, "%2hx", &sh)) { 2251 seed16[pos] = sh; 2252 } else { 2253 break; 2254 } 2255 ch += 2; 2256 pos++; 2257 } 2258 } else { 2259 FILE *frand = fopen("/dev/urandom", "r"); 2260 if ((frand == NULL) || !fread(&seed16, sizeof(seed16), 1, frand)) { 2261 uint64_t t = time(NULL) * (uint64_t)1337; 2262 seed16[0] ^= t; 2263 seed16[1] ^= t >> 8; 2264 seed16[2] ^= t >> 16; 2265 seed16[3] ^= t >> 24; 2266 seed16[4] ^= t >> 32; 2267 seed16[5] ^= t >> 40; 2268 seed16[6] ^= t >> 48; 2269 seed16[7] ^= t >> 56; 2270 } 2271 fclose(frand); 2272 } 2273 secp256k1_rand_seed(seed16); 2274 2275 printf("test count = %i\n", count); 2276 printf("random seed = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", seed16[0], seed16[1], seed16[2], seed16[3], seed16[4], seed16[5], seed16[6], seed16[7], seed16[8], seed16[9], seed16[10], seed16[11], seed16[12], seed16[13], seed16[14], seed16[15]); 2277 2278 /* initialize */ 2279 run_context_tests(); 2280 ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); 2281 2282 if (secp256k1_rand32() & 1) { 2283 secp256k1_rand256(run32); 2284 CHECK(secp256k1_context_randomize(ctx, (secp256k1_rand32() & 1) ? run32 : NULL)); 2285 } 2286 2287 run_sha256_tests(); 2288 run_hmac_sha256_tests(); 2289 run_rfc6979_hmac_sha256_tests(); 2290 2291 #ifndef USE_NUM_NONE 2292 /* num tests */ 2293 run_num_smalltests(); 2294 #endif 2295 2296 /* scalar tests */ 2297 run_scalar_tests(); 2298 2299 /* field tests */ 2300 run_field_inv(); 2301 run_field_inv_var(); 2302 run_field_inv_all_var(); 2303 run_field_misc(); 2304 run_field_convert(); 2305 run_sqr(); 2306 run_sqrt(); 2307 2308 /* group tests */ 2309 run_ge(); 2310 2311 /* ecmult tests */ 2312 run_wnaf(); 2313 run_point_times_order(); 2314 run_ecmult_chain(); 2315 run_ecmult_constants(); 2316 run_ecmult_gen_blind(); 2317 run_ecmult_const_tests(); 2318 run_ec_combine(); 2319 2320 /* endomorphism tests */ 2321 #ifdef USE_ENDOMORPHISM 2322 run_endomorphism_tests(); 2323 #endif 2324 2325 #ifdef ENABLE_MODULE_ECDH 2326 /* ecdh tests */ 2327 run_ecdh_tests(); 2328 #endif 2329 2330 /* ecdsa tests */ 2331 run_random_pubkeys(); 2332 run_ecdsa_sign_verify(); 2333 run_ecdsa_end_to_end(); 2334 run_ecdsa_edge_cases(); 2335 #ifdef ENABLE_OPENSSL_TESTS 2336 run_ecdsa_openssl(); 2337 #endif 2338 2339 #ifdef ENABLE_MODULE_SCHNORR 2340 /* Schnorr tests */ 2341 run_schnorr_tests(); 2342 #endif 2343 2344 #ifdef ENABLE_MODULE_RECOVERY 2345 /* ECDSA pubkey recovery tests */ 2346 run_recovery_tests(); 2347 #endif 2348 2349 secp256k1_rand256(run32); 2350 printf("random run = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", run32[0], run32[1], run32[2], run32[3], run32[4], run32[5], run32[6], run32[7], run32[8], run32[9], run32[10], run32[11], run32[12], run32[13], run32[14], run32[15]); 2351 2352 /* shutdown */ 2353 secp256k1_context_destroy(ctx); 2354 2355 printf("no problems found\n"); 2356 return 0; 2357 }