github.com/luckypickle/go-ethereum-vet@v1.14.2/crypto/secp256k1/libsecp256k1/src/tests.c (about)

     1  /**********************************************************************
     2   * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell      *
     3   * Distributed under the MIT software license, see the accompanying   *
     4   * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
     5   **********************************************************************/
     6  
     7  #if defined HAVE_CONFIG_H
     8  #include "libsecp256k1-config.h"
     9  #endif
    10  
    11  #include <stdio.h>
    12  #include <stdlib.h>
    13  
    14  #include <time.h>
    15  
    16  #include "secp256k1.c"
    17  #include "include/secp256k1.h"
    18  #include "testrand_impl.h"
    19  
    20  #ifdef ENABLE_OPENSSL_TESTS
    21  #include "openssl/bn.h"
    22  #include "openssl/ec.h"
    23  #include "openssl/ecdsa.h"
    24  #include "openssl/obj_mac.h"
    25  #endif
    26  
    27  #include "contrib/lax_der_parsing.c"
    28  #include "contrib/lax_der_privatekey_parsing.c"
    29  
    30  #if !defined(VG_CHECK)
    31  # if defined(VALGRIND)
    32  #  include <valgrind/memcheck.h>
    33  #  define VG_UNDEF(x,y) VALGRIND_MAKE_MEM_UNDEFINED((x),(y))
    34  #  define VG_CHECK(x,y) VALGRIND_CHECK_MEM_IS_DEFINED((x),(y))
    35  # else
    36  #  define VG_UNDEF(x,y)
    37  #  define VG_CHECK(x,y)
    38  # endif
    39  #endif
    40  
    41  static int count = 64;
    42  static vet_secp256k1_context *ctx = NULL;
    43  
    44  static void counting_illegal_callback_fn(const char* str, void* data) {
    45      /* Dummy callback function that just counts. */
    46      int32_t *p;
    47      (void)str;
    48      p = data;
    49      (*p)++;
    50  }
    51  
    52  static void uncounting_illegal_callback_fn(const char* str, void* data) {
    53      /* Dummy callback function that just counts (backwards). */
    54      int32_t *p;
    55      (void)str;
    56      p = data;
    57      (*p)--;
    58  }
    59  
    60  void random_field_element_test(vet_secp256k1_fe *fe) {
    61      do {
    62          unsigned char b32[32];
    63          vet_secp256k1_rand256_test(b32);
    64          if (vet_secp256k1_fe_set_b32(fe, b32)) {
    65              break;
    66          }
    67      } while(1);
    68  }
    69  
    70  void random_field_element_magnitude(vet_secp256k1_fe *fe) {
    71      vet_secp256k1_fe zero;
    72      int n = vet_secp256k1_rand_int(9);
    73      vet_secp256k1_fe_normalize(fe);
    74      if (n == 0) {
    75          return;
    76      }
    77      vet_secp256k1_fe_clear(&zero);
    78      vet_secp256k1_fe_negate(&zero, &zero, 0);
    79      vet_secp256k1_fe_mul_int(&zero, n - 1);
    80      vet_secp256k1_fe_add(fe, &zero);
    81      VERIFY_CHECK(fe->magnitude == n);
    82  }
    83  
    84  void random_group_element_test(vet_secp256k1_ge *ge) {
    85      vet_secp256k1_fe fe;
    86      do {
    87          random_field_element_test(&fe);
    88          if (vet_secp256k1_ge_set_xo_var(ge, &fe, vet_secp256k1_rand_bits(1))) {
    89              vet_secp256k1_fe_normalize(&ge->y);
    90              break;
    91          }
    92      } while(1);
    93  }
    94  
    95  void random_group_element_jacobian_test(vet_secp256k1_gej *gej, const vet_secp256k1_ge *ge) {
    96      vet_secp256k1_fe z2, z3;
    97      do {
    98          random_field_element_test(&gej->z);
    99          if (!vet_secp256k1_fe_is_zero(&gej->z)) {
   100              break;
   101          }
   102      } while(1);
   103      vet_secp256k1_fe_sqr(&z2, &gej->z);
   104      vet_secp256k1_fe_mul(&z3, &z2, &gej->z);
   105      vet_secp256k1_fe_mul(&gej->x, &ge->x, &z2);
   106      vet_secp256k1_fe_mul(&gej->y, &ge->y, &z3);
   107      gej->infinity = ge->infinity;
   108  }
   109  
   110  void random_scalar_order_test(vet_secp256k1_scalar *num) {
   111      do {
   112          unsigned char b32[32];
   113          int overflow = 0;
   114          vet_secp256k1_rand256_test(b32);
   115          vet_secp256k1_scalar_set_b32(num, b32, &overflow);
   116          if (overflow || vet_secp256k1_scalar_is_zero(num)) {
   117              continue;
   118          }
   119          break;
   120      } while(1);
   121  }
   122  
   123  void random_scalar_order(vet_secp256k1_scalar *num) {
   124      do {
   125          unsigned char b32[32];
   126          int overflow = 0;
   127          vet_secp256k1_rand256(b32);
   128          vet_secp256k1_scalar_set_b32(num, b32, &overflow);
   129          if (overflow || vet_secp256k1_scalar_is_zero(num)) {
   130              continue;
   131          }
   132          break;
   133      } while(1);
   134  }
   135  
   136  void run_context_tests(void) {
   137      vet_secp256k1_pubkey pubkey;
   138      vet_secp256k1_ecdsa_signature sig;
   139      unsigned char ctmp[32];
   140      int32_t ecount;
   141      int32_t ecount2;
   142      vet_secp256k1_context *none = vet_secp256k1_context_create(SECP256K1_CONTEXT_NONE);
   143      vet_secp256k1_context *sign = vet_secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
   144      vet_secp256k1_context *vrfy = vet_secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
   145      vet_secp256k1_context *both = vet_secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
   146  
   147      vet_secp256k1_gej pubj;
   148      vet_secp256k1_ge pub;
   149      vet_secp256k1_scalar msg, key, nonce;
   150      vet_secp256k1_scalar sigr, sigs;
   151  
   152      ecount = 0;
   153      ecount2 = 10;
   154      vet_secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
   155      vet_secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2);
   156      vet_secp256k1_context_set_error_callback(sign, counting_illegal_callback_fn, NULL);
   157      CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
   158  
   159      /*** clone and destroy all of them to make sure cloning was complete ***/
   160      {
   161          vet_secp256k1_context *ctx_tmp;
   162  
   163          ctx_tmp = none; none = vet_secp256k1_context_clone(none); vet_secp256k1_context_destroy(ctx_tmp);
   164          ctx_tmp = sign; sign = vet_secp256k1_context_clone(sign); vet_secp256k1_context_destroy(ctx_tmp);
   165          ctx_tmp = vrfy; vrfy = vet_secp256k1_context_clone(vrfy); vet_secp256k1_context_destroy(ctx_tmp);
   166          ctx_tmp = both; both = vet_secp256k1_context_clone(both); vet_secp256k1_context_destroy(ctx_tmp);
   167      }
   168  
   169      /* Verify that the error callback makes it across the clone. */
   170      CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
   171      /* And that it resets back to default. */
   172      vet_secp256k1_context_set_error_callback(sign, NULL, NULL);
   173      CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
   174  
   175      /*** attempt to use them ***/
   176      random_scalar_order_test(&msg);
   177      random_scalar_order_test(&key);
   178      vet_secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
   179      vet_secp256k1_ge_set_gej(&pub, &pubj);
   180  
   181      /* Verify context-type checking illegal-argument errors. */
   182      memset(ctmp, 1, 32);
   183      CHECK(vet_secp256k1_ec_pubkey_create(vrfy, &pubkey, ctmp) == 0);
   184      CHECK(ecount == 1);
   185      VG_UNDEF(&pubkey, sizeof(pubkey));
   186      CHECK(vet_secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1);
   187      VG_CHECK(&pubkey, sizeof(pubkey));
   188      CHECK(vet_secp256k1_ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0);
   189      CHECK(ecount == 2);
   190      VG_UNDEF(&sig, sizeof(sig));
   191      CHECK(vet_secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
   192      VG_CHECK(&sig, sizeof(sig));
   193      CHECK(ecount2 == 10);
   194      CHECK(vet_secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0);
   195      CHECK(ecount2 == 11);
   196      CHECK(vet_secp256k1_ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1);
   197      CHECK(ecount == 2);
   198      CHECK(vet_secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0);
   199      CHECK(ecount2 == 12);
   200      CHECK(vet_secp256k1_ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1);
   201      CHECK(ecount == 2);
   202      CHECK(vet_secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0);
   203      CHECK(ecount2 == 13);
   204      CHECK(vet_secp256k1_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1);
   205      CHECK(ecount == 2);
   206      CHECK(vet_secp256k1_context_randomize(vrfy, ctmp) == 0);
   207      CHECK(ecount == 3);
   208      CHECK(vet_secp256k1_context_randomize(sign, NULL) == 1);
   209      CHECK(ecount2 == 13);
   210      vet_secp256k1_context_set_illegal_callback(vrfy, NULL, NULL);
   211      vet_secp256k1_context_set_illegal_callback(sign, NULL, NULL);
   212  
   213      /* This shouldn't leak memory, due to already-set tests. */
   214      vet_secp256k1_ecmult_gen_context_build(&sign->ecmult_gen_ctx, NULL);
   215      vet_secp256k1_ecmult_context_build(&vrfy->ecmult_ctx, NULL);
   216  
   217      /* obtain a working nonce */
   218      do {
   219          random_scalar_order_test(&nonce);
   220      } while(!vet_secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
   221  
   222      /* try signing */
   223      CHECK(vet_secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
   224      CHECK(vet_secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
   225  
   226      /* try verifying */
   227      CHECK(vet_secp256k1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg));
   228      CHECK(vet_secp256k1_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg));
   229  
   230      /* cleanup */
   231      vet_secp256k1_context_destroy(none);
   232      vet_secp256k1_context_destroy(sign);
   233      vet_secp256k1_context_destroy(vrfy);
   234      vet_secp256k1_context_destroy(both);
   235      /* Defined as no-op. */
   236      vet_secp256k1_context_destroy(NULL);
   237  }
   238  
   239  /***** HASH TESTS *****/
   240  
   241  void run_sha256_tests(void) {
   242      static const char *inputs[8] = {
   243          "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
   244          "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
   245          "For this sample, this 63-byte string will be used as input data",
   246          "This is exactly 64 bytes long, not counting the terminating byte"
   247      };
   248      static const unsigned char outputs[8][32] = {
   249          {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
   250          {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
   251          {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
   252          {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
   253          {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
   254          {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
   255          {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
   256          {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
   257      };
   258      int i;
   259      for (i = 0; i < 8; i++) {
   260          unsigned char out[32];
   261          vet_secp256k1_sha256_t hasher;
   262          vet_secp256k1_sha256_initialize(&hasher);
   263          vet_secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
   264          vet_secp256k1_sha256_finalize(&hasher, out);
   265          CHECK(memcmp(out, outputs[i], 32) == 0);
   266          if (strlen(inputs[i]) > 0) {
   267              int split = vet_secp256k1_rand_int(strlen(inputs[i]));
   268              vet_secp256k1_sha256_initialize(&hasher);
   269              vet_secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
   270              vet_secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
   271              vet_secp256k1_sha256_finalize(&hasher, out);
   272              CHECK(memcmp(out, outputs[i], 32) == 0);
   273          }
   274      }
   275  }
   276  
   277  void run_hmac_sha256_tests(void) {
   278      static const char *keys[6] = {
   279          "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
   280          "\x4a\x65\x66\x65",
   281          "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
   282          "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
   283          "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
   284          "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
   285      };
   286      static const char *inputs[6] = {
   287          "\x48\x69\x20\x54\x68\x65\x72\x65",
   288          "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
   289          "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
   290          "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
   291          "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
   292          "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
   293      };
   294      static const unsigned char outputs[6][32] = {
   295          {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
   296          {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
   297          {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
   298          {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
   299          {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
   300          {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
   301      };
   302      int i;
   303      for (i = 0; i < 6; i++) {
   304          vet_secp256k1_hmac_sha256_t hasher;
   305          unsigned char out[32];
   306          vet_secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
   307          vet_secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
   308          vet_secp256k1_hmac_sha256_finalize(&hasher, out);
   309          CHECK(memcmp(out, outputs[i], 32) == 0);
   310          if (strlen(inputs[i]) > 0) {
   311              int split = vet_secp256k1_rand_int(strlen(inputs[i]));
   312              vet_secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
   313              vet_secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
   314              vet_secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
   315              vet_secp256k1_hmac_sha256_finalize(&hasher, out);
   316              CHECK(memcmp(out, outputs[i], 32) == 0);
   317          }
   318      }
   319  }
   320  
   321  void run_rfc6979_hmac_sha256_tests(void) {
   322      static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
   323      static const unsigned char out1[3][32] = {
   324          {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
   325          {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
   326          {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
   327      };
   328  
   329      static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
   330      static const unsigned char out2[3][32] = {
   331          {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
   332          {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
   333          {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
   334      };
   335  
   336      vet_secp256k1_rfc6979_hmac_sha256_t rng;
   337      unsigned char out[32];
   338      int i;
   339  
   340      vet_secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
   341      for (i = 0; i < 3; i++) {
   342          vet_secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
   343          CHECK(memcmp(out, out1[i], 32) == 0);
   344      }
   345      vet_secp256k1_rfc6979_hmac_sha256_finalize(&rng);
   346  
   347      vet_secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
   348      for (i = 0; i < 3; i++) {
   349          vet_secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
   350          CHECK(memcmp(out, out1[i], 32) != 0);
   351      }
   352      vet_secp256k1_rfc6979_hmac_sha256_finalize(&rng);
   353  
   354      vet_secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
   355      for (i = 0; i < 3; i++) {
   356          vet_secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
   357          CHECK(memcmp(out, out2[i], 32) == 0);
   358      }
   359      vet_secp256k1_rfc6979_hmac_sha256_finalize(&rng);
   360  }
   361  
   362  /***** RANDOM TESTS *****/
   363  
   364  void test_rand_bits(int rand32, int bits) {
   365      /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
   366       * get a false negative chance below once in a billion */
   367      static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
   368      /* We try multiplying the results with various odd numbers, which shouldn't
   369       * influence the uniform distribution modulo a power of 2. */
   370      static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
   371      /* We only select up to 6 bits from the output to analyse */
   372      unsigned int usebits = bits > 6 ? 6 : bits;
   373      unsigned int maxshift = bits - usebits;
   374      /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
   375         number, track all observed outcomes, one per bit in a uint64_t. */
   376      uint64_t x[6][27] = {{0}};
   377      unsigned int i, shift, m;
   378      /* Multiply the output of all rand calls with the odd number m, which
   379         should not change the uniformity of its distribution. */
   380      for (i = 0; i < rounds[usebits]; i++) {
   381          uint32_t r = (rand32 ? vet_secp256k1_rand32() : vet_secp256k1_rand_bits(bits));
   382          CHECK((((uint64_t)r) >> bits) == 0);
   383          for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
   384              uint32_t rm = r * mults[m];
   385              for (shift = 0; shift <= maxshift; shift++) {
   386                  x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
   387              }
   388          }
   389      }
   390      for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
   391          for (shift = 0; shift <= maxshift; shift++) {
   392              /* Test that the lower usebits bits of x[shift] are 1 */
   393              CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
   394          }
   395      }
   396  }
   397  
   398  /* Subrange must be a whole divisor of range, and at most 64 */
   399  void test_rand_int(uint32_t range, uint32_t subrange) {
   400      /* (1-1/subrange)^rounds < 1/10^9 */
   401      int rounds = (subrange * 2073) / 100;
   402      int i;
   403      uint64_t x = 0;
   404      CHECK((range % subrange) == 0);
   405      for (i = 0; i < rounds; i++) {
   406          uint32_t r = vet_secp256k1_rand_int(range);
   407          CHECK(r < range);
   408          r = r % subrange;
   409          x |= (((uint64_t)1) << r);
   410      }
   411      /* Test that the lower subrange bits of x are 1. */
   412      CHECK(((~x) << (64 - subrange)) == 0);
   413  }
   414  
   415  void run_rand_bits(void) {
   416      size_t b;
   417      test_rand_bits(1, 32);
   418      for (b = 1; b <= 32; b++) {
   419          test_rand_bits(0, b);
   420      }
   421  }
   422  
   423  void run_rand_int(void) {
   424      static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
   425      static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
   426      unsigned int m, s;
   427      for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
   428          for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
   429              test_rand_int(ms[m] * ss[s], ss[s]);
   430          }
   431      }
   432  }
   433  
   434  /***** NUM TESTS *****/
   435  
   436  #ifndef USE_NUM_NONE
   437  void random_num_negate(vet_secp256k1_num *num) {
   438      if (vet_secp256k1_rand_bits(1)) {
   439          vet_secp256k1_num_negate(num);
   440      }
   441  }
   442  
   443  void random_num_order_test(vet_secp256k1_num *num) {
   444      vet_secp256k1_scalar sc;
   445      random_scalar_order_test(&sc);
   446      vet_secp256k1_scalar_get_num(num, &sc);
   447  }
   448  
   449  void random_num_order(vet_secp256k1_num *num) {
   450      vet_secp256k1_scalar sc;
   451      random_scalar_order(&sc);
   452      vet_secp256k1_scalar_get_num(num, &sc);
   453  }
   454  
   455  void test_num_negate(void) {
   456      vet_secp256k1_num n1;
   457      vet_secp256k1_num n2;
   458      random_num_order_test(&n1); /* n1 = R */
   459      random_num_negate(&n1);
   460      vet_secp256k1_num_copy(&n2, &n1); /* n2 = R */
   461      vet_secp256k1_num_sub(&n1, &n2, &n1); /* n1 = n2-n1 = 0 */
   462      CHECK(vet_secp256k1_num_is_zero(&n1));
   463      vet_secp256k1_num_copy(&n1, &n2); /* n1 = R */
   464      vet_secp256k1_num_negate(&n1); /* n1 = -R */
   465      CHECK(!vet_secp256k1_num_is_zero(&n1));
   466      vet_secp256k1_num_add(&n1, &n2, &n1); /* n1 = n2+n1 = 0 */
   467      CHECK(vet_secp256k1_num_is_zero(&n1));
   468      vet_secp256k1_num_copy(&n1, &n2); /* n1 = R */
   469      vet_secp256k1_num_negate(&n1); /* n1 = -R */
   470      CHECK(vet_secp256k1_num_is_neg(&n1) != vet_secp256k1_num_is_neg(&n2));
   471      vet_secp256k1_num_negate(&n1); /* n1 = R */
   472      CHECK(vet_secp256k1_num_eq(&n1, &n2));
   473  }
   474  
   475  void test_num_add_sub(void) {
   476      int i;
   477      vet_secp256k1_scalar s;
   478      vet_secp256k1_num n1;
   479      vet_secp256k1_num n2;
   480      vet_secp256k1_num n1p2, n2p1, n1m2, n2m1;
   481      random_num_order_test(&n1); /* n1 = R1 */
   482      if (vet_secp256k1_rand_bits(1)) {
   483          random_num_negate(&n1);
   484      }
   485      random_num_order_test(&n2); /* n2 = R2 */
   486      if (vet_secp256k1_rand_bits(1)) {
   487          random_num_negate(&n2);
   488      }
   489      vet_secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = R1 + R2 */
   490      vet_secp256k1_num_add(&n2p1, &n2, &n1); /* n2p1 = R2 + R1 */
   491      vet_secp256k1_num_sub(&n1m2, &n1, &n2); /* n1m2 = R1 - R2 */
   492      vet_secp256k1_num_sub(&n2m1, &n2, &n1); /* n2m1 = R2 - R1 */
   493      CHECK(vet_secp256k1_num_eq(&n1p2, &n2p1));
   494      CHECK(!vet_secp256k1_num_eq(&n1p2, &n1m2));
   495      vet_secp256k1_num_negate(&n2m1); /* n2m1 = -R2 + R1 */
   496      CHECK(vet_secp256k1_num_eq(&n2m1, &n1m2));
   497      CHECK(!vet_secp256k1_num_eq(&n2m1, &n1));
   498      vet_secp256k1_num_add(&n2m1, &n2m1, &n2); /* n2m1 = -R2 + R1 + R2 = R1 */
   499      CHECK(vet_secp256k1_num_eq(&n2m1, &n1));
   500      CHECK(!vet_secp256k1_num_eq(&n2p1, &n1));
   501      vet_secp256k1_num_sub(&n2p1, &n2p1, &n2); /* n2p1 = R2 + R1 - R2 = R1 */
   502      CHECK(vet_secp256k1_num_eq(&n2p1, &n1));
   503  
   504      /* check is_one */
   505      vet_secp256k1_scalar_set_int(&s, 1);
   506      vet_secp256k1_scalar_get_num(&n1, &s);
   507      CHECK(vet_secp256k1_num_is_one(&n1));
   508      /* check that 2^n + 1 is never 1 */
   509      vet_secp256k1_scalar_get_num(&n2, &s);
   510      for (i = 0; i < 250; ++i) {
   511          vet_secp256k1_num_add(&n1, &n1, &n1);    /* n1 *= 2 */
   512          vet_secp256k1_num_add(&n1p2, &n1, &n2);  /* n1p2 = n1 + 1 */
   513          CHECK(!vet_secp256k1_num_is_one(&n1p2));
   514      }
   515  }
   516  
   517  void test_num_mod(void) {
   518      int i;
   519      vet_secp256k1_scalar s;
   520      vet_secp256k1_num order, n;
   521  
   522      /* check that 0 mod anything is 0 */
   523      random_scalar_order_test(&s);
   524      vet_secp256k1_scalar_get_num(&order, &s);
   525      vet_secp256k1_scalar_set_int(&s, 0);
   526      vet_secp256k1_scalar_get_num(&n, &s);
   527      vet_secp256k1_num_mod(&n, &order);
   528      CHECK(vet_secp256k1_num_is_zero(&n));
   529  
   530      /* check that anything mod 1 is 0 */
   531      vet_secp256k1_scalar_set_int(&s, 1);
   532      vet_secp256k1_scalar_get_num(&order, &s);
   533      vet_secp256k1_scalar_get_num(&n, &s);
   534      vet_secp256k1_num_mod(&n, &order);
   535      CHECK(vet_secp256k1_num_is_zero(&n));
   536  
   537      /* check that increasing the number past 2^256 does not break this */
   538      random_scalar_order_test(&s);
   539      vet_secp256k1_scalar_get_num(&n, &s);
   540      /* multiply by 2^8, which'll test this case with high probability */
   541      for (i = 0; i < 8; ++i) {
   542          vet_secp256k1_num_add(&n, &n, &n);
   543      }
   544      vet_secp256k1_num_mod(&n, &order);
   545      CHECK(vet_secp256k1_num_is_zero(&n));
   546  }
   547  
   548  void test_num_jacobi(void) {
   549      vet_secp256k1_scalar sqr;
   550      vet_secp256k1_scalar small;
   551      vet_secp256k1_scalar five;  /* five is not a quadratic residue */
   552      vet_secp256k1_num order, n;
   553      int i;
   554      /* squares mod 5 are 1, 4 */
   555      const int jacobi5[10] = { 0, 1, -1, -1, 1, 0, 1, -1, -1, 1 };
   556  
   557      /* check some small values with 5 as the order */
   558      vet_secp256k1_scalar_set_int(&five, 5);
   559      vet_secp256k1_scalar_get_num(&order, &five);
   560      for (i = 0; i < 10; ++i) {
   561          vet_secp256k1_scalar_set_int(&small, i);
   562          vet_secp256k1_scalar_get_num(&n, &small);
   563          CHECK(vet_secp256k1_num_jacobi(&n, &order) == jacobi5[i]);
   564      }
   565  
   566      /** test large values with 5 as group order */
   567      vet_secp256k1_scalar_get_num(&order, &five);
   568      /* we first need a scalar which is not a multiple of 5 */
   569      do {
   570          vet_secp256k1_num fiven;
   571          random_scalar_order_test(&sqr);
   572          vet_secp256k1_scalar_get_num(&fiven, &five);
   573          vet_secp256k1_scalar_get_num(&n, &sqr);
   574          vet_secp256k1_num_mod(&n, &fiven);
   575      } while (vet_secp256k1_num_is_zero(&n));
   576      /* next force it to be a residue. 2 is a nonresidue mod 5 so we can
   577       * just multiply by two, i.e. add the number to itself */
   578      if (vet_secp256k1_num_jacobi(&n, &order) == -1) {
   579          vet_secp256k1_num_add(&n, &n, &n);
   580      }
   581  
   582      /* test residue */
   583      CHECK(vet_secp256k1_num_jacobi(&n, &order) == 1);
   584      /* test nonresidue */
   585      vet_secp256k1_num_add(&n, &n, &n);
   586      CHECK(vet_secp256k1_num_jacobi(&n, &order) == -1);
   587  
   588      /** test with secp group order as order */
   589      vet_secp256k1_scalar_order_get_num(&order);
   590      random_scalar_order_test(&sqr);
   591      vet_secp256k1_scalar_sqr(&sqr, &sqr);
   592      /* test residue */
   593      vet_secp256k1_scalar_get_num(&n, &sqr);
   594      CHECK(vet_secp256k1_num_jacobi(&n, &order) == 1);
   595      /* test nonresidue */
   596      vet_secp256k1_scalar_mul(&sqr, &sqr, &five);
   597      vet_secp256k1_scalar_get_num(&n, &sqr);
   598      CHECK(vet_secp256k1_num_jacobi(&n, &order) == -1);
   599      /* test multiple of the order*/
   600      CHECK(vet_secp256k1_num_jacobi(&order, &order) == 0);
   601  
   602      /* check one less than the order */
   603      vet_secp256k1_scalar_set_int(&small, 1);
   604      vet_secp256k1_scalar_get_num(&n, &small);
   605      vet_secp256k1_num_sub(&n, &order, &n);
   606      CHECK(vet_secp256k1_num_jacobi(&n, &order) == 1);  /* sage confirms this is 1 */
   607  }
   608  
   609  void run_num_smalltests(void) {
   610      int i;
   611      for (i = 0; i < 100*count; i++) {
   612          test_num_negate();
   613          test_num_add_sub();
   614          test_num_mod();
   615          test_num_jacobi();
   616      }
   617  }
   618  #endif
   619  
   620  /***** SCALAR TESTS *****/
   621  
   622  void scalar_test(void) {
   623      vet_secp256k1_scalar s;
   624      vet_secp256k1_scalar s1;
   625      vet_secp256k1_scalar s2;
   626  #ifndef USE_NUM_NONE
   627      vet_secp256k1_num snum, s1num, s2num;
   628      vet_secp256k1_num order, half_order;
   629  #endif
   630      unsigned char c[32];
   631  
   632      /* Set 's' to a random scalar, with value 'snum'. */
   633      random_scalar_order_test(&s);
   634  
   635      /* Set 's1' to a random scalar, with value 's1num'. */
   636      random_scalar_order_test(&s1);
   637  
   638      /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
   639      random_scalar_order_test(&s2);
   640      vet_secp256k1_scalar_get_b32(c, &s2);
   641  
   642  #ifndef USE_NUM_NONE
   643      vet_secp256k1_scalar_get_num(&snum, &s);
   644      vet_secp256k1_scalar_get_num(&s1num, &s1);
   645      vet_secp256k1_scalar_get_num(&s2num, &s2);
   646  
   647      vet_secp256k1_scalar_order_get_num(&order);
   648      half_order = order;
   649      vet_secp256k1_num_shift(&half_order, 1);
   650  #endif
   651  
   652      {
   653          int i;
   654          /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
   655          vet_secp256k1_scalar n;
   656          vet_secp256k1_scalar_set_int(&n, 0);
   657          for (i = 0; i < 256; i += 4) {
   658              vet_secp256k1_scalar t;
   659              int j;
   660              vet_secp256k1_scalar_set_int(&t, vet_secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
   661              for (j = 0; j < 4; j++) {
   662                  vet_secp256k1_scalar_add(&n, &n, &n);
   663              }
   664              vet_secp256k1_scalar_add(&n, &n, &t);
   665          }
   666          CHECK(vet_secp256k1_scalar_eq(&n, &s));
   667      }
   668  
   669      {
   670          /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
   671          vet_secp256k1_scalar n;
   672          int i = 0;
   673          vet_secp256k1_scalar_set_int(&n, 0);
   674          while (i < 256) {
   675              vet_secp256k1_scalar t;
   676              int j;
   677              int now = vet_secp256k1_rand_int(15) + 1;
   678              if (now + i > 256) {
   679                  now = 256 - i;
   680              }
   681              vet_secp256k1_scalar_set_int(&t, vet_secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
   682              for (j = 0; j < now; j++) {
   683                  vet_secp256k1_scalar_add(&n, &n, &n);
   684              }
   685              vet_secp256k1_scalar_add(&n, &n, &t);
   686              i += now;
   687          }
   688          CHECK(vet_secp256k1_scalar_eq(&n, &s));
   689      }
   690  
   691  #ifndef USE_NUM_NONE
   692      {
   693          /* Test that adding the scalars together is equal to adding their numbers together modulo the order. */
   694          vet_secp256k1_num rnum;
   695          vet_secp256k1_num r2num;
   696          vet_secp256k1_scalar r;
   697          vet_secp256k1_num_add(&rnum, &snum, &s2num);
   698          vet_secp256k1_num_mod(&rnum, &order);
   699          vet_secp256k1_scalar_add(&r, &s, &s2);
   700          vet_secp256k1_scalar_get_num(&r2num, &r);
   701          CHECK(vet_secp256k1_num_eq(&rnum, &r2num));
   702      }
   703  
   704      {
   705          /* Test that multiplying the scalars is equal to multiplying their numbers modulo the order. */
   706          vet_secp256k1_scalar r;
   707          vet_secp256k1_num r2num;
   708          vet_secp256k1_num rnum;
   709          vet_secp256k1_num_mul(&rnum, &snum, &s2num);
   710          vet_secp256k1_num_mod(&rnum, &order);
   711          vet_secp256k1_scalar_mul(&r, &s, &s2);
   712          vet_secp256k1_scalar_get_num(&r2num, &r);
   713          CHECK(vet_secp256k1_num_eq(&rnum, &r2num));
   714          /* The result can only be zero if at least one of the factors was zero. */
   715          CHECK(vet_secp256k1_scalar_is_zero(&r) == (vet_secp256k1_scalar_is_zero(&s) || vet_secp256k1_scalar_is_zero(&s2)));
   716          /* The results can only be equal to one of the factors if that factor was zero, or the other factor was one. */
   717          CHECK(vet_secp256k1_num_eq(&rnum, &snum) == (vet_secp256k1_scalar_is_zero(&s) || vet_secp256k1_scalar_is_one(&s2)));
   718          CHECK(vet_secp256k1_num_eq(&rnum, &s2num) == (vet_secp256k1_scalar_is_zero(&s2) || vet_secp256k1_scalar_is_one(&s)));
   719      }
   720  
   721      {
   722          vet_secp256k1_scalar neg;
   723          vet_secp256k1_num negnum;
   724          vet_secp256k1_num negnum2;
   725          /* Check that comparison with zero matches comparison with zero on the number. */
   726          CHECK(vet_secp256k1_num_is_zero(&snum) == vet_secp256k1_scalar_is_zero(&s));
   727          /* Check that comparison with the half order is equal to testing for high scalar. */
   728          CHECK(vet_secp256k1_scalar_is_high(&s) == (vet_secp256k1_num_cmp(&snum, &half_order) > 0));
   729          vet_secp256k1_scalar_negate(&neg, &s);
   730          vet_secp256k1_num_sub(&negnum, &order, &snum);
   731          vet_secp256k1_num_mod(&negnum, &order);
   732          /* Check that comparison with the half order is equal to testing for high scalar after negation. */
   733          CHECK(vet_secp256k1_scalar_is_high(&neg) == (vet_secp256k1_num_cmp(&negnum, &half_order) > 0));
   734          /* Negating should change the high property, unless the value was already zero. */
   735          CHECK((vet_secp256k1_scalar_is_high(&s) == vet_secp256k1_scalar_is_high(&neg)) == vet_secp256k1_scalar_is_zero(&s));
   736          vet_secp256k1_scalar_get_num(&negnum2, &neg);
   737          /* Negating a scalar should be equal to (order - n) mod order on the number. */
   738          CHECK(vet_secp256k1_num_eq(&negnum, &negnum2));
   739          vet_secp256k1_scalar_add(&neg, &neg, &s);
   740          /* Adding a number to its negation should result in zero. */
   741          CHECK(vet_secp256k1_scalar_is_zero(&neg));
   742          vet_secp256k1_scalar_negate(&neg, &neg);
   743          /* Negating zero should still result in zero. */
   744          CHECK(vet_secp256k1_scalar_is_zero(&neg));
   745      }
   746  
   747      {
   748          /* Test secp256k1_scalar_mul_shift_var. */
   749          vet_secp256k1_scalar r;
   750          vet_secp256k1_num one;
   751          vet_secp256k1_num rnum;
   752          vet_secp256k1_num rnum2;
   753          unsigned char cone[1] = {0x01};
   754          unsigned int shift = 256 + vet_secp256k1_rand_int(257);
   755          vet_secp256k1_scalar_mul_shift_var(&r, &s1, &s2, shift);
   756          vet_secp256k1_num_mul(&rnum, &s1num, &s2num);
   757          vet_secp256k1_num_shift(&rnum, shift - 1);
   758          vet_secp256k1_num_set_bin(&one, cone, 1);
   759          vet_secp256k1_num_add(&rnum, &rnum, &one);
   760          vet_secp256k1_num_shift(&rnum, 1);
   761          vet_secp256k1_scalar_get_num(&rnum2, &r);
   762          CHECK(vet_secp256k1_num_eq(&rnum, &rnum2));
   763      }
   764  
   765      {
   766          /* test secp256k1_scalar_shr_int */
   767          vet_secp256k1_scalar r;
   768          int i;
   769          random_scalar_order_test(&r);
   770          for (i = 0; i < 100; ++i) {
   771              int low;
   772              int shift = 1 + vet_secp256k1_rand_int(15);
   773              int expected = r.d[0] % (1 << shift);
   774              low = vet_secp256k1_scalar_shr_int(&r, shift);
   775              CHECK(expected == low);
   776          }
   777      }
   778  #endif
   779  
   780      {
   781          /* Test that scalar inverses are equal to the inverse of their number modulo the order. */
   782          if (!vet_secp256k1_scalar_is_zero(&s)) {
   783              vet_secp256k1_scalar inv;
   784  #ifndef USE_NUM_NONE
   785              vet_secp256k1_num invnum;
   786              vet_secp256k1_num invnum2;
   787  #endif
   788              vet_secp256k1_scalar_inverse(&inv, &s);
   789  #ifndef USE_NUM_NONE
   790              vet_secp256k1_num_mod_inverse(&invnum, &snum, &order);
   791              vet_secp256k1_scalar_get_num(&invnum2, &inv);
   792              CHECK(vet_secp256k1_num_eq(&invnum, &invnum2));
   793  #endif
   794              vet_secp256k1_scalar_mul(&inv, &inv, &s);
   795              /* Multiplying a scalar with its inverse must result in one. */
   796              CHECK(vet_secp256k1_scalar_is_one(&inv));
   797              vet_secp256k1_scalar_inverse(&inv, &inv);
   798              /* Inverting one must result in one. */
   799              CHECK(vet_secp256k1_scalar_is_one(&inv));
   800  #ifndef USE_NUM_NONE
   801              vet_secp256k1_scalar_get_num(&invnum, &inv);
   802              CHECK(vet_secp256k1_num_is_one(&invnum));
   803  #endif
   804          }
   805      }
   806  
   807      {
   808          /* Test commutativity of add. */
   809          vet_secp256k1_scalar r1, r2;
   810          vet_secp256k1_scalar_add(&r1, &s1, &s2);
   811          vet_secp256k1_scalar_add(&r2, &s2, &s1);
   812          CHECK(vet_secp256k1_scalar_eq(&r1, &r2));
   813      }
   814  
   815      {
   816          vet_secp256k1_scalar r1, r2;
   817          vet_secp256k1_scalar b;
   818          int i;
   819          /* Test add_bit. */
   820          int bit = vet_secp256k1_rand_bits(8);
   821          vet_secp256k1_scalar_set_int(&b, 1);
   822          CHECK(vet_secp256k1_scalar_is_one(&b));
   823          for (i = 0; i < bit; i++) {
   824              vet_secp256k1_scalar_add(&b, &b, &b);
   825          }
   826          r1 = s1;
   827          r2 = s1;
   828          if (!vet_secp256k1_scalar_add(&r1, &r1, &b)) {
   829              /* No overflow happened. */
   830              vet_secp256k1_scalar_cadd_bit(&r2, bit, 1);
   831              CHECK(vet_secp256k1_scalar_eq(&r1, &r2));
   832              /* cadd is a noop when flag is zero */
   833              vet_secp256k1_scalar_cadd_bit(&r2, bit, 0);
   834              CHECK(vet_secp256k1_scalar_eq(&r1, &r2));
   835          }
   836      }
   837  
   838      {
   839          /* Test commutativity of mul. */
   840          vet_secp256k1_scalar r1, r2;
   841          vet_secp256k1_scalar_mul(&r1, &s1, &s2);
   842          vet_secp256k1_scalar_mul(&r2, &s2, &s1);
   843          CHECK(vet_secp256k1_scalar_eq(&r1, &r2));
   844      }
   845  
   846      {
   847          /* Test associativity of add. */
   848          vet_secp256k1_scalar r1, r2;
   849          vet_secp256k1_scalar_add(&r1, &s1, &s2);
   850          vet_secp256k1_scalar_add(&r1, &r1, &s);
   851          vet_secp256k1_scalar_add(&r2, &s2, &s);
   852          vet_secp256k1_scalar_add(&r2, &s1, &r2);
   853          CHECK(vet_secp256k1_scalar_eq(&r1, &r2));
   854      }
   855  
   856      {
   857          /* Test associativity of mul. */
   858          vet_secp256k1_scalar r1, r2;
   859          vet_secp256k1_scalar_mul(&r1, &s1, &s2);
   860          vet_secp256k1_scalar_mul(&r1, &r1, &s);
   861          vet_secp256k1_scalar_mul(&r2, &s2, &s);
   862          vet_secp256k1_scalar_mul(&r2, &s1, &r2);
   863          CHECK(vet_secp256k1_scalar_eq(&r1, &r2));
   864      }
   865  
   866      {
   867          /* Test distributitivity of mul over add. */
   868          vet_secp256k1_scalar r1, r2, t;
   869          vet_secp256k1_scalar_add(&r1, &s1, &s2);
   870          vet_secp256k1_scalar_mul(&r1, &r1, &s);
   871          vet_secp256k1_scalar_mul(&r2, &s1, &s);
   872          vet_secp256k1_scalar_mul(&t, &s2, &s);
   873          vet_secp256k1_scalar_add(&r2, &r2, &t);
   874          CHECK(vet_secp256k1_scalar_eq(&r1, &r2));
   875      }
   876  
   877      {
   878          /* Test square. */
   879          vet_secp256k1_scalar r1, r2;
   880          vet_secp256k1_scalar_sqr(&r1, &s1);
   881          vet_secp256k1_scalar_mul(&r2, &s1, &s1);
   882          CHECK(vet_secp256k1_scalar_eq(&r1, &r2));
   883      }
   884  
   885      {
   886          /* Test multiplicative identity. */
   887          vet_secp256k1_scalar r1, v1;
   888          vet_secp256k1_scalar_set_int(&v1,1);
   889          vet_secp256k1_scalar_mul(&r1, &s1, &v1);
   890          CHECK(vet_secp256k1_scalar_eq(&r1, &s1));
   891      }
   892  
   893      {
   894          /* Test additive identity. */
   895          vet_secp256k1_scalar r1, v0;
   896          vet_secp256k1_scalar_set_int(&v0,0);
   897          vet_secp256k1_scalar_add(&r1, &s1, &v0);
   898          CHECK(vet_secp256k1_scalar_eq(&r1, &s1));
   899      }
   900  
   901      {
   902          /* Test zero product property. */
   903          vet_secp256k1_scalar r1, v0;
   904          vet_secp256k1_scalar_set_int(&v0,0);
   905          vet_secp256k1_scalar_mul(&r1, &s1, &v0);
   906          CHECK(vet_secp256k1_scalar_eq(&r1, &v0));
   907      }
   908  
   909  }
   910  
   911  void run_scalar_tests(void) {
   912      int i;
   913      for (i = 0; i < 128 * count; i++) {
   914          scalar_test();
   915      }
   916  
   917      {
   918          /* (-1)+1 should be zero. */
   919          vet_secp256k1_scalar s, o;
   920          vet_secp256k1_scalar_set_int(&s, 1);
   921          CHECK(vet_secp256k1_scalar_is_one(&s));
   922          vet_secp256k1_scalar_negate(&o, &s);
   923          vet_secp256k1_scalar_add(&o, &o, &s);
   924          CHECK(vet_secp256k1_scalar_is_zero(&o));
   925          vet_secp256k1_scalar_negate(&o, &o);
   926          CHECK(vet_secp256k1_scalar_is_zero(&o));
   927      }
   928  
   929  #ifndef USE_NUM_NONE
   930      {
   931          /* A scalar with value of the curve order should be 0. */
   932          vet_secp256k1_num order;
   933          vet_secp256k1_scalar zero;
   934          unsigned char bin[32];
   935          int overflow = 0;
   936          vet_secp256k1_scalar_order_get_num(&order);
   937          vet_secp256k1_num_get_bin(bin, 32, &order);
   938          vet_secp256k1_scalar_set_b32(&zero, bin, &overflow);
   939          CHECK(overflow == 1);
   940          CHECK(vet_secp256k1_scalar_is_zero(&zero));
   941      }
   942  #endif
   943  
   944      {
   945          /* Does check_overflow check catch all ones? */
   946          static const vet_secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
   947              0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
   948              0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
   949          );
   950          CHECK(vet_secp256k1_scalar_check_overflow(&overflowed));
   951      }
   952  
   953      {
   954          /* Static test vectors.
   955           * These were reduced from ~10^12 random vectors based on comparison-decision
   956           *  and edge-case coverage on 32-bit and 64-bit implementations.
   957           * The responses were generated with Sage 5.9.
   958           */
   959          vet_secp256k1_scalar x;
   960          vet_secp256k1_scalar y;
   961          vet_secp256k1_scalar z;
   962          vet_secp256k1_scalar zz;
   963          vet_secp256k1_scalar one;
   964          vet_secp256k1_scalar r1;
   965          vet_secp256k1_scalar r2;
   966  #if defined(USE_SCALAR_INV_NUM)
   967          vet_secp256k1_scalar zzv;
   968  #endif
   969          int overflow;
   970          unsigned char chal[33][2][32] = {
   971              {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
   972                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
   973                0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
   974                0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
   975               {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
   976                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
   977                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
   978                0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
   979              {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
   980                0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
   981                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
   982                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
   983               {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
   984                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
   985                0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
   986                0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
   987              {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
   988                0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
   989                0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
   990                0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
   991               {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
   992                0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
   993                0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
   994                0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
   995              {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
   996                0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
   997                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
   998                0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
   999               {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
  1000                0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
  1001                0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
  1002                0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
  1003              {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
  1004                0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
  1005                0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
  1006                0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
  1007               {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
  1008                0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  1009                0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
  1010                0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
  1011              {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
  1012                0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
  1013                0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
  1014                0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
  1015               {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
  1016                0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
  1017                0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
  1018                0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
  1019              {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
  1020                0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
  1021                0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
  1022                0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
  1023               {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
  1024                0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
  1025                0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
  1026                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
  1027              {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
  1028                0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
  1029                0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
  1030                0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
  1031               {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
  1032                0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
  1033                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  1034                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
  1035              {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1036                0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
  1037                0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
  1038                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
  1039               {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  1040                0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1041                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1042                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
  1043              {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
  1044                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  1045                0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
  1046                0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
  1047               {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
  1048                0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
  1049                0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
  1050                0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
  1051              {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
  1052                0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
  1053                0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
  1054                0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
  1055               {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
  1056                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1057                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
  1058                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
  1059              {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
  1060                0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  1061                0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  1062                0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
  1063               {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1064                0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
  1065                0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
  1066                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
  1067              {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  1068                0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1069                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1070                0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
  1071               {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
  1072                0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
  1073                0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
  1074                0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
  1075              {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
  1076                0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
  1077                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  1078                0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
  1079               {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
  1080                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  1081                0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
  1082                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
  1083              {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
  1084                0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
  1085                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1086                0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
  1087               {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
  1088                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  1089                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  1090                0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
  1091              {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
  1092                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  1093                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  1094                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
  1095               {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  1096                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
  1097                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
  1098                0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
  1099              {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
  1100                0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1101                0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
  1102                0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
  1103               {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1104                0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
  1105                0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
  1106                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
  1107              {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1108                0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
  1109                0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
  1110                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
  1111               {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
  1112                0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
  1113                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
  1114                0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
  1115              {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
  1116                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
  1117                0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
  1118                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
  1119               {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  1120                0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
  1121                0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
  1122                0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
  1123              {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
  1124                0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
  1125                0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  1126                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
  1127               {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
  1128                0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
  1129                0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
  1130                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
  1131              {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1132                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1133                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1134                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
  1135               {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  1136                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
  1137                0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
  1138                0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
  1139              {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1140                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1141                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1142                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
  1143               {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1144                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1145                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1146                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
  1147              {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  1148                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  1149                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  1150                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
  1151               {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  1152                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  1153                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  1154                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
  1155              {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
  1156                0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1157                0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
  1158                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
  1159               {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
  1160                0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
  1161                0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
  1162                0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
  1163              {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  1164                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  1165                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  1166                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
  1167               {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1168                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1169                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1170                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
  1171              {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  1172                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
  1173                0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
  1174                0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
  1175               {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1176                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1177                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1178                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
  1179              {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  1180                0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
  1181                0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
  1182                0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
  1183               {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
  1184                0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
  1185                0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
  1186                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
  1187              {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
  1188                0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
  1189                0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
  1190                0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
  1191               {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
  1192                0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
  1193                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  1194                0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
  1195              {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
  1196                0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
  1197                0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
  1198                0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
  1199               {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
  1200                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
  1201                0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
  1202                0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
  1203              {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
  1204                0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
  1205                0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
  1206                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
  1207               {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
  1208                0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
  1209                0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
  1210                0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
  1211              {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
  1212                0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  1213                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
  1214                0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
  1215               {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  1216                0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
  1217                0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
  1218                0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
  1219              {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
  1220                0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
  1221                0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
  1222                0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
  1223               {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
  1224                0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
  1225                0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
  1226                0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
  1227              {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
  1228                0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
  1229                0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
  1230                0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
  1231               {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
  1232                0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
  1233                0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
  1234                0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
  1235          };
  1236          unsigned char res[33][2][32] = {
  1237              {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
  1238                0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
  1239                0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
  1240                0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
  1241               {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
  1242                0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
  1243                0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
  1244                0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
  1245              {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
  1246                0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
  1247                0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
  1248                0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
  1249               {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
  1250                0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
  1251                0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
  1252                0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
  1253              {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
  1254                0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
  1255                0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
  1256                0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
  1257               {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
  1258                0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
  1259                0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
  1260                0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
  1261              {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
  1262                0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
  1263                0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
  1264                0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
  1265               {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
  1266                0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
  1267                0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
  1268                0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
  1269              {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
  1270                0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
  1271                0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
  1272                0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
  1273               {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
  1274                0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
  1275                0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
  1276                0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
  1277              {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
  1278                0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
  1279                0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
  1280                0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
  1281               {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
  1282                0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
  1283                0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
  1284                0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
  1285              {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
  1286                0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
  1287                0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
  1288                0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
  1289               {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
  1290                0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
  1291                0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
  1292                0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
  1293              {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
  1294                0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
  1295                0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
  1296                0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
  1297               {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
  1298                0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
  1299                0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
  1300                0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
  1301              {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
  1302                0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
  1303                0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
  1304                0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
  1305               {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
  1306                0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
  1307                0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
  1308                0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
  1309              {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
  1310                0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
  1311                0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
  1312                0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
  1313               {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
  1314                0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
  1315                0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
  1316                0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
  1317              {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
  1318                0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
  1319                0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
  1320                0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
  1321               {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
  1322                0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
  1323                0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
  1324                0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
  1325              {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
  1326                0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
  1327                0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
  1328                0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
  1329               {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
  1330                0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
  1331                0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
  1332                0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
  1333              {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
  1334                0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
  1335                0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
  1336                0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
  1337               {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
  1338                0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
  1339                0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
  1340                0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
  1341              {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
  1342                0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
  1343                0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
  1344                0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
  1345               {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
  1346                0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
  1347                0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
  1348                0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
  1349              {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
  1350                0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
  1351                0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
  1352                0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
  1353               {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
  1354                0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
  1355                0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
  1356                0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
  1357              {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
  1358                0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
  1359                0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
  1360                0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
  1361               {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
  1362                0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
  1363                0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
  1364                0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
  1365              {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
  1366                0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
  1367                0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
  1368                0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
  1369               {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
  1370                0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
  1371                0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
  1372                0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
  1373              {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
  1374                0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
  1375                0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
  1376                0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
  1377               {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
  1378                0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
  1379                0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
  1380                0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
  1381              {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
  1382                0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
  1383                0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
  1384                0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
  1385               {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
  1386                0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
  1387                0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
  1388                0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
  1389              {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
  1390                0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
  1391                0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
  1392                0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
  1393               {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
  1394                0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
  1395                0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
  1396                0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
  1397              {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1398                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1399                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1400                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
  1401               {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1402                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1403                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1404                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
  1405              {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1406                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1407                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1408                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
  1409               {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1410                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1411                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1412                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
  1413              {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
  1414                0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
  1415                0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
  1416                0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
  1417               {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
  1418                0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
  1419                0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
  1420                0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
  1421              {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
  1422                0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
  1423                0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
  1424                0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
  1425               {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
  1426                0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
  1427                0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
  1428                0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
  1429              {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1430                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
  1431                0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
  1432                0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
  1433               {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
  1434                0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
  1435                0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
  1436                0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
  1437              {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  1438                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
  1439                0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
  1440                0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
  1441               {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1442                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1443                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  1444                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
  1445              {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
  1446                0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
  1447                0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
  1448                0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
  1449               {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
  1450                0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
  1451                0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
  1452                0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
  1453              {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
  1454                0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
  1455                0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
  1456                0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
  1457               {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
  1458                0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
  1459                0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
  1460                0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
  1461              {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
  1462                0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
  1463                0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
  1464                0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
  1465               {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
  1466                0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
  1467                0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
  1468                0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
  1469              {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
  1470                0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
  1471                0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
  1472                0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
  1473               {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
  1474                0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
  1475                0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
  1476                0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
  1477              {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
  1478                0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
  1479                0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
  1480                0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
  1481               {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
  1482                0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
  1483                0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
  1484                0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
  1485              {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
  1486                0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
  1487                0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
  1488                0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
  1489               {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
  1490                0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
  1491                0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
  1492                0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
  1493              {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
  1494                0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
  1495                0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
  1496                0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
  1497               {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
  1498                0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
  1499                0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
  1500                0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
  1501          };
  1502          vet_secp256k1_scalar_set_int(&one, 1);
  1503          for (i = 0; i < 33; i++) {
  1504              vet_secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
  1505              CHECK(!overflow);
  1506              vet_secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
  1507              CHECK(!overflow);
  1508              vet_secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
  1509              CHECK(!overflow);
  1510              vet_secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
  1511              CHECK(!overflow);
  1512              vet_secp256k1_scalar_mul(&z, &x, &y);
  1513              CHECK(!vet_secp256k1_scalar_check_overflow(&z));
  1514              CHECK(vet_secp256k1_scalar_eq(&r1, &z));
  1515              if (!vet_secp256k1_scalar_is_zero(&y)) {
  1516                  vet_secp256k1_scalar_inverse(&zz, &y);
  1517                  CHECK(!vet_secp256k1_scalar_check_overflow(&zz));
  1518  #if defined(USE_SCALAR_INV_NUM)
  1519                  vet_secp256k1_scalar_inverse_var(&zzv, &y);
  1520                  CHECK(vet_secp256k1_scalar_eq(&zzv, &zz));
  1521  #endif
  1522                  vet_secp256k1_scalar_mul(&z, &z, &zz);
  1523                  CHECK(!vet_secp256k1_scalar_check_overflow(&z));
  1524                  CHECK(vet_secp256k1_scalar_eq(&x, &z));
  1525                  vet_secp256k1_scalar_mul(&zz, &zz, &y);
  1526                  CHECK(!vet_secp256k1_scalar_check_overflow(&zz));
  1527                  CHECK(vet_secp256k1_scalar_eq(&one, &zz));
  1528              }
  1529              vet_secp256k1_scalar_mul(&z, &x, &x);
  1530              CHECK(!vet_secp256k1_scalar_check_overflow(&z));
  1531              vet_secp256k1_scalar_sqr(&zz, &x);
  1532              CHECK(!vet_secp256k1_scalar_check_overflow(&zz));
  1533              CHECK(vet_secp256k1_scalar_eq(&zz, &z));
  1534              CHECK(vet_secp256k1_scalar_eq(&r2, &zz));
  1535          }
  1536      }
  1537  }
  1538  
  1539  /***** FIELD TESTS *****/
  1540  
  1541  void random_fe(vet_secp256k1_fe *x) {
  1542      unsigned char bin[32];
  1543      do {
  1544          vet_secp256k1_rand256(bin);
  1545          if (vet_secp256k1_fe_set_b32(x, bin)) {
  1546              return;
  1547          }
  1548      } while(1);
  1549  }
  1550  
  1551  void random_fe_test(vet_secp256k1_fe *x) {
  1552      unsigned char bin[32];
  1553      do {
  1554          vet_secp256k1_rand256_test(bin);
  1555          if (vet_secp256k1_fe_set_b32(x, bin)) {
  1556              return;
  1557          }
  1558      } while(1);
  1559  }
  1560  
  1561  void random_fe_non_zero(vet_secp256k1_fe *nz) {
  1562      int tries = 10;
  1563      while (--tries >= 0) {
  1564          random_fe(nz);
  1565          vet_secp256k1_fe_normalize(nz);
  1566          if (!vet_secp256k1_fe_is_zero(nz)) {
  1567              break;
  1568          }
  1569      }
  1570      /* Infinitesimal probability of spurious failure here */
  1571      CHECK(tries >= 0);
  1572  }
  1573  
  1574  void random_fe_non_square(vet_secp256k1_fe *ns) {
  1575      vet_secp256k1_fe r;
  1576      random_fe_non_zero(ns);
  1577      if (vet_secp256k1_fe_sqrt(&r, ns)) {
  1578          vet_secp256k1_fe_negate(ns, ns, 1);
  1579      }
  1580  }
  1581  
  1582  int check_fe_equal(const vet_secp256k1_fe *a, const vet_secp256k1_fe *b) {
  1583      vet_secp256k1_fe an = *a;
  1584      vet_secp256k1_fe bn = *b;
  1585      vet_secp256k1_fe_normalize_weak(&an);
  1586      vet_secp256k1_fe_normalize_var(&bn);
  1587      return vet_secp256k1_fe_equal_var(&an, &bn);
  1588  }
  1589  
  1590  int check_fe_inverse(const vet_secp256k1_fe *a, const vet_secp256k1_fe *ai) {
  1591      vet_secp256k1_fe x;
  1592      vet_secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
  1593      vet_secp256k1_fe_mul(&x, a, ai);
  1594      return check_fe_equal(&x, &one);
  1595  }
  1596  
  1597  void run_field_convert(void) {
  1598      static const unsigned char b32[32] = {
  1599          0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
  1600          0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
  1601          0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
  1602          0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
  1603      };
  1604      static const vet_secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
  1605          0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
  1606          0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
  1607      );
  1608      static const vet_secp256k1_fe fe = SECP256K1_FE_CONST(
  1609          0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
  1610          0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
  1611      );
  1612      vet_secp256k1_fe fe2;
  1613      unsigned char b322[32];
  1614      vet_secp256k1_fe_storage fes2;
  1615      /* Check conversions to fe. */
  1616      CHECK(vet_secp256k1_fe_set_b32(&fe2, b32));
  1617      CHECK(vet_secp256k1_fe_equal_var(&fe, &fe2));
  1618      vet_secp256k1_fe_from_storage(&fe2, &fes);
  1619      CHECK(vet_secp256k1_fe_equal_var(&fe, &fe2));
  1620      /* Check conversion from fe. */
  1621      vet_secp256k1_fe_get_b32(b322, &fe);
  1622      CHECK(memcmp(b322, b32, 32) == 0);
  1623      vet_secp256k1_fe_to_storage(&fes2, &fe);
  1624      CHECK(memcmp(&fes2, &fes, sizeof(fes)) == 0);
  1625  }
  1626  
  1627  int fe_memcmp(const vet_secp256k1_fe *a, const vet_secp256k1_fe *b) {
  1628      vet_secp256k1_fe t = *b;
  1629  #ifdef VERIFY
  1630      t.magnitude = a->magnitude;
  1631      t.normalized = a->normalized;
  1632  #endif
  1633      return memcmp(a, &t, sizeof(vet_secp256k1_fe));
  1634  }
  1635  
  1636  void run_field_misc(void) {
  1637      vet_secp256k1_fe x;
  1638      vet_secp256k1_fe y;
  1639      vet_secp256k1_fe z;
  1640      vet_secp256k1_fe q;
  1641      vet_secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
  1642      int i, j;
  1643      for (i = 0; i < 5*count; i++) {
  1644          vet_secp256k1_fe_storage xs, ys, zs;
  1645          random_fe(&x);
  1646          random_fe_non_zero(&y);
  1647          /* Test the fe equality and comparison operations. */
  1648          CHECK(vet_secp256k1_fe_cmp_var(&x, &x) == 0);
  1649          CHECK(vet_secp256k1_fe_equal_var(&x, &x));
  1650          z = x;
  1651          vet_secp256k1_fe_add(&z,&y);
  1652          /* Test fe conditional move; z is not normalized here. */
  1653          q = x;
  1654          vet_secp256k1_fe_cmov(&x, &z, 0);
  1655          VERIFY_CHECK(!x.normalized && x.magnitude == z.magnitude);
  1656          vet_secp256k1_fe_cmov(&x, &x, 1);
  1657          CHECK(fe_memcmp(&x, &z) != 0);
  1658          CHECK(fe_memcmp(&x, &q) == 0);
  1659          vet_secp256k1_fe_cmov(&q, &z, 1);
  1660          VERIFY_CHECK(!q.normalized && q.magnitude == z.magnitude);
  1661          CHECK(fe_memcmp(&q, &z) == 0);
  1662          vet_secp256k1_fe_normalize_var(&x);
  1663          vet_secp256k1_fe_normalize_var(&z);
  1664          CHECK(!vet_secp256k1_fe_equal_var(&x, &z));
  1665          vet_secp256k1_fe_normalize_var(&q);
  1666          vet_secp256k1_fe_cmov(&q, &z, (i&1));
  1667          VERIFY_CHECK(q.normalized && q.magnitude == 1);
  1668          for (j = 0; j < 6; j++) {
  1669              vet_secp256k1_fe_negate(&z, &z, j+1);
  1670              vet_secp256k1_fe_normalize_var(&q);
  1671              vet_secp256k1_fe_cmov(&q, &z, (j&1));
  1672              VERIFY_CHECK(!q.normalized && q.magnitude == (j+2));
  1673          }
  1674          vet_secp256k1_fe_normalize_var(&z);
  1675          /* Test storage conversion and conditional moves. */
  1676          vet_secp256k1_fe_to_storage(&xs, &x);
  1677          vet_secp256k1_fe_to_storage(&ys, &y);
  1678          vet_secp256k1_fe_to_storage(&zs, &z);
  1679          vet_secp256k1_fe_storage_cmov(&zs, &xs, 0);
  1680          vet_secp256k1_fe_storage_cmov(&zs, &zs, 1);
  1681          CHECK(memcmp(&xs, &zs, sizeof(xs)) != 0);
  1682          vet_secp256k1_fe_storage_cmov(&ys, &xs, 1);
  1683          CHECK(memcmp(&xs, &ys, sizeof(xs)) == 0);
  1684          vet_secp256k1_fe_from_storage(&x, &xs);
  1685          vet_secp256k1_fe_from_storage(&y, &ys);
  1686          vet_secp256k1_fe_from_storage(&z, &zs);
  1687          /* Test that mul_int, mul, and add agree. */
  1688          vet_secp256k1_fe_add(&y, &x);
  1689          vet_secp256k1_fe_add(&y, &x);
  1690          z = x;
  1691          vet_secp256k1_fe_mul_int(&z, 3);
  1692          CHECK(check_fe_equal(&y, &z));
  1693          vet_secp256k1_fe_add(&y, &x);
  1694          vet_secp256k1_fe_add(&z, &x);
  1695          CHECK(check_fe_equal(&z, &y));
  1696          z = x;
  1697          vet_secp256k1_fe_mul_int(&z, 5);
  1698          vet_secp256k1_fe_mul(&q, &x, &fe5);
  1699          CHECK(check_fe_equal(&z, &q));
  1700          vet_secp256k1_fe_negate(&x, &x, 1);
  1701          vet_secp256k1_fe_add(&z, &x);
  1702          vet_secp256k1_fe_add(&q, &x);
  1703          CHECK(check_fe_equal(&y, &z));
  1704          CHECK(check_fe_equal(&q, &y));
  1705      }
  1706  }
  1707  
  1708  void run_field_inv(void) {
  1709      vet_secp256k1_fe x, xi, xii;
  1710      int i;
  1711      for (i = 0; i < 10*count; i++) {
  1712          random_fe_non_zero(&x);
  1713          vet_secp256k1_fe_inv(&xi, &x);
  1714          CHECK(check_fe_inverse(&x, &xi));
  1715          vet_secp256k1_fe_inv(&xii, &xi);
  1716          CHECK(check_fe_equal(&x, &xii));
  1717      }
  1718  }
  1719  
  1720  void run_field_inv_var(void) {
  1721      vet_secp256k1_fe x, xi, xii;
  1722      int i;
  1723      for (i = 0; i < 10*count; i++) {
  1724          random_fe_non_zero(&x);
  1725          vet_secp256k1_fe_inv_var(&xi, &x);
  1726          CHECK(check_fe_inverse(&x, &xi));
  1727          vet_secp256k1_fe_inv_var(&xii, &xi);
  1728          CHECK(check_fe_equal(&x, &xii));
  1729      }
  1730  }
  1731  
  1732  void run_field_inv_all_var(void) {
  1733      vet_secp256k1_fe x[16], xi[16], xii[16];
  1734      int i;
  1735      /* Check it's safe to call for 0 elements */
  1736      vet_secp256k1_fe_inv_all_var(xi, x, 0);
  1737      for (i = 0; i < count; i++) {
  1738          size_t j;
  1739          size_t len = vet_secp256k1_rand_int(15) + 1;
  1740          for (j = 0; j < len; j++) {
  1741              random_fe_non_zero(&x[j]);
  1742          }
  1743          vet_secp256k1_fe_inv_all_var(xi, x, len);
  1744          for (j = 0; j < len; j++) {
  1745              CHECK(check_fe_inverse(&x[j], &xi[j]));
  1746          }
  1747          vet_secp256k1_fe_inv_all_var(xii, xi, len);
  1748          for (j = 0; j < len; j++) {
  1749              CHECK(check_fe_equal(&x[j], &xii[j]));
  1750          }
  1751      }
  1752  }
  1753  
  1754  void run_sqr(void) {
  1755      vet_secp256k1_fe x, s;
  1756  
  1757      {
  1758          int i;
  1759          vet_secp256k1_fe_set_int(&x, 1);
  1760          vet_secp256k1_fe_negate(&x, &x, 1);
  1761  
  1762          for (i = 1; i <= 512; ++i) {
  1763              vet_secp256k1_fe_mul_int(&x, 2);
  1764              vet_secp256k1_fe_normalize(&x);
  1765              vet_secp256k1_fe_sqr(&s, &x);
  1766          }
  1767      }
  1768  }
  1769  
  1770  void test_sqrt(const vet_secp256k1_fe *a, const vet_secp256k1_fe *k) {
  1771      vet_secp256k1_fe r1, r2;
  1772      int v = vet_secp256k1_fe_sqrt(&r1, a);
  1773      CHECK((v == 0) == (k == NULL));
  1774  
  1775      if (k != NULL) {
  1776          /* Check that the returned root is +/- the given known answer */
  1777          vet_secp256k1_fe_negate(&r2, &r1, 1);
  1778          vet_secp256k1_fe_add(&r1, k); vet_secp256k1_fe_add(&r2, k);
  1779          vet_secp256k1_fe_normalize(&r1); vet_secp256k1_fe_normalize(&r2);
  1780          CHECK(vet_secp256k1_fe_is_zero(&r1) || vet_secp256k1_fe_is_zero(&r2));
  1781      }
  1782  }
  1783  
  1784  void run_sqrt(void) {
  1785      vet_secp256k1_fe ns, x, s, t;
  1786      int i;
  1787  
  1788      /* Check sqrt(0) is 0 */
  1789      vet_secp256k1_fe_set_int(&x, 0);
  1790      vet_secp256k1_fe_sqr(&s, &x);
  1791      test_sqrt(&s, &x);
  1792  
  1793      /* Check sqrt of small squares (and their negatives) */
  1794      for (i = 1; i <= 100; i++) {
  1795          vet_secp256k1_fe_set_int(&x, i);
  1796          vet_secp256k1_fe_sqr(&s, &x);
  1797          test_sqrt(&s, &x);
  1798          vet_secp256k1_fe_negate(&t, &s, 1);
  1799          test_sqrt(&t, NULL);
  1800      }
  1801  
  1802      /* Consistency checks for large random values */
  1803      for (i = 0; i < 10; i++) {
  1804          int j;
  1805          random_fe_non_square(&ns);
  1806          for (j = 0; j < count; j++) {
  1807              random_fe(&x);
  1808              vet_secp256k1_fe_sqr(&s, &x);
  1809              test_sqrt(&s, &x);
  1810              vet_secp256k1_fe_negate(&t, &s, 1);
  1811              test_sqrt(&t, NULL);
  1812              vet_secp256k1_fe_mul(&t, &s, &ns);
  1813              test_sqrt(&t, NULL);
  1814          }
  1815      }
  1816  }
  1817  
  1818  /***** GROUP TESTS *****/
  1819  
  1820  void ge_equals_ge(const vet_secp256k1_ge *a, const vet_secp256k1_ge *b) {
  1821      CHECK(a->infinity == b->infinity);
  1822      if (a->infinity) {
  1823          return;
  1824      }
  1825      CHECK(vet_secp256k1_fe_equal_var(&a->x, &b->x));
  1826      CHECK(vet_secp256k1_fe_equal_var(&a->y, &b->y));
  1827  }
  1828  
  1829  /* This compares jacobian points including their Z, not just their geometric meaning. */
  1830  int gej_xyz_equals_gej(const vet_secp256k1_gej *a, const vet_secp256k1_gej *b) {
  1831      vet_secp256k1_gej a2;
  1832      vet_secp256k1_gej b2;
  1833      int ret = 1;
  1834      ret &= a->infinity == b->infinity;
  1835      if (ret && !a->infinity) {
  1836          a2 = *a;
  1837          b2 = *b;
  1838          vet_secp256k1_fe_normalize(&a2.x);
  1839          vet_secp256k1_fe_normalize(&a2.y);
  1840          vet_secp256k1_fe_normalize(&a2.z);
  1841          vet_secp256k1_fe_normalize(&b2.x);
  1842          vet_secp256k1_fe_normalize(&b2.y);
  1843          vet_secp256k1_fe_normalize(&b2.z);
  1844          ret &= vet_secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
  1845          ret &= vet_secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
  1846          ret &= vet_secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
  1847      }
  1848      return ret;
  1849  }
  1850  
  1851  void ge_equals_gej(const vet_secp256k1_ge *a, const vet_secp256k1_gej *b) {
  1852      vet_secp256k1_fe z2s;
  1853      vet_secp256k1_fe u1, u2, s1, s2;
  1854      CHECK(a->infinity == b->infinity);
  1855      if (a->infinity) {
  1856          return;
  1857      }
  1858      /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
  1859      vet_secp256k1_fe_sqr(&z2s, &b->z);
  1860      vet_secp256k1_fe_mul(&u1, &a->x, &z2s);
  1861      u2 = b->x; vet_secp256k1_fe_normalize_weak(&u2);
  1862      vet_secp256k1_fe_mul(&s1, &a->y, &z2s); vet_secp256k1_fe_mul(&s1, &s1, &b->z);
  1863      s2 = b->y; vet_secp256k1_fe_normalize_weak(&s2);
  1864      CHECK(vet_secp256k1_fe_equal_var(&u1, &u2));
  1865      CHECK(vet_secp256k1_fe_equal_var(&s1, &s2));
  1866  }
  1867  
  1868  void test_ge(void) {
  1869      int i, i1;
  1870  #ifdef USE_ENDOMORPHISM
  1871      int runs = 6;
  1872  #else
  1873      int runs = 4;
  1874  #endif
  1875      /* Points: (infinity, p1, p1, -p1, -p1, p2, p2, -p2, -p2, p3, p3, -p3, -p3, p4, p4, -p4, -p4).
  1876       * The second in each pair of identical points uses a random Z coordinate in the Jacobian form.
  1877       * All magnitudes are randomized.
  1878       * All 17*17 combinations of points are added to each other, using all applicable methods.
  1879       *
  1880       * When the endomorphism code is compiled in, p5 = lambda*p1 and p6 = lambda^2*p1 are added as well.
  1881       */
  1882      vet_secp256k1_ge *ge = (vet_secp256k1_ge *)malloc(sizeof(vet_secp256k1_ge) * (1 + 4 * runs));
  1883      vet_secp256k1_gej *gej = (vet_secp256k1_gej *)malloc(sizeof(vet_secp256k1_gej) * (1 + 4 * runs));
  1884      vet_secp256k1_fe *zinv = (vet_secp256k1_fe *)malloc(sizeof(vet_secp256k1_fe) * (1 + 4 * runs));
  1885      vet_secp256k1_fe zf;
  1886      vet_secp256k1_fe zfi2, zfi3;
  1887  
  1888      vet_secp256k1_gej_set_infinity(&gej[0]);
  1889      vet_secp256k1_ge_clear(&ge[0]);
  1890      vet_secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
  1891      for (i = 0; i < runs; i++) {
  1892          int j;
  1893          vet_secp256k1_ge g;
  1894          random_group_element_test(&g);
  1895  #ifdef USE_ENDOMORPHISM
  1896          if (i >= runs - 2) {
  1897              vet_secp256k1_ge_mul_lambda(&g, &ge[1]);
  1898          }
  1899          if (i >= runs - 1) {
  1900              vet_secp256k1_ge_mul_lambda(&g, &g);
  1901          }
  1902  #endif
  1903          ge[1 + 4 * i] = g;
  1904          ge[2 + 4 * i] = g;
  1905          vet_secp256k1_ge_neg(&ge[3 + 4 * i], &g);
  1906          vet_secp256k1_ge_neg(&ge[4 + 4 * i], &g);
  1907          vet_secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
  1908          random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
  1909          vet_secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
  1910          random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
  1911          for (j = 0; j < 4; j++) {
  1912              random_field_element_magnitude(&ge[1 + j + 4 * i].x);
  1913              random_field_element_magnitude(&ge[1 + j + 4 * i].y);
  1914              random_field_element_magnitude(&gej[1 + j + 4 * i].x);
  1915              random_field_element_magnitude(&gej[1 + j + 4 * i].y);
  1916              random_field_element_magnitude(&gej[1 + j + 4 * i].z);
  1917          }
  1918      }
  1919  
  1920      /* Compute z inverses. */
  1921      {
  1922          vet_secp256k1_fe *zs = malloc(sizeof(vet_secp256k1_fe) * (1 + 4 * runs));
  1923          for (i = 0; i < 4 * runs + 1; i++) {
  1924              if (i == 0) {
  1925                  /* The point at infinity does not have a meaningful z inverse. Any should do. */
  1926                  do {
  1927                      random_field_element_test(&zs[i]);
  1928                  } while(vet_secp256k1_fe_is_zero(&zs[i]));
  1929              } else {
  1930                  zs[i] = gej[i].z;
  1931              }
  1932          }
  1933          vet_secp256k1_fe_inv_all_var(zinv, zs, 4 * runs + 1);
  1934          free(zs);
  1935      }
  1936  
  1937      /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
  1938      do {
  1939          random_field_element_test(&zf);
  1940      } while(vet_secp256k1_fe_is_zero(&zf));
  1941      random_field_element_magnitude(&zf);
  1942      vet_secp256k1_fe_inv_var(&zfi3, &zf);
  1943      vet_secp256k1_fe_sqr(&zfi2, &zfi3);
  1944      vet_secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
  1945  
  1946      for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
  1947          int i2;
  1948          for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
  1949              /* Compute reference result using gej + gej (var). */
  1950              vet_secp256k1_gej refj, resj;
  1951              vet_secp256k1_ge ref;
  1952              vet_secp256k1_fe zr;
  1953              vet_secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], vet_secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
  1954              /* Check Z ratio. */
  1955              if (!vet_secp256k1_gej_is_infinity(&gej[i1]) && !vet_secp256k1_gej_is_infinity(&refj)) {
  1956                  vet_secp256k1_fe zrz; vet_secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
  1957                  CHECK(vet_secp256k1_fe_equal_var(&zrz, &refj.z));
  1958              }
  1959              vet_secp256k1_ge_set_gej_var(&ref, &refj);
  1960  
  1961              /* Test gej + ge with Z ratio result (var). */
  1962              vet_secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], vet_secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
  1963              ge_equals_gej(&ref, &resj);
  1964              if (!vet_secp256k1_gej_is_infinity(&gej[i1]) && !vet_secp256k1_gej_is_infinity(&resj)) {
  1965                  vet_secp256k1_fe zrz; vet_secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
  1966                  CHECK(vet_secp256k1_fe_equal_var(&zrz, &resj.z));
  1967              }
  1968  
  1969              /* Test gej + ge (var, with additional Z factor). */
  1970              {
  1971                  vet_secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
  1972                  vet_secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
  1973                  vet_secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
  1974                  random_field_element_magnitude(&ge2_zfi.x);
  1975                  random_field_element_magnitude(&ge2_zfi.y);
  1976                  vet_secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
  1977                  ge_equals_gej(&ref, &resj);
  1978              }
  1979  
  1980              /* Test gej + ge (const). */
  1981              if (i2 != 0) {
  1982                  /* secp256k1_gej_add_ge does not support its second argument being infinity. */
  1983                  vet_secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
  1984                  ge_equals_gej(&ref, &resj);
  1985              }
  1986  
  1987              /* Test doubling (var). */
  1988              if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
  1989                  vet_secp256k1_fe zr2;
  1990                  /* Normal doubling with Z ratio result. */
  1991                  vet_secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
  1992                  ge_equals_gej(&ref, &resj);
  1993                  /* Check Z ratio. */
  1994                  vet_secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
  1995                  CHECK(vet_secp256k1_fe_equal_var(&zr2, &resj.z));
  1996                  /* Normal doubling. */
  1997                  vet_secp256k1_gej_double_var(&resj, &gej[i2], NULL);
  1998                  ge_equals_gej(&ref, &resj);
  1999              }
  2000  
  2001              /* Test adding opposites. */
  2002              if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
  2003                  CHECK(vet_secp256k1_ge_is_infinity(&ref));
  2004              }
  2005  
  2006              /* Test adding infinity. */
  2007              if (i1 == 0) {
  2008                  CHECK(vet_secp256k1_ge_is_infinity(&ge[i1]));
  2009                  CHECK(vet_secp256k1_gej_is_infinity(&gej[i1]));
  2010                  ge_equals_gej(&ref, &gej[i2]);
  2011              }
  2012              if (i2 == 0) {
  2013                  CHECK(vet_secp256k1_ge_is_infinity(&ge[i2]));
  2014                  CHECK(vet_secp256k1_gej_is_infinity(&gej[i2]));
  2015                  ge_equals_gej(&ref, &gej[i1]);
  2016              }
  2017          }
  2018      }
  2019  
  2020      /* Test adding all points together in random order equals infinity. */
  2021      {
  2022          vet_secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
  2023          vet_secp256k1_gej *gej_shuffled = (vet_secp256k1_gej *)malloc((4 * runs + 1) * sizeof(vet_secp256k1_gej));
  2024          for (i = 0; i < 4 * runs + 1; i++) {
  2025              gej_shuffled[i] = gej[i];
  2026          }
  2027          for (i = 0; i < 4 * runs + 1; i++) {
  2028              int swap = i + vet_secp256k1_rand_int(4 * runs + 1 - i);
  2029              if (swap != i) {
  2030                  vet_secp256k1_gej t = gej_shuffled[i];
  2031                  gej_shuffled[i] = gej_shuffled[swap];
  2032                  gej_shuffled[swap] = t;
  2033              }
  2034          }
  2035          for (i = 0; i < 4 * runs + 1; i++) {
  2036              vet_secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
  2037          }
  2038          CHECK(vet_secp256k1_gej_is_infinity(&sum));
  2039          free(gej_shuffled);
  2040      }
  2041  
  2042      /* Test batch gej -> ge conversion with and without known z ratios. */
  2043      {
  2044          vet_secp256k1_fe *zr = (vet_secp256k1_fe *)malloc((4 * runs + 1) * sizeof(vet_secp256k1_fe));
  2045          vet_secp256k1_ge *ge_set_table = (vet_secp256k1_ge *)malloc((4 * runs + 1) * sizeof(vet_secp256k1_ge));
  2046          vet_secp256k1_ge *ge_set_all = (vet_secp256k1_ge *)malloc((4 * runs + 1) * sizeof(vet_secp256k1_ge));
  2047          for (i = 0; i < 4 * runs + 1; i++) {
  2048              /* Compute gej[i + 1].z / gez[i].z (with gej[n].z taken to be 1). */
  2049              if (i < 4 * runs) {
  2050                  vet_secp256k1_fe_mul(&zr[i + 1], &zinv[i], &gej[i + 1].z);
  2051              }
  2052          }
  2053          vet_secp256k1_ge_set_table_gej_var(ge_set_table, gej, zr, 4 * runs + 1);
  2054          vet_secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1, &ctx->error_callback);
  2055          for (i = 0; i < 4 * runs + 1; i++) {
  2056              vet_secp256k1_fe s;
  2057              random_fe_non_zero(&s);
  2058              vet_secp256k1_gej_rescale(&gej[i], &s);
  2059              ge_equals_gej(&ge_set_table[i], &gej[i]);
  2060              ge_equals_gej(&ge_set_all[i], &gej[i]);
  2061          }
  2062          free(ge_set_table);
  2063          free(ge_set_all);
  2064          free(zr);
  2065      }
  2066  
  2067      free(ge);
  2068      free(gej);
  2069      free(zinv);
  2070  }
  2071  
  2072  void test_add_neg_y_diff_x(void) {
  2073      /* The point of this test is to check that we can add two points
  2074       * whose y-coordinates are negatives of each other but whose x
  2075       * coordinates differ. If the x-coordinates were the same, these
  2076       * points would be negatives of each other and their sum is
  2077       * infinity. This is cool because it "covers up" any degeneracy
  2078       * in the addition algorithm that would cause the xy coordinates
  2079       * of the sum to be wrong (since infinity has no xy coordinates).
  2080       * HOWEVER, if the x-coordinates are different, infinity is the
  2081       * wrong answer, and such degeneracies are exposed. This is the
  2082       * root of https://github.com/bitcoin-core/secp256k1/issues/257
  2083       * which this test is a regression test for.
  2084       *
  2085       * These points were generated in sage as
  2086       * # secp256k1 params
  2087       * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
  2088       * C = EllipticCurve ([F (0), F (7)])
  2089       * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
  2090       * N = FiniteField(G.order())
  2091       *
  2092       * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
  2093       * x = polygen(N)
  2094       * lam  = (1 - x^3).roots()[1][0]
  2095       *
  2096       * # random "bad pair"
  2097       * P = C.random_element()
  2098       * Q = -int(lam) * P
  2099       * print "    P: %x %x" % P.xy()
  2100       * print "    Q: %x %x" % Q.xy()
  2101       * print "P + Q: %x %x" % (P + Q).xy()
  2102       */
  2103      vet_secp256k1_gej aj = SECP256K1_GEJ_CONST(
  2104          0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
  2105          0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
  2106          0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
  2107          0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
  2108      );
  2109      vet_secp256k1_gej bj = SECP256K1_GEJ_CONST(
  2110          0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
  2111          0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
  2112          0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
  2113          0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
  2114      );
  2115      vet_secp256k1_gej sumj = SECP256K1_GEJ_CONST(
  2116          0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
  2117          0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
  2118          0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
  2119          0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
  2120      );
  2121      vet_secp256k1_ge b;
  2122      vet_secp256k1_gej resj;
  2123      vet_secp256k1_ge res;
  2124      vet_secp256k1_ge_set_gej(&b, &bj);
  2125  
  2126      vet_secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
  2127      vet_secp256k1_ge_set_gej(&res, &resj);
  2128      ge_equals_gej(&res, &sumj);
  2129  
  2130      vet_secp256k1_gej_add_ge(&resj, &aj, &b);
  2131      vet_secp256k1_ge_set_gej(&res, &resj);
  2132      ge_equals_gej(&res, &sumj);
  2133  
  2134      vet_secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
  2135      vet_secp256k1_ge_set_gej(&res, &resj);
  2136      ge_equals_gej(&res, &sumj);
  2137  }
  2138  
  2139  void run_ge(void) {
  2140      int i;
  2141      for (i = 0; i < count * 32; i++) {
  2142          test_ge();
  2143      }
  2144      test_add_neg_y_diff_x();
  2145  }
  2146  
  2147  void test_ec_combine(void) {
  2148      vet_secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
  2149      vet_secp256k1_pubkey data[6];
  2150      const vet_secp256k1_pubkey* d[6];
  2151      vet_secp256k1_pubkey sd;
  2152      vet_secp256k1_pubkey sd2;
  2153      vet_secp256k1_gej Qj;
  2154      vet_secp256k1_ge Q;
  2155      int i;
  2156      for (i = 1; i <= 6; i++) {
  2157          vet_secp256k1_scalar s;
  2158          random_scalar_order_test(&s);
  2159          vet_secp256k1_scalar_add(&sum, &sum, &s);
  2160          vet_secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s);
  2161          vet_secp256k1_ge_set_gej(&Q, &Qj);
  2162          vet_secp256k1_pubkey_save(&data[i - 1], &Q);
  2163          d[i - 1] = &data[i - 1];
  2164          vet_secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum);
  2165          vet_secp256k1_ge_set_gej(&Q, &Qj);
  2166          vet_secp256k1_pubkey_save(&sd, &Q);
  2167          CHECK(vet_secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
  2168          CHECK(memcmp(&sd, &sd2, sizeof(sd)) == 0);
  2169      }
  2170  }
  2171  
  2172  void run_ec_combine(void) {
  2173      int i;
  2174      for (i = 0; i < count * 8; i++) {
  2175           test_ec_combine();
  2176      }
  2177  }
  2178  
  2179  void test_group_decompress(const vet_secp256k1_fe* x) {
  2180      /* The input itself, normalized. */
  2181      vet_secp256k1_fe fex = *x;
  2182      vet_secp256k1_fe fez;
  2183      /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
  2184      vet_secp256k1_ge ge_quad, ge_even, ge_odd;
  2185      vet_secp256k1_gej gej_quad;
  2186      /* Return values of the above calls. */
  2187      int res_quad, res_even, res_odd;
  2188  
  2189      vet_secp256k1_fe_normalize_var(&fex);
  2190  
  2191      res_quad = vet_secp256k1_ge_set_xquad(&ge_quad, &fex);
  2192      res_even = vet_secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
  2193      res_odd = vet_secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
  2194  
  2195      CHECK(res_quad == res_even);
  2196      CHECK(res_quad == res_odd);
  2197  
  2198      if (res_quad) {
  2199          vet_secp256k1_fe_normalize_var(&ge_quad.x);
  2200          vet_secp256k1_fe_normalize_var(&ge_odd.x);
  2201          vet_secp256k1_fe_normalize_var(&ge_even.x);
  2202          vet_secp256k1_fe_normalize_var(&ge_quad.y);
  2203          vet_secp256k1_fe_normalize_var(&ge_odd.y);
  2204          vet_secp256k1_fe_normalize_var(&ge_even.y);
  2205  
  2206          /* No infinity allowed. */
  2207          CHECK(!ge_quad.infinity);
  2208          CHECK(!ge_even.infinity);
  2209          CHECK(!ge_odd.infinity);
  2210  
  2211          /* Check that the x coordinates check out. */
  2212          CHECK(vet_secp256k1_fe_equal_var(&ge_quad.x, x));
  2213          CHECK(vet_secp256k1_fe_equal_var(&ge_even.x, x));
  2214          CHECK(vet_secp256k1_fe_equal_var(&ge_odd.x, x));
  2215  
  2216          /* Check that the Y coordinate result in ge_quad is a square. */
  2217          CHECK(vet_secp256k1_fe_is_quad_var(&ge_quad.y));
  2218  
  2219          /* Check odd/even Y in ge_odd, ge_even. */
  2220          CHECK(vet_secp256k1_fe_is_odd(&ge_odd.y));
  2221          CHECK(!vet_secp256k1_fe_is_odd(&ge_even.y));
  2222  
  2223          /* Check secp256k1_gej_has_quad_y_var. */
  2224          vet_secp256k1_gej_set_ge(&gej_quad, &ge_quad);
  2225          CHECK(vet_secp256k1_gej_has_quad_y_var(&gej_quad));
  2226          do {
  2227              random_fe_test(&fez);
  2228          } while (vet_secp256k1_fe_is_zero(&fez));
  2229          vet_secp256k1_gej_rescale(&gej_quad, &fez);
  2230          CHECK(vet_secp256k1_gej_has_quad_y_var(&gej_quad));
  2231          vet_secp256k1_gej_neg(&gej_quad, &gej_quad);
  2232          CHECK(!vet_secp256k1_gej_has_quad_y_var(&gej_quad));
  2233          do {
  2234              random_fe_test(&fez);
  2235          } while (vet_secp256k1_fe_is_zero(&fez));
  2236          vet_secp256k1_gej_rescale(&gej_quad, &fez);
  2237          CHECK(!vet_secp256k1_gej_has_quad_y_var(&gej_quad));
  2238          vet_secp256k1_gej_neg(&gej_quad, &gej_quad);
  2239          CHECK(vet_secp256k1_gej_has_quad_y_var(&gej_quad));
  2240      }
  2241  }
  2242  
  2243  void run_group_decompress(void) {
  2244      int i;
  2245      for (i = 0; i < count * 4; i++) {
  2246          vet_secp256k1_fe fe;
  2247          random_fe_test(&fe);
  2248          test_group_decompress(&fe);
  2249      }
  2250  }
  2251  
  2252  /***** ECMULT TESTS *****/
  2253  
  2254  void run_ecmult_chain(void) {
  2255      /* random starting point A (on the curve) */
  2256      vet_secp256k1_gej a = SECP256K1_GEJ_CONST(
  2257          0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
  2258          0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
  2259          0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
  2260          0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
  2261      );
  2262      /* two random initial factors xn and gn */
  2263      vet_secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
  2264          0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
  2265          0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
  2266      );
  2267      vet_secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
  2268          0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
  2269          0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
  2270      );
  2271      /* two small multipliers to be applied to xn and gn in every iteration: */
  2272      static const vet_secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
  2273      static const vet_secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
  2274      /* accumulators with the resulting coefficients to A and G */
  2275      vet_secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
  2276      vet_secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
  2277      /* actual points */
  2278      vet_secp256k1_gej x;
  2279      vet_secp256k1_gej x2;
  2280      int i;
  2281  
  2282      /* the point being computed */
  2283      x = a;
  2284      for (i = 0; i < 200*count; i++) {
  2285          /* in each iteration, compute X = xn*X + gn*G; */
  2286          vet_secp256k1_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn);
  2287          /* also compute ae and ge: the actual accumulated factors for A and G */
  2288          /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
  2289          vet_secp256k1_scalar_mul(&ae, &ae, &xn);
  2290          vet_secp256k1_scalar_mul(&ge, &ge, &xn);
  2291          vet_secp256k1_scalar_add(&ge, &ge, &gn);
  2292          /* modify xn and gn */
  2293          vet_secp256k1_scalar_mul(&xn, &xn, &xf);
  2294          vet_secp256k1_scalar_mul(&gn, &gn, &gf);
  2295  
  2296          /* verify */
  2297          if (i == 19999) {
  2298              /* expected result after 19999 iterations */
  2299              vet_secp256k1_gej rp = SECP256K1_GEJ_CONST(
  2300                  0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
  2301                  0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
  2302                  0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
  2303                  0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
  2304              );
  2305  
  2306              vet_secp256k1_gej_neg(&rp, &rp);
  2307              vet_secp256k1_gej_add_var(&rp, &rp, &x, NULL);
  2308              CHECK(vet_secp256k1_gej_is_infinity(&rp));
  2309          }
  2310      }
  2311      /* redo the computation, but directly with the resulting ae and ge coefficients: */
  2312      vet_secp256k1_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge);
  2313      vet_secp256k1_gej_neg(&x2, &x2);
  2314      vet_secp256k1_gej_add_var(&x2, &x2, &x, NULL);
  2315      CHECK(vet_secp256k1_gej_is_infinity(&x2));
  2316  }
  2317  
  2318  void test_point_times_order(const vet_secp256k1_gej *point) {
  2319      /* X * (point + G) + (order-X) * (pointer + G) = 0 */
  2320      vet_secp256k1_scalar x;
  2321      vet_secp256k1_scalar nx;
  2322      vet_secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
  2323      vet_secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
  2324      vet_secp256k1_gej res1, res2;
  2325      vet_secp256k1_ge res3;
  2326      unsigned char pub[65];
  2327      size_t psize = 65;
  2328      random_scalar_order_test(&x);
  2329      vet_secp256k1_scalar_negate(&nx, &x);
  2330      vet_secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */
  2331      vet_secp256k1_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
  2332      vet_secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
  2333      CHECK(vet_secp256k1_gej_is_infinity(&res1));
  2334      CHECK(vet_secp256k1_gej_is_valid_var(&res1) == 0);
  2335      vet_secp256k1_ge_set_gej(&res3, &res1);
  2336      CHECK(vet_secp256k1_ge_is_infinity(&res3));
  2337      CHECK(vet_secp256k1_ge_is_valid_var(&res3) == 0);
  2338      CHECK(vet_secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
  2339      psize = 65;
  2340      CHECK(vet_secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
  2341      /* check zero/one edge cases */
  2342      vet_secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero);
  2343      vet_secp256k1_ge_set_gej(&res3, &res1);
  2344      CHECK(vet_secp256k1_ge_is_infinity(&res3));
  2345      vet_secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero);
  2346      vet_secp256k1_ge_set_gej(&res3, &res1);
  2347      ge_equals_gej(&res3, point);
  2348      vet_secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one);
  2349      vet_secp256k1_ge_set_gej(&res3, &res1);
  2350      ge_equals_ge(&res3, &vet_secp256k1_ge_const_g);
  2351  }
  2352  
  2353  void run_point_times_order(void) {
  2354      int i;
  2355      vet_secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
  2356      static const vet_secp256k1_fe xr = SECP256K1_FE_CONST(
  2357          0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
  2358          0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
  2359      );
  2360      for (i = 0; i < 500; i++) {
  2361          vet_secp256k1_ge p;
  2362          if (vet_secp256k1_ge_set_xo_var(&p, &x, 1)) {
  2363              vet_secp256k1_gej j;
  2364              CHECK(vet_secp256k1_ge_is_valid_var(&p));
  2365              vet_secp256k1_gej_set_ge(&j, &p);
  2366              CHECK(vet_secp256k1_gej_is_valid_var(&j));
  2367              test_point_times_order(&j);
  2368          }
  2369          vet_secp256k1_fe_sqr(&x, &x);
  2370      }
  2371      vet_secp256k1_fe_normalize_var(&x);
  2372      CHECK(vet_secp256k1_fe_equal_var(&x, &xr));
  2373  }
  2374  
  2375  void ecmult_const_random_mult(void) {
  2376      /* random starting point A (on the curve) */
  2377      vet_secp256k1_ge a = SECP256K1_GE_CONST(
  2378          0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
  2379          0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
  2380          0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
  2381          0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
  2382      );
  2383      /* random initial factor xn */
  2384      vet_secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
  2385          0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
  2386          0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
  2387      );
  2388      /* expected xn * A (from sage) */
  2389      vet_secp256k1_ge expected_b = SECP256K1_GE_CONST(
  2390          0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
  2391          0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
  2392          0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
  2393          0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
  2394      );
  2395      vet_secp256k1_gej b;
  2396      vet_secp256k1_ecmult_const(&b, &a, &xn);
  2397  
  2398      CHECK(vet_secp256k1_ge_is_valid_var(&a));
  2399      ge_equals_gej(&expected_b, &b);
  2400  }
  2401  
  2402  void ecmult_const_commutativity(void) {
  2403      vet_secp256k1_scalar a;
  2404      vet_secp256k1_scalar b;
  2405      vet_secp256k1_gej res1;
  2406      vet_secp256k1_gej res2;
  2407      vet_secp256k1_ge mid1;
  2408      vet_secp256k1_ge mid2;
  2409      random_scalar_order_test(&a);
  2410      random_scalar_order_test(&b);
  2411  
  2412      vet_secp256k1_ecmult_const(&res1, &vet_secp256k1_ge_const_g, &a);
  2413      vet_secp256k1_ecmult_const(&res2, &vet_secp256k1_ge_const_g, &b);
  2414      vet_secp256k1_ge_set_gej(&mid1, &res1);
  2415      vet_secp256k1_ge_set_gej(&mid2, &res2);
  2416      vet_secp256k1_ecmult_const(&res1, &mid1, &b);
  2417      vet_secp256k1_ecmult_const(&res2, &mid2, &a);
  2418      vet_secp256k1_ge_set_gej(&mid1, &res1);
  2419      vet_secp256k1_ge_set_gej(&mid2, &res2);
  2420      ge_equals_ge(&mid1, &mid2);
  2421  }
  2422  
  2423  void ecmult_const_mult_zero_one(void) {
  2424      vet_secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
  2425      vet_secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
  2426      vet_secp256k1_scalar negone;
  2427      vet_secp256k1_gej res1;
  2428      vet_secp256k1_ge res2;
  2429      vet_secp256k1_ge point;
  2430      vet_secp256k1_scalar_negate(&negone, &one);
  2431  
  2432      random_group_element_test(&point);
  2433      vet_secp256k1_ecmult_const(&res1, &point, &zero);
  2434      vet_secp256k1_ge_set_gej(&res2, &res1);
  2435      CHECK(vet_secp256k1_ge_is_infinity(&res2));
  2436      vet_secp256k1_ecmult_const(&res1, &point, &one);
  2437      vet_secp256k1_ge_set_gej(&res2, &res1);
  2438      ge_equals_ge(&res2, &point);
  2439      vet_secp256k1_ecmult_const(&res1, &point, &negone);
  2440      vet_secp256k1_gej_neg(&res1, &res1);
  2441      vet_secp256k1_ge_set_gej(&res2, &res1);
  2442      ge_equals_ge(&res2, &point);
  2443  }
  2444  
  2445  void ecmult_const_chain_multiply(void) {
  2446      /* Check known result (randomly generated test problem from sage) */
  2447      const vet_secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
  2448          0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
  2449          0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
  2450      );
  2451      const vet_secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
  2452          0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
  2453          0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
  2454          0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
  2455          0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
  2456      );
  2457      vet_secp256k1_gej point;
  2458      vet_secp256k1_ge res;
  2459      int i;
  2460  
  2461      vet_secp256k1_gej_set_ge(&point, &vet_secp256k1_ge_const_g);
  2462      for (i = 0; i < 100; ++i) {
  2463          vet_secp256k1_ge tmp;
  2464          vet_secp256k1_ge_set_gej(&tmp, &point);
  2465          vet_secp256k1_ecmult_const(&point, &tmp, &scalar);
  2466      }
  2467      vet_secp256k1_ge_set_gej(&res, &point);
  2468      ge_equals_gej(&res, &expected_point);
  2469  }
  2470  
  2471  void run_ecmult_const_tests(void) {
  2472      ecmult_const_mult_zero_one();
  2473      ecmult_const_random_mult();
  2474      ecmult_const_commutativity();
  2475      ecmult_const_chain_multiply();
  2476  }
  2477  
  2478  void test_wnaf(const vet_secp256k1_scalar *number, int w) {
  2479      vet_secp256k1_scalar x, two, t;
  2480      int wnaf[256];
  2481      int zeroes = -1;
  2482      int i;
  2483      int bits;
  2484      vet_secp256k1_scalar_set_int(&x, 0);
  2485      vet_secp256k1_scalar_set_int(&two, 2);
  2486      bits = vet_secp256k1_ecmult_wnaf(wnaf, 256, number, w);
  2487      CHECK(bits <= 256);
  2488      for (i = bits-1; i >= 0; i--) {
  2489          int v = wnaf[i];
  2490          vet_secp256k1_scalar_mul(&x, &x, &two);
  2491          if (v) {
  2492              CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
  2493              zeroes=0;
  2494              CHECK((v & 1) == 1); /* check non-zero elements are odd */
  2495              CHECK(v <= (1 << (w-1)) - 1); /* check range below */
  2496              CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
  2497          } else {
  2498              CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
  2499              zeroes++;
  2500          }
  2501          if (v >= 0) {
  2502              vet_secp256k1_scalar_set_int(&t, v);
  2503          } else {
  2504              vet_secp256k1_scalar_set_int(&t, -v);
  2505              vet_secp256k1_scalar_negate(&t, &t);
  2506          }
  2507          vet_secp256k1_scalar_add(&x, &x, &t);
  2508      }
  2509      CHECK(vet_secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
  2510  }
  2511  
  2512  void test_constant_wnaf_negate(const vet_secp256k1_scalar *number) {
  2513      vet_secp256k1_scalar neg1 = *number;
  2514      vet_secp256k1_scalar neg2 = *number;
  2515      int sign1 = 1;
  2516      int sign2 = 1;
  2517  
  2518      if (!vet_secp256k1_scalar_get_bits(&neg1, 0, 1)) {
  2519          vet_secp256k1_scalar_negate(&neg1, &neg1);
  2520          sign1 = -1;
  2521      }
  2522      sign2 = vet_secp256k1_scalar_cond_negate(&neg2, vet_secp256k1_scalar_is_even(&neg2));
  2523      CHECK(sign1 == sign2);
  2524      CHECK(vet_secp256k1_scalar_eq(&neg1, &neg2));
  2525  }
  2526  
  2527  void test_constant_wnaf(const vet_secp256k1_scalar *number, int w) {
  2528      vet_secp256k1_scalar x, shift;
  2529      int wnaf[256] = {0};
  2530      int i;
  2531      int skew;
  2532      vet_secp256k1_scalar num = *number;
  2533  
  2534      vet_secp256k1_scalar_set_int(&x, 0);
  2535      vet_secp256k1_scalar_set_int(&shift, 1 << w);
  2536      /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
  2537  #ifdef USE_ENDOMORPHISM
  2538      for (i = 0; i < 16; ++i) {
  2539          vet_secp256k1_scalar_shr_int(&num, 8);
  2540      }
  2541  #endif
  2542      skew = vet_secp256k1_wnaf_const(wnaf, num, w);
  2543  
  2544      for (i = WNAF_SIZE(w); i >= 0; --i) {
  2545          vet_secp256k1_scalar t;
  2546          int v = wnaf[i];
  2547          CHECK(v != 0); /* check nonzero */
  2548          CHECK(v & 1);  /* check parity */
  2549          CHECK(v > -(1 << w)); /* check range above */
  2550          CHECK(v < (1 << w));  /* check range below */
  2551  
  2552          vet_secp256k1_scalar_mul(&x, &x, &shift);
  2553          if (v >= 0) {
  2554              vet_secp256k1_scalar_set_int(&t, v);
  2555          } else {
  2556              vet_secp256k1_scalar_set_int(&t, -v);
  2557              vet_secp256k1_scalar_negate(&t, &t);
  2558          }
  2559          vet_secp256k1_scalar_add(&x, &x, &t);
  2560      }
  2561      /* Skew num because when encoding numbers as odd we use an offset */
  2562      vet_secp256k1_scalar_cadd_bit(&num, skew == 2, 1);
  2563      CHECK(vet_secp256k1_scalar_eq(&x, &num));
  2564  }
  2565  
  2566  void run_wnaf(void) {
  2567      int i;
  2568      vet_secp256k1_scalar n = {{0}};
  2569  
  2570      /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
  2571       *               have easier-to-diagnose failure modes  */
  2572      n.d[0] = 1;
  2573      test_constant_wnaf(&n, 4);
  2574      n.d[0] = 2;
  2575      test_constant_wnaf(&n, 4);
  2576      /* Random tests */
  2577      for (i = 0; i < count; i++) {
  2578          random_scalar_order(&n);
  2579          test_wnaf(&n, 4+(i%10));
  2580          test_constant_wnaf_negate(&n);
  2581          test_constant_wnaf(&n, 4 + (i % 10));
  2582      }
  2583      vet_secp256k1_scalar_set_int(&n, 0);
  2584      CHECK(vet_secp256k1_scalar_cond_negate(&n, 1) == -1);
  2585      CHECK(vet_secp256k1_scalar_is_zero(&n));
  2586      CHECK(vet_secp256k1_scalar_cond_negate(&n, 0) == 1);
  2587      CHECK(vet_secp256k1_scalar_is_zero(&n));
  2588  }
  2589  
  2590  void test_ecmult_constants(void) {
  2591      /* Test ecmult_gen() for [0..36) and [order-36..0). */
  2592      vet_secp256k1_scalar x;
  2593      vet_secp256k1_gej r;
  2594      vet_secp256k1_ge ng;
  2595      int i;
  2596      int j;
  2597      vet_secp256k1_ge_neg(&ng, &vet_secp256k1_ge_const_g);
  2598      for (i = 0; i < 36; i++ ) {
  2599          vet_secp256k1_scalar_set_int(&x, i);
  2600          vet_secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
  2601          for (j = 0; j < i; j++) {
  2602              if (j == i - 1) {
  2603                  ge_equals_gej(&vet_secp256k1_ge_const_g, &r);
  2604              }
  2605              vet_secp256k1_gej_add_ge(&r, &r, &ng);
  2606          }
  2607          CHECK(vet_secp256k1_gej_is_infinity(&r));
  2608      }
  2609      for (i = 1; i <= 36; i++ ) {
  2610          vet_secp256k1_scalar_set_int(&x, i);
  2611          vet_secp256k1_scalar_negate(&x, &x);
  2612          vet_secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
  2613          for (j = 0; j < i; j++) {
  2614              if (j == i - 1) {
  2615                  ge_equals_gej(&ng, &r);
  2616              }
  2617              vet_secp256k1_gej_add_ge(&r, &r, &vet_secp256k1_ge_const_g);
  2618          }
  2619          CHECK(vet_secp256k1_gej_is_infinity(&r));
  2620      }
  2621  }
  2622  
  2623  void run_ecmult_constants(void) {
  2624      test_ecmult_constants();
  2625  }
  2626  
  2627  void test_ecmult_gen_blind(void) {
  2628      /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
  2629      vet_secp256k1_scalar key;
  2630      vet_secp256k1_scalar b;
  2631      unsigned char seed32[32];
  2632      vet_secp256k1_gej pgej;
  2633      vet_secp256k1_gej pgej2;
  2634      vet_secp256k1_gej i;
  2635      vet_secp256k1_ge pge;
  2636      random_scalar_order_test(&key);
  2637      vet_secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
  2638      vet_secp256k1_rand256(seed32);
  2639      b = ctx->ecmult_gen_ctx.blind;
  2640      i = ctx->ecmult_gen_ctx.initial;
  2641      vet_secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
  2642      CHECK(!vet_secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
  2643      vet_secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
  2644      CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
  2645      CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial));
  2646      vet_secp256k1_ge_set_gej(&pge, &pgej);
  2647      ge_equals_gej(&pge, &pgej2);
  2648  }
  2649  
  2650  void test_ecmult_gen_blind_reset(void) {
  2651      /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
  2652      vet_secp256k1_scalar b;
  2653      vet_secp256k1_gej initial;
  2654      vet_secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
  2655      b = ctx->ecmult_gen_ctx.blind;
  2656      initial = ctx->ecmult_gen_ctx.initial;
  2657      vet_secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
  2658      CHECK(vet_secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
  2659      CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial));
  2660  }
  2661  
  2662  void run_ecmult_gen_blind(void) {
  2663      int i;
  2664      test_ecmult_gen_blind_reset();
  2665      for (i = 0; i < 10; i++) {
  2666          test_ecmult_gen_blind();
  2667      }
  2668  }
  2669  
  2670  #ifdef USE_ENDOMORPHISM
  2671  /***** ENDOMORPHISH TESTS *****/
  2672  void test_scalar_split(void) {
  2673      vet_secp256k1_scalar full;
  2674      vet_secp256k1_scalar s1, slam;
  2675      const unsigned char zero[32] = {0};
  2676      unsigned char tmp[32];
  2677  
  2678      random_scalar_order_test(&full);
  2679      vet_secp256k1_scalar_split_lambda(&s1, &slam, &full);
  2680  
  2681      /* check that both are <= 128 bits in size */
  2682      if (vet_secp256k1_scalar_is_high(&s1)) {
  2683          vet_secp256k1_scalar_negate(&s1, &s1);
  2684      }
  2685      if (vet_secp256k1_scalar_is_high(&slam)) {
  2686          vet_secp256k1_scalar_negate(&slam, &slam);
  2687      }
  2688  
  2689      vet_secp256k1_scalar_get_b32(tmp, &s1);
  2690      CHECK(memcmp(zero, tmp, 16) == 0);
  2691      vet_secp256k1_scalar_get_b32(tmp, &slam);
  2692      CHECK(memcmp(zero, tmp, 16) == 0);
  2693  }
  2694  
  2695  void run_endomorphism_tests(void) {
  2696      test_scalar_split();
  2697  }
  2698  #endif
  2699  
  2700  void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
  2701      unsigned char pubkeyc[65];
  2702      vet_secp256k1_pubkey pubkey;
  2703      vet_secp256k1_ge ge;
  2704      size_t pubkeyclen;
  2705      int32_t ecount;
  2706      ecount = 0;
  2707      vet_secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
  2708      for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
  2709          /* Smaller sizes are tested exhaustively elsewhere. */
  2710          int32_t i;
  2711          memcpy(&pubkeyc[1], input, 64);
  2712          VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
  2713          for (i = 0; i < 256; i++) {
  2714              /* Try all type bytes. */
  2715              int xpass;
  2716              int ypass;
  2717              int ysign;
  2718              pubkeyc[0] = i;
  2719              /* What sign does this point have? */
  2720              ysign = (input[63] & 1) + 2;
  2721              /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
  2722              xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
  2723              /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
  2724              ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
  2725                  ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
  2726              if (xpass || ypass) {
  2727                  /* These cases must parse. */
  2728                  unsigned char pubkeyo[65];
  2729                  size_t outl;
  2730                  memset(&pubkey, 0, sizeof(pubkey));
  2731                  VG_UNDEF(&pubkey, sizeof(pubkey));
  2732                  ecount = 0;
  2733                  CHECK(vet_secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
  2734                  VG_CHECK(&pubkey, sizeof(pubkey));
  2735                  outl = 65;
  2736                  VG_UNDEF(pubkeyo, 65);
  2737                  CHECK(vet_secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
  2738                  VG_CHECK(pubkeyo, outl);
  2739                  CHECK(outl == 33);
  2740                  CHECK(memcmp(&pubkeyo[1], &pubkeyc[1], 32) == 0);
  2741                  CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
  2742                  if (ypass) {
  2743                      /* This test isn't always done because we decode with alternative signs, so the y won't match. */
  2744                      CHECK(pubkeyo[0] == ysign);
  2745                      CHECK(vet_secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
  2746                      memset(&pubkey, 0, sizeof(pubkey));
  2747                      VG_UNDEF(&pubkey, sizeof(pubkey));
  2748                      vet_secp256k1_pubkey_save(&pubkey, &ge);
  2749                      VG_CHECK(&pubkey, sizeof(pubkey));
  2750                      outl = 65;
  2751                      VG_UNDEF(pubkeyo, 65);
  2752                      CHECK(vet_secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
  2753                      VG_CHECK(pubkeyo, outl);
  2754                      CHECK(outl == 65);
  2755                      CHECK(pubkeyo[0] == 4);
  2756                      CHECK(memcmp(&pubkeyo[1], input, 64) == 0);
  2757                  }
  2758                  CHECK(ecount == 0);
  2759              } else {
  2760                  /* These cases must fail to parse. */
  2761                  memset(&pubkey, 0xfe, sizeof(pubkey));
  2762                  ecount = 0;
  2763                  VG_UNDEF(&pubkey, sizeof(pubkey));
  2764                  CHECK(vet_secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
  2765                  VG_CHECK(&pubkey, sizeof(pubkey));
  2766                  CHECK(ecount == 0);
  2767                  CHECK(vet_secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
  2768                  CHECK(ecount == 1);
  2769              }
  2770          }
  2771      }
  2772      vet_secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
  2773  }
  2774  
  2775  void run_ec_pubkey_parse_test(void) {
  2776  #define SECP256K1_EC_PARSE_TEST_NVALID (12)
  2777      const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
  2778          {
  2779              /* Point with leading and trailing zeros in x and y serialization. */
  2780              0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
  2781              0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  2782              0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
  2783              0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
  2784          },
  2785          {
  2786              /* Point with x equal to a 3rd root of unity.*/
  2787              0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
  2788              0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
  2789              0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
  2790              0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
  2791          },
  2792          {
  2793              /* Point with largest x. (1/2) */
  2794              0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  2795              0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
  2796              0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
  2797              0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
  2798          },
  2799          {
  2800              /* Point with largest x. (2/2) */
  2801              0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  2802              0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
  2803              0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
  2804              0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
  2805          },
  2806          {
  2807              /* Point with smallest x. (1/2) */
  2808              0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  2809              0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
  2810              0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
  2811              0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
  2812          },
  2813          {
  2814              /* Point with smallest x. (2/2) */
  2815              0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  2816              0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
  2817              0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
  2818              0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
  2819          },
  2820          {
  2821              /* Point with largest y. (1/3) */
  2822              0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
  2823              0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
  2824              0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  2825              0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
  2826          },
  2827          {
  2828              /* Point with largest y. (2/3) */
  2829              0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
  2830              0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
  2831              0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  2832              0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
  2833          },
  2834          {
  2835              /* Point with largest y. (3/3) */
  2836              0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
  2837              0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
  2838              0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  2839              0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
  2840          },
  2841          {
  2842              /* Point with smallest y. (1/3) */
  2843              0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
  2844              0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
  2845              0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  2846              0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
  2847          },
  2848          {
  2849              /* Point with smallest y. (2/3) */
  2850              0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
  2851              0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
  2852              0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  2853              0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
  2854          },
  2855          {
  2856              /* Point with smallest y. (3/3) */
  2857              0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
  2858              0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
  2859              0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  2860              0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
  2861          }
  2862      };
  2863  #define SECP256K1_EC_PARSE_TEST_NXVALID (4)
  2864      const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
  2865          {
  2866              /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
  2867              0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
  2868              0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
  2869              0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  2870              0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
  2871          },
  2872          {
  2873              /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
  2874              0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
  2875              0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
  2876              0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  2877              0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
  2878          },
  2879          {
  2880              /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
  2881              0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
  2882              0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
  2883              0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  2884              0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
  2885          },
  2886          {
  2887              /* x on curve, y is from y^2 = x^3 + 8. */
  2888              0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  2889              0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
  2890              0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  2891              0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
  2892          }
  2893      };
  2894  #define SECP256K1_EC_PARSE_TEST_NINVALID (7)
  2895      const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
  2896          {
  2897              /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
  2898              0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
  2899              0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
  2900              0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  2901              0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
  2902          },
  2903          {
  2904              /* Valid if x overflow ignored (x = 1 mod p). */
  2905              0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  2906              0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
  2907              0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
  2908              0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
  2909          },
  2910          {
  2911              /* Valid if x overflow ignored (x = 1 mod p). */
  2912              0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  2913              0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
  2914              0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
  2915              0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
  2916          },
  2917          {
  2918              /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
  2919              0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  2920              0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
  2921              0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
  2922              0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
  2923          },
  2924          {
  2925              /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
  2926              0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  2927              0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
  2928              0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
  2929              0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
  2930          },
  2931          {
  2932              /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
  2933              0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  2934              0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  2935              0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
  2936              0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
  2937          },
  2938          {
  2939              /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
  2940              0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  2941              0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  2942              0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
  2943              0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
  2944          }
  2945      };
  2946      const unsigned char pubkeyc[66] = {
  2947          /* Serialization of G. */
  2948          0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
  2949          0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
  2950          0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
  2951          0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
  2952          0xB8, 0x00
  2953      };
  2954      unsigned char sout[65];
  2955      unsigned char shortkey[2];
  2956      vet_secp256k1_ge ge;
  2957      vet_secp256k1_pubkey pubkey;
  2958      size_t len;
  2959      int32_t i;
  2960      int32_t ecount;
  2961      int32_t ecount2;
  2962      ecount = 0;
  2963      /* Nothing should be reading this far into pubkeyc. */
  2964      VG_UNDEF(&pubkeyc[65], 1);
  2965      vet_secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
  2966      /* Zero length claimed, fail, zeroize, no illegal arg error. */
  2967      memset(&pubkey, 0xfe, sizeof(pubkey));
  2968      ecount = 0;
  2969      VG_UNDEF(shortkey, 2);
  2970      VG_UNDEF(&pubkey, sizeof(pubkey));
  2971      CHECK(vet_secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
  2972      VG_CHECK(&pubkey, sizeof(pubkey));
  2973      CHECK(ecount == 0);
  2974      CHECK(vet_secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
  2975      CHECK(ecount == 1);
  2976      /* Length one claimed, fail, zeroize, no illegal arg error. */
  2977      for (i = 0; i < 256 ; i++) {
  2978          memset(&pubkey, 0xfe, sizeof(pubkey));
  2979          ecount = 0;
  2980          shortkey[0] = i;
  2981          VG_UNDEF(&shortkey[1], 1);
  2982          VG_UNDEF(&pubkey, sizeof(pubkey));
  2983          CHECK(vet_secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
  2984          VG_CHECK(&pubkey, sizeof(pubkey));
  2985          CHECK(ecount == 0);
  2986          CHECK(vet_secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
  2987          CHECK(ecount == 1);
  2988      }
  2989      /* Length two claimed, fail, zeroize, no illegal arg error. */
  2990      for (i = 0; i < 65536 ; i++) {
  2991          memset(&pubkey, 0xfe, sizeof(pubkey));
  2992          ecount = 0;
  2993          shortkey[0] = i & 255;
  2994          shortkey[1] = i >> 8;
  2995          VG_UNDEF(&pubkey, sizeof(pubkey));
  2996          CHECK(vet_secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
  2997          VG_CHECK(&pubkey, sizeof(pubkey));
  2998          CHECK(ecount == 0);
  2999          CHECK(vet_secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
  3000          CHECK(ecount == 1);
  3001      }
  3002      memset(&pubkey, 0xfe, sizeof(pubkey));
  3003      ecount = 0;
  3004      VG_UNDEF(&pubkey, sizeof(pubkey));
  3005      /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
  3006      CHECK(vet_secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
  3007      VG_CHECK(&pubkey, sizeof(pubkey));
  3008      CHECK(ecount == 0);
  3009      CHECK(vet_secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
  3010      CHECK(ecount == 1);
  3011      /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
  3012      CHECK(vet_secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
  3013      CHECK(ecount == 2);
  3014      /* NULL input string. Illegal arg and zeroize output. */
  3015      memset(&pubkey, 0xfe, sizeof(pubkey));
  3016      ecount = 0;
  3017      VG_UNDEF(&pubkey, sizeof(pubkey));
  3018      CHECK(vet_secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
  3019      VG_CHECK(&pubkey, sizeof(pubkey));
  3020      CHECK(ecount == 1);
  3021      CHECK(vet_secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
  3022      CHECK(ecount == 2);
  3023      /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
  3024      memset(&pubkey, 0xfe, sizeof(pubkey));
  3025      ecount = 0;
  3026      VG_UNDEF(&pubkey, sizeof(pubkey));
  3027      CHECK(vet_secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
  3028      VG_CHECK(&pubkey, sizeof(pubkey));
  3029      CHECK(ecount == 0);
  3030      CHECK(vet_secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
  3031      CHECK(ecount == 1);
  3032      /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
  3033      memset(&pubkey, 0xfe, sizeof(pubkey));
  3034      ecount = 0;
  3035      VG_UNDEF(&pubkey, sizeof(pubkey));
  3036      CHECK(vet_secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
  3037      VG_CHECK(&pubkey, sizeof(pubkey));
  3038      CHECK(ecount == 0);
  3039      CHECK(vet_secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
  3040      CHECK(ecount == 1);
  3041      /* Valid parse. */
  3042      memset(&pubkey, 0, sizeof(pubkey));
  3043      ecount = 0;
  3044      VG_UNDEF(&pubkey, sizeof(pubkey));
  3045      CHECK(vet_secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
  3046      VG_CHECK(&pubkey, sizeof(pubkey));
  3047      CHECK(ecount == 0);
  3048      VG_UNDEF(&ge, sizeof(ge));
  3049      CHECK(vet_secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
  3050      VG_CHECK(&ge.x, sizeof(ge.x));
  3051      VG_CHECK(&ge.y, sizeof(ge.y));
  3052      VG_CHECK(&ge.infinity, sizeof(ge.infinity));
  3053      ge_equals_ge(&vet_secp256k1_ge_const_g, &ge);
  3054      CHECK(ecount == 0);
  3055      /* secp256k1_ec_pubkey_serialize illegal args. */
  3056      ecount = 0;
  3057      len = 65;
  3058      CHECK(vet_secp256k1_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
  3059      CHECK(ecount == 1);
  3060      CHECK(len == 0);
  3061      CHECK(vet_secp256k1_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
  3062      CHECK(ecount == 2);
  3063      len = 65;
  3064      VG_UNDEF(sout, 65);
  3065      CHECK(vet_secp256k1_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0);
  3066      VG_CHECK(sout, 65);
  3067      CHECK(ecount == 3);
  3068      CHECK(len == 0);
  3069      len = 65;
  3070      CHECK(vet_secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
  3071      CHECK(ecount == 4);
  3072      CHECK(len == 0);
  3073      len = 65;
  3074      VG_UNDEF(sout, 65);
  3075      CHECK(vet_secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
  3076      VG_CHECK(sout, 65);
  3077      CHECK(ecount == 4);
  3078      CHECK(len == 65);
  3079      /* Multiple illegal args. Should still set arg error only once. */
  3080      ecount = 0;
  3081      ecount2 = 11;
  3082      CHECK(vet_secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
  3083      CHECK(ecount == 1);
  3084      /* Does the illegal arg callback actually change the behavior? */
  3085      vet_secp256k1_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2);
  3086      CHECK(vet_secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
  3087      CHECK(ecount == 1);
  3088      CHECK(ecount2 == 10);
  3089      vet_secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
  3090      /* Try a bunch of prefabbed points with all possible encodings. */
  3091      for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
  3092          ec_pubkey_parse_pointtest(valid[i], 1, 1);
  3093      }
  3094      for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
  3095          ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
  3096      }
  3097      for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
  3098          ec_pubkey_parse_pointtest(invalid[i], 0, 0);
  3099      }
  3100  }
  3101  
  3102  void run_eckey_edge_case_test(void) {
  3103      const unsigned char orderc[32] = {
  3104          0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  3105          0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
  3106          0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
  3107          0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
  3108      };
  3109      const unsigned char zeros[sizeof(vet_secp256k1_pubkey)] = {0x00};
  3110      unsigned char ctmp[33];
  3111      unsigned char ctmp2[33];
  3112      vet_secp256k1_pubkey pubkey;
  3113      vet_secp256k1_pubkey pubkey2;
  3114      vet_secp256k1_pubkey pubkey_one;
  3115      vet_secp256k1_pubkey pubkey_negone;
  3116      const vet_secp256k1_pubkey *pubkeys[3];
  3117      size_t len;
  3118      int32_t ecount;
  3119      /* Group order is too large, reject. */
  3120      CHECK(vet_secp256k1_ec_seckey_verify(ctx, orderc) == 0);
  3121      VG_UNDEF(&pubkey, sizeof(pubkey));
  3122      CHECK(vet_secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0);
  3123      VG_CHECK(&pubkey, sizeof(pubkey));
  3124      CHECK(memcmp(&pubkey, zeros, sizeof(vet_secp256k1_pubkey)) == 0);
  3125      /* Maximum value is too large, reject. */
  3126      memset(ctmp, 255, 32);
  3127      CHECK(vet_secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
  3128      memset(&pubkey, 1, sizeof(pubkey));
  3129      VG_UNDEF(&pubkey, sizeof(pubkey));
  3130      CHECK(vet_secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
  3131      VG_CHECK(&pubkey, sizeof(pubkey));
  3132      CHECK(memcmp(&pubkey, zeros, sizeof(vet_secp256k1_pubkey)) == 0);
  3133      /* Zero is too small, reject. */
  3134      memset(ctmp, 0, 32);
  3135      CHECK(vet_secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
  3136      memset(&pubkey, 1, sizeof(pubkey));
  3137      VG_UNDEF(&pubkey, sizeof(pubkey));
  3138      CHECK(vet_secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
  3139      VG_CHECK(&pubkey, sizeof(pubkey));
  3140      CHECK(memcmp(&pubkey, zeros, sizeof(vet_secp256k1_pubkey)) == 0);
  3141      /* One must be accepted. */
  3142      ctmp[31] = 0x01;
  3143      CHECK(vet_secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
  3144      memset(&pubkey, 0, sizeof(pubkey));
  3145      VG_UNDEF(&pubkey, sizeof(pubkey));
  3146      CHECK(vet_secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
  3147      VG_CHECK(&pubkey, sizeof(pubkey));
  3148      CHECK(memcmp(&pubkey, zeros, sizeof(vet_secp256k1_pubkey)) > 0);
  3149      pubkey_one = pubkey;
  3150      /* Group order + 1 is too large, reject. */
  3151      memcpy(ctmp, orderc, 32);
  3152      ctmp[31] = 0x42;
  3153      CHECK(vet_secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
  3154      memset(&pubkey, 1, sizeof(pubkey));
  3155      VG_UNDEF(&pubkey, sizeof(pubkey));
  3156      CHECK(vet_secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
  3157      VG_CHECK(&pubkey, sizeof(pubkey));
  3158      CHECK(memcmp(&pubkey, zeros, sizeof(vet_secp256k1_pubkey)) == 0);
  3159      /* -1 must be accepted. */
  3160      ctmp[31] = 0x40;
  3161      CHECK(vet_secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
  3162      memset(&pubkey, 0, sizeof(pubkey));
  3163      VG_UNDEF(&pubkey, sizeof(pubkey));
  3164      CHECK(vet_secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
  3165      VG_CHECK(&pubkey, sizeof(pubkey));
  3166      CHECK(memcmp(&pubkey, zeros, sizeof(vet_secp256k1_pubkey)) > 0);
  3167      pubkey_negone = pubkey;
  3168      /* Tweak of zero leaves the value changed. */
  3169      memset(ctmp2, 0, 32);
  3170      CHECK(vet_secp256k1_ec_privkey_tweak_add(ctx, ctmp, ctmp2) == 1);
  3171      CHECK(memcmp(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
  3172      memcpy(&pubkey2, &pubkey, sizeof(pubkey));
  3173      CHECK(vet_secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
  3174      CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
  3175      /* Multiply tweak of zero zeroizes the output. */
  3176      CHECK(vet_secp256k1_ec_privkey_tweak_mul(ctx, ctmp, ctmp2) == 0);
  3177      CHECK(memcmp(zeros, ctmp, 32) == 0);
  3178      CHECK(vet_secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
  3179      CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
  3180      memcpy(&pubkey, &pubkey2, sizeof(pubkey));
  3181      /* Overflowing key tweak zeroizes. */
  3182      memcpy(ctmp, orderc, 32);
  3183      ctmp[31] = 0x40;
  3184      CHECK(vet_secp256k1_ec_privkey_tweak_add(ctx, ctmp, orderc) == 0);
  3185      CHECK(memcmp(zeros, ctmp, 32) == 0);
  3186      memcpy(ctmp, orderc, 32);
  3187      ctmp[31] = 0x40;
  3188      CHECK(vet_secp256k1_ec_privkey_tweak_mul(ctx, ctmp, orderc) == 0);
  3189      CHECK(memcmp(zeros, ctmp, 32) == 0);
  3190      memcpy(ctmp, orderc, 32);
  3191      ctmp[31] = 0x40;
  3192      CHECK(vet_secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
  3193      CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
  3194      memcpy(&pubkey, &pubkey2, sizeof(pubkey));
  3195      CHECK(vet_secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
  3196      CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
  3197      memcpy(&pubkey, &pubkey2, sizeof(pubkey));
  3198      /* Private key tweaks results in a key of zero. */
  3199      ctmp2[31] = 1;
  3200      CHECK(vet_secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 0);
  3201      CHECK(memcmp(zeros, ctmp2, 32) == 0);
  3202      ctmp2[31] = 1;
  3203      CHECK(vet_secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
  3204      CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
  3205      memcpy(&pubkey, &pubkey2, sizeof(pubkey));
  3206      /* Tweak computation wraps and results in a key of 1. */
  3207      ctmp2[31] = 2;
  3208      CHECK(vet_secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 1);
  3209      CHECK(memcmp(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
  3210      ctmp2[31] = 2;
  3211      CHECK(vet_secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
  3212      ctmp2[31] = 1;
  3213      CHECK(vet_secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
  3214      CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
  3215      /* Tweak mul * 2 = 1+1. */
  3216      CHECK(vet_secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
  3217      ctmp2[31] = 2;
  3218      CHECK(vet_secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
  3219      CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
  3220      /* Test argument errors. */
  3221      ecount = 0;
  3222      vet_secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
  3223      CHECK(ecount == 0);
  3224      /* Zeroize pubkey on parse error. */
  3225      memset(&pubkey, 0, 32);
  3226      CHECK(vet_secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
  3227      CHECK(ecount == 1);
  3228      CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
  3229      memcpy(&pubkey, &pubkey2, sizeof(pubkey));
  3230      memset(&pubkey2, 0, 32);
  3231      CHECK(vet_secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
  3232      CHECK(ecount == 2);
  3233      CHECK(memcmp(&pubkey2, zeros, sizeof(pubkey2)) == 0);
  3234      /* Plain argument errors. */
  3235      ecount = 0;
  3236      CHECK(vet_secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
  3237      CHECK(ecount == 0);
  3238      CHECK(vet_secp256k1_ec_seckey_verify(ctx, NULL) == 0);
  3239      CHECK(ecount == 1);
  3240      ecount = 0;
  3241      memset(ctmp2, 0, 32);
  3242      ctmp2[31] = 4;
  3243      CHECK(vet_secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
  3244      CHECK(ecount == 1);
  3245      CHECK(vet_secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
  3246      CHECK(ecount == 2);
  3247      ecount = 0;
  3248      memset(ctmp2, 0, 32);
  3249      ctmp2[31] = 4;
  3250      CHECK(vet_secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
  3251      CHECK(ecount == 1);
  3252      CHECK(vet_secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
  3253      CHECK(ecount == 2);
  3254      ecount = 0;
  3255      memset(ctmp2, 0, 32);
  3256      CHECK(vet_secp256k1_ec_privkey_tweak_add(ctx, NULL, ctmp2) == 0);
  3257      CHECK(ecount == 1);
  3258      CHECK(vet_secp256k1_ec_privkey_tweak_add(ctx, ctmp, NULL) == 0);
  3259      CHECK(ecount == 2);
  3260      ecount = 0;
  3261      memset(ctmp2, 0, 32);
  3262      ctmp2[31] = 1;
  3263      CHECK(vet_secp256k1_ec_privkey_tweak_mul(ctx, NULL, ctmp2) == 0);
  3264      CHECK(ecount == 1);
  3265      CHECK(vet_secp256k1_ec_privkey_tweak_mul(ctx, ctmp, NULL) == 0);
  3266      CHECK(ecount == 2);
  3267      ecount = 0;
  3268      CHECK(vet_secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0);
  3269      CHECK(ecount == 1);
  3270      memset(&pubkey, 1, sizeof(pubkey));
  3271      CHECK(vet_secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
  3272      CHECK(ecount == 2);
  3273      CHECK(memcmp(&pubkey, zeros, sizeof(vet_secp256k1_pubkey)) == 0);
  3274      /* secp256k1_ec_pubkey_combine tests. */
  3275      ecount = 0;
  3276      pubkeys[0] = &pubkey_one;
  3277      VG_UNDEF(&pubkeys[0], sizeof(vet_secp256k1_pubkey *));
  3278      VG_UNDEF(&pubkeys[1], sizeof(vet_secp256k1_pubkey *));
  3279      VG_UNDEF(&pubkeys[2], sizeof(vet_secp256k1_pubkey *));
  3280      memset(&pubkey, 255, sizeof(vet_secp256k1_pubkey));
  3281      VG_UNDEF(&pubkey, sizeof(vet_secp256k1_pubkey));
  3282      CHECK(vet_secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
  3283      VG_CHECK(&pubkey, sizeof(vet_secp256k1_pubkey));
  3284      CHECK(memcmp(&pubkey, zeros, sizeof(vet_secp256k1_pubkey)) == 0);
  3285      CHECK(ecount == 1);
  3286      CHECK(vet_secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
  3287      CHECK(memcmp(&pubkey, zeros, sizeof(vet_secp256k1_pubkey)) == 0);
  3288      CHECK(ecount == 2);
  3289      memset(&pubkey, 255, sizeof(vet_secp256k1_pubkey));
  3290      VG_UNDEF(&pubkey, sizeof(vet_secp256k1_pubkey));
  3291      CHECK(vet_secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
  3292      VG_CHECK(&pubkey, sizeof(vet_secp256k1_pubkey));
  3293      CHECK(memcmp(&pubkey, zeros, sizeof(vet_secp256k1_pubkey)) == 0);
  3294      CHECK(ecount == 3);
  3295      pubkeys[0] = &pubkey_negone;
  3296      memset(&pubkey, 255, sizeof(vet_secp256k1_pubkey));
  3297      VG_UNDEF(&pubkey, sizeof(vet_secp256k1_pubkey));
  3298      CHECK(vet_secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
  3299      VG_CHECK(&pubkey, sizeof(vet_secp256k1_pubkey));
  3300      CHECK(memcmp(&pubkey, zeros, sizeof(vet_secp256k1_pubkey)) > 0);
  3301      CHECK(ecount == 3);
  3302      len = 33;
  3303      CHECK(vet_secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
  3304      CHECK(vet_secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
  3305      CHECK(memcmp(ctmp, ctmp2, 33) == 0);
  3306      /* Result is infinity. */
  3307      pubkeys[0] = &pubkey_one;
  3308      pubkeys[1] = &pubkey_negone;
  3309      memset(&pubkey, 255, sizeof(vet_secp256k1_pubkey));
  3310      VG_UNDEF(&pubkey, sizeof(vet_secp256k1_pubkey));
  3311      CHECK(vet_secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
  3312      VG_CHECK(&pubkey, sizeof(vet_secp256k1_pubkey));
  3313      CHECK(memcmp(&pubkey, zeros, sizeof(vet_secp256k1_pubkey)) == 0);
  3314      CHECK(ecount == 3);
  3315      /* Passes through infinity but comes out one. */
  3316      pubkeys[2] = &pubkey_one;
  3317      memset(&pubkey, 255, sizeof(vet_secp256k1_pubkey));
  3318      VG_UNDEF(&pubkey, sizeof(vet_secp256k1_pubkey));
  3319      CHECK(vet_secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
  3320      VG_CHECK(&pubkey, sizeof(vet_secp256k1_pubkey));
  3321      CHECK(memcmp(&pubkey, zeros, sizeof(vet_secp256k1_pubkey)) > 0);
  3322      CHECK(ecount == 3);
  3323      len = 33;
  3324      CHECK(vet_secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
  3325      CHECK(vet_secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
  3326      CHECK(memcmp(ctmp, ctmp2, 33) == 0);
  3327      /* Adds to two. */
  3328      pubkeys[1] = &pubkey_one;
  3329      memset(&pubkey, 255, sizeof(vet_secp256k1_pubkey));
  3330      VG_UNDEF(&pubkey, sizeof(vet_secp256k1_pubkey));
  3331      CHECK(vet_secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1);
  3332      VG_CHECK(&pubkey, sizeof(vet_secp256k1_pubkey));
  3333      CHECK(memcmp(&pubkey, zeros, sizeof(vet_secp256k1_pubkey)) > 0);
  3334      CHECK(ecount == 3);
  3335      vet_secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
  3336  }
  3337  
  3338  void random_sign(vet_secp256k1_scalar *sigr, vet_secp256k1_scalar *sigs, const vet_secp256k1_scalar *key, const vet_secp256k1_scalar *msg, int *recid) {
  3339      vet_secp256k1_scalar nonce;
  3340      do {
  3341          random_scalar_order_test(&nonce);
  3342      } while(!vet_secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
  3343  }
  3344  
  3345  void test_ecdsa_sign_verify(void) {
  3346      vet_secp256k1_gej pubj;
  3347      vet_secp256k1_ge pub;
  3348      vet_secp256k1_scalar one;
  3349      vet_secp256k1_scalar msg, key;
  3350      vet_secp256k1_scalar sigr, sigs;
  3351      int recid;
  3352      int getrec;
  3353      random_scalar_order_test(&msg);
  3354      random_scalar_order_test(&key);
  3355      vet_secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
  3356      vet_secp256k1_ge_set_gej(&pub, &pubj);
  3357      getrec = vet_secp256k1_rand_bits(1);
  3358      random_sign(&sigr, &sigs, &key, &msg, getrec?&recid:NULL);
  3359      if (getrec) {
  3360          CHECK(recid >= 0 && recid < 4);
  3361      }
  3362      CHECK(vet_secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
  3363      vet_secp256k1_scalar_set_int(&one, 1);
  3364      vet_secp256k1_scalar_add(&msg, &msg, &one);
  3365      CHECK(!vet_secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
  3366  }
  3367  
  3368  void run_ecdsa_sign_verify(void) {
  3369      int i;
  3370      for (i = 0; i < 10*count; i++) {
  3371          test_ecdsa_sign_verify();
  3372      }
  3373  }
  3374  
  3375  /** Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted. Use only for testing. */
  3376  static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
  3377      (void)msg32;
  3378      (void)key32;
  3379      (void)algo16;
  3380      memcpy(nonce32, data, 32);
  3381      return (counter == 0);
  3382  }
  3383  
  3384  static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
  3385     /* Dummy nonce generator that has a fatal error on the first counter value. */
  3386     if (counter == 0) {
  3387         return 0;
  3388     }
  3389     return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
  3390  }
  3391  
  3392  static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
  3393     /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
  3394     if (counter < 3) {
  3395         memset(nonce32, counter==0 ? 0 : 255, 32);
  3396         if (counter == 2) {
  3397             nonce32[31]--;
  3398         }
  3399         return 1;
  3400     }
  3401     if (counter < 5) {
  3402         static const unsigned char order[] = {
  3403             0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
  3404             0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
  3405             0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
  3406             0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
  3407         };
  3408         memcpy(nonce32, order, 32);
  3409         if (counter == 4) {
  3410             nonce32[31]++;
  3411         }
  3412         return 1;
  3413     }
  3414     /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
  3415     /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
  3416     if (counter > 5) {
  3417         return 0;
  3418     }
  3419     return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
  3420  }
  3421  
  3422  int is_empty_signature(const vet_secp256k1_ecdsa_signature *sig) {
  3423      static const unsigned char res[sizeof(vet_secp256k1_ecdsa_signature)] = {0};
  3424      return memcmp(sig, res, sizeof(vet_secp256k1_ecdsa_signature)) == 0;
  3425  }
  3426  
  3427  void test_ecdsa_end_to_end(void) {
  3428      unsigned char extra[32] = {0x00};
  3429      unsigned char privkey[32];
  3430      unsigned char message[32];
  3431      unsigned char privkey2[32];
  3432      vet_secp256k1_ecdsa_signature signature[6];
  3433      vet_secp256k1_scalar r, s;
  3434      unsigned char sig[74];
  3435      size_t siglen = 74;
  3436      unsigned char pubkeyc[65];
  3437      size_t pubkeyclen = 65;
  3438      vet_secp256k1_pubkey pubkey;
  3439      unsigned char seckey[300];
  3440      size_t seckeylen = 300;
  3441  
  3442      /* Generate a random key and message. */
  3443      {
  3444          vet_secp256k1_scalar msg, key;
  3445          random_scalar_order_test(&msg);
  3446          random_scalar_order_test(&key);
  3447          vet_secp256k1_scalar_get_b32(privkey, &key);
  3448          vet_secp256k1_scalar_get_b32(message, &msg);
  3449      }
  3450  
  3451      /* Construct and verify corresponding public key. */
  3452      CHECK(vet_secp256k1_ec_seckey_verify(ctx, privkey) == 1);
  3453      CHECK(vet_secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
  3454  
  3455      /* Verify exporting and importing public key. */
  3456      CHECK(vet_secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, vet_secp256k1_rand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
  3457      memset(&pubkey, 0, sizeof(pubkey));
  3458      CHECK(vet_secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
  3459  
  3460      /* Verify private key import and export. */
  3461      CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, vet_secp256k1_rand_bits(1) == 1));
  3462      CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1);
  3463      CHECK(memcmp(privkey, privkey2, 32) == 0);
  3464  
  3465      /* Optionally tweak the keys using addition. */
  3466      if (vet_secp256k1_rand_int(3) == 0) {
  3467          int ret1;
  3468          int ret2;
  3469          unsigned char rnd[32];
  3470          vet_secp256k1_pubkey pubkey2;
  3471          vet_secp256k1_rand256_test(rnd);
  3472          ret1 = vet_secp256k1_ec_privkey_tweak_add(ctx, privkey, rnd);
  3473          ret2 = vet_secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd);
  3474          CHECK(ret1 == ret2);
  3475          if (ret1 == 0) {
  3476              return;
  3477          }
  3478          CHECK(vet_secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
  3479          CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
  3480      }
  3481  
  3482      /* Optionally tweak the keys using multiplication. */
  3483      if (vet_secp256k1_rand_int(3) == 0) {
  3484          int ret1;
  3485          int ret2;
  3486          unsigned char rnd[32];
  3487          vet_secp256k1_pubkey pubkey2;
  3488          vet_secp256k1_rand256_test(rnd);
  3489          ret1 = vet_secp256k1_ec_privkey_tweak_mul(ctx, privkey, rnd);
  3490          ret2 = vet_secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd);
  3491          CHECK(ret1 == ret2);
  3492          if (ret1 == 0) {
  3493              return;
  3494          }
  3495          CHECK(vet_secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
  3496          CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
  3497      }
  3498  
  3499      /* Sign. */
  3500      CHECK(vet_secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
  3501      CHECK(vet_secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1);
  3502      CHECK(vet_secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1);
  3503      extra[31] = 1;
  3504      CHECK(vet_secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1);
  3505      extra[31] = 0;
  3506      extra[0] = 1;
  3507      CHECK(vet_secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1);
  3508      CHECK(memcmp(&signature[0], &signature[4], sizeof(signature[0])) == 0);
  3509      CHECK(memcmp(&signature[0], &signature[1], sizeof(signature[0])) != 0);
  3510      CHECK(memcmp(&signature[0], &signature[2], sizeof(signature[0])) != 0);
  3511      CHECK(memcmp(&signature[0], &signature[3], sizeof(signature[0])) != 0);
  3512      CHECK(memcmp(&signature[1], &signature[2], sizeof(signature[0])) != 0);
  3513      CHECK(memcmp(&signature[1], &signature[3], sizeof(signature[0])) != 0);
  3514      CHECK(memcmp(&signature[2], &signature[3], sizeof(signature[0])) != 0);
  3515      /* Verify. */
  3516      CHECK(vet_secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
  3517      CHECK(vet_secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1);
  3518      CHECK(vet_secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1);
  3519      CHECK(vet_secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1);
  3520      /* Test lower-S form, malleate, verify and fail, test again, malleate again */
  3521      CHECK(!vet_secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[0]));
  3522      vet_secp256k1_ecdsa_signature_load(ctx, &r, &s, &signature[0]);
  3523      vet_secp256k1_scalar_negate(&s, &s);
  3524      vet_secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
  3525      CHECK(vet_secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0);
  3526      CHECK(vet_secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
  3527      CHECK(vet_secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
  3528      CHECK(!vet_secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
  3529      CHECK(!vet_secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
  3530      CHECK(vet_secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
  3531      vet_secp256k1_scalar_negate(&s, &s);
  3532      vet_secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
  3533      CHECK(!vet_secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
  3534      CHECK(vet_secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
  3535      CHECK(memcmp(&signature[5], &signature[0], 64) == 0);
  3536  
  3537      /* Serialize/parse DER and verify again */
  3538      CHECK(vet_secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
  3539      memset(&signature[0], 0, sizeof(signature[0]));
  3540      CHECK(vet_secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1);
  3541      CHECK(vet_secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
  3542      /* Serialize/destroy/parse DER and verify again. */
  3543      siglen = 74;
  3544      CHECK(vet_secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
  3545      sig[vet_secp256k1_rand_int(siglen)] += 1 + vet_secp256k1_rand_int(255);
  3546      CHECK(vet_secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 ||
  3547            vet_secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0);
  3548  }
  3549  
  3550  void test_random_pubkeys(void) {
  3551      vet_secp256k1_ge elem;
  3552      vet_secp256k1_ge elem2;
  3553      unsigned char in[65];
  3554      /* Generate some randomly sized pubkeys. */
  3555      size_t len = vet_secp256k1_rand_bits(2) == 0 ? 65 : 33;
  3556      if (vet_secp256k1_rand_bits(2) == 0) {
  3557          len = vet_secp256k1_rand_bits(6);
  3558      }
  3559      if (len == 65) {
  3560        in[0] = vet_secp256k1_rand_bits(1) ? 4 : (vet_secp256k1_rand_bits(1) ? 6 : 7);
  3561      } else {
  3562        in[0] = vet_secp256k1_rand_bits(1) ? 2 : 3;
  3563      }
  3564      if (vet_secp256k1_rand_bits(3) == 0) {
  3565          in[0] = vet_secp256k1_rand_bits(8);
  3566      }
  3567      if (len > 1) {
  3568          vet_secp256k1_rand256(&in[1]);
  3569      }
  3570      if (len > 33) {
  3571          vet_secp256k1_rand256(&in[33]);
  3572      }
  3573      if (vet_secp256k1_eckey_pubkey_parse(&elem, in, len)) {
  3574          unsigned char out[65];
  3575          unsigned char firstb;
  3576          int res;
  3577          size_t size = len;
  3578          firstb = in[0];
  3579          /* If the pubkey can be parsed, it should round-trip... */
  3580          CHECK(vet_secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
  3581          CHECK(size == len);
  3582          CHECK(memcmp(&in[1], &out[1], len-1) == 0);
  3583          /* ... except for the type of hybrid inputs. */
  3584          if ((in[0] != 6) && (in[0] != 7)) {
  3585              CHECK(in[0] == out[0]);
  3586          }
  3587          size = 65;
  3588          CHECK(vet_secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
  3589          CHECK(size == 65);
  3590          CHECK(vet_secp256k1_eckey_pubkey_parse(&elem2, in, size));
  3591          ge_equals_ge(&elem,&elem2);
  3592          /* Check that the X9.62 hybrid type is checked. */
  3593          in[0] = vet_secp256k1_rand_bits(1) ? 6 : 7;
  3594          res = vet_secp256k1_eckey_pubkey_parse(&elem2, in, size);
  3595          if (firstb == 2 || firstb == 3) {
  3596              if (in[0] == firstb + 4) {
  3597                CHECK(res);
  3598              } else {
  3599                CHECK(!res);
  3600              }
  3601          }
  3602          if (res) {
  3603              ge_equals_ge(&elem,&elem2);
  3604              CHECK(vet_secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
  3605              CHECK(memcmp(&in[1], &out[1], 64) == 0);
  3606          }
  3607      }
  3608  }
  3609  
  3610  void run_random_pubkeys(void) {
  3611      int i;
  3612      for (i = 0; i < 10*count; i++) {
  3613          test_random_pubkeys();
  3614      }
  3615  }
  3616  
  3617  void run_ecdsa_end_to_end(void) {
  3618      int i;
  3619      for (i = 0; i < 64*count; i++) {
  3620          test_ecdsa_end_to_end();
  3621      }
  3622  }
  3623  
  3624  int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
  3625      static const unsigned char zeroes[32] = {0};
  3626  #ifdef ENABLE_OPENSSL_TESTS
  3627      static const unsigned char max_scalar[32] = {
  3628          0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  3629          0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
  3630          0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
  3631          0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40
  3632      };
  3633  #endif
  3634  
  3635      int ret = 0;
  3636  
  3637      vet_secp256k1_ecdsa_signature sig_der;
  3638      unsigned char roundtrip_der[2048];
  3639      unsigned char compact_der[64];
  3640      size_t len_der = 2048;
  3641      int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
  3642  
  3643      vet_secp256k1_ecdsa_signature sig_der_lax;
  3644      unsigned char roundtrip_der_lax[2048];
  3645      unsigned char compact_der_lax[64];
  3646      size_t len_der_lax = 2048;
  3647      int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
  3648  
  3649  #ifdef ENABLE_OPENSSL_TESTS
  3650      ECDSA_SIG *sig_openssl;
  3651      const unsigned char *sigptr;
  3652      unsigned char roundtrip_openssl[2048];
  3653      int len_openssl = 2048;
  3654      int parsed_openssl, valid_openssl = 0, roundtrips_openssl = 0;
  3655  #endif
  3656  
  3657      parsed_der = vet_secp256k1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen);
  3658      if (parsed_der) {
  3659          ret |= (!vet_secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0;
  3660          valid_der = (memcmp(compact_der, zeroes, 32) != 0) && (memcmp(compact_der + 32, zeroes, 32) != 0);
  3661      }
  3662      if (valid_der) {
  3663          ret |= (!vet_secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1;
  3664          roundtrips_der = (len_der == siglen) && memcmp(roundtrip_der, sig, siglen) == 0;
  3665      }
  3666  
  3667      parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen);
  3668      if (parsed_der_lax) {
  3669          ret |= (!vet_secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10;
  3670          valid_der_lax = (memcmp(compact_der_lax, zeroes, 32) != 0) && (memcmp(compact_der_lax + 32, zeroes, 32) != 0);
  3671      }
  3672      if (valid_der_lax) {
  3673          ret |= (!vet_secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
  3674          roundtrips_der_lax = (len_der_lax == siglen) && memcmp(roundtrip_der_lax, sig, siglen) == 0;
  3675      }
  3676  
  3677      if (certainly_der) {
  3678          ret |= (!parsed_der) << 2;
  3679      }
  3680      if (certainly_not_der) {
  3681          ret |= (parsed_der) << 17;
  3682      }
  3683      if (valid_der) {
  3684          ret |= (!roundtrips_der) << 3;
  3685      }
  3686  
  3687      if (valid_der) {
  3688          ret |= (!roundtrips_der_lax) << 12;
  3689          ret |= (len_der != len_der_lax) << 13;
  3690          ret |= (memcmp(roundtrip_der_lax, roundtrip_der, len_der) != 0) << 14;
  3691      }
  3692      ret |= (roundtrips_der != roundtrips_der_lax) << 15;
  3693      if (parsed_der) {
  3694          ret |= (!parsed_der_lax) << 16;
  3695      }
  3696  
  3697  #ifdef ENABLE_OPENSSL_TESTS
  3698      sig_openssl = ECDSA_SIG_new();
  3699      sigptr = sig;
  3700      parsed_openssl = (d2i_ECDSA_SIG(&sig_openssl, &sigptr, siglen) != NULL);
  3701      if (parsed_openssl) {
  3702          valid_openssl = !BN_is_negative(sig_openssl->r) && !BN_is_negative(sig_openssl->s) && BN_num_bits(sig_openssl->r) > 0 && BN_num_bits(sig_openssl->r) <= 256 && BN_num_bits(sig_openssl->s) > 0 && BN_num_bits(sig_openssl->s) <= 256;
  3703          if (valid_openssl) {
  3704              unsigned char tmp[32] = {0};
  3705              BN_bn2bin(sig_openssl->r, tmp + 32 - BN_num_bytes(sig_openssl->r));
  3706              valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
  3707          }
  3708          if (valid_openssl) {
  3709              unsigned char tmp[32] = {0};
  3710              BN_bn2bin(sig_openssl->s, tmp + 32 - BN_num_bytes(sig_openssl->s));
  3711              valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
  3712          }
  3713      }
  3714      len_openssl = i2d_ECDSA_SIG(sig_openssl, NULL);
  3715      if (len_openssl <= 2048) {
  3716          unsigned char *ptr = roundtrip_openssl;
  3717          CHECK(i2d_ECDSA_SIG(sig_openssl, &ptr) == len_openssl);
  3718          roundtrips_openssl = valid_openssl && ((size_t)len_openssl == siglen) && (memcmp(roundtrip_openssl, sig, siglen) == 0);
  3719      } else {
  3720          len_openssl = 0;
  3721      }
  3722      ECDSA_SIG_free(sig_openssl);
  3723  
  3724      ret |= (parsed_der && !parsed_openssl) << 4;
  3725      ret |= (valid_der && !valid_openssl) << 5;
  3726      ret |= (roundtrips_openssl && !parsed_der) << 6;
  3727      ret |= (roundtrips_der != roundtrips_openssl) << 7;
  3728      if (roundtrips_openssl) {
  3729          ret |= (len_der != (size_t)len_openssl) << 8;
  3730          ret |= (memcmp(roundtrip_der, roundtrip_openssl, len_der) != 0) << 9;
  3731      }
  3732  #endif
  3733      return ret;
  3734  }
  3735  
  3736  static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
  3737      size_t i;
  3738      for (i = 0; i < ptrlen; i++) {
  3739          int shift = ptrlen - 1 - i;
  3740          if (shift >= 4) {
  3741              ptr[i] = 0;
  3742          } else {
  3743              ptr[i] = (val >> shift) & 0xFF;
  3744          }
  3745      }
  3746  }
  3747  
  3748  static void damage_array(unsigned char *sig, size_t *len) {
  3749      int pos;
  3750      int action = vet_secp256k1_rand_bits(3);
  3751      if (action < 1 && *len > 3) {
  3752          /* Delete a byte. */
  3753          pos = vet_secp256k1_rand_int(*len);
  3754          memmove(sig + pos, sig + pos + 1, *len - pos - 1);
  3755          (*len)--;
  3756          return;
  3757      } else if (action < 2 && *len < 2048) {
  3758          /* Insert a byte. */
  3759          pos = vet_secp256k1_rand_int(1 + *len);
  3760          memmove(sig + pos + 1, sig + pos, *len - pos);
  3761          sig[pos] = vet_secp256k1_rand_bits(8);
  3762          (*len)++;
  3763          return;
  3764      } else if (action < 4) {
  3765          /* Modify a byte. */
  3766          sig[vet_secp256k1_rand_int(*len)] += 1 + vet_secp256k1_rand_int(255);
  3767          return;
  3768      } else { /* action < 8 */
  3769          /* Modify a bit. */
  3770          sig[vet_secp256k1_rand_int(*len)] ^= 1 << vet_secp256k1_rand_bits(3);
  3771          return;
  3772      }
  3773  }
  3774  
  3775  static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
  3776      int der;
  3777      int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
  3778      size_t tlen, elen, glen;
  3779      int indet;
  3780      int n;
  3781  
  3782      *len = 0;
  3783      der = vet_secp256k1_rand_bits(2) == 0;
  3784      *certainly_der = der;
  3785      *certainly_not_der = 0;
  3786      indet = der ? 0 : vet_secp256k1_rand_int(10) == 0;
  3787  
  3788      for (n = 0; n < 2; n++) {
  3789          /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
  3790          nlow[n] = der ? 1 : (vet_secp256k1_rand_bits(3) != 0);
  3791          /* The length of the number in bytes (the first byte of which will always be nonzero) */
  3792          nlen[n] = nlow[n] ? vet_secp256k1_rand_int(33) : 32 + vet_secp256k1_rand_int(200) * vet_secp256k1_rand_int(8) / 8;
  3793          CHECK(nlen[n] <= 232);
  3794          /* The top bit of the number. */
  3795          nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : vet_secp256k1_rand_bits(1));
  3796          /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
  3797          nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + vet_secp256k1_rand_bits(7) : 1 + vet_secp256k1_rand_int(127));
  3798          /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
  3799          nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? vet_secp256k1_rand_int(3) : vet_secp256k1_rand_int(300 - nlen[n]) * vet_secp256k1_rand_int(8) / 8);
  3800          if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
  3801              *certainly_not_der = 1;
  3802          }
  3803          CHECK(nlen[n] + nzlen[n] <= 300);
  3804          /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
  3805          nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
  3806          if (!der) {
  3807              /* nlenlen[n] max 127 bytes */
  3808              int add = vet_secp256k1_rand_int(127 - nlenlen[n]) * vet_secp256k1_rand_int(16) * vet_secp256k1_rand_int(16) / 256;
  3809              nlenlen[n] += add;
  3810              if (add != 0) {
  3811                  *certainly_not_der = 1;
  3812              }
  3813          }
  3814          CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
  3815      }
  3816  
  3817      /* The total length of the data to go, so far */
  3818      tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
  3819      CHECK(tlen <= 856);
  3820  
  3821      /* The length of the garbage inside the tuple. */
  3822      elen = (der || indet) ? 0 : vet_secp256k1_rand_int(980 - tlen) * vet_secp256k1_rand_int(8) / 8;
  3823      if (elen != 0) {
  3824          *certainly_not_der = 1;
  3825      }
  3826      tlen += elen;
  3827      CHECK(tlen <= 980);
  3828  
  3829      /* The length of the garbage after the end of the tuple. */
  3830      glen = der ? 0 : vet_secp256k1_rand_int(990 - tlen) * vet_secp256k1_rand_int(8) / 8;
  3831      if (glen != 0) {
  3832          *certainly_not_der = 1;
  3833      }
  3834      CHECK(tlen + glen <= 990);
  3835  
  3836      /* Write the tuple header. */
  3837      sig[(*len)++] = 0x30;
  3838      if (indet) {
  3839          /* Indeterminate length */
  3840          sig[(*len)++] = 0x80;
  3841          *certainly_not_der = 1;
  3842      } else {
  3843          int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
  3844          if (!der) {
  3845              int add = vet_secp256k1_rand_int(127 - tlenlen) * vet_secp256k1_rand_int(16) * vet_secp256k1_rand_int(16) / 256;
  3846              tlenlen += add;
  3847              if (add != 0) {
  3848                  *certainly_not_der = 1;
  3849              }
  3850          }
  3851          if (tlenlen == 0) {
  3852              /* Short length notation */
  3853              sig[(*len)++] = tlen;
  3854          } else {
  3855              /* Long length notation */
  3856              sig[(*len)++] = 128 + tlenlen;
  3857              assign_big_endian(sig + *len, tlenlen, tlen);
  3858              *len += tlenlen;
  3859          }
  3860          tlen += tlenlen;
  3861      }
  3862      tlen += 2;
  3863      CHECK(tlen + glen <= 1119);
  3864  
  3865      for (n = 0; n < 2; n++) {
  3866          /* Write the integer header. */
  3867          sig[(*len)++] = 0x02;
  3868          if (nlenlen[n] == 0) {
  3869              /* Short length notation */
  3870              sig[(*len)++] = nlen[n] + nzlen[n];
  3871          } else {
  3872              /* Long length notation. */
  3873              sig[(*len)++] = 128 + nlenlen[n];
  3874              assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
  3875              *len += nlenlen[n];
  3876          }
  3877          /* Write zero padding */
  3878          while (nzlen[n] > 0) {
  3879              sig[(*len)++] = 0x00;
  3880              nzlen[n]--;
  3881          }
  3882          if (nlen[n] == 32 && !nlow[n]) {
  3883              /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
  3884              int i;
  3885              for (i = 0; i < 16; i++) {
  3886                  sig[(*len)++] = 0xFF;
  3887              }
  3888              nlen[n] -= 16;
  3889          }
  3890          /* Write first byte of number */
  3891          if (nlen[n] > 0) {
  3892              sig[(*len)++] = nhbyte[n];
  3893              nlen[n]--;
  3894          }
  3895          /* Generate remaining random bytes of number */
  3896          vet_secp256k1_rand_bytes_test(sig + *len, nlen[n]);
  3897          *len += nlen[n];
  3898          nlen[n] = 0;
  3899      }
  3900  
  3901      /* Generate random garbage inside tuple. */
  3902      vet_secp256k1_rand_bytes_test(sig + *len, elen);
  3903      *len += elen;
  3904  
  3905      /* Generate end-of-contents bytes. */
  3906      if (indet) {
  3907          sig[(*len)++] = 0;
  3908          sig[(*len)++] = 0;
  3909          tlen += 2;
  3910      }
  3911      CHECK(tlen + glen <= 1121);
  3912  
  3913      /* Generate random garbage outside tuple. */
  3914      vet_secp256k1_rand_bytes_test(sig + *len, glen);
  3915      *len += glen;
  3916      tlen += glen;
  3917      CHECK(tlen <= 1121);
  3918      CHECK(tlen == *len);
  3919  }
  3920  
  3921  void run_ecdsa_der_parse(void) {
  3922      int i,j;
  3923      for (i = 0; i < 200 * count; i++) {
  3924          unsigned char buffer[2048];
  3925          size_t buflen = 0;
  3926          int certainly_der = 0;
  3927          int certainly_not_der = 0;
  3928          random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
  3929          CHECK(buflen <= 2048);
  3930          for (j = 0; j < 16; j++) {
  3931              int ret = 0;
  3932              if (j > 0) {
  3933                  damage_array(buffer, &buflen);
  3934                  /* We don't know anything anymore about the DERness of the result */
  3935                  certainly_der = 0;
  3936                  certainly_not_der = 0;
  3937              }
  3938              ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
  3939              if (ret != 0) {
  3940                  size_t k;
  3941                  fprintf(stderr, "Failure %x on ", ret);
  3942                  for (k = 0; k < buflen; k++) {
  3943                      fprintf(stderr, "%02x ", buffer[k]);
  3944                  }
  3945                  fprintf(stderr, "\n");
  3946              }
  3947              CHECK(ret == 0);
  3948          }
  3949      }
  3950  }
  3951  
  3952  /* Tests several edge cases. */
  3953  void test_ecdsa_edge_cases(void) {
  3954      int t;
  3955      vet_secp256k1_ecdsa_signature sig;
  3956  
  3957      /* Test the case where ECDSA recomputes a point that is infinity. */
  3958      {
  3959          vet_secp256k1_gej keyj;
  3960          vet_secp256k1_ge key;
  3961          vet_secp256k1_scalar msg;
  3962          vet_secp256k1_scalar sr, ss;
  3963          vet_secp256k1_scalar_set_int(&ss, 1);
  3964          vet_secp256k1_scalar_negate(&ss, &ss);
  3965          vet_secp256k1_scalar_inverse(&ss, &ss);
  3966          vet_secp256k1_scalar_set_int(&sr, 1);
  3967          vet_secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr);
  3968          vet_secp256k1_ge_set_gej(&key, &keyj);
  3969          msg = ss;
  3970          CHECK(vet_secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
  3971      }
  3972  
  3973      /* Verify signature with r of zero fails. */
  3974      {
  3975          const unsigned char pubkey_mods_zero[33] = {
  3976              0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  3977              0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  3978              0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
  3979              0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
  3980              0x41
  3981          };
  3982          vet_secp256k1_ge key;
  3983          vet_secp256k1_scalar msg;
  3984          vet_secp256k1_scalar sr, ss;
  3985          vet_secp256k1_scalar_set_int(&ss, 1);
  3986          vet_secp256k1_scalar_set_int(&msg, 0);
  3987          vet_secp256k1_scalar_set_int(&sr, 0);
  3988          CHECK(vet_secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
  3989          CHECK(vet_secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
  3990      }
  3991  
  3992      /* Verify signature with s of zero fails. */
  3993      {
  3994          const unsigned char pubkey[33] = {
  3995              0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  3996              0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  3997              0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  3998              0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  3999              0x01
  4000          };
  4001          vet_secp256k1_ge key;
  4002          vet_secp256k1_scalar msg;
  4003          vet_secp256k1_scalar sr, ss;
  4004          vet_secp256k1_scalar_set_int(&ss, 0);
  4005          vet_secp256k1_scalar_set_int(&msg, 0);
  4006          vet_secp256k1_scalar_set_int(&sr, 1);
  4007          CHECK(vet_secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
  4008          CHECK(vet_secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
  4009      }
  4010  
  4011      /* Verify signature with message 0 passes. */
  4012      {
  4013          const unsigned char pubkey[33] = {
  4014              0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  4015              0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  4016              0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  4017              0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  4018              0x02
  4019          };
  4020          const unsigned char pubkey2[33] = {
  4021              0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  4022              0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  4023              0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
  4024              0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
  4025              0x43
  4026          };
  4027          vet_secp256k1_ge key;
  4028          vet_secp256k1_ge key2;
  4029          vet_secp256k1_scalar msg;
  4030          vet_secp256k1_scalar sr, ss;
  4031          vet_secp256k1_scalar_set_int(&ss, 2);
  4032          vet_secp256k1_scalar_set_int(&msg, 0);
  4033          vet_secp256k1_scalar_set_int(&sr, 2);
  4034          CHECK(vet_secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
  4035          CHECK(vet_secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
  4036          CHECK(vet_secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
  4037          CHECK(vet_secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
  4038          vet_secp256k1_scalar_negate(&ss, &ss);
  4039          CHECK(vet_secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
  4040          CHECK(vet_secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
  4041          vet_secp256k1_scalar_set_int(&ss, 1);
  4042          CHECK(vet_secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
  4043          CHECK(vet_secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
  4044      }
  4045  
  4046      /* Verify signature with message 1 passes. */
  4047      {
  4048          const unsigned char pubkey[33] = {
  4049              0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
  4050              0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
  4051              0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
  4052              0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
  4053              0x25
  4054          };
  4055          const unsigned char pubkey2[33] = {
  4056              0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
  4057              0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
  4058              0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
  4059              0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
  4060              0x62
  4061          };
  4062          const unsigned char csr[32] = {
  4063              0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  4064              0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
  4065              0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
  4066              0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
  4067          };
  4068          vet_secp256k1_ge key;
  4069          vet_secp256k1_ge key2;
  4070          vet_secp256k1_scalar msg;
  4071          vet_secp256k1_scalar sr, ss;
  4072          vet_secp256k1_scalar_set_int(&ss, 1);
  4073          vet_secp256k1_scalar_set_int(&msg, 1);
  4074          vet_secp256k1_scalar_set_b32(&sr, csr, NULL);
  4075          CHECK(vet_secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
  4076          CHECK(vet_secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
  4077          CHECK(vet_secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
  4078          CHECK(vet_secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
  4079          vet_secp256k1_scalar_negate(&ss, &ss);
  4080          CHECK(vet_secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
  4081          CHECK(vet_secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
  4082          vet_secp256k1_scalar_set_int(&ss, 2);
  4083          vet_secp256k1_scalar_inverse_var(&ss, &ss);
  4084          CHECK(vet_secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
  4085          CHECK(vet_secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
  4086      }
  4087  
  4088      /* Verify signature with message -1 passes. */
  4089      {
  4090          const unsigned char pubkey[33] = {
  4091              0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
  4092              0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
  4093              0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
  4094              0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
  4095              0xf1
  4096          };
  4097          const unsigned char csr[32] = {
  4098              0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  4099              0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
  4100              0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
  4101              0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
  4102          };
  4103          vet_secp256k1_ge key;
  4104          vet_secp256k1_scalar msg;
  4105          vet_secp256k1_scalar sr, ss;
  4106          vet_secp256k1_scalar_set_int(&ss, 1);
  4107          vet_secp256k1_scalar_set_int(&msg, 1);
  4108          vet_secp256k1_scalar_negate(&msg, &msg);
  4109          vet_secp256k1_scalar_set_b32(&sr, csr, NULL);
  4110          CHECK(vet_secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
  4111          CHECK(vet_secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
  4112          vet_secp256k1_scalar_negate(&ss, &ss);
  4113          CHECK(vet_secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
  4114          vet_secp256k1_scalar_set_int(&ss, 3);
  4115          vet_secp256k1_scalar_inverse_var(&ss, &ss);
  4116          CHECK(vet_secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
  4117      }
  4118  
  4119      /* Signature where s would be zero. */
  4120      {
  4121          vet_secp256k1_pubkey pubkey;
  4122          size_t siglen;
  4123          int32_t ecount;
  4124          unsigned char signature[72];
  4125          static const unsigned char nonce[32] = {
  4126              0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  4127              0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  4128              0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  4129              0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
  4130          };
  4131          static const unsigned char nonce2[32] = {
  4132              0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
  4133              0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
  4134              0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
  4135              0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
  4136          };
  4137          const unsigned char key[32] = {
  4138              0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  4139              0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  4140              0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  4141              0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
  4142          };
  4143          unsigned char msg[32] = {
  4144              0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
  4145              0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
  4146              0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
  4147              0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
  4148          };
  4149          ecount = 0;
  4150          vet_secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
  4151          CHECK(vet_secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
  4152          CHECK(vet_secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
  4153          msg[31] = 0xaa;
  4154          CHECK(vet_secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
  4155          CHECK(ecount == 0);
  4156          CHECK(vet_secp256k1_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
  4157          CHECK(ecount == 1);
  4158          CHECK(vet_secp256k1_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
  4159          CHECK(ecount == 2);
  4160          CHECK(vet_secp256k1_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0);
  4161          CHECK(ecount == 3);
  4162          CHECK(vet_secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
  4163          CHECK(vet_secp256k1_ec_pubkey_create(ctx, &pubkey, key) == 1);
  4164          CHECK(vet_secp256k1_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0);
  4165          CHECK(ecount == 4);
  4166          CHECK(vet_secp256k1_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0);
  4167          CHECK(ecount == 5);
  4168          CHECK(vet_secp256k1_ecdsa_verify(ctx, &sig, msg, NULL) == 0);
  4169          CHECK(ecount == 6);
  4170          CHECK(vet_secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1);
  4171          CHECK(ecount == 6);
  4172          CHECK(vet_secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
  4173          CHECK(ecount == 7);
  4174          /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
  4175          CHECK(vet_secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0);
  4176          CHECK(ecount == 8);
  4177          siglen = 72;
  4178          CHECK(vet_secp256k1_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0);
  4179          CHECK(ecount == 9);
  4180          CHECK(vet_secp256k1_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0);
  4181          CHECK(ecount == 10);
  4182          CHECK(vet_secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0);
  4183          CHECK(ecount == 11);
  4184          CHECK(vet_secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1);
  4185          CHECK(ecount == 11);
  4186          CHECK(vet_secp256k1_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0);
  4187          CHECK(ecount == 12);
  4188          CHECK(vet_secp256k1_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0);
  4189          CHECK(ecount == 13);
  4190          CHECK(vet_secp256k1_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1);
  4191          CHECK(ecount == 13);
  4192          siglen = 10;
  4193          /* Too little room for a signature does not fail via ARGCHECK. */
  4194          CHECK(vet_secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0);
  4195          CHECK(ecount == 13);
  4196          ecount = 0;
  4197          CHECK(vet_secp256k1_ecdsa_signature_normalize(ctx, NULL, NULL) == 0);
  4198          CHECK(ecount == 1);
  4199          CHECK(vet_secp256k1_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0);
  4200          CHECK(ecount == 2);
  4201          CHECK(vet_secp256k1_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0);
  4202          CHECK(ecount == 3);
  4203          CHECK(vet_secp256k1_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1);
  4204          CHECK(ecount == 3);
  4205          CHECK(vet_secp256k1_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0);
  4206          CHECK(ecount == 4);
  4207          CHECK(vet_secp256k1_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0);
  4208          CHECK(ecount == 5);
  4209          CHECK(vet_secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1);
  4210          CHECK(ecount == 5);
  4211          memset(signature, 255, 64);
  4212          CHECK(vet_secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0);
  4213          CHECK(ecount == 5);
  4214          vet_secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
  4215      }
  4216  
  4217      /* Nonce function corner cases. */
  4218      for (t = 0; t < 2; t++) {
  4219          static const unsigned char zero[32] = {0x00};
  4220          int i;
  4221          unsigned char key[32];
  4222          unsigned char msg[32];
  4223          vet_secp256k1_ecdsa_signature sig2;
  4224          vet_secp256k1_scalar sr[512], ss;
  4225          const unsigned char *extra;
  4226          extra = t == 0 ? NULL : zero;
  4227          memset(msg, 0, 32);
  4228          msg[31] = 1;
  4229          /* High key results in signature failure. */
  4230          memset(key, 0xFF, 32);
  4231          CHECK(vet_secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
  4232          CHECK(is_empty_signature(&sig));
  4233          /* Zero key results in signature failure. */
  4234          memset(key, 0, 32);
  4235          CHECK(vet_secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
  4236          CHECK(is_empty_signature(&sig));
  4237          /* Nonce function failure results in signature failure. */
  4238          key[31] = 1;
  4239          CHECK(vet_secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0);
  4240          CHECK(is_empty_signature(&sig));
  4241          /* The retry loop successfully makes its way to the first good value. */
  4242          CHECK(vet_secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1);
  4243          CHECK(!is_empty_signature(&sig));
  4244          CHECK(vet_secp256k1_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
  4245          CHECK(!is_empty_signature(&sig2));
  4246          CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
  4247          /* The default nonce function is deterministic. */
  4248          CHECK(vet_secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
  4249          CHECK(!is_empty_signature(&sig2));
  4250          CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
  4251          /* The default nonce function changes output with different messages. */
  4252          for(i = 0; i < 256; i++) {
  4253              int j;
  4254              msg[0] = i;
  4255              CHECK(vet_secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
  4256              CHECK(!is_empty_signature(&sig2));
  4257              vet_secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
  4258              for (j = 0; j < i; j++) {
  4259                  CHECK(!vet_secp256k1_scalar_eq(&sr[i], &sr[j]));
  4260              }
  4261          }
  4262          msg[0] = 0;
  4263          msg[31] = 2;
  4264          /* The default nonce function changes output with different keys. */
  4265          for(i = 256; i < 512; i++) {
  4266              int j;
  4267              key[0] = i - 256;
  4268              CHECK(vet_secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
  4269              CHECK(!is_empty_signature(&sig2));
  4270              vet_secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
  4271              for (j = 0; j < i; j++) {
  4272                  CHECK(!vet_secp256k1_scalar_eq(&sr[i], &sr[j]));
  4273              }
  4274          }
  4275          key[0] = 0;
  4276      }
  4277  
  4278      {
  4279          /* Check that optional nonce arguments do not have equivalent effect. */
  4280          const unsigned char zeros[32] = {0};
  4281          unsigned char nonce[32];
  4282          unsigned char nonce2[32];
  4283          unsigned char nonce3[32];
  4284          unsigned char nonce4[32];
  4285          VG_UNDEF(nonce,32);
  4286          VG_UNDEF(nonce2,32);
  4287          VG_UNDEF(nonce3,32);
  4288          VG_UNDEF(nonce4,32);
  4289          CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
  4290          VG_CHECK(nonce,32);
  4291          CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
  4292          VG_CHECK(nonce2,32);
  4293          CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
  4294          VG_CHECK(nonce3,32);
  4295          CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
  4296          VG_CHECK(nonce4,32);
  4297          CHECK(memcmp(nonce, nonce2, 32) != 0);
  4298          CHECK(memcmp(nonce, nonce3, 32) != 0);
  4299          CHECK(memcmp(nonce, nonce4, 32) != 0);
  4300          CHECK(memcmp(nonce2, nonce3, 32) != 0);
  4301          CHECK(memcmp(nonce2, nonce4, 32) != 0);
  4302          CHECK(memcmp(nonce3, nonce4, 32) != 0);
  4303      }
  4304  
  4305  
  4306      /* Privkey export where pubkey is the point at infinity. */
  4307      {
  4308          unsigned char privkey[300];
  4309          unsigned char seckey[32] = {
  4310              0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  4311              0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
  4312              0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
  4313              0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
  4314          };
  4315          size_t outlen = 300;
  4316          CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 0));
  4317          outlen = 300;
  4318          CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 1));
  4319      }
  4320  }
  4321  
  4322  void run_ecdsa_edge_cases(void) {
  4323      test_ecdsa_edge_cases();
  4324  }
  4325  
  4326  #ifdef ENABLE_OPENSSL_TESTS
  4327  EC_KEY *get_openssl_key(const unsigned char *key32) {
  4328      unsigned char privkey[300];
  4329      size_t privkeylen;
  4330      const unsigned char* pbegin = privkey;
  4331      int compr = vet_secp256k1_rand_bits(1);
  4332      EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1);
  4333      CHECK(ec_privkey_export_der(ctx, privkey, &privkeylen, key32, compr));
  4334      CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen));
  4335      CHECK(EC_KEY_check_key(ec_key));
  4336      return ec_key;
  4337  }
  4338  
  4339  void test_ecdsa_openssl(void) {
  4340      vet_secp256k1_gej qj;
  4341      vet_secp256k1_ge q;
  4342      vet_secp256k1_scalar sigr, sigs;
  4343      vet_secp256k1_scalar one;
  4344      vet_secp256k1_scalar msg2;
  4345      vet_secp256k1_scalar key, msg;
  4346      EC_KEY *ec_key;
  4347      unsigned int sigsize = 80;
  4348      size_t secp_sigsize = 80;
  4349      unsigned char message[32];
  4350      unsigned char signature[80];
  4351      unsigned char key32[32];
  4352      vet_secp256k1_rand256_test(message);
  4353      vet_secp256k1_scalar_set_b32(&msg, message, NULL);
  4354      random_scalar_order_test(&key);
  4355      vet_secp256k1_scalar_get_b32(key32, &key);
  4356      vet_secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &qj, &key);
  4357      vet_secp256k1_ge_set_gej(&q, &qj);
  4358      ec_key = get_openssl_key(key32);
  4359      CHECK(ec_key != NULL);
  4360      CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
  4361      CHECK(vet_secp256k1_ecdsa_sig_parse(&sigr, &sigs, signature, sigsize));
  4362      CHECK(vet_secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg));
  4363      vet_secp256k1_scalar_set_int(&one, 1);
  4364      vet_secp256k1_scalar_add(&msg2, &msg, &one);
  4365      CHECK(!vet_secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg2));
  4366  
  4367      random_sign(&sigr, &sigs, &key, &msg, NULL);
  4368      CHECK(vet_secp256k1_ecdsa_sig_serialize(signature, &secp_sigsize, &sigr, &sigs));
  4369      CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1);
  4370  
  4371      EC_KEY_free(ec_key);
  4372  }
  4373  
  4374  void run_ecdsa_openssl(void) {
  4375      int i;
  4376      for (i = 0; i < 10*count; i++) {
  4377          test_ecdsa_openssl();
  4378      }
  4379  }
  4380  #endif
  4381  
  4382  #ifdef ENABLE_MODULE_ECDH
  4383  # include "modules/ecdh/tests_impl.h"
  4384  #endif
  4385  
  4386  #ifdef ENABLE_MODULE_SCHNORR
  4387  # include "modules/schnorr/tests_impl.h"
  4388  #endif
  4389  
  4390  #ifdef ENABLE_MODULE_RECOVERY
  4391  # include "modules/recovery/tests_impl.h"
  4392  #endif
  4393  
  4394  int main(int argc, char **argv) {
  4395      unsigned char seed16[16] = {0};
  4396      unsigned char run32[32] = {0};
  4397      /* find iteration count */
  4398      if (argc > 1) {
  4399          count = strtol(argv[1], NULL, 0);
  4400      }
  4401  
  4402      /* find random seed */
  4403      if (argc > 2) {
  4404          int pos = 0;
  4405          const char* ch = argv[2];
  4406          while (pos < 16 && ch[0] != 0 && ch[1] != 0) {
  4407              unsigned short sh;
  4408              if (sscanf(ch, "%2hx", &sh)) {
  4409                  seed16[pos] = sh;
  4410              } else {
  4411                  break;
  4412              }
  4413              ch += 2;
  4414              pos++;
  4415          }
  4416      } else {
  4417          FILE *frand = fopen("/dev/urandom", "r");
  4418          if ((frand == NULL) || !fread(&seed16, sizeof(seed16), 1, frand)) {
  4419              uint64_t t = time(NULL) * (uint64_t)1337;
  4420              seed16[0] ^= t;
  4421              seed16[1] ^= t >> 8;
  4422              seed16[2] ^= t >> 16;
  4423              seed16[3] ^= t >> 24;
  4424              seed16[4] ^= t >> 32;
  4425              seed16[5] ^= t >> 40;
  4426              seed16[6] ^= t >> 48;
  4427              seed16[7] ^= t >> 56;
  4428          }
  4429          fclose(frand);
  4430      }
  4431      vet_secp256k1_rand_seed(seed16);
  4432  
  4433      printf("test count = %i\n", count);
  4434      printf("random seed = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", seed16[0], seed16[1], seed16[2], seed16[3], seed16[4], seed16[5], seed16[6], seed16[7], seed16[8], seed16[9], seed16[10], seed16[11], seed16[12], seed16[13], seed16[14], seed16[15]);
  4435  
  4436      /* initialize */
  4437      run_context_tests();
  4438      ctx = vet_secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
  4439      if (vet_secp256k1_rand_bits(1)) {
  4440          vet_secp256k1_rand256(run32);
  4441          CHECK(vet_secp256k1_context_randomize(ctx, vet_secp256k1_rand_bits(1) ? run32 : NULL));
  4442      }
  4443  
  4444      run_rand_bits();
  4445      run_rand_int();
  4446  
  4447      run_sha256_tests();
  4448      run_hmac_sha256_tests();
  4449      run_rfc6979_hmac_sha256_tests();
  4450  
  4451  #ifndef USE_NUM_NONE
  4452      /* num tests */
  4453      run_num_smalltests();
  4454  #endif
  4455  
  4456      /* scalar tests */
  4457      run_scalar_tests();
  4458  
  4459      /* field tests */
  4460      run_field_inv();
  4461      run_field_inv_var();
  4462      run_field_inv_all_var();
  4463      run_field_misc();
  4464      run_field_convert();
  4465      run_sqr();
  4466      run_sqrt();
  4467  
  4468      /* group tests */
  4469      run_ge();
  4470      run_group_decompress();
  4471  
  4472      /* ecmult tests */
  4473      run_wnaf();
  4474      run_point_times_order();
  4475      run_ecmult_chain();
  4476      run_ecmult_constants();
  4477      run_ecmult_gen_blind();
  4478      run_ecmult_const_tests();
  4479      run_ec_combine();
  4480  
  4481      /* endomorphism tests */
  4482  #ifdef USE_ENDOMORPHISM
  4483      run_endomorphism_tests();
  4484  #endif
  4485  
  4486      /* EC point parser test */
  4487      run_ec_pubkey_parse_test();
  4488  
  4489      /* EC key edge cases */
  4490      run_eckey_edge_case_test();
  4491  
  4492  #ifdef ENABLE_MODULE_ECDH
  4493      /* ecdh tests */
  4494      run_ecdh_tests();
  4495  #endif
  4496  
  4497      /* ecdsa tests */
  4498      run_random_pubkeys();
  4499      run_ecdsa_der_parse();
  4500      run_ecdsa_sign_verify();
  4501      run_ecdsa_end_to_end();
  4502      run_ecdsa_edge_cases();
  4503  #ifdef ENABLE_OPENSSL_TESTS
  4504      run_ecdsa_openssl();
  4505  #endif
  4506  
  4507  #ifdef ENABLE_MODULE_SCHNORR
  4508      /* Schnorr tests */
  4509      run_schnorr_tests();
  4510  #endif
  4511  
  4512  #ifdef ENABLE_MODULE_RECOVERY
  4513      /* ECDSA pubkey recovery tests */
  4514      run_recovery_tests();
  4515  #endif
  4516  
  4517      vet_secp256k1_rand256(run32);
  4518      printf("random run = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", run32[0], run32[1], run32[2], run32[3], run32[4], run32[5], run32[6], run32[7], run32[8], run32[9], run32[10], run32[11], run32[12], run32[13], run32[14], run32[15]);
  4519  
  4520      /* shutdown */
  4521      vet_secp256k1_context_destroy(ctx);
  4522  
  4523      printf("no problems found\n");
  4524      return 0;
  4525  }