tests.c (389174B)
1 /*********************************************************************** 2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell * 3 * Distributed under the MIT software license, see the accompanying * 4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.* 5 ***********************************************************************/ 6 7 #include <stdio.h> 8 #include <stdlib.h> 9 #include <string.h> 10 11 #include <time.h> 12 13 #ifdef USE_EXTERNAL_DEFAULT_CALLBACKS 14 #pragma message("Ignoring USE_EXTERNAL_CALLBACKS in tests.") 15 #undef USE_EXTERNAL_DEFAULT_CALLBACKS 16 #endif 17 #if defined(VERIFY) && defined(COVERAGE) 18 #pragma message("Defining VERIFY for tests being built for coverage analysis support is meaningless.") 19 #endif 20 #include "secp256k1.c" 21 22 #include "../include/secp256k1.h" 23 #include "../include/secp256k1_preallocated.h" 24 #include "testrand_impl.h" 25 #include "checkmem.h" 26 #include "testutil.h" 27 #include "util.h" 28 29 #include "../contrib/lax_der_parsing.c" 30 #include "../contrib/lax_der_privatekey_parsing.c" 31 32 #include "modinv32_impl.h" 33 #ifdef SECP256K1_WIDEMUL_INT128 34 #include "modinv64_impl.h" 35 #include "int128_impl.h" 36 #endif 37 38 #define CONDITIONAL_TEST(cnt, nam) if (COUNT < (cnt)) { printf("Skipping %s (iteration count too low)\n", nam); } else 39 40 static int COUNT = 64; 41 static haskellsecp256k1_v0_1_0_context *CTX = NULL; 42 static haskellsecp256k1_v0_1_0_context *STATIC_CTX = NULL; 43 44 static int all_bytes_equal(const void* s, unsigned char value, size_t n) { 45 const unsigned char *p = s; 46 size_t i; 47 48 for (i = 0; i < n; i++) { 49 if (p[i] != value) { 50 return 0; 51 } 52 } 53 return 1; 54 } 55 56 #define CHECK_COUNTING_CALLBACK_VOID(ctx, expr_or_stmt, callback, callback_setter) do { \ 57 int32_t _calls_to_callback = 0; \ 58 haskellsecp256k1_v0_1_0_callback _saved_callback = ctx->callback; \ 59 callback_setter(ctx, counting_callback_fn, &_calls_to_callback); \ 60 { expr_or_stmt; } \ 61 ctx->callback = _saved_callback; \ 62 CHECK(_calls_to_callback == 1); \ 63 } while(0); 64 65 /* CHECK that expr_or_stmt calls the error or illegal callback of ctx exactly once 66 * 67 * Useful for checking functions that return void (e.g., API functions that use ARG_CHECK_VOID) */ 68 #define CHECK_ERROR_VOID(ctx, expr_or_stmt) \ 69 CHECK_COUNTING_CALLBACK_VOID(ctx, expr_or_stmt, error_callback, haskellsecp256k1_v0_1_0_context_set_error_callback) 70 #define CHECK_ILLEGAL_VOID(ctx, expr_or_stmt) \ 71 CHECK_COUNTING_CALLBACK_VOID(ctx, expr_or_stmt, illegal_callback, haskellsecp256k1_v0_1_0_context_set_illegal_callback) 72 73 /* CHECK that 74 * - expr calls the illegal callback of ctx exactly once and, 75 * - expr == 0 (or equivalently, expr == NULL) 76 * 77 * Useful for checking functions that return an integer or a pointer. */ 78 #define CHECK_ILLEGAL(ctx, expr) CHECK_ILLEGAL_VOID(ctx, CHECK((expr) == 0)) 79 #define CHECK_ERROR(ctx, expr) CHECK_ERROR_VOID(ctx, CHECK((expr) == 0)) 80 81 static void counting_callback_fn(const char* str, void* data) { 82 /* Dummy callback function that just counts. */ 83 int32_t *p; 84 (void)str; 85 p = data; 86 CHECK(*p != INT32_MAX); 87 (*p)++; 88 } 89 90 static void uncounting_illegal_callback_fn(const char* str, void* data) { 91 /* Dummy callback function that just counts (backwards). */ 92 int32_t *p; 93 (void)str; 94 p = data; 95 CHECK(*p != INT32_MIN); 96 (*p)--; 97 } 98 99 static void random_field_element_magnitude(haskellsecp256k1_v0_1_0_fe *fe, int m) { 100 haskellsecp256k1_v0_1_0_fe zero; 101 int n = haskellsecp256k1_v0_1_0_testrand_int(m + 1); 102 haskellsecp256k1_v0_1_0_fe_normalize(fe); 103 if (n == 0) { 104 return; 105 } 106 haskellsecp256k1_v0_1_0_fe_clear(&zero); 107 haskellsecp256k1_v0_1_0_fe_negate(&zero, &zero, 0); 108 haskellsecp256k1_v0_1_0_fe_mul_int_unchecked(&zero, n - 1); 109 haskellsecp256k1_v0_1_0_fe_add(fe, &zero); 110 #ifdef VERIFY 111 CHECK(fe->magnitude == n); 112 #endif 113 } 114 115 static void random_fe_test(haskellsecp256k1_v0_1_0_fe *x) { 116 unsigned char bin[32]; 117 do { 118 haskellsecp256k1_v0_1_0_testrand256_test(bin); 119 if (haskellsecp256k1_v0_1_0_fe_set_b32_limit(x, bin)) { 120 return; 121 } 122 } while(1); 123 } 124 125 static void random_fe_non_zero_test(haskellsecp256k1_v0_1_0_fe *fe) { 126 do { 127 random_fe_test(fe); 128 } while(haskellsecp256k1_v0_1_0_fe_is_zero(fe)); 129 } 130 131 static void random_fe_magnitude(haskellsecp256k1_v0_1_0_fe *fe) { 132 random_field_element_magnitude(fe, 8); 133 } 134 135 static void random_ge_x_magnitude(haskellsecp256k1_v0_1_0_ge *ge) { 136 random_field_element_magnitude(&ge->x, SECP256K1_GE_X_MAGNITUDE_MAX); 137 } 138 139 static void random_ge_y_magnitude(haskellsecp256k1_v0_1_0_ge *ge) { 140 random_field_element_magnitude(&ge->y, SECP256K1_GE_Y_MAGNITUDE_MAX); 141 } 142 143 static void random_gej_x_magnitude(haskellsecp256k1_v0_1_0_gej *gej) { 144 random_field_element_magnitude(&gej->x, SECP256K1_GEJ_X_MAGNITUDE_MAX); 145 } 146 147 static void random_gej_y_magnitude(haskellsecp256k1_v0_1_0_gej *gej) { 148 random_field_element_magnitude(&gej->y, SECP256K1_GEJ_Y_MAGNITUDE_MAX); 149 } 150 151 static void random_gej_z_magnitude(haskellsecp256k1_v0_1_0_gej *gej) { 152 random_field_element_magnitude(&gej->z, SECP256K1_GEJ_Z_MAGNITUDE_MAX); 153 } 154 155 static void random_group_element_test(haskellsecp256k1_v0_1_0_ge *ge) { 156 haskellsecp256k1_v0_1_0_fe fe; 157 do { 158 random_fe_test(&fe); 159 if (haskellsecp256k1_v0_1_0_ge_set_xo_var(ge, &fe, haskellsecp256k1_v0_1_0_testrand_bits(1))) { 160 haskellsecp256k1_v0_1_0_fe_normalize(&ge->y); 161 break; 162 } 163 } while(1); 164 ge->infinity = 0; 165 } 166 167 static void random_group_element_jacobian_test(haskellsecp256k1_v0_1_0_gej *gej, const haskellsecp256k1_v0_1_0_ge *ge) { 168 haskellsecp256k1_v0_1_0_fe z2, z3; 169 random_fe_non_zero_test(&gej->z); 170 haskellsecp256k1_v0_1_0_fe_sqr(&z2, &gej->z); 171 haskellsecp256k1_v0_1_0_fe_mul(&z3, &z2, &gej->z); 172 haskellsecp256k1_v0_1_0_fe_mul(&gej->x, &ge->x, &z2); 173 haskellsecp256k1_v0_1_0_fe_mul(&gej->y, &ge->y, &z3); 174 gej->infinity = ge->infinity; 175 } 176 177 static void random_gej_test(haskellsecp256k1_v0_1_0_gej *gej) { 178 haskellsecp256k1_v0_1_0_ge ge; 179 random_group_element_test(&ge); 180 random_group_element_jacobian_test(gej, &ge); 181 } 182 183 static void random_scalar_order_test(haskellsecp256k1_v0_1_0_scalar *num) { 184 do { 185 unsigned char b32[32]; 186 int overflow = 0; 187 haskellsecp256k1_v0_1_0_testrand256_test(b32); 188 haskellsecp256k1_v0_1_0_scalar_set_b32(num, b32, &overflow); 189 if (overflow || haskellsecp256k1_v0_1_0_scalar_is_zero(num)) { 190 continue; 191 } 192 break; 193 } while(1); 194 } 195 196 static void random_scalar_order(haskellsecp256k1_v0_1_0_scalar *num) { 197 do { 198 unsigned char b32[32]; 199 int overflow = 0; 200 haskellsecp256k1_v0_1_0_testrand256(b32); 201 haskellsecp256k1_v0_1_0_scalar_set_b32(num, b32, &overflow); 202 if (overflow || haskellsecp256k1_v0_1_0_scalar_is_zero(num)) { 203 continue; 204 } 205 break; 206 } while(1); 207 } 208 209 static void random_scalar_order_b32(unsigned char *b32) { 210 haskellsecp256k1_v0_1_0_scalar num; 211 random_scalar_order(&num); 212 haskellsecp256k1_v0_1_0_scalar_get_b32(b32, &num); 213 } 214 215 static void run_xoshiro256pp_tests(void) { 216 { 217 size_t i; 218 /* Sanity check that we run before the actual seeding. */ 219 for (i = 0; i < sizeof(haskellsecp256k1_v0_1_0_test_state)/sizeof(haskellsecp256k1_v0_1_0_test_state[0]); i++) { 220 CHECK(haskellsecp256k1_v0_1_0_test_state[i] == 0); 221 } 222 } 223 { 224 int i; 225 unsigned char buf32[32]; 226 unsigned char seed16[16] = { 227 'C', 'H', 'I', 'C', 'K', 'E', 'N', '!', 228 'C', 'H', 'I', 'C', 'K', 'E', 'N', '!', 229 }; 230 unsigned char buf32_expected[32] = { 231 0xAF, 0xCC, 0xA9, 0x16, 0xB5, 0x6C, 0xE3, 0xF0, 232 0x44, 0x3F, 0x45, 0xE0, 0x47, 0xA5, 0x08, 0x36, 233 0x4C, 0xCC, 0xC1, 0x18, 0xB2, 0xD8, 0x8F, 0xEF, 234 0x43, 0x26, 0x15, 0x57, 0x37, 0x00, 0xEF, 0x30, 235 }; 236 haskellsecp256k1_v0_1_0_testrand_seed(seed16); 237 for (i = 0; i < 17; i++) { 238 haskellsecp256k1_v0_1_0_testrand256(buf32); 239 } 240 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(buf32, buf32_expected, sizeof(buf32)) == 0); 241 } 242 } 243 244 static void run_selftest_tests(void) { 245 /* Test public API */ 246 haskellsecp256k1_v0_1_0_selftest(); 247 } 248 249 static int ecmult_gen_context_eq(const haskellsecp256k1_v0_1_0_ecmult_gen_context *a, const haskellsecp256k1_v0_1_0_ecmult_gen_context *b) { 250 return a->built == b->built 251 && haskellsecp256k1_v0_1_0_scalar_eq(&a->blind, &b->blind) 252 && haskellsecp256k1_v0_1_0_gej_eq_var(&a->initial, &b->initial); 253 } 254 255 static int context_eq(const haskellsecp256k1_v0_1_0_context *a, const haskellsecp256k1_v0_1_0_context *b) { 256 return a->declassify == b->declassify 257 && ecmult_gen_context_eq(&a->ecmult_gen_ctx, &b->ecmult_gen_ctx) 258 && a->illegal_callback.fn == b->illegal_callback.fn 259 && a->illegal_callback.data == b->illegal_callback.data 260 && a->error_callback.fn == b->error_callback.fn 261 && a->error_callback.data == b->error_callback.data; 262 } 263 264 static void run_deprecated_context_flags_test(void) { 265 /* Check that a context created with any of the flags in the flags array is 266 * identical to the NONE context. */ 267 unsigned int flags[] = { SECP256K1_CONTEXT_SIGN, 268 SECP256K1_CONTEXT_VERIFY, 269 SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY }; 270 haskellsecp256k1_v0_1_0_context *none_ctx = haskellsecp256k1_v0_1_0_context_create(SECP256K1_CONTEXT_NONE); 271 int i; 272 for (i = 0; i < (int)(sizeof(flags)/sizeof(flags[0])); i++) { 273 haskellsecp256k1_v0_1_0_context *tmp_ctx; 274 CHECK(haskellsecp256k1_v0_1_0_context_preallocated_size(SECP256K1_CONTEXT_NONE) == haskellsecp256k1_v0_1_0_context_preallocated_size(flags[i])); 275 tmp_ctx = haskellsecp256k1_v0_1_0_context_create(flags[i]); 276 CHECK(context_eq(none_ctx, tmp_ctx)); 277 haskellsecp256k1_v0_1_0_context_destroy(tmp_ctx); 278 } 279 haskellsecp256k1_v0_1_0_context_destroy(none_ctx); 280 } 281 282 static void run_ec_illegal_argument_tests(void) { 283 haskellsecp256k1_v0_1_0_pubkey pubkey; 284 haskellsecp256k1_v0_1_0_pubkey zero_pubkey; 285 haskellsecp256k1_v0_1_0_ecdsa_signature sig; 286 unsigned char ctmp[32]; 287 288 /* Setup */ 289 memset(ctmp, 1, 32); 290 memset(&zero_pubkey, 0, sizeof(zero_pubkey)); 291 292 /* Verify context-type checking illegal-argument errors. */ 293 CHECK_ILLEGAL(STATIC_CTX, haskellsecp256k1_v0_1_0_ec_pubkey_create(STATIC_CTX, &pubkey, ctmp)); 294 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 295 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_create(CTX, &pubkey, ctmp) == 1); 296 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 297 CHECK_ILLEGAL(STATIC_CTX, haskellsecp256k1_v0_1_0_ecdsa_sign(STATIC_CTX, &sig, ctmp, ctmp, NULL, NULL)); 298 SECP256K1_CHECKMEM_UNDEFINE(&sig, sizeof(sig)); 299 CHECK(haskellsecp256k1_v0_1_0_ecdsa_sign(CTX, &sig, ctmp, ctmp, NULL, NULL) == 1); 300 SECP256K1_CHECKMEM_CHECK(&sig, sizeof(sig)); 301 CHECK(haskellsecp256k1_v0_1_0_ecdsa_verify(CTX, &sig, ctmp, &pubkey) == 1); 302 CHECK(haskellsecp256k1_v0_1_0_ecdsa_verify(STATIC_CTX, &sig, ctmp, &pubkey) == 1); 303 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_tweak_add(CTX, &pubkey, ctmp) == 1); 304 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_tweak_add(STATIC_CTX, &pubkey, ctmp) == 1); 305 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_tweak_mul(CTX, &pubkey, ctmp) == 1); 306 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_negate(STATIC_CTX, &pubkey) == 1); 307 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_negate(CTX, &pubkey) == 1); 308 CHECK_ILLEGAL(STATIC_CTX, haskellsecp256k1_v0_1_0_ec_pubkey_negate(STATIC_CTX, &zero_pubkey)); 309 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_ec_pubkey_negate(CTX, NULL)); 310 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_tweak_mul(STATIC_CTX, &pubkey, ctmp) == 1); 311 } 312 313 static void run_static_context_tests(int use_prealloc) { 314 /* Check that deprecated haskellsecp256k1_v0_1_0_context_no_precomp is an alias to haskellsecp256k1_v0_1_0_context_static. */ 315 CHECK(haskellsecp256k1_v0_1_0_context_no_precomp == haskellsecp256k1_v0_1_0_context_static); 316 317 { 318 unsigned char seed[32] = {0x17}; 319 320 /* Randomizing haskellsecp256k1_v0_1_0_context_static is not supported. */ 321 CHECK_ILLEGAL(STATIC_CTX, haskellsecp256k1_v0_1_0_context_randomize(STATIC_CTX, seed)); 322 CHECK_ILLEGAL(STATIC_CTX, haskellsecp256k1_v0_1_0_context_randomize(STATIC_CTX, NULL)); 323 324 /* Destroying or cloning haskellsecp256k1_v0_1_0_context_static is not supported. */ 325 if (use_prealloc) { 326 CHECK_ILLEGAL(STATIC_CTX, haskellsecp256k1_v0_1_0_context_preallocated_clone_size(STATIC_CTX)); 327 { 328 haskellsecp256k1_v0_1_0_context *my_static_ctx = malloc(sizeof(*STATIC_CTX)); 329 CHECK(my_static_ctx != NULL); 330 memset(my_static_ctx, 0x2a, sizeof(*my_static_ctx)); 331 CHECK_ILLEGAL(STATIC_CTX, haskellsecp256k1_v0_1_0_context_preallocated_clone(STATIC_CTX, my_static_ctx)); 332 CHECK(all_bytes_equal(my_static_ctx, 0x2a, sizeof(*my_static_ctx))); 333 free(my_static_ctx); 334 } 335 CHECK_ILLEGAL_VOID(STATIC_CTX, haskellsecp256k1_v0_1_0_context_preallocated_destroy(STATIC_CTX)); 336 } else { 337 CHECK_ILLEGAL(STATIC_CTX, haskellsecp256k1_v0_1_0_context_clone(STATIC_CTX)); 338 CHECK_ILLEGAL_VOID(STATIC_CTX, haskellsecp256k1_v0_1_0_context_destroy(STATIC_CTX)); 339 } 340 } 341 342 { 343 /* Verify that setting and resetting illegal callback works */ 344 int32_t dummy = 0; 345 haskellsecp256k1_v0_1_0_context_set_illegal_callback(STATIC_CTX, counting_callback_fn, &dummy); 346 CHECK(STATIC_CTX->illegal_callback.fn == counting_callback_fn); 347 CHECK(STATIC_CTX->illegal_callback.data == &dummy); 348 haskellsecp256k1_v0_1_0_context_set_illegal_callback(STATIC_CTX, NULL, NULL); 349 CHECK(STATIC_CTX->illegal_callback.fn == haskellsecp256k1_v0_1_0_default_illegal_callback_fn); 350 CHECK(STATIC_CTX->illegal_callback.data == NULL); 351 } 352 } 353 354 static void run_proper_context_tests(int use_prealloc) { 355 int32_t dummy = 0; 356 haskellsecp256k1_v0_1_0_context *my_ctx, *my_ctx_fresh; 357 void *my_ctx_prealloc = NULL; 358 unsigned char seed[32] = {0x17}; 359 360 haskellsecp256k1_v0_1_0_gej pubj; 361 haskellsecp256k1_v0_1_0_ge pub; 362 haskellsecp256k1_v0_1_0_scalar msg, key, nonce; 363 haskellsecp256k1_v0_1_0_scalar sigr, sigs; 364 365 /* Fresh reference context for comparison */ 366 my_ctx_fresh = haskellsecp256k1_v0_1_0_context_create(SECP256K1_CONTEXT_NONE); 367 368 if (use_prealloc) { 369 my_ctx_prealloc = malloc(haskellsecp256k1_v0_1_0_context_preallocated_size(SECP256K1_CONTEXT_NONE)); 370 CHECK(my_ctx_prealloc != NULL); 371 my_ctx = haskellsecp256k1_v0_1_0_context_preallocated_create(my_ctx_prealloc, SECP256K1_CONTEXT_NONE); 372 } else { 373 my_ctx = haskellsecp256k1_v0_1_0_context_create(SECP256K1_CONTEXT_NONE); 374 } 375 376 /* Randomize and reset randomization */ 377 CHECK(context_eq(my_ctx, my_ctx_fresh)); 378 CHECK(haskellsecp256k1_v0_1_0_context_randomize(my_ctx, seed) == 1); 379 CHECK(!context_eq(my_ctx, my_ctx_fresh)); 380 CHECK(haskellsecp256k1_v0_1_0_context_randomize(my_ctx, NULL) == 1); 381 CHECK(context_eq(my_ctx, my_ctx_fresh)); 382 383 /* set error callback (to a function that still aborts in case malloc() fails in haskellsecp256k1_v0_1_0_context_clone() below) */ 384 haskellsecp256k1_v0_1_0_context_set_error_callback(my_ctx, haskellsecp256k1_v0_1_0_default_illegal_callback_fn, NULL); 385 CHECK(my_ctx->error_callback.fn != haskellsecp256k1_v0_1_0_default_error_callback_fn); 386 CHECK(my_ctx->error_callback.fn == haskellsecp256k1_v0_1_0_default_illegal_callback_fn); 387 388 /* check if sizes for cloning are consistent */ 389 CHECK(haskellsecp256k1_v0_1_0_context_preallocated_clone_size(my_ctx) == haskellsecp256k1_v0_1_0_context_preallocated_size(SECP256K1_CONTEXT_NONE)); 390 391 /*** clone and destroy all of them to make sure cloning was complete ***/ 392 { 393 haskellsecp256k1_v0_1_0_context *ctx_tmp; 394 395 if (use_prealloc) { 396 /* clone into a non-preallocated context and then again into a new preallocated one. */ 397 ctx_tmp = my_ctx; 398 my_ctx = haskellsecp256k1_v0_1_0_context_clone(my_ctx); 399 CHECK(context_eq(ctx_tmp, my_ctx)); 400 haskellsecp256k1_v0_1_0_context_preallocated_destroy(ctx_tmp); 401 402 free(my_ctx_prealloc); 403 my_ctx_prealloc = malloc(haskellsecp256k1_v0_1_0_context_preallocated_size(SECP256K1_CONTEXT_NONE)); 404 CHECK(my_ctx_prealloc != NULL); 405 ctx_tmp = my_ctx; 406 my_ctx = haskellsecp256k1_v0_1_0_context_preallocated_clone(my_ctx, my_ctx_prealloc); 407 CHECK(context_eq(ctx_tmp, my_ctx)); 408 haskellsecp256k1_v0_1_0_context_destroy(ctx_tmp); 409 } else { 410 /* clone into a preallocated context and then again into a new non-preallocated one. */ 411 void *prealloc_tmp; 412 413 prealloc_tmp = malloc(haskellsecp256k1_v0_1_0_context_preallocated_size(SECP256K1_CONTEXT_NONE)); 414 CHECK(prealloc_tmp != NULL); 415 ctx_tmp = my_ctx; 416 my_ctx = haskellsecp256k1_v0_1_0_context_preallocated_clone(my_ctx, prealloc_tmp); 417 CHECK(context_eq(ctx_tmp, my_ctx)); 418 haskellsecp256k1_v0_1_0_context_destroy(ctx_tmp); 419 420 ctx_tmp = my_ctx; 421 my_ctx = haskellsecp256k1_v0_1_0_context_clone(my_ctx); 422 CHECK(context_eq(ctx_tmp, my_ctx)); 423 haskellsecp256k1_v0_1_0_context_preallocated_destroy(ctx_tmp); 424 free(prealloc_tmp); 425 } 426 } 427 428 /* Verify that the error callback makes it across the clone. */ 429 CHECK(my_ctx->error_callback.fn != haskellsecp256k1_v0_1_0_default_error_callback_fn); 430 CHECK(my_ctx->error_callback.fn == haskellsecp256k1_v0_1_0_default_illegal_callback_fn); 431 /* And that it resets back to default. */ 432 haskellsecp256k1_v0_1_0_context_set_error_callback(my_ctx, NULL, NULL); 433 CHECK(my_ctx->error_callback.fn == haskellsecp256k1_v0_1_0_default_error_callback_fn); 434 CHECK(context_eq(my_ctx, my_ctx_fresh)); 435 436 /* Verify that setting and resetting illegal callback works */ 437 haskellsecp256k1_v0_1_0_context_set_illegal_callback(my_ctx, counting_callback_fn, &dummy); 438 CHECK(my_ctx->illegal_callback.fn == counting_callback_fn); 439 CHECK(my_ctx->illegal_callback.data == &dummy); 440 haskellsecp256k1_v0_1_0_context_set_illegal_callback(my_ctx, NULL, NULL); 441 CHECK(my_ctx->illegal_callback.fn == haskellsecp256k1_v0_1_0_default_illegal_callback_fn); 442 CHECK(my_ctx->illegal_callback.data == NULL); 443 CHECK(context_eq(my_ctx, my_ctx_fresh)); 444 445 /*** attempt to use them ***/ 446 random_scalar_order_test(&msg); 447 random_scalar_order_test(&key); 448 haskellsecp256k1_v0_1_0_ecmult_gen(&my_ctx->ecmult_gen_ctx, &pubj, &key); 449 haskellsecp256k1_v0_1_0_ge_set_gej(&pub, &pubj); 450 451 /* obtain a working nonce */ 452 do { 453 random_scalar_order_test(&nonce); 454 } while(!haskellsecp256k1_v0_1_0_ecdsa_sig_sign(&my_ctx->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL)); 455 456 /* try signing */ 457 CHECK(haskellsecp256k1_v0_1_0_ecdsa_sig_sign(&my_ctx->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL)); 458 459 /* try verifying */ 460 CHECK(haskellsecp256k1_v0_1_0_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg)); 461 462 /* cleanup */ 463 if (use_prealloc) { 464 haskellsecp256k1_v0_1_0_context_preallocated_destroy(my_ctx); 465 free(my_ctx_prealloc); 466 } else { 467 haskellsecp256k1_v0_1_0_context_destroy(my_ctx); 468 } 469 haskellsecp256k1_v0_1_0_context_destroy(my_ctx_fresh); 470 471 /* Defined as no-op. */ 472 haskellsecp256k1_v0_1_0_context_destroy(NULL); 473 haskellsecp256k1_v0_1_0_context_preallocated_destroy(NULL); 474 } 475 476 static void run_scratch_tests(void) { 477 const size_t adj_alloc = ((500 + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT; 478 479 size_t checkpoint; 480 size_t checkpoint_2; 481 haskellsecp256k1_v0_1_0_scratch_space *scratch; 482 haskellsecp256k1_v0_1_0_scratch_space local_scratch; 483 484 /* Test public API */ 485 scratch = haskellsecp256k1_v0_1_0_scratch_space_create(CTX, 1000); 486 CHECK(scratch != NULL); 487 488 /* Test internal API */ 489 CHECK(haskellsecp256k1_v0_1_0_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000); 490 CHECK(haskellsecp256k1_v0_1_0_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1)); 491 CHECK(scratch->alloc_size == 0); 492 CHECK(scratch->alloc_size % ALIGNMENT == 0); 493 494 /* Allocating 500 bytes succeeds */ 495 checkpoint = haskellsecp256k1_v0_1_0_scratch_checkpoint(&CTX->error_callback, scratch); 496 CHECK(haskellsecp256k1_v0_1_0_scratch_alloc(&CTX->error_callback, scratch, 500) != NULL); 497 CHECK(haskellsecp256k1_v0_1_0_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000 - adj_alloc); 498 CHECK(haskellsecp256k1_v0_1_0_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1)); 499 CHECK(scratch->alloc_size != 0); 500 CHECK(scratch->alloc_size % ALIGNMENT == 0); 501 502 /* Allocating another 501 bytes fails */ 503 CHECK(haskellsecp256k1_v0_1_0_scratch_alloc(&CTX->error_callback, scratch, 501) == NULL); 504 CHECK(haskellsecp256k1_v0_1_0_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000 - adj_alloc); 505 CHECK(haskellsecp256k1_v0_1_0_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1)); 506 CHECK(scratch->alloc_size != 0); 507 CHECK(scratch->alloc_size % ALIGNMENT == 0); 508 509 /* ...but it succeeds once we apply the checkpoint to undo it */ 510 haskellsecp256k1_v0_1_0_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint); 511 CHECK(scratch->alloc_size == 0); 512 CHECK(haskellsecp256k1_v0_1_0_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000); 513 CHECK(haskellsecp256k1_v0_1_0_scratch_alloc(&CTX->error_callback, scratch, 500) != NULL); 514 CHECK(scratch->alloc_size != 0); 515 516 /* try to apply a bad checkpoint */ 517 checkpoint_2 = haskellsecp256k1_v0_1_0_scratch_checkpoint(&CTX->error_callback, scratch); 518 haskellsecp256k1_v0_1_0_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint); 519 CHECK_ERROR_VOID(CTX, haskellsecp256k1_v0_1_0_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint_2)); /* checkpoint_2 is after checkpoint */ 520 CHECK_ERROR_VOID(CTX, haskellsecp256k1_v0_1_0_scratch_apply_checkpoint(&CTX->error_callback, scratch, (size_t) -1)); /* this is just wildly invalid */ 521 522 /* try to use badly initialized scratch space */ 523 haskellsecp256k1_v0_1_0_scratch_space_destroy(CTX, scratch); 524 memset(&local_scratch, 0, sizeof(local_scratch)); 525 scratch = &local_scratch; 526 CHECK_ERROR(CTX, haskellsecp256k1_v0_1_0_scratch_max_allocation(&CTX->error_callback, scratch, 0)); 527 CHECK_ERROR(CTX, haskellsecp256k1_v0_1_0_scratch_alloc(&CTX->error_callback, scratch, 500)); 528 CHECK_ERROR_VOID(CTX, haskellsecp256k1_v0_1_0_scratch_space_destroy(CTX, scratch)); 529 530 /* Test that large integers do not wrap around in a bad way */ 531 scratch = haskellsecp256k1_v0_1_0_scratch_space_create(CTX, 1000); 532 /* Try max allocation with a large number of objects. Only makes sense if 533 * ALIGNMENT is greater than 1 because otherwise the objects take no extra 534 * space. */ 535 CHECK(ALIGNMENT <= 1 || !haskellsecp256k1_v0_1_0_scratch_max_allocation(&CTX->error_callback, scratch, (SIZE_MAX / (ALIGNMENT - 1)) + 1)); 536 /* Try allocating SIZE_MAX to test wrap around which only happens if 537 * ALIGNMENT > 1, otherwise it returns NULL anyway because the scratch 538 * space is too small. */ 539 CHECK(haskellsecp256k1_v0_1_0_scratch_alloc(&CTX->error_callback, scratch, SIZE_MAX) == NULL); 540 haskellsecp256k1_v0_1_0_scratch_space_destroy(CTX, scratch); 541 542 /* cleanup */ 543 haskellsecp256k1_v0_1_0_scratch_space_destroy(CTX, NULL); /* no-op */ 544 } 545 546 static void run_ctz_tests(void) { 547 static const uint32_t b32[] = {1, 0xffffffff, 0x5e56968f, 0xe0d63129}; 548 static const uint64_t b64[] = {1, 0xffffffffffffffff, 0xbcd02462139b3fc3, 0x98b5f80c769693ef}; 549 int shift; 550 unsigned i; 551 for (i = 0; i < sizeof(b32) / sizeof(b32[0]); ++i) { 552 for (shift = 0; shift < 32; ++shift) { 553 CHECK(haskellsecp256k1_v0_1_0_ctz32_var_debruijn(b32[i] << shift) == shift); 554 CHECK(haskellsecp256k1_v0_1_0_ctz32_var(b32[i] << shift) == shift); 555 } 556 } 557 for (i = 0; i < sizeof(b64) / sizeof(b64[0]); ++i) { 558 for (shift = 0; shift < 64; ++shift) { 559 CHECK(haskellsecp256k1_v0_1_0_ctz64_var_debruijn(b64[i] << shift) == shift); 560 CHECK(haskellsecp256k1_v0_1_0_ctz64_var(b64[i] << shift) == shift); 561 } 562 } 563 } 564 565 /***** HASH TESTS *****/ 566 567 static void run_sha256_known_output_tests(void) { 568 static const char *inputs[] = { 569 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe", 570 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", 571 "For this sample, this 63-byte string will be used as input data", 572 "This is exactly 64 bytes long, not counting the terminating byte", 573 "aaaaa", 574 }; 575 static const unsigned int repeat[] = { 576 1, 1, 1, 1, 1, 1, 1, 1, 1000000/5 577 }; 578 static const unsigned char outputs[][32] = { 579 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55}, 580 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad}, 581 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50}, 582 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d}, 583 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30}, 584 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1}, 585 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42}, 586 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}, 587 {0xcd, 0xc7, 0x6e, 0x5c, 0x99, 0x14, 0xfb, 0x92, 0x81, 0xa1, 0xc7, 0xe2, 0x84, 0xd7, 0x3e, 0x67, 0xf1, 0x80, 0x9a, 0x48, 0xa4, 0x97, 0x20, 0x0e, 0x04, 0x6d, 0x39, 0xcc, 0xc7, 0x11, 0x2c, 0xd0}, 588 }; 589 unsigned int i, ninputs; 590 591 /* Skip last input vector for low iteration counts */ 592 ninputs = sizeof(inputs)/sizeof(inputs[0]) - 1; 593 CONDITIONAL_TEST(16, "run_sha256_known_output_tests 1000000") ninputs++; 594 595 for (i = 0; i < ninputs; i++) { 596 unsigned char out[32]; 597 haskellsecp256k1_v0_1_0_sha256 hasher; 598 unsigned int j; 599 /* 1. Run: simply write the input bytestrings */ 600 j = repeat[i]; 601 haskellsecp256k1_v0_1_0_sha256_initialize(&hasher); 602 while (j > 0) { 603 haskellsecp256k1_v0_1_0_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i])); 604 j--; 605 } 606 haskellsecp256k1_v0_1_0_sha256_finalize(&hasher, out); 607 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(out, outputs[i], 32) == 0); 608 /* 2. Run: split the input bytestrings randomly before writing */ 609 if (strlen(inputs[i]) > 0) { 610 int split = haskellsecp256k1_v0_1_0_testrand_int(strlen(inputs[i])); 611 haskellsecp256k1_v0_1_0_sha256_initialize(&hasher); 612 j = repeat[i]; 613 while (j > 0) { 614 haskellsecp256k1_v0_1_0_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split); 615 haskellsecp256k1_v0_1_0_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split); 616 j--; 617 } 618 haskellsecp256k1_v0_1_0_sha256_finalize(&hasher, out); 619 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(out, outputs[i], 32) == 0); 620 } 621 } 622 } 623 624 /** SHA256 counter tests 625 626 The tests verify that the SHA256 counter doesn't wrap around at message length 627 2^i bytes for i = 20, ..., 33. This wide range aims at being independent of the 628 implementation of the counter and it catches multiple natural 32-bit overflows 629 (e.g., counting bits, counting bytes, counting blocks, ...). 630 631 The test vectors have been generated using following Python script which relies 632 on https://github.com/cloudtools/sha256/ (v0.3 on Python v3.10.2). 633 634 ``` 635 from sha256 import sha256 636 from copy import copy 637 638 def midstate_c_definition(hasher): 639 ret = ' {{0x' + hasher.state[0].hex('_', 4).replace('_', ', 0x') + '},\n' 640 ret += ' {0x00}, ' + str(hex(hasher.state[1])) + '}' 641 return ret 642 643 def output_c_literal(hasher): 644 return '{0x' + hasher.digest().hex('_').replace('_', ', 0x') + '}' 645 646 MESSAGE = b'abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmno' 647 assert(len(MESSAGE) == 64) 648 BYTE_BOUNDARIES = [(2**b)//len(MESSAGE) - 1 for b in range(20, 34)] 649 650 midstates = [] 651 digests = [] 652 hasher = sha256() 653 for i in range(BYTE_BOUNDARIES[-1] + 1): 654 if i in BYTE_BOUNDARIES: 655 midstates.append(midstate_c_definition(hasher)) 656 hasher_copy = copy(hasher) 657 hasher_copy.update(MESSAGE) 658 digests.append(output_c_literal(hasher_copy)) 659 hasher.update(MESSAGE) 660 661 for x in midstates: 662 print(x + ',') 663 664 for x in digests: 665 print(x + ',') 666 ``` 667 */ 668 static void run_sha256_counter_tests(void) { 669 static const char *input = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmno"; 670 static const haskellsecp256k1_v0_1_0_sha256 midstates[] = { 671 {{0xa2b5c8bb, 0x26c88bb3, 0x2abdc3d2, 0x9def99a3, 0xdfd21a6e, 0x41fe585b, 0x7ef2c440, 0x2b79adda}, 672 {0x00}, 0xfffc0}, 673 {{0xa0d29445, 0x9287de66, 0x76aabd71, 0x41acd765, 0x0c7528b4, 0x84e14906, 0x942faec6, 0xcc5a7b26}, 674 {0x00}, 0x1fffc0}, 675 {{0x50449526, 0xb9f1d657, 0xa0fc13e9, 0x50860f10, 0xa550c431, 0x3fbc97c1, 0x7bbb2d89, 0xdb67bac1}, 676 {0x00}, 0x3fffc0}, 677 {{0x54a6efdc, 0x46762e7b, 0x88bfe73f, 0xbbd149c7, 0x41620c43, 0x1168da7b, 0x2c5960f9, 0xeccffda6}, 678 {0x00}, 0x7fffc0}, 679 {{0x2515a8f5, 0x5faa2977, 0x3a850486, 0xac858cad, 0x7b7276ee, 0x235c0385, 0xc53a157c, 0x7cb3e69c}, 680 {0x00}, 0xffffc0}, 681 {{0x34f39828, 0x409fedb7, 0x4bbdd0fb, 0x3b643634, 0x7806bf2e, 0xe0d1b713, 0xca3f2e1e, 0xe38722c2}, 682 {0x00}, 0x1ffffc0}, 683 {{0x389ef5c5, 0x38c54167, 0x8f5d56ab, 0x582a75cc, 0x8217caef, 0xf10947dd, 0x6a1998a8, 0x048f0b8c}, 684 {0x00}, 0x3ffffc0}, 685 {{0xd6c3f394, 0x0bee43b9, 0x6783f497, 0x29fa9e21, 0x6ce491c1, 0xa81fe45e, 0x2fc3859a, 0x269012d0}, 686 {0x00}, 0x7ffffc0}, 687 {{0x6dd3c526, 0x44d88aa0, 0x806a1bae, 0xfbcc0d32, 0x9d6144f3, 0x9d2bd757, 0x9851a957, 0xb50430ad}, 688 {0x00}, 0xfffffc0}, 689 {{0x2add4021, 0xdfe8a9e6, 0xa56317c6, 0x7a15f5bb, 0x4a48aacd, 0x5d368414, 0x4f00e6f0, 0xd9355023}, 690 {0x00}, 0x1fffffc0}, 691 {{0xb66666b4, 0xdbeac32b, 0x0ea351ae, 0xcba9da46, 0x6278b874, 0x8c508e23, 0xe16ca776, 0x8465bac1}, 692 {0x00}, 0x3fffffc0}, 693 {{0xb6744789, 0x9cce87aa, 0xc4c478b7, 0xf38404d8, 0x2e38ba62, 0xa3f7019b, 0x50458fe7, 0x3047dbec}, 694 {0x00}, 0x7fffffc0}, 695 {{0x8b1297ba, 0xba261a80, 0x2ba1b0dd, 0xfbc67d6d, 0x61072c4e, 0x4b5a2a0f, 0x52872760, 0x2dfeb162}, 696 {0x00}, 0xffffffc0}, 697 {{0x24f33cf7, 0x41ad6583, 0x41c8ff5d, 0xca7ef35f, 0x50395756, 0x021b743e, 0xd7126cd7, 0xd037473a}, 698 {0x00}, 0x1ffffffc0}, 699 }; 700 static const unsigned char outputs[][32] = { 701 {0x0e, 0x83, 0xe2, 0xc9, 0x4f, 0xb2, 0xb8, 0x2b, 0x89, 0x06, 0x92, 0x78, 0x04, 0x03, 0x48, 0x5c, 0x48, 0x44, 0x67, 0x61, 0x77, 0xa4, 0xc7, 0x90, 0x9e, 0x92, 0x55, 0x10, 0x05, 0xfe, 0x39, 0x15}, 702 {0x1d, 0x1e, 0xd7, 0xb8, 0xa3, 0xa7, 0x8a, 0x79, 0xfd, 0xa0, 0x05, 0x08, 0x9c, 0xeb, 0xf0, 0xec, 0x67, 0x07, 0x9f, 0x8e, 0x3c, 0x0d, 0x8e, 0xf9, 0x75, 0x55, 0x13, 0xc1, 0xe8, 0x77, 0xf8, 0xbb}, 703 {0x66, 0x95, 0x6c, 0xc9, 0xe0, 0x39, 0x65, 0xb6, 0xb0, 0x05, 0xd1, 0xaf, 0xaf, 0xf3, 0x1d, 0xb9, 0xa4, 0xda, 0x6f, 0x20, 0xcd, 0x3a, 0xae, 0x64, 0xc2, 0xdb, 0xee, 0xf5, 0xb8, 0x8d, 0x57, 0x0e}, 704 {0x3c, 0xbb, 0x1c, 0x12, 0x5e, 0x17, 0xfd, 0x54, 0x90, 0x45, 0xa7, 0x7b, 0x61, 0x6c, 0x1d, 0xfe, 0xe6, 0xcc, 0x7f, 0xee, 0xcf, 0xef, 0x33, 0x35, 0x50, 0x62, 0x16, 0x70, 0x2f, 0x87, 0xc3, 0xc9}, 705 {0x53, 0x4d, 0xa8, 0xe7, 0x1e, 0x98, 0x73, 0x8d, 0xd9, 0xa3, 0x54, 0xa5, 0x0e, 0x59, 0x2c, 0x25, 0x43, 0x6f, 0xaa, 0xa2, 0xf5, 0x21, 0x06, 0x3e, 0xc9, 0x82, 0x06, 0x94, 0x98, 0x72, 0x9d, 0xa7}, 706 {0xef, 0x7e, 0xe9, 0x6b, 0xd3, 0xe5, 0xb7, 0x41, 0x4c, 0xc8, 0xd3, 0x07, 0x52, 0x9a, 0x5a, 0x8b, 0x4e, 0x1e, 0x75, 0xa4, 0x17, 0x78, 0xc8, 0x36, 0xcd, 0xf8, 0x2e, 0xd9, 0x57, 0xe3, 0xd7, 0x07}, 707 {0x87, 0x16, 0xfb, 0xf9, 0xa5, 0xf8, 0xc4, 0x56, 0x2b, 0x48, 0x52, 0x8e, 0x2d, 0x30, 0x85, 0xb6, 0x4c, 0x56, 0xb5, 0xd1, 0x16, 0x9c, 0xcf, 0x32, 0x95, 0xad, 0x03, 0xe8, 0x05, 0x58, 0x06, 0x76}, 708 {0x75, 0x03, 0x80, 0x28, 0xf2, 0xa7, 0x63, 0x22, 0x1a, 0x26, 0x9c, 0x68, 0xe0, 0x58, 0xfc, 0x73, 0xeb, 0x42, 0xf6, 0x86, 0x16, 0x24, 0x4b, 0xbc, 0x24, 0xf7, 0x02, 0xc8, 0x3d, 0x90, 0xe2, 0xb0}, 709 {0xdf, 0x49, 0x0f, 0x15, 0x7b, 0x7d, 0xbf, 0xe0, 0xd4, 0xcf, 0x47, 0xc0, 0x80, 0x93, 0x4a, 0x61, 0xaa, 0x03, 0x07, 0x66, 0xb3, 0x38, 0x5d, 0xc8, 0xc9, 0x07, 0x61, 0xfb, 0x97, 0x10, 0x2f, 0xd8}, 710 {0x77, 0x19, 0x40, 0x56, 0x41, 0xad, 0xbc, 0x59, 0xda, 0x1e, 0xc5, 0x37, 0x14, 0x63, 0x7b, 0xfb, 0x79, 0xe2, 0x7a, 0xb1, 0x55, 0x42, 0x99, 0x42, 0x56, 0xfe, 0x26, 0x9d, 0x0f, 0x7e, 0x80, 0xc6}, 711 {0x50, 0xe7, 0x2a, 0x0e, 0x26, 0x44, 0x2f, 0xe2, 0x55, 0x2d, 0xc3, 0x93, 0x8a, 0xc5, 0x86, 0x58, 0x22, 0x8c, 0x0c, 0xbf, 0xb1, 0xd2, 0xca, 0x87, 0x2a, 0xe4, 0x35, 0x26, 0x6f, 0xcd, 0x05, 0x5e}, 712 {0xe4, 0x80, 0x6f, 0xdb, 0x3d, 0x7d, 0xba, 0xde, 0x50, 0x3f, 0xea, 0x00, 0x3d, 0x46, 0x59, 0x64, 0xfd, 0x58, 0x1c, 0xa1, 0xb8, 0x7d, 0x5f, 0xac, 0x94, 0x37, 0x9e, 0xa0, 0xc0, 0x9c, 0x93, 0x8b}, 713 {0x2c, 0xf3, 0xa9, 0xf6, 0x15, 0x25, 0x80, 0x70, 0x76, 0x99, 0x7d, 0xf1, 0xc3, 0x2f, 0xa3, 0x31, 0xff, 0x92, 0x35, 0x2e, 0x8d, 0x04, 0x13, 0x33, 0xd8, 0x0d, 0xdb, 0x4a, 0xf6, 0x8c, 0x03, 0x34}, 714 {0xec, 0x12, 0x24, 0x9f, 0x35, 0xa4, 0x29, 0x8b, 0x9e, 0x4a, 0x95, 0xf8, 0x61, 0xaf, 0x61, 0xc5, 0x66, 0x55, 0x3e, 0x3f, 0x2a, 0x98, 0xea, 0x71, 0x16, 0x6b, 0x1c, 0xd9, 0xe4, 0x09, 0xd2, 0x8e}, 715 }; 716 unsigned int i; 717 for (i = 0; i < sizeof(midstates)/sizeof(midstates[0]); i++) { 718 unsigned char out[32]; 719 haskellsecp256k1_v0_1_0_sha256 hasher = midstates[i]; 720 haskellsecp256k1_v0_1_0_sha256_write(&hasher, (const unsigned char*)input, strlen(input)); 721 haskellsecp256k1_v0_1_0_sha256_finalize(&hasher, out); 722 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(out, outputs[i], 32) == 0); 723 } 724 } 725 726 /* Tests for the equality of two sha256 structs. This function only produces a 727 * correct result if an integer multiple of 64 many bytes have been written 728 * into the hash functions. This function is used by some module tests. */ 729 static void test_sha256_eq(const haskellsecp256k1_v0_1_0_sha256 *sha1, const haskellsecp256k1_v0_1_0_sha256 *sha2) { 730 /* Is buffer fully consumed? */ 731 CHECK((sha1->bytes & 0x3F) == 0); 732 733 CHECK(sha1->bytes == sha2->bytes); 734 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(sha1->s, sha2->s, sizeof(sha1->s)) == 0); 735 } 736 737 static void run_hmac_sha256_tests(void) { 738 static const char *keys[6] = { 739 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 740 "\x4a\x65\x66\x65", 741 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa", 742 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19", 743 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa", 744 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" 745 }; 746 static const char *inputs[6] = { 747 "\x48\x69\x20\x54\x68\x65\x72\x65", 748 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f", 749 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd", 750 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd", 751 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74", 752 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e" 753 }; 754 static const unsigned char outputs[6][32] = { 755 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7}, 756 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43}, 757 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe}, 758 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b}, 759 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54}, 760 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2} 761 }; 762 int i; 763 for (i = 0; i < 6; i++) { 764 haskellsecp256k1_v0_1_0_hmac_sha256 hasher; 765 unsigned char out[32]; 766 haskellsecp256k1_v0_1_0_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i])); 767 haskellsecp256k1_v0_1_0_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i])); 768 haskellsecp256k1_v0_1_0_hmac_sha256_finalize(&hasher, out); 769 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(out, outputs[i], 32) == 0); 770 if (strlen(inputs[i]) > 0) { 771 int split = haskellsecp256k1_v0_1_0_testrand_int(strlen(inputs[i])); 772 haskellsecp256k1_v0_1_0_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i])); 773 haskellsecp256k1_v0_1_0_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split); 774 haskellsecp256k1_v0_1_0_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split); 775 haskellsecp256k1_v0_1_0_hmac_sha256_finalize(&hasher, out); 776 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(out, outputs[i], 32) == 0); 777 } 778 } 779 } 780 781 static void run_rfc6979_hmac_sha256_tests(void) { 782 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0}; 783 static const unsigned char out1[3][32] = { 784 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb}, 785 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a}, 786 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e} 787 }; 788 789 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55}; 790 static const unsigned char out2[3][32] = { 791 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95}, 792 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9}, 793 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94} 794 }; 795 796 haskellsecp256k1_v0_1_0_rfc6979_hmac_sha256 rng; 797 unsigned char out[32]; 798 int i; 799 800 haskellsecp256k1_v0_1_0_rfc6979_hmac_sha256_initialize(&rng, key1, 64); 801 for (i = 0; i < 3; i++) { 802 haskellsecp256k1_v0_1_0_rfc6979_hmac_sha256_generate(&rng, out, 32); 803 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(out, out1[i], 32) == 0); 804 } 805 haskellsecp256k1_v0_1_0_rfc6979_hmac_sha256_finalize(&rng); 806 807 haskellsecp256k1_v0_1_0_rfc6979_hmac_sha256_initialize(&rng, key1, 65); 808 for (i = 0; i < 3; i++) { 809 haskellsecp256k1_v0_1_0_rfc6979_hmac_sha256_generate(&rng, out, 32); 810 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(out, out1[i], 32) != 0); 811 } 812 haskellsecp256k1_v0_1_0_rfc6979_hmac_sha256_finalize(&rng); 813 814 haskellsecp256k1_v0_1_0_rfc6979_hmac_sha256_initialize(&rng, key2, 64); 815 for (i = 0; i < 3; i++) { 816 haskellsecp256k1_v0_1_0_rfc6979_hmac_sha256_generate(&rng, out, 32); 817 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(out, out2[i], 32) == 0); 818 } 819 haskellsecp256k1_v0_1_0_rfc6979_hmac_sha256_finalize(&rng); 820 } 821 822 static void run_tagged_sha256_tests(void) { 823 unsigned char tag[32] = { 0 }; 824 unsigned char msg[32] = { 0 }; 825 unsigned char hash32[32]; 826 unsigned char hash_expected[32] = { 827 0x04, 0x7A, 0x5E, 0x17, 0xB5, 0x86, 0x47, 0xC1, 828 0x3C, 0xC6, 0xEB, 0xC0, 0xAA, 0x58, 0x3B, 0x62, 829 0xFB, 0x16, 0x43, 0x32, 0x68, 0x77, 0x40, 0x6C, 830 0xE2, 0x76, 0x55, 0x9A, 0x3B, 0xDE, 0x55, 0xB3 831 }; 832 833 /* API test */ 834 CHECK(haskellsecp256k1_v0_1_0_tagged_sha256(CTX, hash32, tag, sizeof(tag), msg, sizeof(msg)) == 1); 835 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_tagged_sha256(CTX, NULL, tag, sizeof(tag), msg, sizeof(msg))); 836 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_tagged_sha256(CTX, hash32, NULL, 0, msg, sizeof(msg))); 837 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_tagged_sha256(CTX, hash32, tag, sizeof(tag), NULL, 0)); 838 839 /* Static test vector */ 840 memcpy(tag, "tag", 3); 841 memcpy(msg, "msg", 3); 842 CHECK(haskellsecp256k1_v0_1_0_tagged_sha256(CTX, hash32, tag, 3, msg, 3) == 1); 843 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(hash32, hash_expected, sizeof(hash32)) == 0); 844 } 845 846 /***** MODINV TESTS *****/ 847 848 /* Compute the modular inverse of (odd) x mod 2^64. */ 849 static uint64_t modinv2p64(uint64_t x) { 850 /* If w = 1/x mod 2^(2^L), then w*(2 - w*x) = 1/x mod 2^(2^(L+1)). See 851 * Hacker's Delight second edition, Henry S. Warren, Jr., pages 245-247 for 852 * why. Start with L=0, for which it is true for every odd x that 853 * 1/x=1 mod 2. Iterating 6 times gives us 1/x mod 2^64. */ 854 int l; 855 uint64_t w = 1; 856 CHECK(x & 1); 857 for (l = 0; l < 6; ++l) w *= (2 - w*x); 858 return w; 859 } 860 861 862 /* compute out = (a*b) mod m; if b=NULL, treat b=1; if m=NULL, treat m=infinity. 863 * 864 * Out is a 512-bit number (represented as 32 uint16_t's in LE order). The other 865 * arguments are 256-bit numbers (represented as 16 uint16_t's in LE order). */ 866 static void mulmod256(uint16_t* out, const uint16_t* a, const uint16_t* b, const uint16_t* m) { 867 uint16_t mul[32]; 868 uint64_t c = 0; 869 int i, j; 870 int m_bitlen = 0; 871 int mul_bitlen = 0; 872 873 if (b != NULL) { 874 /* Compute the product of a and b, and put it in mul. */ 875 for (i = 0; i < 32; ++i) { 876 for (j = i <= 15 ? 0 : i - 15; j <= i && j <= 15; j++) { 877 c += (uint64_t)a[j] * b[i - j]; 878 } 879 mul[i] = c & 0xFFFF; 880 c >>= 16; 881 } 882 CHECK(c == 0); 883 884 /* compute the highest set bit in mul */ 885 for (i = 511; i >= 0; --i) { 886 if ((mul[i >> 4] >> (i & 15)) & 1) { 887 mul_bitlen = i; 888 break; 889 } 890 } 891 } else { 892 /* if b==NULL, set mul=a. */ 893 memcpy(mul, a, 32); 894 memset(mul + 16, 0, 32); 895 /* compute the highest set bit in mul */ 896 for (i = 255; i >= 0; --i) { 897 if ((mul[i >> 4] >> (i & 15)) & 1) { 898 mul_bitlen = i; 899 break; 900 } 901 } 902 } 903 904 if (m) { 905 /* Compute the highest set bit in m. */ 906 for (i = 255; i >= 0; --i) { 907 if ((m[i >> 4] >> (i & 15)) & 1) { 908 m_bitlen = i; 909 break; 910 } 911 } 912 913 /* Try do mul -= m<<i, for i going down to 0, whenever the result is not negative */ 914 for (i = mul_bitlen - m_bitlen; i >= 0; --i) { 915 uint16_t mul2[32]; 916 int64_t cs; 917 918 /* Compute mul2 = mul - m<<i. */ 919 cs = 0; /* accumulator */ 920 for (j = 0; j < 32; ++j) { /* j loops over the output limbs in mul2. */ 921 /* Compute sub: the 16 bits in m that will be subtracted from mul2[j]. */ 922 uint16_t sub = 0; 923 int p; 924 for (p = 0; p < 16; ++p) { /* p loops over the bit positions in mul2[j]. */ 925 int bitpos = j * 16 - i + p; /* bitpos is the correspond bit position in m. */ 926 if (bitpos >= 0 && bitpos < 256) { 927 sub |= ((m[bitpos >> 4] >> (bitpos & 15)) & 1) << p; 928 } 929 } 930 /* Add mul[j]-sub to accumulator, and shift bottom 16 bits out to mul2[j]. */ 931 cs += mul[j]; 932 cs -= sub; 933 mul2[j] = (cs & 0xFFFF); 934 cs >>= 16; 935 } 936 /* If remainder of subtraction is 0, set mul = mul2. */ 937 if (cs == 0) { 938 memcpy(mul, mul2, sizeof(mul)); 939 } 940 } 941 /* Sanity check: test that all limbs higher than m's highest are zero */ 942 for (i = (m_bitlen >> 4) + 1; i < 32; ++i) { 943 CHECK(mul[i] == 0); 944 } 945 } 946 memcpy(out, mul, 32); 947 } 948 949 /* Convert a 256-bit number represented as 16 uint16_t's to signed30 notation. */ 950 static void uint16_to_signed30(haskellsecp256k1_v0_1_0_modinv32_signed30* out, const uint16_t* in) { 951 int i; 952 memset(out->v, 0, sizeof(out->v)); 953 for (i = 0; i < 256; ++i) { 954 out->v[i / 30] |= (int32_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 30); 955 } 956 } 957 958 /* Convert a 256-bit number in signed30 notation to a representation as 16 uint16_t's. */ 959 static void signed30_to_uint16(uint16_t* out, const haskellsecp256k1_v0_1_0_modinv32_signed30* in) { 960 int i; 961 memset(out, 0, 32); 962 for (i = 0; i < 256; ++i) { 963 out[i >> 4] |= (((in->v[i / 30]) >> (i % 30)) & 1) << (i & 15); 964 } 965 } 966 967 /* Randomly mutate the sign of limbs in signed30 representation, without changing the value. */ 968 static void mutate_sign_signed30(haskellsecp256k1_v0_1_0_modinv32_signed30* x) { 969 int i; 970 for (i = 0; i < 16; ++i) { 971 int pos = haskellsecp256k1_v0_1_0_testrand_bits(3); 972 if (x->v[pos] > 0 && x->v[pos + 1] <= 0x3fffffff) { 973 x->v[pos] -= 0x40000000; 974 x->v[pos + 1] += 1; 975 } else if (x->v[pos] < 0 && x->v[pos + 1] >= 0x3fffffff) { 976 x->v[pos] += 0x40000000; 977 x->v[pos + 1] -= 1; 978 } 979 } 980 } 981 982 /* Test haskellsecp256k1_v0_1_0_modinv32{_var}, using inputs in 16-bit limb format, and returning inverse. */ 983 static void test_modinv32_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) { 984 uint16_t tmp[16]; 985 haskellsecp256k1_v0_1_0_modinv32_signed30 x; 986 haskellsecp256k1_v0_1_0_modinv32_modinfo m; 987 int i, vartime, nonzero; 988 989 uint16_to_signed30(&x, in); 990 nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4] | x.v[5] | x.v[6] | x.v[7] | x.v[8]) != 0; 991 uint16_to_signed30(&m.modulus, mod); 992 993 /* compute 1/modulus mod 2^30 */ 994 m.modulus_inv30 = modinv2p64(m.modulus.v[0]) & 0x3fffffff; 995 CHECK(((m.modulus_inv30 * m.modulus.v[0]) & 0x3fffffff) == 1); 996 997 /* Test haskellsecp256k1_v0_1_0_jacobi32_maybe_var. */ 998 if (nonzero) { 999 int jac; 1000 uint16_t sqr[16], negone[16]; 1001 mulmod256(sqr, in, in, mod); 1002 uint16_to_signed30(&x, sqr); 1003 /* Compute jacobi symbol of in^2, which must be 1 (or uncomputable). */ 1004 jac = haskellsecp256k1_v0_1_0_jacobi32_maybe_var(&x, &m); 1005 CHECK(jac == 0 || jac == 1); 1006 /* Then compute the jacobi symbol of -(in^2). x and -x have opposite 1007 * jacobi symbols if and only if (mod % 4) == 3. */ 1008 negone[0] = mod[0] - 1; 1009 for (i = 1; i < 16; ++i) negone[i] = mod[i]; 1010 mulmod256(sqr, sqr, negone, mod); 1011 uint16_to_signed30(&x, sqr); 1012 jac = haskellsecp256k1_v0_1_0_jacobi32_maybe_var(&x, &m); 1013 CHECK(jac == 0 || jac == 1 - (mod[0] & 2)); 1014 } 1015 1016 uint16_to_signed30(&x, in); 1017 mutate_sign_signed30(&m.modulus); 1018 for (vartime = 0; vartime < 2; ++vartime) { 1019 /* compute inverse */ 1020 (vartime ? haskellsecp256k1_v0_1_0_modinv32_var : haskellsecp256k1_v0_1_0_modinv32)(&x, &m); 1021 1022 /* produce output */ 1023 signed30_to_uint16(out, &x); 1024 1025 /* check if the inverse times the input is 1 (mod m), unless x is 0. */ 1026 mulmod256(tmp, out, in, mod); 1027 CHECK(tmp[0] == nonzero); 1028 for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0); 1029 1030 /* invert again */ 1031 (vartime ? haskellsecp256k1_v0_1_0_modinv32_var : haskellsecp256k1_v0_1_0_modinv32)(&x, &m); 1032 1033 /* check if the result is equal to the input */ 1034 signed30_to_uint16(tmp, &x); 1035 for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]); 1036 } 1037 } 1038 1039 #ifdef SECP256K1_WIDEMUL_INT128 1040 /* Convert a 256-bit number represented as 16 uint16_t's to signed62 notation. */ 1041 static void uint16_to_signed62(haskellsecp256k1_v0_1_0_modinv64_signed62* out, const uint16_t* in) { 1042 int i; 1043 memset(out->v, 0, sizeof(out->v)); 1044 for (i = 0; i < 256; ++i) { 1045 out->v[i / 62] |= (int64_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 62); 1046 } 1047 } 1048 1049 /* Convert a 256-bit number in signed62 notation to a representation as 16 uint16_t's. */ 1050 static void signed62_to_uint16(uint16_t* out, const haskellsecp256k1_v0_1_0_modinv64_signed62* in) { 1051 int i; 1052 memset(out, 0, 32); 1053 for (i = 0; i < 256; ++i) { 1054 out[i >> 4] |= (((in->v[i / 62]) >> (i % 62)) & 1) << (i & 15); 1055 } 1056 } 1057 1058 /* Randomly mutate the sign of limbs in signed62 representation, without changing the value. */ 1059 static void mutate_sign_signed62(haskellsecp256k1_v0_1_0_modinv64_signed62* x) { 1060 static const int64_t M62 = (int64_t)(UINT64_MAX >> 2); 1061 int i; 1062 for (i = 0; i < 8; ++i) { 1063 int pos = haskellsecp256k1_v0_1_0_testrand_bits(2); 1064 if (x->v[pos] > 0 && x->v[pos + 1] <= M62) { 1065 x->v[pos] -= (M62 + 1); 1066 x->v[pos + 1] += 1; 1067 } else if (x->v[pos] < 0 && x->v[pos + 1] >= -M62) { 1068 x->v[pos] += (M62 + 1); 1069 x->v[pos + 1] -= 1; 1070 } 1071 } 1072 } 1073 1074 /* Test haskellsecp256k1_v0_1_0_modinv64{_var}, using inputs in 16-bit limb format, and returning inverse. */ 1075 static void test_modinv64_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) { 1076 static const int64_t M62 = (int64_t)(UINT64_MAX >> 2); 1077 uint16_t tmp[16]; 1078 haskellsecp256k1_v0_1_0_modinv64_signed62 x; 1079 haskellsecp256k1_v0_1_0_modinv64_modinfo m; 1080 int i, vartime, nonzero; 1081 1082 uint16_to_signed62(&x, in); 1083 nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4]) != 0; 1084 uint16_to_signed62(&m.modulus, mod); 1085 1086 /* compute 1/modulus mod 2^62 */ 1087 m.modulus_inv62 = modinv2p64(m.modulus.v[0]) & M62; 1088 CHECK(((m.modulus_inv62 * m.modulus.v[0]) & M62) == 1); 1089 1090 /* Test haskellsecp256k1_v0_1_0_jacobi64_maybe_var. */ 1091 if (nonzero) { 1092 int jac; 1093 uint16_t sqr[16], negone[16]; 1094 mulmod256(sqr, in, in, mod); 1095 uint16_to_signed62(&x, sqr); 1096 /* Compute jacobi symbol of in^2, which must be 1 (or uncomputable). */ 1097 jac = haskellsecp256k1_v0_1_0_jacobi64_maybe_var(&x, &m); 1098 CHECK(jac == 0 || jac == 1); 1099 /* Then compute the jacobi symbol of -(in^2). x and -x have opposite 1100 * jacobi symbols if and only if (mod % 4) == 3. */ 1101 negone[0] = mod[0] - 1; 1102 for (i = 1; i < 16; ++i) negone[i] = mod[i]; 1103 mulmod256(sqr, sqr, negone, mod); 1104 uint16_to_signed62(&x, sqr); 1105 jac = haskellsecp256k1_v0_1_0_jacobi64_maybe_var(&x, &m); 1106 CHECK(jac == 0 || jac == 1 - (mod[0] & 2)); 1107 } 1108 1109 uint16_to_signed62(&x, in); 1110 mutate_sign_signed62(&m.modulus); 1111 for (vartime = 0; vartime < 2; ++vartime) { 1112 /* compute inverse */ 1113 (vartime ? haskellsecp256k1_v0_1_0_modinv64_var : haskellsecp256k1_v0_1_0_modinv64)(&x, &m); 1114 1115 /* produce output */ 1116 signed62_to_uint16(out, &x); 1117 1118 /* check if the inverse times the input is 1 (mod m), unless x is 0. */ 1119 mulmod256(tmp, out, in, mod); 1120 CHECK(tmp[0] == nonzero); 1121 for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0); 1122 1123 /* invert again */ 1124 (vartime ? haskellsecp256k1_v0_1_0_modinv64_var : haskellsecp256k1_v0_1_0_modinv64)(&x, &m); 1125 1126 /* check if the result is equal to the input */ 1127 signed62_to_uint16(tmp, &x); 1128 for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]); 1129 } 1130 } 1131 #endif 1132 1133 /* test if a and b are coprime */ 1134 static int coprime(const uint16_t* a, const uint16_t* b) { 1135 uint16_t x[16], y[16], t[16]; 1136 int i; 1137 int iszero; 1138 memcpy(x, a, 32); 1139 memcpy(y, b, 32); 1140 1141 /* simple gcd loop: while x!=0, (x,y)=(y%x,x) */ 1142 while (1) { 1143 iszero = 1; 1144 for (i = 0; i < 16; ++i) { 1145 if (x[i] != 0) { 1146 iszero = 0; 1147 break; 1148 } 1149 } 1150 if (iszero) break; 1151 mulmod256(t, y, NULL, x); 1152 memcpy(y, x, 32); 1153 memcpy(x, t, 32); 1154 } 1155 1156 /* return whether y=1 */ 1157 if (y[0] != 1) return 0; 1158 for (i = 1; i < 16; ++i) { 1159 if (y[i] != 0) return 0; 1160 } 1161 return 1; 1162 } 1163 1164 static void run_modinv_tests(void) { 1165 /* Fixed test cases. Each tuple is (input, modulus, output), each as 16x16 bits in LE order. */ 1166 static const uint16_t CASES[][3][16] = { 1167 /* Test cases triggering edge cases in divsteps */ 1168 1169 /* Test case known to need 713 divsteps */ 1170 {{0x1513, 0x5389, 0x54e9, 0x2798, 0x1957, 0x66a0, 0x8057, 0x3477, 1171 0x7784, 0x1052, 0x326a, 0x9331, 0x6506, 0xa95c, 0x91f3, 0xfb5e}, 1172 {0x2bdd, 0x8df4, 0xcc61, 0x481f, 0xdae5, 0x5ca7, 0xf43b, 0x7d54, 1173 0x13d6, 0x469b, 0x2294, 0x20f4, 0xb2a4, 0xa2d1, 0x3ff1, 0xfd4b}, 1174 {0xffd8, 0xd9a0, 0x456e, 0x81bb, 0xbabd, 0x6cea, 0x6dbd, 0x73ab, 1175 0xbb94, 0x3d3c, 0xdf08, 0x31c4, 0x3e32, 0xc179, 0x2486, 0xb86b}}, 1176 /* Test case known to need 589 divsteps, reaching delta=-140 and 1177 delta=141. */ 1178 {{0x3fb1, 0x903b, 0x4eb7, 0x4813, 0xd863, 0x26bf, 0xd89f, 0xa8a9, 1179 0x02fe, 0x57c6, 0x554a, 0x4eab, 0x165e, 0x3d61, 0xee1e, 0x456c}, 1180 {0x9295, 0x823b, 0x5c1f, 0x5386, 0x48e0, 0x02ff, 0x4c2a, 0xa2da, 1181 0xe58f, 0x967c, 0xc97e, 0x3f5a, 0x69fb, 0x52d9, 0x0a86, 0xb4a3}, 1182 {0x3d30, 0xb893, 0xa809, 0xa7a8, 0x26f5, 0x5b42, 0x55be, 0xf4d0, 1183 0x12c2, 0x7e6a, 0xe41a, 0x90c7, 0xebfa, 0xf920, 0x304e, 0x1419}}, 1184 /* Test case known to need 650 divsteps, and doing 65 consecutive (f,g/2) steps. */ 1185 {{0x8583, 0x5058, 0xbeae, 0xeb69, 0x48bc, 0x52bb, 0x6a9d, 0xcc94, 1186 0x2a21, 0x87d5, 0x5b0d, 0x42f6, 0x5b8a, 0x2214, 0xe9d6, 0xa040}, 1187 {0x7531, 0x27cb, 0x7e53, 0xb739, 0x6a5f, 0x83f5, 0xa45c, 0xcb1d, 1188 0x8a87, 0x1c9c, 0x51d7, 0x851c, 0xb9d8, 0x1fbe, 0xc241, 0xd4a3}, 1189 {0xcdb4, 0x275c, 0x7d22, 0xa906, 0x0173, 0xc054, 0x7fdf, 0x5005, 1190 0x7fb8, 0x9059, 0xdf51, 0x99df, 0x2654, 0x8f6e, 0x070f, 0xb347}}, 1191 /* example needing 713 divsteps; delta=-2..3 */ 1192 {{0xe2e9, 0xee91, 0x4345, 0xe5ad, 0xf3ec, 0x8f42, 0x0364, 0xd5c9, 1193 0xff49, 0xbef5, 0x4544, 0x4c7c, 0xae4b, 0xfd9d, 0xb35b, 0xda9d}, 1194 {0x36e7, 0x8cca, 0x2ed0, 0x47b3, 0xaca4, 0xb374, 0x7d2a, 0x0772, 1195 0x6bdb, 0xe0a7, 0x900b, 0xfe10, 0x788c, 0x6f22, 0xd909, 0xf298}, 1196 {0xd8c6, 0xba39, 0x13ed, 0x198c, 0x16c8, 0xb837, 0xa5f2, 0x9797, 1197 0x0113, 0x882a, 0x15b5, 0x324c, 0xabee, 0xe465, 0x8170, 0x85ac}}, 1198 /* example needing 713 divsteps; delta=-2..3 */ 1199 {{0xd5b7, 0x2966, 0x040e, 0xf59a, 0x0387, 0xd96d, 0xbfbc, 0xd850, 1200 0x2d96, 0x872a, 0xad81, 0xc03c, 0xbb39, 0xb7fa, 0xd904, 0xef78}, 1201 {0x6279, 0x4314, 0xfdd3, 0x1568, 0x0982, 0x4d13, 0x625f, 0x010c, 1202 0x22b1, 0x0cc3, 0xf22d, 0x5710, 0x1109, 0x5751, 0x7714, 0xfcf2}, 1203 {0xdb13, 0x5817, 0x232e, 0xe456, 0xbbbc, 0x6fbe, 0x4572, 0xa358, 1204 0xc76d, 0x928e, 0x0162, 0x5314, 0x8325, 0x5683, 0xe21b, 0xda88}}, 1205 /* example needing 713 divsteps; delta=-2..3 */ 1206 {{0xa06f, 0x71ee, 0x3bac, 0x9ebb, 0xdeaa, 0x09ed, 0x1cf7, 0x9ec9, 1207 0x7158, 0x8b72, 0x5d53, 0x5479, 0x5c75, 0xbb66, 0x9125, 0xeccc}, 1208 {0x2941, 0xd46c, 0x3cd4, 0x4a9d, 0x5c4a, 0x256b, 0xbd6c, 0x9b8e, 1209 0x8fe0, 0x8a14, 0xffe8, 0x2496, 0x618d, 0xa9d7, 0x5018, 0xfb29}, 1210 {0x437c, 0xbd60, 0x7590, 0x94bb, 0x0095, 0xd35e, 0xd4fe, 0xd6da, 1211 0x0d4e, 0x5342, 0x4cd2, 0x169b, 0x661c, 0x1380, 0xed2d, 0x85c1}}, 1212 /* example reaching delta=-64..65; 661 divsteps */ 1213 {{0xfde4, 0x68d6, 0x6c48, 0x7f77, 0x1c78, 0x96de, 0x2fd9, 0xa6c2, 1214 0xbbb5, 0xd319, 0x69cf, 0xd4b3, 0xa321, 0xcda0, 0x172e, 0xe530}, 1215 {0xd9e3, 0x0f60, 0x3d86, 0xeeab, 0x25ee, 0x9582, 0x2d50, 0xfe16, 1216 0xd4e2, 0xe3ba, 0x94e2, 0x9833, 0x6c5e, 0x8982, 0x13b6, 0xe598}, 1217 {0xe675, 0xf55a, 0x10f6, 0xabde, 0x5113, 0xecaa, 0x61ae, 0xad9f, 1218 0x0c27, 0xef33, 0x62e5, 0x211d, 0x08fa, 0xa78d, 0xc675, 0x8bae}}, 1219 /* example reaching delta=-64..65; 661 divsteps */ 1220 {{0x21bf, 0x52d5, 0x8fd4, 0xaa18, 0x156a, 0x7247, 0xebb8, 0x5717, 1221 0x4eb5, 0x1421, 0xb58f, 0x3b0b, 0x5dff, 0xe533, 0xb369, 0xd28a}, 1222 {0x9f6b, 0xe463, 0x2563, 0xc74d, 0x6d81, 0x636a, 0x8fc8, 0x7a94, 1223 0x9429, 0x1585, 0xf35e, 0x7ff5, 0xb64f, 0x9720, 0xba74, 0xe108}, 1224 {0xa5ab, 0xea7b, 0xfe5e, 0x8a85, 0x13be, 0x7934, 0xe8a0, 0xa187, 1225 0x86b5, 0xe477, 0xb9a4, 0x75d7, 0x538f, 0xdd70, 0xc781, 0xb67d}}, 1226 /* example reaching delta=-64..65; 661 divsteps */ 1227 {{0xa41a, 0x3e8d, 0xf1f5, 0x9493, 0x868c, 0x5103, 0x2725, 0x3ceb, 1228 0x6032, 0x3624, 0xdc6b, 0x9120, 0xbf4c, 0x8821, 0x91ad, 0xb31a}, 1229 {0x5c0b, 0xdda5, 0x20f8, 0x32a1, 0xaf73, 0x6ec5, 0x4779, 0x43d6, 1230 0xd454, 0x9573, 0xbf84, 0x5a58, 0xe04e, 0x307e, 0xd1d5, 0xe230}, 1231 {0xda15, 0xbcd6, 0x7180, 0xabd3, 0x04e6, 0x6986, 0xc0d7, 0x90bb, 1232 0x3a4d, 0x7c95, 0xaaab, 0x9ab3, 0xda34, 0xa7f6, 0x9636, 0x6273}}, 1233 /* example doing 123 consecutive (f,g/2) steps; 615 divsteps */ 1234 {{0xb4d6, 0xb38f, 0x00aa, 0xebda, 0xd4c2, 0x70b8, 0x9dad, 0x58ee, 1235 0x68f8, 0x48d3, 0xb5ff, 0xf422, 0x9e46, 0x2437, 0x18d0, 0xd9cc}, 1236 {0x5c83, 0xfed7, 0x97f5, 0x3f07, 0xcaad, 0x95b1, 0xb4a4, 0xb005, 1237 0x23af, 0xdd27, 0x6c0d, 0x932c, 0xe2b2, 0xe3ae, 0xfb96, 0xdf67}, 1238 {0x3105, 0x0127, 0xfd48, 0x039b, 0x35f1, 0xbc6f, 0x6c0a, 0xb572, 1239 0xe4df, 0xebad, 0x8edc, 0xb89d, 0x9555, 0x4c26, 0x1fef, 0x997c}}, 1240 /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */ 1241 {{0x5138, 0xd474, 0x385f, 0xc964, 0x00f2, 0x6df7, 0x862d, 0xb185, 1242 0xb264, 0xe9e1, 0x466c, 0xf39e, 0xafaf, 0x5f41, 0x47e2, 0xc89d}, 1243 {0x8607, 0x9c81, 0x46a2, 0x7dcc, 0xcb0c, 0x9325, 0xe149, 0x2bde, 1244 0x6632, 0x2869, 0xa261, 0xb163, 0xccee, 0x22ae, 0x91e0, 0xcfd5}, 1245 {0x831c, 0xda22, 0xb080, 0xba7a, 0x26e2, 0x54b0, 0x073b, 0x5ea0, 1246 0xed4b, 0xcb3d, 0xbba1, 0xbec8, 0xf2ad, 0xae0d, 0x349b, 0x17d1}}, 1247 /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */ 1248 {{0xe9a5, 0xb4ad, 0xd995, 0x9953, 0xcdff, 0x50d7, 0xf715, 0x9dc7, 1249 0x3e28, 0x15a9, 0x95a3, 0x8554, 0x5b5e, 0xad1d, 0x6d57, 0x3d50}, 1250 {0x3ad9, 0xbd60, 0x5cc7, 0x6b91, 0xadeb, 0x71f6, 0x7cc4, 0xa58a, 1251 0x2cce, 0xf17c, 0x38c9, 0x97ed, 0x65fb, 0x3fa6, 0xa6bc, 0xeb24}, 1252 {0xf96c, 0x1963, 0x8151, 0xa0cc, 0x299b, 0xf277, 0x001a, 0x16bb, 1253 0xfd2e, 0x532d, 0x0410, 0xe117, 0x6b00, 0x44ec, 0xca6a, 0x1745}}, 1254 /* example doing 446 (f,g/2) steps; 523 divsteps */ 1255 {{0x3758, 0xa56c, 0xe41e, 0x4e47, 0x0975, 0xa82b, 0x107c, 0x89cf, 1256 0x2093, 0x5a0c, 0xda37, 0xe007, 0x6074, 0x4f68, 0x2f5a, 0xbb8a}, 1257 {0x4beb, 0xa40f, 0x2c42, 0xd9d6, 0x97e8, 0xca7c, 0xd395, 0x894f, 1258 0x1f50, 0x8067, 0xa233, 0xb850, 0x1746, 0x1706, 0xbcda, 0xdf32}, 1259 {0x762a, 0xceda, 0x4c45, 0x1ca0, 0x8c37, 0xd8c5, 0xef57, 0x7a2c, 1260 0x6e98, 0xe38a, 0xc50e, 0x2ca9, 0xcb85, 0x24d5, 0xc29c, 0x61f6}}, 1261 /* example doing 446 (f,g/2) steps; 523 divsteps */ 1262 {{0x6f38, 0x74ad, 0x7332, 0x4073, 0x6521, 0xb876, 0xa370, 0xa6bd, 1263 0xcea5, 0xbd06, 0x969f, 0x77c6, 0x1e69, 0x7c49, 0x7d51, 0xb6e7}, 1264 {0x3f27, 0x4be4, 0xd81e, 0x1396, 0xb21f, 0x92aa, 0x6dc3, 0x6283, 1265 0x6ada, 0x3ca2, 0xc1e5, 0x8b9b, 0xd705, 0x5598, 0x8ba1, 0xe087}, 1266 {0x6a22, 0xe834, 0xbc8d, 0xcee9, 0x42fc, 0xfc77, 0x9c45, 0x1ca8, 1267 0xeb66, 0xed74, 0xaaf9, 0xe75f, 0xfe77, 0x46d2, 0x179b, 0xbf3e}}, 1268 /* example doing 336 (f,(f+g)/2) steps; 693 divsteps */ 1269 {{0x7ea7, 0x444e, 0x84ea, 0xc447, 0x7c1f, 0xab97, 0x3de6, 0x5878, 1270 0x4e8b, 0xc017, 0x03e0, 0xdc40, 0xbbd0, 0x74ce, 0x0169, 0x7ab5}, 1271 {0x4023, 0x154f, 0xfbe4, 0x8195, 0xfda0, 0xef54, 0x9e9a, 0xc703, 1272 0x2803, 0xf760, 0x6302, 0xed5b, 0x7157, 0x6456, 0xdd7d, 0xf14b}, 1273 {0xb6fb, 0xe3b3, 0x0733, 0xa77e, 0x44c5, 0x3003, 0xc937, 0xdd4d, 1274 0x5355, 0x14e9, 0x184e, 0xcefe, 0xe6b5, 0xf2e0, 0x0a28, 0x5b74}}, 1275 /* example doing 336 (f,(f+g)/2) steps; 687 divsteps */ 1276 {{0xa893, 0xb5f4, 0x1ede, 0xa316, 0x242c, 0xbdcc, 0xb017, 0x0836, 1277 0x3a37, 0x27fb, 0xfb85, 0x251e, 0xa189, 0xb15d, 0xa4b8, 0xc24c}, 1278 {0xb0b7, 0x57ba, 0xbb6d, 0x9177, 0xc896, 0xc7f2, 0x43b4, 0x85a6, 1279 0xe6c4, 0xe50e, 0x3109, 0x7ca5, 0xd73d, 0x13ff, 0x0c3d, 0xcd62}, 1280 {0x48ca, 0xdb34, 0xe347, 0x2cef, 0x4466, 0x10fb, 0x7ee1, 0x6344, 1281 0x4308, 0x966d, 0xd4d1, 0xb099, 0x994f, 0xd025, 0x2187, 0x5866}}, 1282 /* example doing 267 (g,(g-f)/2) steps; 678 divsteps */ 1283 {{0x0775, 0x1754, 0x01f6, 0xdf37, 0xc0be, 0x8197, 0x072f, 0x6cf5, 1284 0x8b36, 0x8069, 0x5590, 0xb92d, 0x6084, 0x47a4, 0x23fe, 0xddd5}, 1285 {0x8e1b, 0xda37, 0x27d9, 0x312e, 0x3a2f, 0xef6d, 0xd9eb, 0x8153, 1286 0xdcba, 0x9fa3, 0x9f80, 0xead5, 0x134d, 0x2ebb, 0x5ec0, 0xe032}, 1287 {0x1cb6, 0x5a61, 0x1bed, 0x77d6, 0xd5d1, 0x7498, 0xef33, 0x2dd2, 1288 0x1089, 0xedbd, 0x6958, 0x16ae, 0x336c, 0x45e6, 0x4361, 0xbadc}}, 1289 /* example doing 267 (g,(g-f)/2) steps; 676 divsteps */ 1290 {{0x0207, 0xf948, 0xc430, 0xf36b, 0xf0a7, 0x5d36, 0x751f, 0x132c, 1291 0x6f25, 0xa630, 0xca1f, 0xc967, 0xaf9c, 0x34e7, 0xa38f, 0xbe9f}, 1292 {0x5fb9, 0x7321, 0x6561, 0x5fed, 0x54ec, 0x9c3a, 0xee0e, 0x6717, 1293 0x49af, 0xb896, 0xf4f5, 0x451c, 0x722a, 0xf116, 0x64a9, 0xcf0b}, 1294 {0xf4d7, 0xdb47, 0xfef2, 0x4806, 0x4cb8, 0x18c7, 0xd9a7, 0x4951, 1295 0x14d8, 0x5c3a, 0xd22d, 0xd7b2, 0x750c, 0x3de7, 0x8b4a, 0x19aa}}, 1296 1297 /* Test cases triggering edge cases in divsteps variant starting with delta=1/2 */ 1298 1299 /* example needing 590 divsteps; delta=-5/2..7/2 */ 1300 {{0x9118, 0xb640, 0x53d7, 0x30ab, 0x2a23, 0xd907, 0x9323, 0x5b3a, 1301 0xb6d4, 0x538a, 0x7637, 0xfe97, 0xfd05, 0x3cc0, 0x453a, 0xfb7e}, 1302 {0x6983, 0x4f75, 0x4ad1, 0x48ad, 0xb2d9, 0x521d, 0x3dbc, 0x9cc0, 1303 0x4b60, 0x0ac6, 0xd3be, 0x0fb6, 0xd305, 0x3895, 0x2da5, 0xfdf8}, 1304 {0xcec1, 0x33ac, 0xa801, 0x8194, 0xe36c, 0x65ef, 0x103b, 0xca54, 1305 0xfa9b, 0xb41d, 0x9b52, 0xb6f7, 0xa611, 0x84aa, 0x3493, 0xbf54}}, 1306 /* example needing 590 divsteps; delta=-3/2..5/2 */ 1307 {{0xb5f2, 0x42d0, 0x35e8, 0x8ca0, 0x4b62, 0x6e1d, 0xbdf3, 0x890e, 1308 0x8c82, 0x23d8, 0xc79a, 0xc8e8, 0x789e, 0x353d, 0x9766, 0xea9d}, 1309 {0x6fa1, 0xacba, 0x4b7a, 0x5de1, 0x95d0, 0xc845, 0xebbf, 0x6f5a, 1310 0x30cf, 0x52db, 0x69b7, 0xe278, 0x4b15, 0x8411, 0x2ab2, 0xf3e7}, 1311 {0xf12c, 0x9d6d, 0x95fa, 0x1878, 0x9f13, 0x4fb5, 0x3c8b, 0xa451, 1312 0x7182, 0xc4b6, 0x7e2a, 0x7bb7, 0x6e0e, 0x5b68, 0xde55, 0x9927}}, 1313 /* example needing 590 divsteps; delta=-3/2..5/2 */ 1314 {{0x229c, 0x4ef8, 0x1e93, 0xe5dc, 0xcde5, 0x6d62, 0x263b, 0xad11, 1315 0xced0, 0x88ff, 0xae8e, 0x3183, 0x11d2, 0xa50b, 0x350d, 0xeb40}, 1316 {0x3157, 0xe2ea, 0x8a02, 0x0aa3, 0x5ae1, 0xb26c, 0xea27, 0x6805, 1317 0x87e2, 0x9461, 0x37c1, 0x2f8d, 0x85d2, 0x77a8, 0xf805, 0xeec9}, 1318 {0x6f4e, 0x2748, 0xf7e5, 0xd8d3, 0xabe2, 0x7270, 0xc4e0, 0xedc7, 1319 0xf196, 0x78ca, 0x9139, 0xd8af, 0x72c6, 0xaf2f, 0x85d2, 0x6cd3}}, 1320 /* example needing 590 divsteps; delta=-5/2..7/2 */ 1321 {{0xdce8, 0xf1fe, 0x6708, 0x021e, 0xf1ca, 0xd609, 0x5443, 0x85ce, 1322 0x7a05, 0x8f9c, 0x90c3, 0x52e7, 0x8e1d, 0x97b8, 0xc0bf, 0xf2a1}, 1323 {0xbd3d, 0xed11, 0x1625, 0xb4c5, 0x844c, 0xa413, 0x2569, 0xb9ba, 1324 0xcd35, 0xff84, 0xcd6e, 0x7f0b, 0x7d5d, 0x10df, 0x3efe, 0xfbe5}, 1325 {0xa9dd, 0xafef, 0xb1b7, 0x4c8d, 0x50e4, 0xafbf, 0x2d5a, 0xb27c, 1326 0x0653, 0x66b6, 0x5d36, 0x4694, 0x7e35, 0xc47c, 0x857f, 0x32c5}}, 1327 /* example needing 590 divsteps; delta=-3/2..5/2 */ 1328 {{0x7902, 0xc9f8, 0x926b, 0xaaeb, 0x90f8, 0x1c89, 0xcce3, 0x96b7, 1329 0x28b2, 0x87a2, 0x136d, 0x695a, 0xa8df, 0x9061, 0x9e31, 0xee82}, 1330 {0xd3a9, 0x3c02, 0x818c, 0x6b81, 0x34b3, 0xebbb, 0xe2c8, 0x7712, 1331 0xbfd6, 0x8248, 0xa6f4, 0xba6f, 0x03bb, 0xfb54, 0x7575, 0xfe89}, 1332 {0x8246, 0x0d63, 0x478e, 0xf946, 0xf393, 0x0451, 0x08c2, 0x5919, 1333 0x5fd6, 0x4c61, 0xbeb7, 0x9a15, 0x30e1, 0x55fc, 0x6a01, 0x3724}}, 1334 /* example reaching delta=-127/2..129/2; 571 divsteps */ 1335 {{0x3eff, 0x926a, 0x77f5, 0x1fff, 0x1a5b, 0xf3ef, 0xf64b, 0x8681, 1336 0xf800, 0xf9bc, 0x761d, 0xe268, 0x62b0, 0xa032, 0xba9c, 0xbe56}, 1337 {0xb8f9, 0x00e7, 0x47b7, 0xdffc, 0xfd9d, 0x5abb, 0xa19b, 0x1868, 1338 0x31fd, 0x3b29, 0x3674, 0x5449, 0xf54d, 0x1d19, 0x6ac7, 0xff6f}, 1339 {0xf1d7, 0x3551, 0x5682, 0x9adf, 0xe8aa, 0x19a5, 0x8340, 0x71db, 1340 0xb7ab, 0x4cfd, 0xf661, 0x632c, 0xc27e, 0xd3c6, 0xdf42, 0xd306}}, 1341 /* example reaching delta=-127/2..129/2; 571 divsteps */ 1342 {{0x0000, 0x0000, 0x0000, 0x0000, 0x3aff, 0x2ed7, 0xf2e0, 0xabc7, 1343 0x8aee, 0x166e, 0x7ed0, 0x9ac7, 0x714a, 0xb9c5, 0x4d58, 0xad6c}, 1344 {0x9cf9, 0x47e2, 0xa421, 0xb277, 0xffc2, 0x2747, 0x6486, 0x94c1, 1345 0x1d99, 0xd49b, 0x1096, 0x991a, 0xe986, 0xae02, 0xe89b, 0xea36}, 1346 {0x1fb4, 0x98d8, 0x19b7, 0x80e9, 0xcdac, 0xaa5a, 0xf1e6, 0x0074, 1347 0xe393, 0xed8b, 0x8d5c, 0xe17d, 0x81b3, 0xc16d, 0x54d3, 0x9be3}}, 1348 /* example reaching delta=-127/2..129/2; 571 divsteps */ 1349 {{0xd047, 0x7e36, 0x3157, 0x7ab6, 0xb4d9, 0x8dae, 0x7534, 0x4f5d, 1350 0x489e, 0xa8ab, 0x8a3d, 0xd52c, 0x62af, 0xa032, 0xba9c, 0xbe56}, 1351 {0xb1f1, 0x737f, 0x5964, 0x5afb, 0x3712, 0x8ef9, 0x19f7, 0x9669, 1352 0x664d, 0x03ad, 0xc352, 0xf7a5, 0xf545, 0x1d19, 0x6ac7, 0xff6f}, 1353 {0xa834, 0x5256, 0x27bc, 0x33bd, 0xba11, 0x5a7b, 0x791e, 0xe6c0, 1354 0x9ac4, 0x9370, 0x1130, 0x28b4, 0x2b2e, 0x231b, 0x082a, 0x796e}}, 1355 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */ 1356 {{0x6ab1, 0x6ea0, 0x1a99, 0xe0c2, 0xdd45, 0x645d, 0x8dbc, 0x466a, 1357 0xfa64, 0x4289, 0xd3f7, 0xfc8f, 0x2894, 0xe3c5, 0xa008, 0xcc14}, 1358 {0xc75f, 0xc083, 0x4cc2, 0x64f2, 0x2aff, 0x4c12, 0x8461, 0xc4ae, 1359 0xbbfa, 0xb336, 0xe4b2, 0x3ac5, 0x2c22, 0xf56c, 0x5381, 0xe943}, 1360 {0xcd80, 0x760d, 0x4395, 0xb3a6, 0xd497, 0xf583, 0x82bd, 0x1daa, 1361 0xbe92, 0x2613, 0xfdfb, 0x869b, 0x0425, 0xa333, 0x7056, 0xc9c5}}, 1362 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */ 1363 {{0x71d4, 0x64df, 0xec4f, 0x74d8, 0x7e0c, 0x40d3, 0x7073, 0x4cc8, 1364 0x2a2a, 0xb1ff, 0x8518, 0x6513, 0xb0ea, 0x640a, 0x62d9, 0xd5f4}, 1365 {0xdc75, 0xd937, 0x3b13, 0x1d36, 0xdf83, 0xd034, 0x1c1c, 0x4332, 1366 0x4cc3, 0xeeec, 0x7d94, 0x6771, 0x3384, 0x74b0, 0x947d, 0xf2c4}, 1367 {0x0a82, 0x37a4, 0x12d5, 0xec97, 0x972c, 0xe6bf, 0xc348, 0xa0a9, 1368 0xc50c, 0xdc7c, 0xae30, 0x19d1, 0x0fca, 0x35e1, 0xd6f6, 0x81ee}}, 1369 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */ 1370 {{0xa6b1, 0xabc5, 0x5bbc, 0x7f65, 0xdd32, 0xaa73, 0xf5a3, 0x1982, 1371 0xced4, 0xe949, 0x0fd6, 0x2bc4, 0x2bd7, 0xe3c5, 0xa008, 0xcc14}, 1372 {0x4b5f, 0x8f96, 0xa375, 0xfbcf, 0x1c7d, 0xf1ec, 0x03f5, 0xb35d, 1373 0xb999, 0xdb1f, 0xc9a1, 0xb4c7, 0x1dd5, 0xf56c, 0x5381, 0xe943}, 1374 {0xaa3d, 0x38b9, 0xf17d, 0xeed9, 0x9988, 0x69ee, 0xeb88, 0x1495, 1375 0x203f, 0x18c8, 0x82b7, 0xdcb2, 0x34a7, 0x6b00, 0x6998, 0x589a}}, 1376 /* example doing 453 (f,g/2) steps; 514 divsteps */ 1377 {{0xa478, 0xe60d, 0x3244, 0x60e6, 0xada3, 0xfe50, 0xb6b1, 0x2eae, 1378 0xd0ef, 0xa7b1, 0xef63, 0x05c0, 0xe213, 0x443e, 0x4427, 0x2448}, 1379 {0x258f, 0xf9ef, 0xe02b, 0x92dd, 0xd7f3, 0x252b, 0xa503, 0x9089, 1380 0xedff, 0x96c1, 0xfe3a, 0x3a39, 0x198a, 0x981d, 0x0627, 0xedb7}, 1381 {0x595a, 0x45be, 0x8fb0, 0x2265, 0xc210, 0x02b8, 0xdce9, 0xe241, 1382 0xcab6, 0xbf0d, 0x0049, 0x8d9a, 0x2f51, 0xae54, 0x5785, 0xb411}}, 1383 /* example doing 453 (f,g/2) steps; 514 divsteps */ 1384 {{0x48f0, 0x7db3, 0xdafe, 0x1c92, 0x5912, 0xe11a, 0xab52, 0xede1, 1385 0x3182, 0x8980, 0x5d2b, 0x9b5b, 0x8718, 0xda27, 0x1683, 0x1de2}, 1386 {0x168f, 0x6f36, 0xce7a, 0xf435, 0x19d4, 0xda5e, 0x2351, 0x9af5, 1387 0xb003, 0x0ef5, 0x3b4c, 0xecec, 0xa9f0, 0x78e1, 0xdfef, 0xe823}, 1388 {0x5f55, 0xfdcc, 0xb233, 0x2914, 0x84f0, 0x97d1, 0x9cf4, 0x2159, 1389 0xbf56, 0xb79c, 0x17a3, 0x7cef, 0xd5de, 0x34f0, 0x5311, 0x4c54}}, 1390 /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */ 1391 {{0x2789, 0x2e04, 0x6e0e, 0xb6cd, 0xe4de, 0x4dbf, 0x228d, 0x7877, 1392 0xc335, 0x806b, 0x38cd, 0x8049, 0xa73b, 0xcfa2, 0x82f7, 0x9e19}, 1393 {0xc08d, 0xb99d, 0xb8f3, 0x663d, 0xbbb3, 0x1284, 0x1485, 0x1d49, 1394 0xc98f, 0x9e78, 0x1588, 0x11e3, 0xd91a, 0xa2c7, 0xfff1, 0xc7b9}, 1395 {0x1e1f, 0x411d, 0x7c49, 0x0d03, 0xe789, 0x2f8e, 0x5d55, 0xa95e, 1396 0x826e, 0x8de5, 0x52a0, 0x1abc, 0x4cd7, 0xd13a, 0x4395, 0x63e1}}, 1397 /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */ 1398 {{0xd5a1, 0xf786, 0x555c, 0xb14b, 0x44ae, 0x535f, 0x4a49, 0xffc3, 1399 0xf497, 0x70d1, 0x57c8, 0xa933, 0xc85a, 0x1910, 0x75bf, 0x960b}, 1400 {0xfe53, 0x5058, 0x496d, 0xfdff, 0x6fb8, 0x4100, 0x92bd, 0xe0c4, 1401 0xda89, 0xe0a4, 0x841b, 0x43d4, 0xa388, 0x957f, 0x99ca, 0x9abf}, 1402 {0xe530, 0x05bc, 0xfeec, 0xfc7e, 0xbcd3, 0x1239, 0x54cb, 0x7042, 1403 0xbccb, 0x139e, 0x9076, 0x0203, 0x6068, 0x90c7, 0x1ddf, 0x488d}}, 1404 /* example doing 228 (g,(g-f)/2) steps; 538 divsteps */ 1405 {{0x9488, 0xe54b, 0x0e43, 0x81d2, 0x06e7, 0x4b66, 0x36d0, 0x53d6, 1406 0x2b68, 0x22ec, 0x3fa9, 0xc1a7, 0x9ad2, 0xa596, 0xb3ac, 0xdf42}, 1407 {0xe31f, 0x0b28, 0x5f3b, 0xc1ff, 0x344c, 0xbf5f, 0xd2ec, 0x2936, 1408 0x9995, 0xdeb2, 0xae6c, 0x2852, 0xa2c6, 0xb306, 0x8120, 0xe305}, 1409 {0xa56e, 0xfb98, 0x1537, 0x4d85, 0x619e, 0x866c, 0x3cd4, 0x779a, 1410 0xdd66, 0xa80d, 0xdc2f, 0xcae4, 0xc74c, 0x5175, 0xa65d, 0x605e}}, 1411 /* example doing 228 (g,(g-f)/2) steps; 537 divsteps */ 1412 {{0x8cd5, 0x376d, 0xd01b, 0x7176, 0x19ef, 0xcf09, 0x8403, 0x5e52, 1413 0x83c1, 0x44de, 0xb91e, 0xb33d, 0xe15c, 0x51e7, 0xbad8, 0x6359}, 1414 {0x3b75, 0xf812, 0x5f9e, 0xa04e, 0x92d3, 0x226e, 0x540e, 0x7c9a, 1415 0x31c6, 0x46d2, 0x0b7b, 0xdb4a, 0xe662, 0x4950, 0x0265, 0xf76f}, 1416 {0x09ed, 0x692f, 0xe8f1, 0x3482, 0xab54, 0x36b4, 0x8442, 0x6ae9, 1417 0x4329, 0x6505, 0x183b, 0x1c1d, 0x482d, 0x7d63, 0xb44f, 0xcc09}}, 1418 1419 /* Test cases with the group order as modulus. */ 1420 1421 /* Test case with the group order as modulus, needing 635 divsteps. */ 1422 {{0x95ed, 0x6c01, 0xd113, 0x5ff1, 0xd7d0, 0x29cc, 0x5817, 0x6120, 1423 0xca8e, 0xaad1, 0x25ae, 0x8e84, 0x9af6, 0x30bf, 0xf0ed, 0x1686}, 1424 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, 1425 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1426 {0x1631, 0xbf4a, 0x286a, 0x2716, 0x469f, 0x2ac8, 0x1312, 0xe9bc, 1427 0x04f4, 0x304b, 0x9931, 0x113b, 0xd932, 0xc8f4, 0x0d0d, 0x01a1}}, 1428 /* example with group size as modulus needing 631 divsteps */ 1429 {{0x85ed, 0xc284, 0x9608, 0x3c56, 0x19b6, 0xbb5b, 0x2850, 0xdab7, 1430 0xa7f5, 0xe9ab, 0x06a4, 0x5bbb, 0x1135, 0xa186, 0xc424, 0xc68b}, 1431 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, 1432 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1433 {0x8479, 0x450a, 0x8fa3, 0xde05, 0xb2f5, 0x7793, 0x7269, 0xbabb, 1434 0xc3b3, 0xd49b, 0x3377, 0x03c6, 0xe694, 0xc760, 0xd3cb, 0x2811}}, 1435 /* example with group size as modulus needing 565 divsteps starting at delta=1/2 */ 1436 {{0x8432, 0x5ceb, 0xa847, 0x6f1e, 0x51dd, 0x535a, 0x6ddc, 0x70ce, 1437 0x6e70, 0xc1f6, 0x18f2, 0x2a7e, 0xc8e7, 0x39f8, 0x7e96, 0xebbf}, 1438 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, 1439 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1440 {0x257e, 0x449f, 0x689f, 0x89aa, 0x3989, 0xb661, 0x376c, 0x1e32, 1441 0x654c, 0xee2e, 0xf4e2, 0x33c8, 0x3f2f, 0x9716, 0x6046, 0xcaa3}}, 1442 /* Test case with the group size as modulus, needing 981 divsteps with 1443 broken eta handling. */ 1444 {{0xfeb9, 0xb877, 0xee41, 0x7fa3, 0x87da, 0x94c4, 0x9d04, 0xc5ae, 1445 0x5708, 0x0994, 0xfc79, 0x0916, 0xbf32, 0x3ad8, 0xe11c, 0x5ca2}, 1446 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, 1447 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1448 {0x0f12, 0x075e, 0xce1c, 0x6f92, 0xc80f, 0xca92, 0x9a04, 0x6126, 1449 0x4b6c, 0x57d6, 0xca31, 0x97f3, 0x1f99, 0xf4fd, 0xda4d, 0x42ce}}, 1450 /* Test case with the group size as modulus, input = 0. */ 1451 {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 1452 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}, 1453 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, 1454 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1455 {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 1456 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}}, 1457 /* Test case with the group size as modulus, input = 1. */ 1458 {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 1459 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}, 1460 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, 1461 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1462 {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 1463 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}}, 1464 /* Test case with the group size as modulus, input = 2. */ 1465 {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 1466 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}, 1467 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, 1468 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1469 {0x20a1, 0x681b, 0x2f46, 0xdfe9, 0x501d, 0x57a4, 0x6e73, 0x5d57, 1470 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}}, 1471 /* Test case with the group size as modulus, input = group - 1. */ 1472 {{0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, 1473 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1474 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, 1475 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1476 {0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae, 1477 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}}, 1478 1479 /* Test cases with the field size as modulus. */ 1480 1481 /* Test case with the field size as modulus, needing 637 divsteps. */ 1482 {{0x9ec3, 0x1919, 0xca84, 0x7c11, 0xf996, 0x06f3, 0x5408, 0x6688, 1483 0x1320, 0xdb8a, 0x632a, 0x0dcb, 0x8a84, 0x6bee, 0x9c95, 0xe34e}, 1484 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 1485 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1486 {0x18e5, 0x19b6, 0xdf92, 0x1aaa, 0x09fb, 0x8a3f, 0x52b0, 0x8701, 1487 0xac0c, 0x2582, 0xda44, 0x9bcc, 0x6828, 0x1c53, 0xbd8f, 0xbd2c}}, 1488 /* example with field size as modulus needing 637 divsteps */ 1489 {{0xaec3, 0xa7cf, 0x2f2d, 0x0693, 0x5ad5, 0xa8ff, 0x7ec7, 0x30ff, 1490 0x0c8b, 0xc242, 0xcab2, 0x063a, 0xf86e, 0x6057, 0x9cbd, 0xf6d8}, 1491 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 1492 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1493 {0x0310, 0x579d, 0xcb38, 0x9030, 0x3ded, 0x9bb9, 0x1234, 0x63ce, 1494 0x0c63, 0x8e3d, 0xacfe, 0x3c20, 0xdc85, 0xf859, 0x919e, 0x1d45}}, 1495 /* example with field size as modulus needing 564 divsteps starting at delta=1/2 */ 1496 {{0x63ae, 0x8d10, 0x0071, 0xdb5c, 0xb454, 0x78d1, 0x744a, 0x5f8e, 1497 0xe4d8, 0x87b1, 0x8e62, 0x9590, 0xcede, 0xa070, 0x36b4, 0x7f6f}, 1498 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 1499 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1500 {0xfdc8, 0xe8d5, 0xbe15, 0x9f86, 0xa5fe, 0xf18e, 0xa7ff, 0xd291, 1501 0xf4c2, 0x9c87, 0xf150, 0x073e, 0x69b8, 0xf7c4, 0xee4b, 0xc7e6}}, 1502 /* Test case with the field size as modulus, needing 935 divsteps with 1503 broken eta handling. */ 1504 {{0x1b37, 0xbdc3, 0x8bcd, 0x25e3, 0x1eae, 0x567d, 0x30b6, 0xf0d8, 1505 0x9277, 0x0cf8, 0x9c2e, 0xecd7, 0x631d, 0xe38f, 0xd4f8, 0x5c93}, 1506 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 1507 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1508 {0x1622, 0xe05b, 0xe880, 0x7de9, 0x3e45, 0xb682, 0xee6c, 0x67ed, 1509 0xa179, 0x15db, 0x6b0d, 0xa656, 0x7ccb, 0x8ef7, 0xa2ff, 0xe279}}, 1510 /* Test case with the field size as modulus, input = 0. */ 1511 {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 1512 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}, 1513 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 1514 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1515 {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 1516 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}}, 1517 /* Test case with the field size as modulus, input = 1. */ 1518 {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 1519 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}, 1520 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 1521 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1522 {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 1523 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}}, 1524 /* Test case with the field size as modulus, input = 2. */ 1525 {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 1526 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}, 1527 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 1528 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1529 {0xfe18, 0x7fff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 1530 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}}, 1531 /* Test case with the field size as modulus, input = field - 1. */ 1532 {{0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 1533 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1534 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 1535 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}, 1536 {0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 1537 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}}, 1538 1539 /* Selected from a large number of random inputs to reach small/large 1540 * d/e values in various configurations. */ 1541 {{0x3a08, 0x23e1, 0x4d8c, 0xe606, 0x3263, 0x67af, 0x9bf1, 0x9d70, 1542 0xf5fd, 0x12e4, 0x03c8, 0xb9ca, 0xe847, 0x8c5d, 0x6322, 0xbd30}, 1543 {0x8359, 0x59dd, 0x1831, 0x7c1a, 0x1e83, 0xaee1, 0x770d, 0xcea8, 1544 0xfbb1, 0xeed6, 0x10b5, 0xe2c6, 0x36ea, 0xee17, 0xe32c, 0xffff}, 1545 {0x1727, 0x0f36, 0x6f85, 0x5d0c, 0xca6c, 0x3072, 0x9628, 0x5842, 1546 0xcb44, 0x7c2b, 0xca4f, 0x62e5, 0x29b1, 0x6ffd, 0x9055, 0xc196}}, 1547 {{0x905d, 0x41c8, 0xa2ff, 0x295b, 0x72bb, 0x4679, 0x6d01, 0x2c98, 1548 0xb3e0, 0xc537, 0xa310, 0xe07e, 0xe72f, 0x4999, 0x1148, 0xf65e}, 1549 {0x5b41, 0x4239, 0x3c37, 0x5130, 0x30e3, 0xff35, 0xc51f, 0x1a43, 1550 0xdb23, 0x13cf, 0x9f49, 0xf70c, 0x5e70, 0xd411, 0x3005, 0xf8c6}, 1551 {0xc30e, 0x68f0, 0x201a, 0xe10c, 0x864a, 0x6243, 0xe946, 0x43ae, 1552 0xf3f1, 0x52dc, 0x1f7f, 0x50d4, 0x2797, 0x064c, 0x5ca4, 0x90e3}}, 1553 {{0xf1b5, 0xc6e5, 0xd2c4, 0xff95, 0x27c5, 0x0c92, 0x5d19, 0x7ae5, 1554 0x4fbe, 0x5438, 0x99e1, 0x880d, 0xd892, 0xa05c, 0x6ffd, 0x7eac}, 1555 {0x2153, 0xcc9d, 0xfc6c, 0x8358, 0x49a1, 0x01e2, 0xcef0, 0x4969, 1556 0xd69a, 0x8cef, 0xf5b2, 0xfd95, 0xdcc2, 0x71f4, 0x6ae2, 0xceeb}, 1557 {0x9b2e, 0xcdc6, 0x0a5c, 0x7317, 0x9084, 0xe228, 0x56cf, 0xd512, 1558 0x628a, 0xce21, 0x3473, 0x4e13, 0x8823, 0x1ed0, 0x34d0, 0xbfa3}}, 1559 {{0x5bae, 0x53e5, 0x5f4d, 0x21ca, 0xb875, 0x8ecf, 0x9aa6, 0xbe3c, 1560 0x9f96, 0x7b82, 0x375d, 0x4d3e, 0x491c, 0xb1eb, 0x04c9, 0xb6c8}, 1561 {0xfcfd, 0x10b7, 0x73b2, 0xd23b, 0xa357, 0x67da, 0x0d9f, 0x8702, 1562 0xa037, 0xff8e, 0x0e8b, 0x1801, 0x2c5c, 0x4e6e, 0x4558, 0xfff2}, 1563 {0xc50f, 0x5654, 0x6713, 0x5ef5, 0xa7ce, 0xa647, 0xc832, 0x69ce, 1564 0x1d5c, 0x4310, 0x0746, 0x5a01, 0x96ea, 0xde4b, 0xa88b, 0x5543}}, 1565 {{0xdc7f, 0x5e8c, 0x89d1, 0xb077, 0xd521, 0xcf90, 0x32fa, 0x5737, 1566 0x839e, 0x1464, 0x007c, 0x09c6, 0x9371, 0xe8ea, 0xc1cb, 0x75c4}, 1567 {0xe3a3, 0x107f, 0xa82a, 0xa375, 0x4578, 0x60f4, 0x75c9, 0x5ee4, 1568 0x3fd7, 0x2736, 0x2871, 0xd3d2, 0x5f1d, 0x1abb, 0xa764, 0xffff}, 1569 {0x45c6, 0x1f2e, 0xb14c, 0x84d7, 0x7bb7, 0x5a04, 0x0504, 0x3f33, 1570 0x5cc1, 0xb07a, 0x6a6c, 0x786f, 0x647f, 0xe1d7, 0x78a2, 0x4cf4}}, 1571 {{0xc006, 0x356f, 0x8cd2, 0x967b, 0xb49e, 0x2d4e, 0x14bf, 0x4bcb, 1572 0xddab, 0xd3f9, 0xa068, 0x2c1c, 0xd242, 0xa56d, 0xf2c7, 0x5f97}, 1573 {0x465b, 0xb745, 0x0e0d, 0x69a9, 0x987d, 0xcb37, 0xf637, 0xb311, 1574 0xc4d6, 0x2ddb, 0xf68f, 0x2af9, 0x959d, 0x3f53, 0x98f2, 0xf640}, 1575 {0xc0f2, 0x6bfb, 0xf5c3, 0x91c1, 0x6b05, 0x0825, 0x5ca0, 0x7df7, 1576 0x9d55, 0x6d9e, 0xfe94, 0x2ad9, 0xd9f0, 0xe68b, 0xa72b, 0xd1b2}}, 1577 {{0x2279, 0x61ba, 0x5bc6, 0x136b, 0xf544, 0x717c, 0xafda, 0x02bd, 1578 0x79af, 0x1fad, 0xea09, 0x81bb, 0x932b, 0x32c9, 0xdf1d, 0xe576}, 1579 {0x8215, 0x7817, 0xca82, 0x43b0, 0x9b06, 0xea65, 0x1291, 0x0621, 1580 0x0089, 0x46fe, 0xc5a6, 0xddd7, 0x8065, 0xc6a0, 0x214b, 0xfc64}, 1581 {0x04bf, 0x6f2a, 0x86b2, 0x841a, 0x4a95, 0xc632, 0x97b7, 0x5821, 1582 0x2b18, 0x1bb0, 0x3e97, 0x935e, 0xcc7d, 0x066b, 0xd513, 0xc251}}, 1583 {{0x76e8, 0x5bc2, 0x3eaa, 0x04fc, 0x9974, 0x92c1, 0x7c15, 0xfa89, 1584 0x1151, 0x36ee, 0x48b2, 0x049c, 0x5f16, 0xcee4, 0x925b, 0xe98e}, 1585 {0x913f, 0x0a2d, 0xa185, 0x9fea, 0xda5a, 0x4025, 0x40d7, 0x7cfa, 1586 0x88ca, 0xbbe8, 0xb265, 0xb7e4, 0x6cb1, 0xed64, 0xc6f9, 0xffb5}, 1587 {0x6ab1, 0x1a86, 0x5009, 0x152b, 0x1cc4, 0xe2c8, 0x960b, 0x19d0, 1588 0x3554, 0xc562, 0xd013, 0xcf91, 0x10e1, 0x7933, 0xe195, 0xcf49}}, 1589 {{0x9cb5, 0xd2d7, 0xc6ed, 0xa818, 0xb495, 0x06ee, 0x0f4a, 0x06e3, 1590 0x4c5a, 0x80ce, 0xd49a, 0x4cd7, 0x7487, 0x92af, 0xe516, 0x676c}, 1591 {0xd6e9, 0x6b85, 0x619a, 0xb52c, 0x20a0, 0x2f79, 0x3545, 0x1edd, 1592 0x5a6f, 0x8082, 0x9b80, 0xf8f8, 0xc78a, 0xd0a3, 0xadf4, 0xffff}, 1593 {0x01c2, 0x2118, 0xef5e, 0xa877, 0x046a, 0xd2c2, 0x2ad5, 0x951c, 1594 0x8900, 0xa5c9, 0x8d0f, 0x6b61, 0x55d3, 0xd572, 0x48de, 0x9219}}, 1595 {{0x5114, 0x0644, 0x23dd, 0x01d3, 0xc101, 0xa659, 0xea17, 0x640f, 1596 0xf767, 0x2644, 0x9cec, 0xd8ba, 0xd6da, 0x9156, 0x8aeb, 0x875a}, 1597 {0xc1bf, 0xdae9, 0xe96b, 0xce77, 0xf7a1, 0x3e99, 0x5c2e, 0x973b, 1598 0xd048, 0x5bd0, 0x4e8a, 0xcb85, 0xce39, 0x37f5, 0x815d, 0xffff}, 1599 {0x48cc, 0x35b6, 0x26d4, 0x2ea6, 0x50d6, 0xa2f9, 0x64b6, 0x03bf, 1600 0xd00c, 0xe057, 0x3343, 0xfb79, 0x3ce5, 0xf717, 0xc5af, 0xe185}}, 1601 {{0x13ff, 0x6c76, 0x2077, 0x16e0, 0xd5ca, 0xf2ad, 0x8dba, 0x8f49, 1602 0x7887, 0x16f9, 0xb646, 0xfc87, 0xfa31, 0x5096, 0xf08c, 0x3fbe}, 1603 {0x8139, 0x6fd7, 0xf6df, 0xa7bf, 0x6699, 0x5361, 0x6f65, 0x13c8, 1604 0xf4d1, 0xe28f, 0xc545, 0x0a8c, 0x5274, 0xb0a6, 0xffff, 0xffff}, 1605 {0x22ca, 0x0cd6, 0xc1b5, 0xb064, 0x44a7, 0x297b, 0x495f, 0x34ac, 1606 0xfa95, 0xec62, 0xf08d, 0x621c, 0x66a6, 0xba94, 0x84c6, 0x8ee0}}, 1607 {{0xaa30, 0x312e, 0x439c, 0x4e88, 0x2e2f, 0x32dc, 0xb880, 0xa28e, 1608 0xf795, 0xc910, 0xb406, 0x8dd7, 0xb187, 0xa5a5, 0x38f1, 0xe49e}, 1609 {0xfb19, 0xf64a, 0xba6a, 0x8ec2, 0x7255, 0xce89, 0x2cf9, 0x9cba, 1610 0xe1fe, 0x50da, 0x1705, 0xac52, 0xe3d4, 0x4269, 0x0648, 0xfd77}, 1611 {0xb4c8, 0x6e8a, 0x2b5f, 0x4c2d, 0x5a67, 0xa7bb, 0x7d6d, 0x5569, 1612 0xa0ea, 0x244a, 0xc0f2, 0xf73d, 0x58cf, 0xac7f, 0xd32b, 0x3018}}, 1613 {{0xc953, 0x1ae1, 0xae46, 0x8709, 0x19c2, 0xa986, 0x9abe, 0x1611, 1614 0x0395, 0xd5ab, 0xf0f6, 0xb5b0, 0x5b2b, 0x0317, 0x80ba, 0x376d}, 1615 {0xfe77, 0xbc03, 0xac2f, 0x9d00, 0xa175, 0x293d, 0x3b56, 0x0e3a, 1616 0x0a9c, 0xf40c, 0x690e, 0x1508, 0x95d4, 0xddc4, 0xe805, 0xffff}, 1617 {0xb1ce, 0x0929, 0xa5fe, 0x4b50, 0x9d5d, 0x8187, 0x2557, 0x4376, 1618 0x11ba, 0xdcef, 0xc1f3, 0xd531, 0x1824, 0x93f6, 0xd81f, 0x8f83}}, 1619 {{0xb8d2, 0xb900, 0x4a0c, 0x7188, 0xa5bf, 0x1b0b, 0x2ae5, 0xa35b, 1620 0x98e0, 0x610c, 0x86db, 0x2487, 0xa267, 0x002c, 0xebb6, 0xc5f4}, 1621 {0x9cdd, 0x1c1b, 0x2f06, 0x43d1, 0xce47, 0xc334, 0x6e60, 0xc016, 1622 0x989e, 0x0ab2, 0x0cac, 0x1196, 0xe2d9, 0x2e04, 0xc62b, 0xffff}, 1623 {0xdc36, 0x1f05, 0x6aa9, 0x7a20, 0x944f, 0x2fd3, 0xa553, 0xdb4f, 1624 0xbd5c, 0x3a75, 0x25d4, 0xe20e, 0xa387, 0x1410, 0xdbb1, 0x1b60}}, 1625 {{0x76b3, 0x2207, 0x4930, 0x5dd7, 0x65a0, 0xd55c, 0xb443, 0x53b7, 1626 0x5c22, 0x818a, 0xb2e7, 0x9de8, 0x9985, 0xed45, 0x33b1, 0x53e8}, 1627 {0x7913, 0x44e1, 0xf15b, 0x5edd, 0x34f3, 0x4eba, 0x0758, 0x7104, 1628 0x32d9, 0x28f3, 0x4401, 0x85c5, 0xb695, 0xb899, 0xc0f2, 0xffff}, 1629 {0x7f43, 0xd202, 0x24c9, 0x69f3, 0x74dc, 0x1a69, 0xeaee, 0x5405, 1630 0x1755, 0x4bb8, 0x04e3, 0x2fd2, 0xada8, 0x39eb, 0x5b4d, 0x96ca}}, 1631 {{0x807b, 0x7112, 0xc088, 0xdafd, 0x02fa, 0x9d95, 0x5e42, 0xc033, 1632 0xde0a, 0xeecf, 0x8e90, 0x8da1, 0xb17e, 0x9a5b, 0x4c6d, 0x1914}, 1633 {0x4871, 0xd1cb, 0x47d7, 0x327f, 0x09ec, 0x97bb, 0x2fae, 0xd346, 1634 0x6b78, 0x3707, 0xfeb2, 0xa6ab, 0x13df, 0x76b0, 0x8fb9, 0xffb3}, 1635 {0x179e, 0xb63b, 0x4784, 0x231e, 0x9f42, 0x7f1a, 0xa3fb, 0xdd8c, 1636 0xd1eb, 0xb4c9, 0x8ca7, 0x018c, 0xf691, 0x576c, 0xa7d6, 0xce27}}, 1637 {{0x5f45, 0x7c64, 0x083d, 0xedd5, 0x08a0, 0x0c64, 0x6c6f, 0xec3c, 1638 0xe2fb, 0x352c, 0x9303, 0x75e4, 0xb4e0, 0x8b09, 0xaca4, 0x7025}, 1639 {0x1025, 0xb482, 0xfed5, 0xa678, 0x8966, 0x9359, 0x5329, 0x98bb, 1640 0x85b2, 0x73ba, 0x9982, 0x6fdc, 0xf190, 0xbe8c, 0xdc5c, 0xfd93}, 1641 {0x83a2, 0x87a4, 0xa680, 0x52a1, 0x1ba1, 0x8848, 0x5db7, 0x9744, 1642 0x409c, 0x0745, 0x0e1e, 0x1cfc, 0x00cd, 0xf573, 0x2071, 0xccaa}}, 1643 {{0xf61f, 0x63d4, 0x536c, 0x9eb9, 0x5ddd, 0xbb11, 0x9014, 0xe904, 1644 0xfe01, 0x6b45, 0x1858, 0xcb5b, 0x4c38, 0x43e1, 0x381d, 0x7f94}, 1645 {0xf61f, 0x63d4, 0xd810, 0x7ca3, 0x8a04, 0x4b83, 0x11fc, 0xdf94, 1646 0x4169, 0xbd05, 0x608e, 0x7151, 0x4fbf, 0xb31a, 0x38a7, 0xa29b}, 1647 {0xe621, 0xdfa5, 0x3d06, 0x1d03, 0x81e6, 0x00da, 0x53a6, 0x965e, 1648 0x93e5, 0x2164, 0x5b61, 0x59b8, 0xa629, 0x8d73, 0x699a, 0x6111}}, 1649 {{0x4cc3, 0xd29e, 0xf4a3, 0x3428, 0x2048, 0xeec9, 0x5f50, 0x99a4, 1650 0x6de9, 0x05f2, 0x5aa9, 0x5fd2, 0x98b4, 0x1adc, 0x225f, 0x777f}, 1651 {0xe649, 0x37da, 0x5ba6, 0x5765, 0x3f4a, 0x8a1c, 0x2e79, 0xf550, 1652 0x1a54, 0xcd1e, 0x7218, 0x3c3c, 0x6311, 0xfe28, 0x95fb, 0xed97}, 1653 {0xe9b6, 0x0c47, 0x3f0e, 0x849b, 0x11f8, 0xe599, 0x5e4d, 0xd618, 1654 0xa06d, 0x33a0, 0x9a3e, 0x44db, 0xded8, 0x10f0, 0x94d2, 0x81fb}}, 1655 {{0x2e59, 0x7025, 0xd413, 0x455a, 0x1ce3, 0xbd45, 0x7263, 0x27f7, 1656 0x23e3, 0x518e, 0xbe06, 0xc8c4, 0xe332, 0x4276, 0x68b4, 0xb166}, 1657 {0x596f, 0x0cf6, 0xc8ec, 0x787b, 0x04c1, 0x473c, 0xd2b8, 0x8d54, 1658 0x9cdf, 0x77f2, 0xd3f3, 0x6735, 0x0638, 0xf80e, 0x9467, 0xc6aa}, 1659 {0xc7e7, 0x1822, 0xb62a, 0xec0d, 0x89cd, 0x7846, 0xbfa2, 0x35d5, 1660 0xfa38, 0x870f, 0x494b, 0x1697, 0x8b17, 0xf904, 0x10b6, 0x9822}}, 1661 {{0x6d5b, 0x1d4f, 0x0aaf, 0x807b, 0x35fb, 0x7ee8, 0x00c6, 0x059a, 1662 0xddf0, 0x1fb1, 0xc38a, 0xd78e, 0x2aa4, 0x79e7, 0xad28, 0xc3f1}, 1663 {0xe3bb, 0x174e, 0xe0a8, 0x74b6, 0xbd5b, 0x35f6, 0x6d23, 0x6328, 1664 0xc11f, 0x83e1, 0xf928, 0xa918, 0x838e, 0xbf43, 0xe243, 0xfffb}, 1665 {0x9cf2, 0x6b8b, 0x3476, 0x9d06, 0xdcf2, 0xdb8a, 0x89cd, 0x4857, 1666 0x75c2, 0xabb8, 0x490b, 0xc9bd, 0x890e, 0xe36e, 0xd552, 0xfffa}}, 1667 {{0x2f09, 0x9d62, 0xa9fc, 0xf090, 0xd6d1, 0x9d1d, 0x1828, 0xe413, 1668 0xc92b, 0x3d5a, 0x1373, 0x368c, 0xbaf2, 0x2158, 0x71eb, 0x08a3}, 1669 {0x2f09, 0x1d62, 0x4630, 0x0de1, 0x06dc, 0xf7f1, 0xc161, 0x1e92, 1670 0x7495, 0x97e4, 0x94b6, 0xa39e, 0x4f1b, 0x18f8, 0x7bd4, 0x0c4c}, 1671 {0xeb3d, 0x723d, 0x0907, 0x525b, 0x463a, 0x49a8, 0xc6b8, 0xce7f, 1672 0x740c, 0x0d7d, 0xa83b, 0x457f, 0xae8e, 0xc6af, 0xd331, 0x0475}}, 1673 {{0x6abd, 0xc7af, 0x3e4e, 0x95fd, 0x8fc4, 0xee25, 0x1f9c, 0x0afe, 1674 0x291d, 0xcde0, 0x48f4, 0xb2e8, 0xf7af, 0x8f8d, 0x0bd6, 0x078d}, 1675 {0x4037, 0xbf0e, 0x2081, 0xf363, 0x13b2, 0x381e, 0xfb6e, 0x818e, 1676 0x27e4, 0x5662, 0x18b0, 0x0cd2, 0x81f5, 0x9415, 0x0d6c, 0xf9fb}, 1677 {0xd205, 0x0981, 0x0498, 0x1f08, 0xdb93, 0x1732, 0x0579, 0x1424, 1678 0xad95, 0x642f, 0x050c, 0x1d6d, 0xfc95, 0xfc4a, 0xd41b, 0x3521}}, 1679 {{0xf23a, 0x4633, 0xaef4, 0x1a92, 0x3c8b, 0x1f09, 0x30f3, 0x4c56, 1680 0x2a2f, 0x4f62, 0xf5e4, 0x8329, 0x63cc, 0xb593, 0xec6a, 0xc428}, 1681 {0x93a7, 0xfcf6, 0x606d, 0xd4b2, 0x2aad, 0x28b4, 0xc65b, 0x8998, 1682 0x4e08, 0xd178, 0x0900, 0xc82b, 0x7470, 0xa342, 0x7c0f, 0xffff}, 1683 {0x315f, 0xf304, 0xeb7b, 0xe5c3, 0x1451, 0x6311, 0x8f37, 0x93a8, 1684 0x4a38, 0xa6c6, 0xe393, 0x1087, 0x6301, 0xd673, 0x4ec4, 0xffff}}, 1685 {{0x892e, 0xeed0, 0x1165, 0xcbc1, 0x5545, 0xa280, 0x7243, 0x10c9, 1686 0x9536, 0x36af, 0xb3fc, 0x2d7c, 0xe8a5, 0x09d6, 0xe1d4, 0xe85d}, 1687 {0xae09, 0xc28a, 0xd777, 0xbd80, 0x23d6, 0xf980, 0xeb7c, 0x4e0e, 1688 0xf7dc, 0x6475, 0xf10a, 0x2d33, 0x5dfd, 0x797a, 0x7f1c, 0xf71a}, 1689 {0x4064, 0x8717, 0xd091, 0x80b0, 0x4527, 0x8442, 0xac8b, 0x9614, 1690 0xc633, 0x35f5, 0x7714, 0x2e83, 0x4aaa, 0xd2e4, 0x1acd, 0x0562}}, 1691 {{0xdb64, 0x0937, 0x308b, 0x53b0, 0x00e8, 0xc77f, 0x2f30, 0x37f7, 1692 0x79ce, 0xeb7f, 0xde81, 0x9286, 0xafda, 0x0e62, 0xae00, 0x0067}, 1693 {0x2cc7, 0xd362, 0xb161, 0x0557, 0x4ff2, 0xb9c8, 0x06fe, 0x5f2b, 1694 0xde33, 0x0190, 0x28c6, 0xb886, 0xee2b, 0x5a4e, 0x3289, 0x0185}, 1695 {0x4215, 0x923e, 0xf34f, 0xb362, 0x88f8, 0xceec, 0xafdd, 0x7f42, 1696 0x0c57, 0x56b2, 0xa366, 0x6a08, 0x0826, 0xfb8f, 0x1b03, 0x0163}}, 1697 {{0xa4ba, 0x8408, 0x810a, 0xdeba, 0x47a3, 0x853a, 0xeb64, 0x2f74, 1698 0x3039, 0x038c, 0x7fbb, 0x498e, 0xd1e9, 0x46fb, 0x5691, 0x32a4}, 1699 {0xd749, 0xb49d, 0x20b7, 0x2af6, 0xd34a, 0xd2da, 0x0a10, 0xf781, 1700 0x58c9, 0x171f, 0x3cb6, 0x6337, 0x88cd, 0xcf1e, 0xb246, 0x7351}, 1701 {0xf729, 0xcf0a, 0x96ea, 0x032c, 0x4a8f, 0x42fe, 0xbac8, 0xec65, 1702 0x1510, 0x0d75, 0x4c17, 0x8d29, 0xa03f, 0x8b7e, 0x2c49, 0x0000}}, 1703 {{0x0fa4, 0x8e1c, 0x3788, 0xba3c, 0x8d52, 0xd89d, 0x12c8, 0xeced, 1704 0x9fe6, 0x9b88, 0xecf3, 0xe3c8, 0xac48, 0x76ed, 0xf23e, 0xda79}, 1705 {0x1103, 0x227c, 0x5b00, 0x3fcf, 0xc5d0, 0x2d28, 0x8020, 0x4d1c, 1706 0xc6b9, 0x67f9, 0x6f39, 0x989a, 0xda53, 0x3847, 0xd416, 0xe0d0}, 1707 {0xdd8e, 0xcf31, 0x3710, 0x7e44, 0xa511, 0x933c, 0x0cc3, 0x5145, 1708 0xf632, 0x5e1d, 0x038f, 0x5ce7, 0x7265, 0xda9d, 0xded6, 0x08f8}}, 1709 {{0xe2c8, 0x91d5, 0xa5f5, 0x735f, 0x6b58, 0x56dc, 0xb39d, 0x5c4a, 1710 0x57d0, 0xa1c2, 0xd92f, 0x9ad4, 0xf7c4, 0x51dd, 0xaf5c, 0x0096}, 1711 {0x1739, 0x7207, 0x7505, 0xbf35, 0x42de, 0x0a29, 0xa962, 0xdedf, 1712 0x53e8, 0x12bf, 0xcde7, 0xd8e2, 0x8d4d, 0x2c4b, 0xb1b1, 0x0628}, 1713 {0x992d, 0xe3a7, 0xb422, 0xc198, 0x23ab, 0xa6ef, 0xb45d, 0x50da, 1714 0xa738, 0x014a, 0x2310, 0x85fb, 0x5fe8, 0x1b18, 0x1774, 0x03a7}}, 1715 {{0x1f16, 0x2b09, 0x0236, 0xee90, 0xccf9, 0x9775, 0x8130, 0x4c91, 1716 0x9091, 0x310b, 0x6dc4, 0x86f6, 0xc2e8, 0xef60, 0xfc0e, 0xf3a4}, 1717 {0x9f49, 0xac15, 0x02af, 0x110f, 0xc59d, 0x5677, 0xa1a9, 0x38d5, 1718 0x914f, 0xa909, 0x3a3a, 0x4a39, 0x3703, 0xea30, 0x73da, 0xffad}, 1719 {0x15ed, 0xdd16, 0x83c7, 0x270a, 0x862f, 0xd8ad, 0xcaa1, 0x5f41, 1720 0x99a9, 0x3fc8, 0x7bb2, 0x360a, 0xb06d, 0xfadc, 0x1b36, 0xffa8}}, 1721 {{0xc4e0, 0xb8fd, 0x5106, 0xe169, 0x754c, 0xa58c, 0xc413, 0x8224, 1722 0x5483, 0x63ec, 0xd477, 0x8473, 0x4778, 0x9281, 0x0000, 0x0000}, 1723 {0x85e1, 0xff54, 0xb200, 0xe413, 0xf4f4, 0x4c0f, 0xfcec, 0xc183, 1724 0x60d3, 0x1b0c, 0x3834, 0x601c, 0x943c, 0xbe6e, 0x0002, 0x0000}, 1725 {0xf4f8, 0xfd5e, 0x61ef, 0xece8, 0x9199, 0xe5c4, 0x05a6, 0xe6c3, 1726 0xc4ae, 0x8b28, 0x66b1, 0x8a95, 0x9ece, 0x8f4a, 0x0001, 0x0000}}, 1727 {{0xeae9, 0xa1b4, 0xc6d8, 0x2411, 0x2b5a, 0x1dd0, 0x2dc9, 0xb57b, 1728 0x5ccd, 0x4957, 0xaf59, 0xa04b, 0x5f42, 0xab7c, 0x2826, 0x526f}, 1729 {0xf407, 0x165a, 0xb724, 0x2f12, 0x2ea1, 0x470b, 0x4464, 0xbd35, 1730 0x606f, 0xd73e, 0x50d3, 0x8a7f, 0x8029, 0x7ffc, 0xbe31, 0x6cfb}, 1731 {0x8171, 0x1f4c, 0xced2, 0x9c99, 0x6d7e, 0x5a0f, 0xfefb, 0x59e3, 1732 0xa0c8, 0xabd9, 0xc4c5, 0x57d3, 0xbfa3, 0x4f11, 0x96a2, 0x5a7d}}, 1733 {{0xe068, 0x4cc0, 0x8bcd, 0xc903, 0x9e52, 0xb3e1, 0xd745, 0x0995, 1734 0xdd8f, 0xf14b, 0xd2ac, 0xd65a, 0xda1d, 0xa742, 0xbac5, 0x474c}, 1735 {0x7481, 0xf2ad, 0x9757, 0x2d82, 0xb683, 0xb16b, 0x0002, 0x7b60, 1736 0x8f0c, 0x2594, 0x8f64, 0x3b7a, 0x3552, 0x8d9d, 0xb9d7, 0x67eb}, 1737 {0xcaab, 0xb9a1, 0xf966, 0xe311, 0x5b34, 0x0fa0, 0x6abc, 0x8134, 1738 0xab3d, 0x90f6, 0x1984, 0x9232, 0xec17, 0x74e5, 0x2ceb, 0x434e}}, 1739 {{0x0fb1, 0x7a55, 0x1a5c, 0x53eb, 0xd7b3, 0x7a01, 0xca32, 0x31f6, 1740 0x3b74, 0x679e, 0x1501, 0x6c57, 0xdb20, 0x8b7c, 0xd7d0, 0x8097}, 1741 {0xb127, 0xb20c, 0xe3a2, 0x96f3, 0xe0d8, 0xd50c, 0x14b4, 0x0b40, 1742 0x6eeb, 0xa258, 0x99db, 0x3c8c, 0x0f51, 0x4198, 0x3887, 0xffd0}, 1743 {0x0273, 0x9f8c, 0x9669, 0xbbba, 0x1c49, 0x767c, 0xc2af, 0x59f0, 1744 0x1366, 0xd397, 0x63ac, 0x6fe8, 0x1a9a, 0x1259, 0x01d0, 0x0016}}, 1745 {{0x7876, 0x2a35, 0xa24a, 0x433e, 0x5501, 0x573c, 0xd76d, 0xcb82, 1746 0x1334, 0xb4a6, 0xf290, 0xc797, 0xeae9, 0x2b83, 0x1e2b, 0x8b14}, 1747 {0x3885, 0x8aef, 0x9dea, 0x2b8c, 0xdd7c, 0xd7cd, 0xb0cc, 0x05ee, 1748 0x361b, 0x3800, 0xb0d4, 0x4c23, 0xbd3f, 0x5180, 0x9783, 0xff80}, 1749 {0xab36, 0x3104, 0xdae8, 0x0704, 0x4a28, 0x6714, 0x824b, 0x0051, 1750 0x8134, 0x1f6a, 0x712d, 0x1f03, 0x03b2, 0xecac, 0x377d, 0xfef9}} 1751 }; 1752 1753 int i, j, ok; 1754 1755 /* Test known inputs/outputs */ 1756 for (i = 0; (size_t)i < sizeof(CASES) / sizeof(CASES[0]); ++i) { 1757 uint16_t out[16]; 1758 test_modinv32_uint16(out, CASES[i][0], CASES[i][1]); 1759 for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]); 1760 #ifdef SECP256K1_WIDEMUL_INT128 1761 test_modinv64_uint16(out, CASES[i][0], CASES[i][1]); 1762 for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]); 1763 #endif 1764 } 1765 1766 for (i = 0; i < 100 * COUNT; ++i) { 1767 /* 256-bit numbers in 16-uint16_t's notation */ 1768 static const uint16_t ZERO[16] = {0}; 1769 uint16_t xd[16]; /* the number (in range [0,2^256)) to be inverted */ 1770 uint16_t md[16]; /* the modulus (odd, in range [3,2^256)) */ 1771 uint16_t id[16]; /* the inverse of xd mod md */ 1772 1773 /* generate random xd and md, so that md is odd, md>1, xd<md, and gcd(xd,md)=1 */ 1774 do { 1775 /* generate random xd and md (with many subsequent 0s and 1s) */ 1776 haskellsecp256k1_v0_1_0_testrand256_test((unsigned char*)xd); 1777 haskellsecp256k1_v0_1_0_testrand256_test((unsigned char*)md); 1778 md[0] |= 1; /* modulus must be odd */ 1779 /* If modulus is 1, find another one. */ 1780 ok = md[0] != 1; 1781 for (j = 1; j < 16; ++j) ok |= md[j] != 0; 1782 mulmod256(xd, xd, NULL, md); /* Make xd = xd mod md */ 1783 } while (!(ok && coprime(xd, md))); 1784 1785 test_modinv32_uint16(id, xd, md); 1786 #ifdef SECP256K1_WIDEMUL_INT128 1787 test_modinv64_uint16(id, xd, md); 1788 #endif 1789 1790 /* In a few cases, also test with input=0 */ 1791 if (i < COUNT) { 1792 test_modinv32_uint16(id, ZERO, md); 1793 #ifdef SECP256K1_WIDEMUL_INT128 1794 test_modinv64_uint16(id, ZERO, md); 1795 #endif 1796 } 1797 } 1798 } 1799 1800 /***** INT128 TESTS *****/ 1801 1802 #ifdef SECP256K1_WIDEMUL_INT128 1803 /* Add two 256-bit numbers (represented as 16 uint16_t's in LE order) together mod 2^256. */ 1804 static void add256(uint16_t* out, const uint16_t* a, const uint16_t* b) { 1805 int i; 1806 uint32_t carry = 0; 1807 for (i = 0; i < 16; ++i) { 1808 carry += a[i]; 1809 carry += b[i]; 1810 out[i] = carry; 1811 carry >>= 16; 1812 } 1813 } 1814 1815 /* Negate a 256-bit number (represented as 16 uint16_t's in LE order) mod 2^256. */ 1816 static void neg256(uint16_t* out, const uint16_t* a) { 1817 int i; 1818 uint32_t carry = 1; 1819 for (i = 0; i < 16; ++i) { 1820 carry += (uint16_t)~a[i]; 1821 out[i] = carry; 1822 carry >>= 16; 1823 } 1824 } 1825 1826 /* Right-shift a 256-bit number (represented as 16 uint16_t's in LE order). */ 1827 static void rshift256(uint16_t* out, const uint16_t* a, int n, int sign_extend) { 1828 uint16_t sign = sign_extend && (a[15] >> 15); 1829 int i, j; 1830 for (i = 15; i >= 0; --i) { 1831 uint16_t v = 0; 1832 for (j = 0; j < 16; ++j) { 1833 int frompos = i*16 + j + n; 1834 if (frompos >= 256) { 1835 v |= sign << j; 1836 } else { 1837 v |= ((uint16_t)((a[frompos >> 4] >> (frompos & 15)) & 1)) << j; 1838 } 1839 } 1840 out[i] = v; 1841 } 1842 } 1843 1844 /* Load a 64-bit unsigned integer into an array of 16 uint16_t's in LE order representing a 256-bit value. */ 1845 static void load256u64(uint16_t* out, uint64_t v, int is_signed) { 1846 int i; 1847 uint64_t sign = is_signed && (v >> 63) ? UINT64_MAX : 0; 1848 for (i = 0; i < 4; ++i) { 1849 out[i] = v >> (16 * i); 1850 } 1851 for (i = 4; i < 16; ++i) { 1852 out[i] = sign; 1853 } 1854 } 1855 1856 /* Load a 128-bit unsigned integer into an array of 16 uint16_t's in LE order representing a 256-bit value. */ 1857 static void load256two64(uint16_t* out, uint64_t hi, uint64_t lo, int is_signed) { 1858 int i; 1859 uint64_t sign = is_signed && (hi >> 63) ? UINT64_MAX : 0; 1860 for (i = 0; i < 4; ++i) { 1861 out[i] = lo >> (16 * i); 1862 } 1863 for (i = 4; i < 8; ++i) { 1864 out[i] = hi >> (16 * (i - 4)); 1865 } 1866 for (i = 8; i < 16; ++i) { 1867 out[i] = sign; 1868 } 1869 } 1870 1871 /* Check whether the 256-bit value represented by array of 16-bit values is in range -2^127 < v < 2^127. */ 1872 static int int256is127(const uint16_t* v) { 1873 int all_0 = ((v[7] & 0x8000) == 0), all_1 = ((v[7] & 0x8000) == 0x8000); 1874 int i; 1875 for (i = 8; i < 16; ++i) { 1876 if (v[i] != 0) all_0 = 0; 1877 if (v[i] != 0xffff) all_1 = 0; 1878 } 1879 return all_0 || all_1; 1880 } 1881 1882 static void load256u128(uint16_t* out, const haskellsecp256k1_v0_1_0_uint128* v) { 1883 uint64_t lo = haskellsecp256k1_v0_1_0_u128_to_u64(v), hi = haskellsecp256k1_v0_1_0_u128_hi_u64(v); 1884 load256two64(out, hi, lo, 0); 1885 } 1886 1887 static void load256i128(uint16_t* out, const haskellsecp256k1_v0_1_0_int128* v) { 1888 uint64_t lo; 1889 int64_t hi; 1890 haskellsecp256k1_v0_1_0_int128 c = *v; 1891 lo = haskellsecp256k1_v0_1_0_i128_to_u64(&c); 1892 haskellsecp256k1_v0_1_0_i128_rshift(&c, 64); 1893 hi = haskellsecp256k1_v0_1_0_i128_to_i64(&c); 1894 load256two64(out, hi, lo, 1); 1895 } 1896 1897 static void run_int128_test_case(void) { 1898 unsigned char buf[32]; 1899 uint64_t v[4]; 1900 haskellsecp256k1_v0_1_0_int128 swa, swz; 1901 haskellsecp256k1_v0_1_0_uint128 uwa, uwz; 1902 uint64_t ub, uc; 1903 int64_t sb, sc; 1904 uint16_t rswa[16], rswz[32], rswr[32], ruwa[16], ruwz[32], ruwr[32]; 1905 uint16_t rub[16], ruc[16], rsb[16], rsc[16]; 1906 int i; 1907 1908 /* Generate 32-byte random value. */ 1909 haskellsecp256k1_v0_1_0_testrand256_test(buf); 1910 /* Convert into 4 64-bit integers. */ 1911 for (i = 0; i < 4; ++i) { 1912 uint64_t vi = 0; 1913 int j; 1914 for (j = 0; j < 8; ++j) vi = (vi << 8) + buf[8*i + j]; 1915 v[i] = vi; 1916 } 1917 /* Convert those into a 128-bit value and two 64-bit values (signed and unsigned). */ 1918 haskellsecp256k1_v0_1_0_u128_load(&uwa, v[1], v[0]); 1919 haskellsecp256k1_v0_1_0_i128_load(&swa, v[1], v[0]); 1920 ub = v[2]; 1921 sb = v[2]; 1922 uc = v[3]; 1923 sc = v[3]; 1924 /* Load those also into 16-bit array representations. */ 1925 load256u128(ruwa, &uwa); 1926 load256i128(rswa, &swa); 1927 load256u64(rub, ub, 0); 1928 load256u64(rsb, sb, 1); 1929 load256u64(ruc, uc, 0); 1930 load256u64(rsc, sc, 1); 1931 /* test haskellsecp256k1_v0_1_0_u128_mul */ 1932 mulmod256(ruwr, rub, ruc, NULL); 1933 haskellsecp256k1_v0_1_0_u128_mul(&uwz, ub, uc); 1934 load256u128(ruwz, &uwz); 1935 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(ruwr, ruwz, 16) == 0); 1936 /* test haskellsecp256k1_v0_1_0_u128_accum_mul */ 1937 mulmod256(ruwr, rub, ruc, NULL); 1938 add256(ruwr, ruwr, ruwa); 1939 uwz = uwa; 1940 haskellsecp256k1_v0_1_0_u128_accum_mul(&uwz, ub, uc); 1941 load256u128(ruwz, &uwz); 1942 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(ruwr, ruwz, 16) == 0); 1943 /* test haskellsecp256k1_v0_1_0_u128_accum_u64 */ 1944 add256(ruwr, rub, ruwa); 1945 uwz = uwa; 1946 haskellsecp256k1_v0_1_0_u128_accum_u64(&uwz, ub); 1947 load256u128(ruwz, &uwz); 1948 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(ruwr, ruwz, 16) == 0); 1949 /* test haskellsecp256k1_v0_1_0_u128_rshift */ 1950 rshift256(ruwr, ruwa, uc % 128, 0); 1951 uwz = uwa; 1952 haskellsecp256k1_v0_1_0_u128_rshift(&uwz, uc % 128); 1953 load256u128(ruwz, &uwz); 1954 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(ruwr, ruwz, 16) == 0); 1955 /* test haskellsecp256k1_v0_1_0_u128_to_u64 */ 1956 CHECK(haskellsecp256k1_v0_1_0_u128_to_u64(&uwa) == v[0]); 1957 /* test haskellsecp256k1_v0_1_0_u128_hi_u64 */ 1958 CHECK(haskellsecp256k1_v0_1_0_u128_hi_u64(&uwa) == v[1]); 1959 /* test haskellsecp256k1_v0_1_0_u128_from_u64 */ 1960 haskellsecp256k1_v0_1_0_u128_from_u64(&uwz, ub); 1961 load256u128(ruwz, &uwz); 1962 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(rub, ruwz, 16) == 0); 1963 /* test haskellsecp256k1_v0_1_0_u128_check_bits */ 1964 { 1965 int uwa_bits = 0; 1966 int j; 1967 for (j = 0; j < 128; ++j) { 1968 if (ruwa[j / 16] >> (j % 16)) uwa_bits = 1 + j; 1969 } 1970 for (j = 0; j < 128; ++j) { 1971 CHECK(haskellsecp256k1_v0_1_0_u128_check_bits(&uwa, j) == (uwa_bits <= j)); 1972 } 1973 } 1974 /* test haskellsecp256k1_v0_1_0_i128_mul */ 1975 mulmod256(rswr, rsb, rsc, NULL); 1976 haskellsecp256k1_v0_1_0_i128_mul(&swz, sb, sc); 1977 load256i128(rswz, &swz); 1978 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(rswr, rswz, 16) == 0); 1979 /* test haskellsecp256k1_v0_1_0_i128_accum_mul */ 1980 mulmod256(rswr, rsb, rsc, NULL); 1981 add256(rswr, rswr, rswa); 1982 if (int256is127(rswr)) { 1983 swz = swa; 1984 haskellsecp256k1_v0_1_0_i128_accum_mul(&swz, sb, sc); 1985 load256i128(rswz, &swz); 1986 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(rswr, rswz, 16) == 0); 1987 } 1988 /* test haskellsecp256k1_v0_1_0_i128_det */ 1989 { 1990 uint16_t rsd[16], rse[16], rst[32]; 1991 int64_t sd = v[0], se = v[1]; 1992 load256u64(rsd, sd, 1); 1993 load256u64(rse, se, 1); 1994 mulmod256(rst, rsc, rsd, NULL); 1995 neg256(rst, rst); 1996 mulmod256(rswr, rsb, rse, NULL); 1997 add256(rswr, rswr, rst); 1998 haskellsecp256k1_v0_1_0_i128_det(&swz, sb, sc, sd, se); 1999 load256i128(rswz, &swz); 2000 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(rswr, rswz, 16) == 0); 2001 } 2002 /* test haskellsecp256k1_v0_1_0_i128_rshift */ 2003 rshift256(rswr, rswa, uc % 127, 1); 2004 swz = swa; 2005 haskellsecp256k1_v0_1_0_i128_rshift(&swz, uc % 127); 2006 load256i128(rswz, &swz); 2007 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(rswr, rswz, 16) == 0); 2008 /* test haskellsecp256k1_v0_1_0_i128_to_u64 */ 2009 CHECK(haskellsecp256k1_v0_1_0_i128_to_u64(&swa) == v[0]); 2010 /* test haskellsecp256k1_v0_1_0_i128_from_i64 */ 2011 haskellsecp256k1_v0_1_0_i128_from_i64(&swz, sb); 2012 load256i128(rswz, &swz); 2013 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(rsb, rswz, 16) == 0); 2014 /* test haskellsecp256k1_v0_1_0_i128_to_i64 */ 2015 CHECK(haskellsecp256k1_v0_1_0_i128_to_i64(&swz) == sb); 2016 /* test haskellsecp256k1_v0_1_0_i128_eq_var */ 2017 { 2018 int expect = (uc & 1); 2019 swz = swa; 2020 if (!expect) { 2021 /* Make sure swz != swa */ 2022 uint64_t v0c = v[0], v1c = v[1]; 2023 if (ub & 64) { 2024 v1c ^= (((uint64_t)1) << (ub & 63)); 2025 } else { 2026 v0c ^= (((uint64_t)1) << (ub & 63)); 2027 } 2028 haskellsecp256k1_v0_1_0_i128_load(&swz, v1c, v0c); 2029 } 2030 CHECK(haskellsecp256k1_v0_1_0_i128_eq_var(&swa, &swz) == expect); 2031 } 2032 /* test haskellsecp256k1_v0_1_0_i128_check_pow2 (sign == 1) */ 2033 { 2034 int expect = (uc & 1); 2035 int pos = ub % 127; 2036 if (expect) { 2037 /* If expect==1, set swz to exactly 2^pos. */ 2038 uint64_t hi = 0; 2039 uint64_t lo = 0; 2040 if (pos >= 64) { 2041 hi = (((uint64_t)1) << (pos & 63)); 2042 } else { 2043 lo = (((uint64_t)1) << (pos & 63)); 2044 } 2045 haskellsecp256k1_v0_1_0_i128_load(&swz, hi, lo); 2046 } else { 2047 /* If expect==0, set swz = swa, but update expect=1 if swa happens to equal 2^pos. */ 2048 if (pos >= 64) { 2049 if ((v[1] == (((uint64_t)1) << (pos & 63))) && v[0] == 0) expect = 1; 2050 } else { 2051 if ((v[0] == (((uint64_t)1) << (pos & 63))) && v[1] == 0) expect = 1; 2052 } 2053 swz = swa; 2054 } 2055 CHECK(haskellsecp256k1_v0_1_0_i128_check_pow2(&swz, pos, 1) == expect); 2056 } 2057 /* test haskellsecp256k1_v0_1_0_i128_check_pow2 (sign == -1) */ 2058 { 2059 int expect = (uc & 1); 2060 int pos = ub % 127; 2061 if (expect) { 2062 /* If expect==1, set swz to exactly -2^pos. */ 2063 uint64_t hi = ~(uint64_t)0; 2064 uint64_t lo = ~(uint64_t)0; 2065 if (pos >= 64) { 2066 hi <<= (pos & 63); 2067 lo = 0; 2068 } else { 2069 lo <<= (pos & 63); 2070 } 2071 haskellsecp256k1_v0_1_0_i128_load(&swz, hi, lo); 2072 } else { 2073 /* If expect==0, set swz = swa, but update expect=1 if swa happens to equal -2^pos. */ 2074 if (pos >= 64) { 2075 if ((v[1] == ((~(uint64_t)0) << (pos & 63))) && v[0] == 0) expect = 1; 2076 } else { 2077 if ((v[0] == ((~(uint64_t)0) << (pos & 63))) && v[1] == ~(uint64_t)0) expect = 1; 2078 } 2079 swz = swa; 2080 } 2081 CHECK(haskellsecp256k1_v0_1_0_i128_check_pow2(&swz, pos, -1) == expect); 2082 } 2083 } 2084 2085 static void run_int128_tests(void) { 2086 { /* haskellsecp256k1_v0_1_0_u128_accum_mul */ 2087 haskellsecp256k1_v0_1_0_uint128 res; 2088 2089 /* Check haskellsecp256k1_v0_1_0_u128_accum_mul overflow */ 2090 haskellsecp256k1_v0_1_0_u128_mul(&res, UINT64_MAX, UINT64_MAX); 2091 haskellsecp256k1_v0_1_0_u128_accum_mul(&res, UINT64_MAX, UINT64_MAX); 2092 CHECK(haskellsecp256k1_v0_1_0_u128_to_u64(&res) == 2); 2093 CHECK(haskellsecp256k1_v0_1_0_u128_hi_u64(&res) == 18446744073709551612U); 2094 } 2095 { /* haskellsecp256k1_v0_1_0_u128_accum_mul */ 2096 haskellsecp256k1_v0_1_0_int128 res; 2097 2098 /* Compute INT128_MAX = 2^127 - 1 with haskellsecp256k1_v0_1_0_i128_accum_mul */ 2099 haskellsecp256k1_v0_1_0_i128_mul(&res, INT64_MAX, INT64_MAX); 2100 haskellsecp256k1_v0_1_0_i128_accum_mul(&res, INT64_MAX, INT64_MAX); 2101 CHECK(haskellsecp256k1_v0_1_0_i128_to_u64(&res) == 2); 2102 haskellsecp256k1_v0_1_0_i128_accum_mul(&res, 4, 9223372036854775807); 2103 haskellsecp256k1_v0_1_0_i128_accum_mul(&res, 1, 1); 2104 CHECK(haskellsecp256k1_v0_1_0_i128_to_u64(&res) == UINT64_MAX); 2105 haskellsecp256k1_v0_1_0_i128_rshift(&res, 64); 2106 CHECK(haskellsecp256k1_v0_1_0_i128_to_i64(&res) == INT64_MAX); 2107 2108 /* Compute INT128_MIN = - 2^127 with haskellsecp256k1_v0_1_0_i128_accum_mul */ 2109 haskellsecp256k1_v0_1_0_i128_mul(&res, INT64_MAX, INT64_MIN); 2110 CHECK(haskellsecp256k1_v0_1_0_i128_to_u64(&res) == (uint64_t)INT64_MIN); 2111 haskellsecp256k1_v0_1_0_i128_accum_mul(&res, INT64_MAX, INT64_MIN); 2112 CHECK(haskellsecp256k1_v0_1_0_i128_to_u64(&res) == 0); 2113 haskellsecp256k1_v0_1_0_i128_accum_mul(&res, 2, INT64_MIN); 2114 CHECK(haskellsecp256k1_v0_1_0_i128_to_u64(&res) == 0); 2115 haskellsecp256k1_v0_1_0_i128_rshift(&res, 64); 2116 CHECK(haskellsecp256k1_v0_1_0_i128_to_i64(&res) == INT64_MIN); 2117 } 2118 { 2119 /* Randomized tests. */ 2120 int i; 2121 for (i = 0; i < 256 * COUNT; ++i) run_int128_test_case(); 2122 } 2123 } 2124 #endif 2125 2126 /***** SCALAR TESTS *****/ 2127 2128 static void scalar_test(void) { 2129 haskellsecp256k1_v0_1_0_scalar s; 2130 haskellsecp256k1_v0_1_0_scalar s1; 2131 haskellsecp256k1_v0_1_0_scalar s2; 2132 unsigned char c[32]; 2133 2134 /* Set 's' to a random scalar, with value 'snum'. */ 2135 random_scalar_order_test(&s); 2136 2137 /* Set 's1' to a random scalar, with value 's1num'. */ 2138 random_scalar_order_test(&s1); 2139 2140 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */ 2141 random_scalar_order_test(&s2); 2142 haskellsecp256k1_v0_1_0_scalar_get_b32(c, &s2); 2143 2144 { 2145 int i; 2146 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */ 2147 haskellsecp256k1_v0_1_0_scalar n; 2148 haskellsecp256k1_v0_1_0_scalar_set_int(&n, 0); 2149 for (i = 0; i < 256; i += 4) { 2150 haskellsecp256k1_v0_1_0_scalar t; 2151 int j; 2152 haskellsecp256k1_v0_1_0_scalar_set_int(&t, haskellsecp256k1_v0_1_0_scalar_get_bits(&s, 256 - 4 - i, 4)); 2153 for (j = 0; j < 4; j++) { 2154 haskellsecp256k1_v0_1_0_scalar_add(&n, &n, &n); 2155 } 2156 haskellsecp256k1_v0_1_0_scalar_add(&n, &n, &t); 2157 } 2158 CHECK(haskellsecp256k1_v0_1_0_scalar_eq(&n, &s)); 2159 } 2160 2161 { 2162 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */ 2163 haskellsecp256k1_v0_1_0_scalar n; 2164 int i = 0; 2165 haskellsecp256k1_v0_1_0_scalar_set_int(&n, 0); 2166 while (i < 256) { 2167 haskellsecp256k1_v0_1_0_scalar t; 2168 int j; 2169 int now = haskellsecp256k1_v0_1_0_testrand_int(15) + 1; 2170 if (now + i > 256) { 2171 now = 256 - i; 2172 } 2173 haskellsecp256k1_v0_1_0_scalar_set_int(&t, haskellsecp256k1_v0_1_0_scalar_get_bits_var(&s, 256 - now - i, now)); 2174 for (j = 0; j < now; j++) { 2175 haskellsecp256k1_v0_1_0_scalar_add(&n, &n, &n); 2176 } 2177 haskellsecp256k1_v0_1_0_scalar_add(&n, &n, &t); 2178 i += now; 2179 } 2180 CHECK(haskellsecp256k1_v0_1_0_scalar_eq(&n, &s)); 2181 } 2182 2183 { 2184 /* Test commutativity of add. */ 2185 haskellsecp256k1_v0_1_0_scalar r1, r2; 2186 haskellsecp256k1_v0_1_0_scalar_add(&r1, &s1, &s2); 2187 haskellsecp256k1_v0_1_0_scalar_add(&r2, &s2, &s1); 2188 CHECK(haskellsecp256k1_v0_1_0_scalar_eq(&r1, &r2)); 2189 } 2190 2191 { 2192 haskellsecp256k1_v0_1_0_scalar r1, r2; 2193 haskellsecp256k1_v0_1_0_scalar b; 2194 int i; 2195 /* Test add_bit. */ 2196 int bit = haskellsecp256k1_v0_1_0_testrand_bits(8); 2197 haskellsecp256k1_v0_1_0_scalar_set_int(&b, 1); 2198 CHECK(haskellsecp256k1_v0_1_0_scalar_is_one(&b)); 2199 for (i = 0; i < bit; i++) { 2200 haskellsecp256k1_v0_1_0_scalar_add(&b, &b, &b); 2201 } 2202 r1 = s1; 2203 r2 = s1; 2204 if (!haskellsecp256k1_v0_1_0_scalar_add(&r1, &r1, &b)) { 2205 /* No overflow happened. */ 2206 haskellsecp256k1_v0_1_0_scalar_cadd_bit(&r2, bit, 1); 2207 CHECK(haskellsecp256k1_v0_1_0_scalar_eq(&r1, &r2)); 2208 /* cadd is a noop when flag is zero */ 2209 haskellsecp256k1_v0_1_0_scalar_cadd_bit(&r2, bit, 0); 2210 CHECK(haskellsecp256k1_v0_1_0_scalar_eq(&r1, &r2)); 2211 } 2212 } 2213 2214 { 2215 /* Test commutativity of mul. */ 2216 haskellsecp256k1_v0_1_0_scalar r1, r2; 2217 haskellsecp256k1_v0_1_0_scalar_mul(&r1, &s1, &s2); 2218 haskellsecp256k1_v0_1_0_scalar_mul(&r2, &s2, &s1); 2219 CHECK(haskellsecp256k1_v0_1_0_scalar_eq(&r1, &r2)); 2220 } 2221 2222 { 2223 /* Test associativity of add. */ 2224 haskellsecp256k1_v0_1_0_scalar r1, r2; 2225 haskellsecp256k1_v0_1_0_scalar_add(&r1, &s1, &s2); 2226 haskellsecp256k1_v0_1_0_scalar_add(&r1, &r1, &s); 2227 haskellsecp256k1_v0_1_0_scalar_add(&r2, &s2, &s); 2228 haskellsecp256k1_v0_1_0_scalar_add(&r2, &s1, &r2); 2229 CHECK(haskellsecp256k1_v0_1_0_scalar_eq(&r1, &r2)); 2230 } 2231 2232 { 2233 /* Test associativity of mul. */ 2234 haskellsecp256k1_v0_1_0_scalar r1, r2; 2235 haskellsecp256k1_v0_1_0_scalar_mul(&r1, &s1, &s2); 2236 haskellsecp256k1_v0_1_0_scalar_mul(&r1, &r1, &s); 2237 haskellsecp256k1_v0_1_0_scalar_mul(&r2, &s2, &s); 2238 haskellsecp256k1_v0_1_0_scalar_mul(&r2, &s1, &r2); 2239 CHECK(haskellsecp256k1_v0_1_0_scalar_eq(&r1, &r2)); 2240 } 2241 2242 { 2243 /* Test distributitivity of mul over add. */ 2244 haskellsecp256k1_v0_1_0_scalar r1, r2, t; 2245 haskellsecp256k1_v0_1_0_scalar_add(&r1, &s1, &s2); 2246 haskellsecp256k1_v0_1_0_scalar_mul(&r1, &r1, &s); 2247 haskellsecp256k1_v0_1_0_scalar_mul(&r2, &s1, &s); 2248 haskellsecp256k1_v0_1_0_scalar_mul(&t, &s2, &s); 2249 haskellsecp256k1_v0_1_0_scalar_add(&r2, &r2, &t); 2250 CHECK(haskellsecp256k1_v0_1_0_scalar_eq(&r1, &r2)); 2251 } 2252 2253 { 2254 /* Test multiplicative identity. */ 2255 haskellsecp256k1_v0_1_0_scalar r1; 2256 haskellsecp256k1_v0_1_0_scalar_mul(&r1, &s1, &haskellsecp256k1_v0_1_0_scalar_one); 2257 CHECK(haskellsecp256k1_v0_1_0_scalar_eq(&r1, &s1)); 2258 } 2259 2260 { 2261 /* Test additive identity. */ 2262 haskellsecp256k1_v0_1_0_scalar r1; 2263 haskellsecp256k1_v0_1_0_scalar_add(&r1, &s1, &haskellsecp256k1_v0_1_0_scalar_zero); 2264 CHECK(haskellsecp256k1_v0_1_0_scalar_eq(&r1, &s1)); 2265 } 2266 2267 { 2268 /* Test zero product property. */ 2269 haskellsecp256k1_v0_1_0_scalar r1; 2270 haskellsecp256k1_v0_1_0_scalar_mul(&r1, &s1, &haskellsecp256k1_v0_1_0_scalar_zero); 2271 CHECK(haskellsecp256k1_v0_1_0_scalar_eq(&r1, &haskellsecp256k1_v0_1_0_scalar_zero)); 2272 } 2273 2274 { 2275 /* Test halving. */ 2276 haskellsecp256k1_v0_1_0_scalar r; 2277 haskellsecp256k1_v0_1_0_scalar_add(&r, &s, &s); 2278 haskellsecp256k1_v0_1_0_scalar_half(&r, &r); 2279 CHECK(haskellsecp256k1_v0_1_0_scalar_eq(&r, &s)); 2280 } 2281 } 2282 2283 static void run_scalar_set_b32_seckey_tests(void) { 2284 unsigned char b32[32]; 2285 haskellsecp256k1_v0_1_0_scalar s1; 2286 haskellsecp256k1_v0_1_0_scalar s2; 2287 2288 /* Usually set_b32 and set_b32_seckey give the same result */ 2289 random_scalar_order_b32(b32); 2290 haskellsecp256k1_v0_1_0_scalar_set_b32(&s1, b32, NULL); 2291 CHECK(haskellsecp256k1_v0_1_0_scalar_set_b32_seckey(&s2, b32) == 1); 2292 CHECK(haskellsecp256k1_v0_1_0_scalar_eq(&s1, &s2) == 1); 2293 2294 memset(b32, 0, sizeof(b32)); 2295 CHECK(haskellsecp256k1_v0_1_0_scalar_set_b32_seckey(&s2, b32) == 0); 2296 memset(b32, 0xFF, sizeof(b32)); 2297 CHECK(haskellsecp256k1_v0_1_0_scalar_set_b32_seckey(&s2, b32) == 0); 2298 } 2299 2300 static void run_scalar_tests(void) { 2301 int i; 2302 for (i = 0; i < 128 * COUNT; i++) { 2303 scalar_test(); 2304 } 2305 for (i = 0; i < COUNT; i++) { 2306 run_scalar_set_b32_seckey_tests(); 2307 } 2308 2309 { 2310 /* Check that the scalar constants haskellsecp256k1_v0_1_0_scalar_zero and 2311 haskellsecp256k1_v0_1_0_scalar_one contain the expected values. */ 2312 haskellsecp256k1_v0_1_0_scalar zero, one; 2313 2314 CHECK(haskellsecp256k1_v0_1_0_scalar_is_zero(&haskellsecp256k1_v0_1_0_scalar_zero)); 2315 haskellsecp256k1_v0_1_0_scalar_set_int(&zero, 0); 2316 CHECK(haskellsecp256k1_v0_1_0_scalar_eq(&zero, &haskellsecp256k1_v0_1_0_scalar_zero)); 2317 2318 CHECK(haskellsecp256k1_v0_1_0_scalar_is_one(&haskellsecp256k1_v0_1_0_scalar_one)); 2319 haskellsecp256k1_v0_1_0_scalar_set_int(&one, 1); 2320 CHECK(haskellsecp256k1_v0_1_0_scalar_eq(&one, &haskellsecp256k1_v0_1_0_scalar_one)); 2321 } 2322 2323 { 2324 /* (-1)+1 should be zero. */ 2325 haskellsecp256k1_v0_1_0_scalar o; 2326 haskellsecp256k1_v0_1_0_scalar_negate(&o, &haskellsecp256k1_v0_1_0_scalar_one); 2327 haskellsecp256k1_v0_1_0_scalar_add(&o, &o, &haskellsecp256k1_v0_1_0_scalar_one); 2328 CHECK(haskellsecp256k1_v0_1_0_scalar_is_zero(&o)); 2329 haskellsecp256k1_v0_1_0_scalar_negate(&o, &o); 2330 CHECK(haskellsecp256k1_v0_1_0_scalar_is_zero(&o)); 2331 } 2332 2333 { 2334 /* Test that halving and doubling roundtrips on some fixed values. */ 2335 static const haskellsecp256k1_v0_1_0_scalar HALF_TESTS[] = { 2336 /* 0 */ 2337 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0), 2338 /* 1 */ 2339 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1), 2340 /* -1 */ 2341 SECP256K1_SCALAR_CONST(0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffeul, 0xbaaedce6ul, 0xaf48a03bul, 0xbfd25e8cul, 0xd0364140ul), 2342 /* -2 (largest odd value) */ 2343 SECP256K1_SCALAR_CONST(0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffeul, 0xbaaedce6ul, 0xaf48a03bul, 0xbfd25e8cul, 0xd036413Ful), 2344 /* Half the secp256k1 order */ 2345 SECP256K1_SCALAR_CONST(0x7ffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0x5d576e73ul, 0x57a4501dul, 0xdfe92f46ul, 0x681b20a0ul), 2346 /* Half the secp256k1 order + 1 */ 2347 SECP256K1_SCALAR_CONST(0x7ffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0x5d576e73ul, 0x57a4501dul, 0xdfe92f46ul, 0x681b20a1ul), 2348 /* 2^255 */ 2349 SECP256K1_SCALAR_CONST(0x80000000ul, 0, 0, 0, 0, 0, 0, 0), 2350 /* 2^255 - 1 */ 2351 SECP256K1_SCALAR_CONST(0x7ffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful), 2352 }; 2353 unsigned n; 2354 for (n = 0; n < sizeof(HALF_TESTS) / sizeof(HALF_TESTS[0]); ++n) { 2355 haskellsecp256k1_v0_1_0_scalar s; 2356 haskellsecp256k1_v0_1_0_scalar_half(&s, &HALF_TESTS[n]); 2357 haskellsecp256k1_v0_1_0_scalar_add(&s, &s, &s); 2358 CHECK(haskellsecp256k1_v0_1_0_scalar_eq(&s, &HALF_TESTS[n])); 2359 haskellsecp256k1_v0_1_0_scalar_add(&s, &s, &s); 2360 haskellsecp256k1_v0_1_0_scalar_half(&s, &s); 2361 CHECK(haskellsecp256k1_v0_1_0_scalar_eq(&s, &HALF_TESTS[n])); 2362 } 2363 } 2364 2365 { 2366 /* Does check_overflow check catch all ones? */ 2367 static const haskellsecp256k1_v0_1_0_scalar overflowed = SECP256K1_SCALAR_CONST( 2368 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 2369 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL 2370 ); 2371 CHECK(haskellsecp256k1_v0_1_0_scalar_check_overflow(&overflowed)); 2372 } 2373 2374 { 2375 /* Static test vectors. 2376 * These were reduced from ~10^12 random vectors based on comparison-decision 2377 * and edge-case coverage on 32-bit and 64-bit implementations. 2378 * The responses were generated with Sage 5.9. 2379 */ 2380 haskellsecp256k1_v0_1_0_scalar x; 2381 haskellsecp256k1_v0_1_0_scalar y; 2382 haskellsecp256k1_v0_1_0_scalar z; 2383 haskellsecp256k1_v0_1_0_scalar zz; 2384 haskellsecp256k1_v0_1_0_scalar r1; 2385 haskellsecp256k1_v0_1_0_scalar r2; 2386 haskellsecp256k1_v0_1_0_scalar zzv; 2387 int overflow; 2388 unsigned char chal[33][2][32] = { 2389 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00, 2390 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 2391 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 2392 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff}, 2393 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00, 2394 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 2395 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2396 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}}, 2397 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00, 2398 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 2399 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2400 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, 2401 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 2402 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 2403 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff, 2404 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}}, 2405 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 2406 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 2407 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00, 2408 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00}, 2409 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80, 2410 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0, 2411 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00, 2412 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}}, 2413 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 2414 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80, 2415 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 2416 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff}, 2417 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 2418 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0, 2419 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff, 2420 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}}, 2421 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00, 2422 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 2423 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00, 2424 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff}, 2425 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 2426 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2427 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f, 2428 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}}, 2429 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f, 2430 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80, 2431 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00, 2432 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}, 2433 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 2434 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff, 2435 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 2436 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}}, 2437 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 2438 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 2439 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00, 2440 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0}, 2441 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 2442 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00, 2443 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 2444 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}}, 2445 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00, 2446 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 2447 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 2448 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff}, 2449 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 2450 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0, 2451 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2452 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}}, 2453 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2454 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 2455 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80, 2456 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}, 2457 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2458 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2459 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2460 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, 2461 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff, 2462 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2463 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80, 2464 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f}, 2465 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00, 2466 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff, 2467 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00, 2468 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}}, 2469 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff, 2470 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 2471 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80, 2472 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff}, 2473 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 2474 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2475 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 2476 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}}, 2477 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 2478 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2479 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2480 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80}, 2481 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2482 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff, 2483 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 2484 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, 2485 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2486 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2487 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2488 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00}, 2489 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 2490 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f, 2491 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff, 2492 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}}, 2493 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 2494 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80, 2495 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2496 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00}, 2497 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 2498 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2499 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00, 2500 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}}, 2501 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00, 2502 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03, 2503 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2504 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, 2505 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff, 2506 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2507 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2508 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}}, 2509 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 2510 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2511 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2512 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, 2513 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2514 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff, 2515 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 2516 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}}, 2517 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 2518 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2519 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00, 2520 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80}, 2521 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2522 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 2523 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e, 2524 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, 2525 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2526 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 2527 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 2528 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00}, 2529 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 2530 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00, 2531 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 2532 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}}, 2533 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80, 2534 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 2535 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 2536 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}, 2537 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2538 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80, 2539 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 2540 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}}, 2541 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff, 2542 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00, 2543 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2544 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07}, 2545 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 2546 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 2547 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff, 2548 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}}, 2549 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2550 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2551 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2552 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, 2553 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2554 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 2555 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b, 2556 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}}, 2557 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2558 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2559 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2560 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}, 2561 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2562 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2563 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2564 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, 2565 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2566 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2567 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2568 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, 2569 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2570 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2571 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2572 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}}, 2573 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0, 2574 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2575 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 2576 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f}, 2577 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 2578 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00, 2579 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 2580 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}}, 2581 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2582 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2583 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2584 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, 2585 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2586 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2587 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2588 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}}, 2589 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2590 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 2591 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b, 2592 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}, 2593 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2594 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2595 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2596 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}}, 2597 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2598 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00, 2599 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 2600 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, 2601 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 2602 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80, 2603 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 2604 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}}, 2605 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00, 2606 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 2607 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 2608 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff}, 2609 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 2610 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff, 2611 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2612 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}}, 2613 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 2614 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff, 2615 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 2616 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00}, 2617 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 2618 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 2619 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f, 2620 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}}, 2621 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 2622 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01, 2623 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff, 2624 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}, 2625 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 2626 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80, 2627 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff, 2628 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}}, 2629 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 2630 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2631 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8, 2632 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80}, 2633 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2634 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00, 2635 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f, 2636 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}}, 2637 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00, 2638 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83, 2639 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80, 2640 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0}, 2641 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 2642 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00, 2643 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 2644 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}}, 2645 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00, 2646 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00, 2647 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb, 2648 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}, 2649 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00, 2650 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00, 2651 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb, 2652 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}} 2653 }; 2654 unsigned char res[33][2][32] = { 2655 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9, 2656 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1, 2657 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6, 2658 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35}, 2659 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d, 2660 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c, 2661 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49, 2662 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}}, 2663 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22, 2664 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c, 2665 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f, 2666 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8}, 2667 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77, 2668 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4, 2669 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59, 2670 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}}, 2671 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef, 2672 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab, 2673 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55, 2674 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c}, 2675 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96, 2676 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f, 2677 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12, 2678 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}}, 2679 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c, 2680 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf, 2681 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9, 2682 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48}, 2683 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42, 2684 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5, 2685 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c, 2686 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}}, 2687 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb, 2688 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74, 2689 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6, 2690 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63}, 2691 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3, 2692 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99, 2693 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58, 2694 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}}, 2695 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b, 2696 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7, 2697 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f, 2698 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0}, 2699 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d, 2700 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d, 2701 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9, 2702 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}}, 2703 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7, 2704 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70, 2705 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06, 2706 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e}, 2707 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9, 2708 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79, 2709 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e, 2710 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}}, 2711 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb, 2712 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5, 2713 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a, 2714 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe}, 2715 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48, 2716 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e, 2717 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc, 2718 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}}, 2719 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b, 2720 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0, 2721 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53, 2722 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8}, 2723 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c, 2724 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01, 2725 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f, 2726 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}}, 2727 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7, 2728 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c, 2729 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92, 2730 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30}, 2731 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62, 2732 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e, 2733 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb, 2734 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}}, 2735 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25, 2736 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d, 2737 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0, 2738 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13}, 2739 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60, 2740 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00, 2741 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4, 2742 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}}, 2743 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31, 2744 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4, 2745 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88, 2746 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa}, 2747 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57, 2748 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38, 2749 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51, 2750 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}}, 2751 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c, 2752 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f, 2753 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2, 2754 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4}, 2755 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01, 2756 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4, 2757 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86, 2758 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}}, 2759 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5, 2760 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51, 2761 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3, 2762 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62}, 2763 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c, 2764 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91, 2765 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c, 2766 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}}, 2767 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e, 2768 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56, 2769 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58, 2770 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4}, 2771 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41, 2772 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7, 2773 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92, 2774 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}}, 2775 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec, 2776 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19, 2777 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3, 2778 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4}, 2779 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87, 2780 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a, 2781 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92, 2782 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}}, 2783 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64, 2784 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3, 2785 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f, 2786 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33}, 2787 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c, 2788 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d, 2789 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea, 2790 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}}, 2791 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7, 2792 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a, 2793 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae, 2794 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe}, 2795 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc, 2796 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39, 2797 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14, 2798 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}}, 2799 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23, 2800 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d, 2801 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2, 2802 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16}, 2803 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c, 2804 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84, 2805 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0, 2806 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}}, 2807 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb, 2808 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94, 2809 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b, 2810 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e}, 2811 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54, 2812 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00, 2813 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb, 2814 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}}, 2815 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2816 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2817 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2818 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, 2819 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2820 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2821 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2822 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}, 2823 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2824 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2825 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2826 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, 2827 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2828 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2829 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2830 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}}, 2831 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1, 2832 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0, 2833 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59, 2834 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}, 2835 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1, 2836 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0, 2837 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59, 2838 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}}, 2839 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0, 2840 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b, 2841 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94, 2842 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8}, 2843 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26, 2844 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d, 2845 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a, 2846 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}}, 2847 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2848 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 2849 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4, 2850 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd}, 2851 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1, 2852 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0, 2853 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59, 2854 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}}, 2855 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2856 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 2857 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b, 2858 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}, 2859 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2860 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2861 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 2862 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}}, 2863 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39, 2864 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea, 2865 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf, 2866 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae}, 2867 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b, 2868 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb, 2869 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6, 2870 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}}, 2871 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a, 2872 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f, 2873 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9, 2874 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56}, 2875 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93, 2876 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07, 2877 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71, 2878 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}}, 2879 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87, 2880 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9, 2881 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55, 2882 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73}, 2883 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d, 2884 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86, 2885 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb, 2886 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}}, 2887 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2, 2888 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7, 2889 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41, 2890 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7}, 2891 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06, 2892 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04, 2893 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08, 2894 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}}, 2895 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2, 2896 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b, 2897 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40, 2898 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68}, 2899 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e, 2900 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a, 2901 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b, 2902 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}}, 2903 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67, 2904 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f, 2905 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a, 2906 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51}, 2907 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2, 2908 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38, 2909 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34, 2910 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}}, 2911 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34, 2912 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13, 2913 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46, 2914 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}, 2915 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34, 2916 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13, 2917 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46, 2918 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}} 2919 }; 2920 for (i = 0; i < 33; i++) { 2921 haskellsecp256k1_v0_1_0_scalar_set_b32(&x, chal[i][0], &overflow); 2922 CHECK(!overflow); 2923 haskellsecp256k1_v0_1_0_scalar_set_b32(&y, chal[i][1], &overflow); 2924 CHECK(!overflow); 2925 haskellsecp256k1_v0_1_0_scalar_set_b32(&r1, res[i][0], &overflow); 2926 CHECK(!overflow); 2927 haskellsecp256k1_v0_1_0_scalar_set_b32(&r2, res[i][1], &overflow); 2928 CHECK(!overflow); 2929 haskellsecp256k1_v0_1_0_scalar_mul(&z, &x, &y); 2930 CHECK(haskellsecp256k1_v0_1_0_scalar_eq(&r1, &z)); 2931 if (!haskellsecp256k1_v0_1_0_scalar_is_zero(&y)) { 2932 haskellsecp256k1_v0_1_0_scalar_inverse(&zz, &y); 2933 haskellsecp256k1_v0_1_0_scalar_inverse_var(&zzv, &y); 2934 CHECK(haskellsecp256k1_v0_1_0_scalar_eq(&zzv, &zz)); 2935 haskellsecp256k1_v0_1_0_scalar_mul(&z, &z, &zz); 2936 CHECK(haskellsecp256k1_v0_1_0_scalar_eq(&x, &z)); 2937 haskellsecp256k1_v0_1_0_scalar_mul(&zz, &zz, &y); 2938 CHECK(haskellsecp256k1_v0_1_0_scalar_eq(&haskellsecp256k1_v0_1_0_scalar_one, &zz)); 2939 } 2940 haskellsecp256k1_v0_1_0_scalar_mul(&z, &x, &x); 2941 CHECK(haskellsecp256k1_v0_1_0_scalar_eq(&r2, &z)); 2942 } 2943 } 2944 } 2945 2946 /***** FIELD TESTS *****/ 2947 2948 static void random_fe_non_square(haskellsecp256k1_v0_1_0_fe *ns) { 2949 haskellsecp256k1_v0_1_0_fe r; 2950 random_fe_non_zero(ns); 2951 if (haskellsecp256k1_v0_1_0_fe_sqrt(&r, ns)) { 2952 haskellsecp256k1_v0_1_0_fe_negate(ns, ns, 1); 2953 } 2954 } 2955 2956 static int check_fe_equal(const haskellsecp256k1_v0_1_0_fe *a, const haskellsecp256k1_v0_1_0_fe *b) { 2957 haskellsecp256k1_v0_1_0_fe an = *a; 2958 haskellsecp256k1_v0_1_0_fe bn = *b; 2959 haskellsecp256k1_v0_1_0_fe_normalize_weak(&an); 2960 return haskellsecp256k1_v0_1_0_fe_equal(&an, &bn); 2961 } 2962 2963 static void run_field_convert(void) { 2964 static const unsigned char b32[32] = { 2965 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 2966 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 2967 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 2968 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40 2969 }; 2970 static const haskellsecp256k1_v0_1_0_fe_storage fes = SECP256K1_FE_STORAGE_CONST( 2971 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL, 2972 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL 2973 ); 2974 static const haskellsecp256k1_v0_1_0_fe fe = SECP256K1_FE_CONST( 2975 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL, 2976 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL 2977 ); 2978 haskellsecp256k1_v0_1_0_fe fe2; 2979 unsigned char b322[32]; 2980 haskellsecp256k1_v0_1_0_fe_storage fes2; 2981 /* Check conversions to fe. */ 2982 CHECK(haskellsecp256k1_v0_1_0_fe_set_b32_limit(&fe2, b32)); 2983 CHECK(haskellsecp256k1_v0_1_0_fe_equal(&fe, &fe2)); 2984 haskellsecp256k1_v0_1_0_fe_from_storage(&fe2, &fes); 2985 CHECK(haskellsecp256k1_v0_1_0_fe_equal(&fe, &fe2)); 2986 /* Check conversion from fe. */ 2987 haskellsecp256k1_v0_1_0_fe_get_b32(b322, &fe); 2988 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(b322, b32, 32) == 0); 2989 haskellsecp256k1_v0_1_0_fe_to_storage(&fes2, &fe); 2990 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&fes2, &fes, sizeof(fes)) == 0); 2991 } 2992 2993 static void run_field_be32_overflow(void) { 2994 { 2995 static const unsigned char zero_overflow[32] = { 2996 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 2997 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 2998 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 2999 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F, 3000 }; 3001 static const unsigned char zero[32] = { 0x00 }; 3002 unsigned char out[32]; 3003 haskellsecp256k1_v0_1_0_fe fe; 3004 CHECK(haskellsecp256k1_v0_1_0_fe_set_b32_limit(&fe, zero_overflow) == 0); 3005 haskellsecp256k1_v0_1_0_fe_set_b32_mod(&fe, zero_overflow); 3006 CHECK(haskellsecp256k1_v0_1_0_fe_normalizes_to_zero(&fe) == 1); 3007 haskellsecp256k1_v0_1_0_fe_normalize(&fe); 3008 CHECK(haskellsecp256k1_v0_1_0_fe_is_zero(&fe) == 1); 3009 haskellsecp256k1_v0_1_0_fe_get_b32(out, &fe); 3010 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(out, zero, 32) == 0); 3011 } 3012 { 3013 static const unsigned char one_overflow[32] = { 3014 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 3015 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 3016 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 3017 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x30, 3018 }; 3019 static const unsigned char one[32] = { 3020 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3021 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3022 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3023 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 3024 }; 3025 unsigned char out[32]; 3026 haskellsecp256k1_v0_1_0_fe fe; 3027 CHECK(haskellsecp256k1_v0_1_0_fe_set_b32_limit(&fe, one_overflow) == 0); 3028 haskellsecp256k1_v0_1_0_fe_set_b32_mod(&fe, one_overflow); 3029 haskellsecp256k1_v0_1_0_fe_normalize(&fe); 3030 CHECK(haskellsecp256k1_v0_1_0_fe_cmp_var(&fe, &haskellsecp256k1_v0_1_0_fe_one) == 0); 3031 haskellsecp256k1_v0_1_0_fe_get_b32(out, &fe); 3032 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(out, one, 32) == 0); 3033 } 3034 { 3035 static const unsigned char ff_overflow[32] = { 3036 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 3037 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 3038 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 3039 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 3040 }; 3041 static const unsigned char ff[32] = { 3042 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3043 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3044 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3045 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x03, 0xD0, 3046 }; 3047 unsigned char out[32]; 3048 haskellsecp256k1_v0_1_0_fe fe; 3049 const haskellsecp256k1_v0_1_0_fe fe_ff = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0x01, 0x000003d0); 3050 CHECK(haskellsecp256k1_v0_1_0_fe_set_b32_limit(&fe, ff_overflow) == 0); 3051 haskellsecp256k1_v0_1_0_fe_set_b32_mod(&fe, ff_overflow); 3052 haskellsecp256k1_v0_1_0_fe_normalize(&fe); 3053 CHECK(haskellsecp256k1_v0_1_0_fe_cmp_var(&fe, &fe_ff) == 0); 3054 haskellsecp256k1_v0_1_0_fe_get_b32(out, &fe); 3055 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(out, ff, 32) == 0); 3056 } 3057 } 3058 3059 /* Returns true if two field elements have the same representation. */ 3060 static int fe_identical(const haskellsecp256k1_v0_1_0_fe *a, const haskellsecp256k1_v0_1_0_fe *b) { 3061 int ret = 1; 3062 /* Compare the struct member that holds the limbs. */ 3063 ret &= (haskellsecp256k1_v0_1_0_memcmp_var(a->n, b->n, sizeof(a->n)) == 0); 3064 return ret; 3065 } 3066 3067 static void run_field_half(void) { 3068 haskellsecp256k1_v0_1_0_fe t, u; 3069 int m; 3070 3071 /* Check magnitude 0 input */ 3072 haskellsecp256k1_v0_1_0_fe_get_bounds(&t, 0); 3073 haskellsecp256k1_v0_1_0_fe_half(&t); 3074 #ifdef VERIFY 3075 CHECK(t.magnitude == 1); 3076 CHECK(t.normalized == 0); 3077 #endif 3078 CHECK(haskellsecp256k1_v0_1_0_fe_normalizes_to_zero(&t)); 3079 3080 /* Check non-zero magnitudes in the supported range */ 3081 for (m = 1; m < 32; m++) { 3082 /* Check max-value input */ 3083 haskellsecp256k1_v0_1_0_fe_get_bounds(&t, m); 3084 3085 u = t; 3086 haskellsecp256k1_v0_1_0_fe_half(&u); 3087 #ifdef VERIFY 3088 CHECK(u.magnitude == (m >> 1) + 1); 3089 CHECK(u.normalized == 0); 3090 #endif 3091 haskellsecp256k1_v0_1_0_fe_normalize_weak(&u); 3092 haskellsecp256k1_v0_1_0_fe_add(&u, &u); 3093 CHECK(check_fe_equal(&t, &u)); 3094 3095 /* Check worst-case input: ensure the LSB is 1 so that P will be added, 3096 * which will also cause all carries to be 1, since all limbs that can 3097 * generate a carry are initially even and all limbs of P are odd in 3098 * every existing field implementation. */ 3099 haskellsecp256k1_v0_1_0_fe_get_bounds(&t, m); 3100 CHECK(t.n[0] > 0); 3101 CHECK((t.n[0] & 1) == 0); 3102 --t.n[0]; 3103 3104 u = t; 3105 haskellsecp256k1_v0_1_0_fe_half(&u); 3106 #ifdef VERIFY 3107 CHECK(u.magnitude == (m >> 1) + 1); 3108 CHECK(u.normalized == 0); 3109 #endif 3110 haskellsecp256k1_v0_1_0_fe_normalize_weak(&u); 3111 haskellsecp256k1_v0_1_0_fe_add(&u, &u); 3112 CHECK(check_fe_equal(&t, &u)); 3113 } 3114 } 3115 3116 static void run_field_misc(void) { 3117 haskellsecp256k1_v0_1_0_fe x; 3118 haskellsecp256k1_v0_1_0_fe y; 3119 haskellsecp256k1_v0_1_0_fe z; 3120 haskellsecp256k1_v0_1_0_fe q; 3121 int v; 3122 haskellsecp256k1_v0_1_0_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5); 3123 int i, j; 3124 for (i = 0; i < 1000 * COUNT; i++) { 3125 haskellsecp256k1_v0_1_0_fe_storage xs, ys, zs; 3126 if (i & 1) { 3127 random_fe(&x); 3128 } else { 3129 random_fe_test(&x); 3130 } 3131 random_fe_non_zero(&y); 3132 v = haskellsecp256k1_v0_1_0_testrand_bits(15); 3133 /* Test that fe_add_int is equivalent to fe_set_int + fe_add. */ 3134 haskellsecp256k1_v0_1_0_fe_set_int(&q, v); /* q = v */ 3135 z = x; /* z = x */ 3136 haskellsecp256k1_v0_1_0_fe_add(&z, &q); /* z = x+v */ 3137 q = x; /* q = x */ 3138 haskellsecp256k1_v0_1_0_fe_add_int(&q, v); /* q = x+v */ 3139 CHECK(check_fe_equal(&q, &z)); 3140 /* Test the fe equality and comparison operations. */ 3141 CHECK(haskellsecp256k1_v0_1_0_fe_cmp_var(&x, &x) == 0); 3142 CHECK(haskellsecp256k1_v0_1_0_fe_equal(&x, &x)); 3143 z = x; 3144 haskellsecp256k1_v0_1_0_fe_add(&z,&y); 3145 /* Test fe conditional move; z is not normalized here. */ 3146 q = x; 3147 haskellsecp256k1_v0_1_0_fe_cmov(&x, &z, 0); 3148 #ifdef VERIFY 3149 CHECK(!x.normalized); 3150 CHECK((x.magnitude == q.magnitude) || (x.magnitude == z.magnitude)); 3151 CHECK((x.magnitude >= q.magnitude) && (x.magnitude >= z.magnitude)); 3152 #endif 3153 x = q; 3154 haskellsecp256k1_v0_1_0_fe_cmov(&x, &x, 1); 3155 CHECK(!fe_identical(&x, &z)); 3156 CHECK(fe_identical(&x, &q)); 3157 haskellsecp256k1_v0_1_0_fe_cmov(&q, &z, 1); 3158 #ifdef VERIFY 3159 CHECK(!q.normalized); 3160 CHECK((q.magnitude == x.magnitude) || (q.magnitude == z.magnitude)); 3161 CHECK((q.magnitude >= x.magnitude) && (q.magnitude >= z.magnitude)); 3162 #endif 3163 CHECK(fe_identical(&q, &z)); 3164 q = z; 3165 haskellsecp256k1_v0_1_0_fe_normalize_var(&x); 3166 haskellsecp256k1_v0_1_0_fe_normalize_var(&z); 3167 CHECK(!haskellsecp256k1_v0_1_0_fe_equal(&x, &z)); 3168 haskellsecp256k1_v0_1_0_fe_normalize_var(&q); 3169 haskellsecp256k1_v0_1_0_fe_cmov(&q, &z, (i&1)); 3170 #ifdef VERIFY 3171 CHECK(q.normalized && q.magnitude == 1); 3172 #endif 3173 for (j = 0; j < 6; j++) { 3174 haskellsecp256k1_v0_1_0_fe_negate_unchecked(&z, &z, j+1); 3175 haskellsecp256k1_v0_1_0_fe_normalize_var(&q); 3176 haskellsecp256k1_v0_1_0_fe_cmov(&q, &z, (j&1)); 3177 #ifdef VERIFY 3178 CHECK(!q.normalized && q.magnitude == z.magnitude); 3179 #endif 3180 } 3181 haskellsecp256k1_v0_1_0_fe_normalize_var(&z); 3182 /* Test storage conversion and conditional moves. */ 3183 haskellsecp256k1_v0_1_0_fe_to_storage(&xs, &x); 3184 haskellsecp256k1_v0_1_0_fe_to_storage(&ys, &y); 3185 haskellsecp256k1_v0_1_0_fe_to_storage(&zs, &z); 3186 haskellsecp256k1_v0_1_0_fe_storage_cmov(&zs, &xs, 0); 3187 haskellsecp256k1_v0_1_0_fe_storage_cmov(&zs, &zs, 1); 3188 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&xs, &zs, sizeof(xs)) != 0); 3189 haskellsecp256k1_v0_1_0_fe_storage_cmov(&ys, &xs, 1); 3190 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&xs, &ys, sizeof(xs)) == 0); 3191 haskellsecp256k1_v0_1_0_fe_from_storage(&x, &xs); 3192 haskellsecp256k1_v0_1_0_fe_from_storage(&y, &ys); 3193 haskellsecp256k1_v0_1_0_fe_from_storage(&z, &zs); 3194 /* Test that mul_int, mul, and add agree. */ 3195 haskellsecp256k1_v0_1_0_fe_add(&y, &x); 3196 haskellsecp256k1_v0_1_0_fe_add(&y, &x); 3197 z = x; 3198 haskellsecp256k1_v0_1_0_fe_mul_int(&z, 3); 3199 CHECK(check_fe_equal(&y, &z)); 3200 haskellsecp256k1_v0_1_0_fe_add(&y, &x); 3201 haskellsecp256k1_v0_1_0_fe_add(&z, &x); 3202 CHECK(check_fe_equal(&z, &y)); 3203 z = x; 3204 haskellsecp256k1_v0_1_0_fe_mul_int(&z, 5); 3205 haskellsecp256k1_v0_1_0_fe_mul(&q, &x, &fe5); 3206 CHECK(check_fe_equal(&z, &q)); 3207 haskellsecp256k1_v0_1_0_fe_negate(&x, &x, 1); 3208 haskellsecp256k1_v0_1_0_fe_add(&z, &x); 3209 haskellsecp256k1_v0_1_0_fe_add(&q, &x); 3210 CHECK(check_fe_equal(&y, &z)); 3211 CHECK(check_fe_equal(&q, &y)); 3212 /* Check haskellsecp256k1_v0_1_0_fe_half. */ 3213 z = x; 3214 haskellsecp256k1_v0_1_0_fe_half(&z); 3215 haskellsecp256k1_v0_1_0_fe_add(&z, &z); 3216 CHECK(check_fe_equal(&x, &z)); 3217 haskellsecp256k1_v0_1_0_fe_add(&z, &z); 3218 haskellsecp256k1_v0_1_0_fe_half(&z); 3219 CHECK(check_fe_equal(&x, &z)); 3220 } 3221 } 3222 3223 static void test_fe_mul(const haskellsecp256k1_v0_1_0_fe* a, const haskellsecp256k1_v0_1_0_fe* b, int use_sqr) 3224 { 3225 haskellsecp256k1_v0_1_0_fe c, an, bn; 3226 /* Variables in BE 32-byte format. */ 3227 unsigned char a32[32], b32[32], c32[32]; 3228 /* Variables in LE 16x uint16_t format. */ 3229 uint16_t a16[16], b16[16], c16[16]; 3230 /* Field modulus in LE 16x uint16_t format. */ 3231 static const uint16_t m16[16] = { 3232 0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 3233 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 3234 }; 3235 uint16_t t16[32]; 3236 int i; 3237 3238 /* Compute C = A * B in fe format. */ 3239 c = *a; 3240 if (use_sqr) { 3241 haskellsecp256k1_v0_1_0_fe_sqr(&c, &c); 3242 } else { 3243 haskellsecp256k1_v0_1_0_fe_mul(&c, &c, b); 3244 } 3245 3246 /* Convert A, B, C into LE 16x uint16_t format. */ 3247 an = *a; 3248 bn = *b; 3249 haskellsecp256k1_v0_1_0_fe_normalize_var(&c); 3250 haskellsecp256k1_v0_1_0_fe_normalize_var(&an); 3251 haskellsecp256k1_v0_1_0_fe_normalize_var(&bn); 3252 haskellsecp256k1_v0_1_0_fe_get_b32(a32, &an); 3253 haskellsecp256k1_v0_1_0_fe_get_b32(b32, &bn); 3254 haskellsecp256k1_v0_1_0_fe_get_b32(c32, &c); 3255 for (i = 0; i < 16; ++i) { 3256 a16[i] = a32[31 - 2*i] + ((uint16_t)a32[30 - 2*i] << 8); 3257 b16[i] = b32[31 - 2*i] + ((uint16_t)b32[30 - 2*i] << 8); 3258 c16[i] = c32[31 - 2*i] + ((uint16_t)c32[30 - 2*i] << 8); 3259 } 3260 /* Compute T = A * B in LE 16x uint16_t format. */ 3261 mulmod256(t16, a16, b16, m16); 3262 /* Compare */ 3263 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(t16, c16, 32) == 0); 3264 } 3265 3266 static void run_fe_mul(void) { 3267 int i; 3268 for (i = 0; i < 100 * COUNT; ++i) { 3269 haskellsecp256k1_v0_1_0_fe a, b, c, d; 3270 random_fe(&a); 3271 random_fe_magnitude(&a); 3272 random_fe(&b); 3273 random_fe_magnitude(&b); 3274 random_fe_test(&c); 3275 random_fe_magnitude(&c); 3276 random_fe_test(&d); 3277 random_fe_magnitude(&d); 3278 test_fe_mul(&a, &a, 1); 3279 test_fe_mul(&c, &c, 1); 3280 test_fe_mul(&a, &b, 0); 3281 test_fe_mul(&a, &c, 0); 3282 test_fe_mul(&c, &b, 0); 3283 test_fe_mul(&c, &d, 0); 3284 } 3285 } 3286 3287 static void run_sqr(void) { 3288 haskellsecp256k1_v0_1_0_fe x, s; 3289 3290 { 3291 int i; 3292 haskellsecp256k1_v0_1_0_fe_set_int(&x, 1); 3293 haskellsecp256k1_v0_1_0_fe_negate(&x, &x, 1); 3294 3295 for (i = 1; i <= 512; ++i) { 3296 haskellsecp256k1_v0_1_0_fe_mul_int(&x, 2); 3297 haskellsecp256k1_v0_1_0_fe_normalize(&x); 3298 haskellsecp256k1_v0_1_0_fe_sqr(&s, &x); 3299 } 3300 } 3301 } 3302 3303 static void test_sqrt(const haskellsecp256k1_v0_1_0_fe *a, const haskellsecp256k1_v0_1_0_fe *k) { 3304 haskellsecp256k1_v0_1_0_fe r1, r2; 3305 int v = haskellsecp256k1_v0_1_0_fe_sqrt(&r1, a); 3306 CHECK((v == 0) == (k == NULL)); 3307 3308 if (k != NULL) { 3309 /* Check that the returned root is +/- the given known answer */ 3310 haskellsecp256k1_v0_1_0_fe_negate(&r2, &r1, 1); 3311 haskellsecp256k1_v0_1_0_fe_add(&r1, k); haskellsecp256k1_v0_1_0_fe_add(&r2, k); 3312 haskellsecp256k1_v0_1_0_fe_normalize(&r1); haskellsecp256k1_v0_1_0_fe_normalize(&r2); 3313 CHECK(haskellsecp256k1_v0_1_0_fe_is_zero(&r1) || haskellsecp256k1_v0_1_0_fe_is_zero(&r2)); 3314 } 3315 } 3316 3317 static void run_sqrt(void) { 3318 haskellsecp256k1_v0_1_0_fe ns, x, s, t; 3319 int i; 3320 3321 /* Check sqrt(0) is 0 */ 3322 haskellsecp256k1_v0_1_0_fe_set_int(&x, 0); 3323 haskellsecp256k1_v0_1_0_fe_sqr(&s, &x); 3324 test_sqrt(&s, &x); 3325 3326 /* Check sqrt of small squares (and their negatives) */ 3327 for (i = 1; i <= 100; i++) { 3328 haskellsecp256k1_v0_1_0_fe_set_int(&x, i); 3329 haskellsecp256k1_v0_1_0_fe_sqr(&s, &x); 3330 test_sqrt(&s, &x); 3331 haskellsecp256k1_v0_1_0_fe_negate(&t, &s, 1); 3332 test_sqrt(&t, NULL); 3333 } 3334 3335 /* Consistency checks for large random values */ 3336 for (i = 0; i < 10; i++) { 3337 int j; 3338 random_fe_non_square(&ns); 3339 for (j = 0; j < COUNT; j++) { 3340 random_fe(&x); 3341 haskellsecp256k1_v0_1_0_fe_sqr(&s, &x); 3342 CHECK(haskellsecp256k1_v0_1_0_fe_is_square_var(&s)); 3343 test_sqrt(&s, &x); 3344 haskellsecp256k1_v0_1_0_fe_negate(&t, &s, 1); 3345 CHECK(!haskellsecp256k1_v0_1_0_fe_is_square_var(&t)); 3346 test_sqrt(&t, NULL); 3347 haskellsecp256k1_v0_1_0_fe_mul(&t, &s, &ns); 3348 test_sqrt(&t, NULL); 3349 } 3350 } 3351 } 3352 3353 /***** FIELD/SCALAR INVERSE TESTS *****/ 3354 3355 static const haskellsecp256k1_v0_1_0_scalar scalar_minus_one = SECP256K1_SCALAR_CONST( 3356 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 3357 0xBAAEDCE6, 0xAF48A03B, 0xBFD25E8C, 0xD0364140 3358 ); 3359 3360 static const haskellsecp256k1_v0_1_0_fe fe_minus_one = SECP256K1_FE_CONST( 3361 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 3362 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFC2E 3363 ); 3364 3365 /* These tests test the following identities: 3366 * 3367 * for x==0: 1/x == 0 3368 * for x!=0: x*(1/x) == 1 3369 * for x!=0 and x!=1: 1/(1/x - 1) + 1 == -1/(x-1) 3370 */ 3371 3372 static void test_inverse_scalar(haskellsecp256k1_v0_1_0_scalar* out, const haskellsecp256k1_v0_1_0_scalar* x, int var) 3373 { 3374 haskellsecp256k1_v0_1_0_scalar l, r, t; 3375 3376 (var ? haskellsecp256k1_v0_1_0_scalar_inverse_var : haskellsecp256k1_v0_1_0_scalar_inverse)(&l, x); /* l = 1/x */ 3377 if (out) *out = l; 3378 if (haskellsecp256k1_v0_1_0_scalar_is_zero(x)) { 3379 CHECK(haskellsecp256k1_v0_1_0_scalar_is_zero(&l)); 3380 return; 3381 } 3382 haskellsecp256k1_v0_1_0_scalar_mul(&t, x, &l); /* t = x*(1/x) */ 3383 CHECK(haskellsecp256k1_v0_1_0_scalar_is_one(&t)); /* x*(1/x) == 1 */ 3384 haskellsecp256k1_v0_1_0_scalar_add(&r, x, &scalar_minus_one); /* r = x-1 */ 3385 if (haskellsecp256k1_v0_1_0_scalar_is_zero(&r)) return; 3386 (var ? haskellsecp256k1_v0_1_0_scalar_inverse_var : haskellsecp256k1_v0_1_0_scalar_inverse)(&r, &r); /* r = 1/(x-1) */ 3387 haskellsecp256k1_v0_1_0_scalar_add(&l, &scalar_minus_one, &l); /* l = 1/x-1 */ 3388 (var ? haskellsecp256k1_v0_1_0_scalar_inverse_var : haskellsecp256k1_v0_1_0_scalar_inverse)(&l, &l); /* l = 1/(1/x-1) */ 3389 haskellsecp256k1_v0_1_0_scalar_add(&l, &l, &haskellsecp256k1_v0_1_0_scalar_one); /* l = 1/(1/x-1)+1 */ 3390 haskellsecp256k1_v0_1_0_scalar_add(&l, &r, &l); /* l = 1/(1/x-1)+1 + 1/(x-1) */ 3391 CHECK(haskellsecp256k1_v0_1_0_scalar_is_zero(&l)); /* l == 0 */ 3392 } 3393 3394 static void test_inverse_field(haskellsecp256k1_v0_1_0_fe* out, const haskellsecp256k1_v0_1_0_fe* x, int var) 3395 { 3396 haskellsecp256k1_v0_1_0_fe l, r, t; 3397 3398 (var ? haskellsecp256k1_v0_1_0_fe_inv_var : haskellsecp256k1_v0_1_0_fe_inv)(&l, x) ; /* l = 1/x */ 3399 if (out) *out = l; 3400 t = *x; /* t = x */ 3401 if (haskellsecp256k1_v0_1_0_fe_normalizes_to_zero_var(&t)) { 3402 CHECK(haskellsecp256k1_v0_1_0_fe_normalizes_to_zero(&l)); 3403 return; 3404 } 3405 haskellsecp256k1_v0_1_0_fe_mul(&t, x, &l); /* t = x*(1/x) */ 3406 haskellsecp256k1_v0_1_0_fe_add(&t, &fe_minus_one); /* t = x*(1/x)-1 */ 3407 CHECK(haskellsecp256k1_v0_1_0_fe_normalizes_to_zero(&t)); /* x*(1/x)-1 == 0 */ 3408 r = *x; /* r = x */ 3409 haskellsecp256k1_v0_1_0_fe_add(&r, &fe_minus_one); /* r = x-1 */ 3410 if (haskellsecp256k1_v0_1_0_fe_normalizes_to_zero_var(&r)) return; 3411 (var ? haskellsecp256k1_v0_1_0_fe_inv_var : haskellsecp256k1_v0_1_0_fe_inv)(&r, &r); /* r = 1/(x-1) */ 3412 haskellsecp256k1_v0_1_0_fe_add(&l, &fe_minus_one); /* l = 1/x-1 */ 3413 (var ? haskellsecp256k1_v0_1_0_fe_inv_var : haskellsecp256k1_v0_1_0_fe_inv)(&l, &l); /* l = 1/(1/x-1) */ 3414 haskellsecp256k1_v0_1_0_fe_add_int(&l, 1); /* l = 1/(1/x-1)+1 */ 3415 haskellsecp256k1_v0_1_0_fe_add(&l, &r); /* l = 1/(1/x-1)+1 + 1/(x-1) */ 3416 CHECK(haskellsecp256k1_v0_1_0_fe_normalizes_to_zero_var(&l)); /* l == 0 */ 3417 } 3418 3419 static void run_inverse_tests(void) 3420 { 3421 /* Fixed test cases for field inverses: pairs of (x, 1/x) mod p. */ 3422 static const haskellsecp256k1_v0_1_0_fe fe_cases[][2] = { 3423 /* 0 */ 3424 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0), 3425 SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0)}, 3426 /* 1 */ 3427 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1), 3428 SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1)}, 3429 /* -1 */ 3430 {SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e), 3431 SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e)}, 3432 /* 2 */ 3433 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2), 3434 SECP256K1_FE_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x7ffffe18)}, 3435 /* 2**128 */ 3436 {SECP256K1_FE_CONST(0, 0, 0, 1, 0, 0, 0, 0), 3437 SECP256K1_FE_CONST(0xbcb223fe, 0xdc24a059, 0xd838091d, 0xd2253530, 0xffffffff, 0xffffffff, 0xffffffff, 0x434dd931)}, 3438 /* Input known to need 637 divsteps */ 3439 {SECP256K1_FE_CONST(0xe34e9c95, 0x6bee8a84, 0x0dcb632a, 0xdb8a1320, 0x66885408, 0x06f3f996, 0x7c11ca84, 0x19199ec3), 3440 SECP256K1_FE_CONST(0xbd2cbd8f, 0x1c536828, 0x9bccda44, 0x2582ac0c, 0x870152b0, 0x8a3f09fb, 0x1aaadf92, 0x19b618e5)}, 3441 /* Input known to need 567 divsteps starting with delta=1/2. */ 3442 {SECP256K1_FE_CONST(0xf6bc3ba3, 0x636451c4, 0x3e46357d, 0x2c21d619, 0x0988e234, 0x15985661, 0x6672982b, 0xa7549bfc), 3443 SECP256K1_FE_CONST(0xb024fdc7, 0x5547451e, 0x426c585f, 0xbd481425, 0x73df6b75, 0xeef6d9d0, 0x389d87d4, 0xfbb440ba)}, 3444 /* Input known to need 566 divsteps starting with delta=1/2. */ 3445 {SECP256K1_FE_CONST(0xb595d81b, 0x2e3c1e2f, 0x482dbc65, 0xe4865af7, 0x9a0a50aa, 0x29f9e618, 0x6f87d7a5, 0x8d1063ae), 3446 SECP256K1_FE_CONST(0xc983337c, 0x5d5c74e1, 0x49918330, 0x0b53afb5, 0xa0428a0b, 0xce6eef86, 0x059bd8ef, 0xe5b908de)}, 3447 /* Set of 10 inputs accessing all 128 entries in the modinv32 divsteps_var table */ 3448 {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0xe0ff1f80, 0x1f000000, 0x00000000, 0x00000000, 0xfeff0100, 0x00000000), 3449 SECP256K1_FE_CONST(0x9faf9316, 0x77e5049d, 0x0b5e7a1b, 0xef70b893, 0x18c9e30c, 0x045e7fd7, 0x29eddf8c, 0xd62e9e3d)}, 3450 {SECP256K1_FE_CONST(0x621a538d, 0x511b2780, 0x35688252, 0x53f889a4, 0x6317c3ac, 0x32ba0a46, 0x6277c0d1, 0xccd31192), 3451 SECP256K1_FE_CONST(0x38513b0c, 0x5eba856f, 0xe29e882e, 0x9b394d8c, 0x34bda011, 0xeaa66943, 0x6a841a4c, 0x6ae8bcff)}, 3452 {SECP256K1_FE_CONST(0x00000200, 0xf0ffff1f, 0x00000000, 0x0000e0ff, 0xffffffff, 0xfffcffff, 0xffffffff, 0xffff0100), 3453 SECP256K1_FE_CONST(0x5da42a52, 0x3640de9e, 0x13e64343, 0x0c7591b7, 0x6c1e3519, 0xf048c5b6, 0x0484217c, 0xedbf8b2f)}, 3454 {SECP256K1_FE_CONST(0xd1343ef9, 0x4b952621, 0x7c52a2ee, 0x4ea1281b, 0x4ab46410, 0x9f26998d, 0xa686a8ff, 0x9f2103e8), 3455 SECP256K1_FE_CONST(0x84044385, 0x9a4619bf, 0x74e35b6d, 0xa47e0c46, 0x6b7fb47d, 0x9ffab128, 0xb0775aa3, 0xcb318bd1)}, 3456 {SECP256K1_FE_CONST(0xb27235d2, 0xc56a52be, 0x210db37a, 0xd50d23a4, 0xbe621bdd, 0x5df22c6a, 0xe926ba62, 0xd2e4e440), 3457 SECP256K1_FE_CONST(0x67a26e54, 0x483a9d3c, 0xa568469e, 0xd258ab3d, 0xb9ec9981, 0xdca9b1bd, 0x8d2775fe, 0x53ae429b)}, 3458 {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0x00e0ffff, 0xffffff83, 0xffffffff, 0x3f00f00f, 0x000000e0, 0xffffffff), 3459 SECP256K1_FE_CONST(0x310e10f8, 0x23bbfab0, 0xac94907d, 0x076c9a45, 0x8d357d7f, 0xc763bcee, 0x00d0e615, 0x5a6acef6)}, 3460 {SECP256K1_FE_CONST(0xfeff0300, 0x001c0000, 0xf80700c0, 0x0ff0ffff, 0xffffffff, 0x0fffffff, 0xffff0100, 0x7f0000fe), 3461 SECP256K1_FE_CONST(0x28e2fdb4, 0x0709168b, 0x86f598b0, 0x3453a370, 0x530cf21f, 0x32f978d5, 0x1d527a71, 0x59269b0c)}, 3462 {SECP256K1_FE_CONST(0xc2591afa, 0x7bb98ef7, 0x090bb273, 0x85c14f87, 0xbb0b28e0, 0x54d3c453, 0x85c66753, 0xd5574d2f), 3463 SECP256K1_FE_CONST(0xfdca70a2, 0x70ce627c, 0x95e66fae, 0x848a6dbb, 0x07ffb15c, 0x5f63a058, 0xba4140ed, 0x6113b503)}, 3464 {SECP256K1_FE_CONST(0xf5475db3, 0xedc7b5a3, 0x411c047e, 0xeaeb452f, 0xc625828e, 0x1cf5ad27, 0x8eec1060, 0xc7d3e690), 3465 SECP256K1_FE_CONST(0x5eb756c0, 0xf963f4b9, 0xdc6a215e, 0xec8cc2d8, 0x2e9dec01, 0xde5eb88d, 0x6aba7164, 0xaecb2c5a)}, 3466 {SECP256K1_FE_CONST(0x00000000, 0x00f8ffff, 0xffffffff, 0x01000000, 0xe0ff1f00, 0x00000000, 0xffffff7f, 0x00000000), 3467 SECP256K1_FE_CONST(0xe0d2e3d8, 0x49b6157d, 0xe54e88c2, 0x1a7f02ca, 0x7dd28167, 0xf1125d81, 0x7bfa444e, 0xbe110037)}, 3468 /* Selection of randomly generated inputs that reach high/low d/e values in various configurations. */ 3469 {SECP256K1_FE_CONST(0x13cc08a4, 0xd8c41f0f, 0x179c3e67, 0x54c46c67, 0xc4109221, 0x09ab3b13, 0xe24d9be1, 0xffffe950), 3470 SECP256K1_FE_CONST(0xb80c8006, 0xd16abaa7, 0xcabd71e5, 0xcf6714f4, 0x966dd3d0, 0x64767a2d, 0xe92c4441, 0x51008cd1)}, 3471 {SECP256K1_FE_CONST(0xaa6db990, 0x95efbca1, 0x3cc6ff71, 0x0602e24a, 0xf49ff938, 0x99fffc16, 0x46f40993, 0xc6e72057), 3472 SECP256K1_FE_CONST(0xd5d3dd69, 0xb0c195e5, 0x285f1d49, 0xe639e48c, 0x9223f8a9, 0xca1d731d, 0x9ca482f9, 0xa5b93e06)}, 3473 {SECP256K1_FE_CONST(0x1c680eac, 0xaeabffd8, 0x9bdc4aee, 0x1781e3de, 0xa3b08108, 0x0015f2e0, 0x94449e1b, 0x2f67a058), 3474 SECP256K1_FE_CONST(0x7f083f8d, 0x31254f29, 0x6510f475, 0x245c373d, 0xc5622590, 0x4b323393, 0x32ed1719, 0xc127444b)}, 3475 {SECP256K1_FE_CONST(0x147d44b3, 0x012d83f8, 0xc160d386, 0x1a44a870, 0x9ba6be96, 0x8b962707, 0x267cbc1a, 0xb65b2f0a), 3476 SECP256K1_FE_CONST(0x555554ff, 0x170aef1e, 0x50a43002, 0xe51fbd36, 0xafadb458, 0x7a8aded1, 0x0ca6cd33, 0x6ed9087c)}, 3477 {SECP256K1_FE_CONST(0x12423796, 0x22f0fe61, 0xf9ca017c, 0x5384d107, 0xa1fbf3b2, 0x3b018013, 0x916a3c37, 0x4000b98c), 3478 SECP256K1_FE_CONST(0x20257700, 0x08668f94, 0x1177e306, 0x136c01f5, 0x8ed1fbd2, 0x95ec4589, 0xae38edb9, 0xfd19b6d7)}, 3479 {SECP256K1_FE_CONST(0xdcf2d030, 0x9ab42cb4, 0x93ffa181, 0xdcd23619, 0x39699b52, 0x08909a20, 0xb5a17695, 0x3a9dcf21), 3480 SECP256K1_FE_CONST(0x1f701dea, 0xe211fb1f, 0x4f37180d, 0x63a0f51c, 0x29fe1e40, 0xa40b6142, 0x2e7b12eb, 0x982b06b6)}, 3481 {SECP256K1_FE_CONST(0x79a851f6, 0xa6314ed3, 0xb35a55e6, 0xca1c7d7f, 0xe32369ea, 0xf902432e, 0x375308c5, 0xdfd5b600), 3482 SECP256K1_FE_CONST(0xcaae00c5, 0xe6b43851, 0x9dabb737, 0x38cba42c, 0xa02c8549, 0x7895dcbf, 0xbd183d71, 0xafe4476a)}, 3483 {SECP256K1_FE_CONST(0xede78fdd, 0xcfc92bf1, 0x4fec6c6c, 0xdb8d37e2, 0xfb66bc7b, 0x28701870, 0x7fa27c9a, 0x307196ec), 3484 SECP256K1_FE_CONST(0x68193a6c, 0x9a8b87a7, 0x2a760c64, 0x13e473f6, 0x23ae7bed, 0x1de05422, 0x88865427, 0xa3418265)}, 3485 {SECP256K1_FE_CONST(0xa40b2079, 0xb8f88e89, 0xa7617997, 0x89baf5ae, 0x174df343, 0x75138eae, 0x2711595d, 0x3fc3e66c), 3486 SECP256K1_FE_CONST(0x9f99c6a5, 0x6d685267, 0xd4b87c37, 0x9d9c4576, 0x358c692b, 0x6bbae0ed, 0x3389c93d, 0x7fdd2655)}, 3487 {SECP256K1_FE_CONST(0x7c74c6b6, 0xe98d9151, 0x72645cf1, 0x7f06e321, 0xcefee074, 0x15b2113a, 0x10a9be07, 0x08a45696), 3488 SECP256K1_FE_CONST(0x8c919a88, 0x898bc1e0, 0x77f26f97, 0x12e655b7, 0x9ba0ac40, 0xe15bb19e, 0x8364cc3b, 0xe227a8ee)}, 3489 {SECP256K1_FE_CONST(0x109ba1ce, 0xdafa6d4a, 0xa1cec2b2, 0xeb1069f4, 0xb7a79e5b, 0xec6eb99b, 0xaec5f643, 0xee0e723e), 3490 SECP256K1_FE_CONST(0x93d13eb8, 0x4bb0bcf9, 0xe64f5a71, 0xdbe9f359, 0x7191401c, 0x6f057a4a, 0xa407fe1b, 0x7ecb65cc)}, 3491 {SECP256K1_FE_CONST(0x3db076cd, 0xec74a5c9, 0xf61dd138, 0x90e23e06, 0xeeedd2d0, 0x74cbc4e0, 0x3dbe1e91, 0xded36a78), 3492 SECP256K1_FE_CONST(0x3f07f966, 0x8e2a1e09, 0x706c71df, 0x02b5e9d5, 0xcb92ddbf, 0xcdd53010, 0x16545564, 0xe660b107)}, 3493 {SECP256K1_FE_CONST(0xe31c73ed, 0xb4c4b82c, 0x02ae35f7, 0x4cdec153, 0x98b522fd, 0xf7d2460c, 0x6bf7c0f8, 0x4cf67b0d), 3494 SECP256K1_FE_CONST(0x4b8f1faf, 0x94e8b070, 0x19af0ff6, 0xa319cd31, 0xdf0a7ffb, 0xefaba629, 0x59c50666, 0x1fe5b843)}, 3495 {SECP256K1_FE_CONST(0x4c8b0e6e, 0x83392ab6, 0xc0e3e9f1, 0xbbd85497, 0x16698897, 0xf552d50d, 0x79652ddb, 0x12f99870), 3496 SECP256K1_FE_CONST(0x56d5101f, 0xd23b7949, 0x17dc38d6, 0xf24022ef, 0xcf18e70a, 0x5cc34424, 0x438544c3, 0x62da4bca)}, 3497 {SECP256K1_FE_CONST(0xb0e040e2, 0x40cc35da, 0x7dd5c611, 0x7fccb178, 0x28888137, 0xbc930358, 0xea2cbc90, 0x775417dc), 3498 SECP256K1_FE_CONST(0xca37f0d4, 0x016dd7c8, 0xab3ae576, 0x96e08d69, 0x68ed9155, 0xa9b44270, 0x900ae35d, 0x7c7800cd)}, 3499 {SECP256K1_FE_CONST(0x8a32ea49, 0x7fbb0bae, 0x69724a9d, 0x8e2105b2, 0xbdf69178, 0x862577ef, 0x35055590, 0x667ddaef), 3500 SECP256K1_FE_CONST(0xd02d7ead, 0xc5e190f0, 0x559c9d72, 0xdaef1ffc, 0x64f9f425, 0xf43645ea, 0x7341e08d, 0x11768e96)}, 3501 {SECP256K1_FE_CONST(0xa3592d98, 0x9abe289d, 0x579ebea6, 0xbb0857a8, 0xe242ab73, 0x85f9a2ce, 0xb6998f0f, 0xbfffbfc6), 3502 SECP256K1_FE_CONST(0x093c1533, 0x32032efa, 0x6aa46070, 0x0039599e, 0x589c35f4, 0xff525430, 0x7fe3777a, 0x44b43ddc)}, 3503 {SECP256K1_FE_CONST(0x647178a3, 0x229e607b, 0xcc98521a, 0xcce3fdd9, 0x1e1bc9c9, 0x97fb7c6a, 0x61b961e0, 0x99b10709), 3504 SECP256K1_FE_CONST(0x98217c13, 0xd51ddf78, 0x96310e77, 0xdaebd908, 0x602ca683, 0xcb46d07a, 0xa1fcf17e, 0xc8e2feb3)}, 3505 {SECP256K1_FE_CONST(0x7334627c, 0x73f98968, 0x99464b4b, 0xf5964958, 0x1b95870d, 0xc658227e, 0x5e3235d8, 0xdcab5787), 3506 SECP256K1_FE_CONST(0x000006fd, 0xc7e9dd94, 0x40ae367a, 0xe51d495c, 0x07603b9b, 0x2d088418, 0x6cc5c74c, 0x98514307)}, 3507 {SECP256K1_FE_CONST(0x82e83876, 0x96c28938, 0xa50dd1c5, 0x605c3ad1, 0xc048637d, 0x7a50825f, 0x335ed01a, 0x00005760), 3508 SECP256K1_FE_CONST(0xb0393f9f, 0x9f2aa55e, 0xf5607e2e, 0x5287d961, 0x60b3e704, 0xf3e16e80, 0xb4f9a3ea, 0xfec7f02d)}, 3509 {SECP256K1_FE_CONST(0xc97b6cec, 0x3ee6b8dc, 0x98d24b58, 0x3c1970a1, 0xfe06297a, 0xae813529, 0xe76bb6bd, 0x771ae51d), 3510 SECP256K1_FE_CONST(0x0507c702, 0xd407d097, 0x47ddeb06, 0xf6625419, 0x79f48f79, 0x7bf80d0b, 0xfc34b364, 0x253a5db1)}, 3511 {SECP256K1_FE_CONST(0xd559af63, 0x77ea9bc4, 0x3cf1ad14, 0x5c7a4bbb, 0x10e7d18b, 0x7ce0dfac, 0x380bb19d, 0x0bb99bd3), 3512 SECP256K1_FE_CONST(0x00196119, 0xb9b00d92, 0x34edfdb5, 0xbbdc42fc, 0xd2daa33a, 0x163356ca, 0xaa8754c8, 0xb0ec8b0b)}, 3513 {SECP256K1_FE_CONST(0x8ddfa3dc, 0x52918da0, 0x640519dc, 0x0af8512a, 0xca2d33b2, 0xbde52514, 0xda9c0afc, 0xcb29fce4), 3514 SECP256K1_FE_CONST(0xb3e4878d, 0x5cb69148, 0xcd54388b, 0xc23acce0, 0x62518ba8, 0xf09def92, 0x7b31e6aa, 0x6ba35b02)}, 3515 {SECP256K1_FE_CONST(0xf8207492, 0xe3049f0a, 0x65285f2b, 0x0bfff996, 0x00ca112e, 0xc05da837, 0x546d41f9, 0x5194fb91), 3516 SECP256K1_FE_CONST(0x7b7ee50b, 0xa8ed4bbd, 0xf6469930, 0x81419a5c, 0x071441c7, 0x290d046e, 0x3b82ea41, 0x611c5f95)}, 3517 {SECP256K1_FE_CONST(0x050f7c80, 0x5bcd3c6b, 0x823cb724, 0x5ce74db7, 0xa4e39f5c, 0xbd8828d7, 0xfd4d3e07, 0x3ec2926a), 3518 SECP256K1_FE_CONST(0x000d6730, 0xb0171314, 0x4764053d, 0xee157117, 0x48fd61da, 0xdea0b9db, 0x1d5e91c6, 0xbdc3f59e)}, 3519 {SECP256K1_FE_CONST(0x3e3ea8eb, 0x05d760cf, 0x23009263, 0xb3cb3ac9, 0x088f6f0d, 0x3fc182a3, 0xbd57087c, 0xe67c62f9), 3520 SECP256K1_FE_CONST(0xbe988716, 0xa29c1bf6, 0x4456aed6, 0xab1e4720, 0x49929305, 0x51043bf4, 0xebd833dd, 0xdd511e8b)}, 3521 {SECP256K1_FE_CONST(0x6964d2a9, 0xa7fa6501, 0xa5959249, 0x142f4029, 0xea0c1b5f, 0x2f487ef6, 0x301ac80a, 0x768be5cd), 3522 SECP256K1_FE_CONST(0x3918ffe4, 0x07492543, 0xed24d0b7, 0x3df95f8f, 0xaffd7cb4, 0x0de2191c, 0x9ec2f2ad, 0x2c0cb3c6)}, 3523 {SECP256K1_FE_CONST(0x37c93520, 0xf6ddca57, 0x2b42fd5e, 0xb5c7e4de, 0x11b5b81c, 0xb95e91f3, 0x95c4d156, 0x39877ccb), 3524 SECP256K1_FE_CONST(0x9a94b9b5, 0x57eb71ee, 0x4c975b8b, 0xac5262a8, 0x077b0595, 0xe12a6b1f, 0xd728edef, 0x1a6bf956)} 3525 }; 3526 /* Fixed test cases for scalar inverses: pairs of (x, 1/x) mod n. */ 3527 static const haskellsecp256k1_v0_1_0_scalar scalar_cases[][2] = { 3528 /* 0 */ 3529 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0), 3530 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0)}, 3531 /* 1 */ 3532 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1), 3533 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1)}, 3534 /* -1 */ 3535 {SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140), 3536 SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140)}, 3537 /* 2 */ 3538 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 2), 3539 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x5d576e73, 0x57a4501d, 0xdfe92f46, 0x681b20a1)}, 3540 /* 2**128 */ 3541 {SECP256K1_SCALAR_CONST(0, 0, 0, 1, 0, 0, 0, 0), 3542 SECP256K1_SCALAR_CONST(0x50a51ac8, 0x34b9ec24, 0x4b0dff66, 0x5588b13e, 0x9984d5b3, 0xcf80ef0f, 0xd6a23766, 0xa3ee9f22)}, 3543 /* Input known to need 635 divsteps */ 3544 {SECP256K1_SCALAR_CONST(0xcb9f1d35, 0xdd4416c2, 0xcd71bf3f, 0x6365da66, 0x3c9b3376, 0x8feb7ae9, 0x32a5ef60, 0x19199ec3), 3545 SECP256K1_SCALAR_CONST(0x1d7c7bba, 0xf1893d53, 0xb834bd09, 0x36b411dc, 0x42c2e42f, 0xec72c428, 0x5e189791, 0x8e9bc708)}, 3546 /* Input known to need 566 divsteps starting with delta=1/2. */ 3547 {SECP256K1_SCALAR_CONST(0x7e3c993d, 0xa4272488, 0xbc015b49, 0x2db54174, 0xd382083a, 0xebe6db35, 0x80f82eff, 0xcd132c72), 3548 SECP256K1_SCALAR_CONST(0x086f34a0, 0x3e631f76, 0x77418f28, 0xcc84ac95, 0x6304439d, 0x365db268, 0x312c6ded, 0xd0b934f8)}, 3549 /* Input known to need 565 divsteps starting with delta=1/2. */ 3550 {SECP256K1_SCALAR_CONST(0xbad7e587, 0x3f307859, 0x60d93147, 0x8a18491e, 0xb38a9fd5, 0x254350d3, 0x4b1f0e4b, 0x7dd6edc4), 3551 SECP256K1_SCALAR_CONST(0x89f2df26, 0x39e2b041, 0xf19bd876, 0xd039c8ac, 0xc2223add, 0x29c4943e, 0x6632d908, 0x515f467b)}, 3552 /* Selection of randomly generated inputs that reach low/high d/e values in various configurations. */ 3553 {SECP256K1_SCALAR_CONST(0x1950d757, 0xb37a5809, 0x435059bb, 0x0bb8997e, 0x07e1e3c8, 0x5e5d7d2c, 0x6a0ed8e3, 0xdbde180e), 3554 SECP256K1_SCALAR_CONST(0xbf72af9b, 0x750309e2, 0x8dda230b, 0xfe432b93, 0x7e25e475, 0x4388251e, 0x633d894b, 0x3bcb6f8c)}, 3555 {SECP256K1_SCALAR_CONST(0x9bccf4e7, 0xc5a515e3, 0x50637aa9, 0xbb65a13f, 0x391749a1, 0x62de7d4e, 0xf6d7eabb, 0x3cd10ce0), 3556 SECP256K1_SCALAR_CONST(0xaf2d5623, 0xb6385a33, 0xcd0365be, 0x5e92a70d, 0x7f09179c, 0x3baaf30f, 0x8f9cc83b, 0x20092f67)}, 3557 {SECP256K1_SCALAR_CONST(0x73a57111, 0xb242952a, 0x5c5dee59, 0xf3be2ace, 0xa30a7659, 0xa46e5f47, 0xd21267b1, 0x39e642c9), 3558 SECP256K1_SCALAR_CONST(0xa711df07, 0xcbcf13ef, 0xd61cc6be, 0xbcd058ce, 0xb02cf157, 0x272d4a18, 0x86d0feb3, 0xcd5fa004)}, 3559 {SECP256K1_SCALAR_CONST(0x04884963, 0xce0580b1, 0xba547030, 0x3c691db3, 0x9cd2c84f, 0x24c7cebd, 0x97ebfdba, 0x3e785ec2), 3560 SECP256K1_SCALAR_CONST(0xaaaaaf14, 0xd7c99ba7, 0x517ce2c1, 0x78a28b4c, 0x3769a851, 0xe5c5a03d, 0x4cc28f33, 0x0ec4dc5d)}, 3561 {SECP256K1_SCALAR_CONST(0x1679ed49, 0x21f537b1, 0x815cb8ae, 0x9efc511c, 0x5b9fa037, 0x0b0f275e, 0x6c985281, 0x6c4a9905), 3562 SECP256K1_SCALAR_CONST(0xb14ac3d5, 0x62b52999, 0xef34ead1, 0xffca4998, 0x0294341a, 0x1f8172aa, 0xea1624f9, 0x302eea62)}, 3563 {SECP256K1_SCALAR_CONST(0x626b37c0, 0xf0057c35, 0xee982f83, 0x452a1fd3, 0xea826506, 0x48b08a9d, 0x1d2c4799, 0x4ad5f6ec), 3564 SECP256K1_SCALAR_CONST(0xe38643b7, 0x567bfc2f, 0x5d2f1c15, 0xe327239c, 0x07112443, 0x69509283, 0xfd98e77a, 0xdb71c1e8)}, 3565 {SECP256K1_SCALAR_CONST(0x1850a3a7, 0x759efc56, 0x54f287b2, 0x14d1234b, 0xe263bbc9, 0xcf4d8927, 0xd5f85f27, 0x965bd816), 3566 SECP256K1_SCALAR_CONST(0x3b071831, 0xcac9619a, 0xcceb0596, 0xf614d63b, 0x95d0db2f, 0xc6a00901, 0x8eaa2621, 0xabfa0009)}, 3567 {SECP256K1_SCALAR_CONST(0x94ae5d06, 0xa27dc400, 0x487d72be, 0xaa51ebed, 0xe475b5c0, 0xea675ffc, 0xf4df627a, 0xdca4222f), 3568 SECP256K1_SCALAR_CONST(0x01b412ed, 0xd7830956, 0x1532537e, 0xe5e3dc99, 0x8fd3930a, 0x54f8d067, 0x32ef5760, 0x594438a5)}, 3569 {SECP256K1_SCALAR_CONST(0x1f24278a, 0xb5bfe374, 0xa328dbbc, 0xebe35f48, 0x6620e009, 0xd58bb1b4, 0xb5a6bf84, 0x8815f63a), 3570 SECP256K1_SCALAR_CONST(0xfe928416, 0xca5ba2d3, 0xfde513da, 0x903a60c7, 0x9e58ad8a, 0x8783bee4, 0x083a3843, 0xa608c914)}, 3571 {SECP256K1_SCALAR_CONST(0xdc107d58, 0x274f6330, 0x67dba8bc, 0x26093111, 0x5201dfb8, 0x968ce3f5, 0xf34d1bd4, 0xf2146504), 3572 SECP256K1_SCALAR_CONST(0x660cfa90, 0x13c3d93e, 0x7023b1e5, 0xedd09e71, 0x6d9c9d10, 0x7a3d2cdb, 0xdd08edc3, 0xaa78fcfb)}, 3573 {SECP256K1_SCALAR_CONST(0x7cd1e905, 0xc6f02776, 0x2f551cc7, 0x5da61cff, 0x7da05389, 0x1119d5a4, 0x631c7442, 0x894fd4f7), 3574 SECP256K1_SCALAR_CONST(0xff20862a, 0x9d3b1a37, 0x1628803b, 0x3004ccae, 0xaa23282a, 0xa89a1109, 0xd94ece5e, 0x181bdc46)}, 3575 {SECP256K1_SCALAR_CONST(0x5b9dade8, 0x23d26c58, 0xcd12d818, 0x25b8ae97, 0x3dea04af, 0xf482c96b, 0xa062f254, 0x9e453640), 3576 SECP256K1_SCALAR_CONST(0x50c38800, 0x15fa53f4, 0xbe1e5392, 0x5c9b120a, 0x262c22c7, 0x18fa0816, 0x5f2baab4, 0x8cb5db46)}, 3577 {SECP256K1_SCALAR_CONST(0x11cdaeda, 0x969c464b, 0xef1f4ab0, 0x5b01d22e, 0x656fd098, 0x882bea84, 0x65cdbe7a, 0x0c19ff03), 3578 SECP256K1_SCALAR_CONST(0x1968d0fa, 0xac46f103, 0xb55f1f72, 0xb3820bed, 0xec6b359a, 0x4b1ae0ad, 0x7e38e1fb, 0x295ccdfb)}, 3579 {SECP256K1_SCALAR_CONST(0x2c351aa1, 0x26e91589, 0x194f8a1e, 0x06561f66, 0x0cb97b7f, 0x10914454, 0x134d1c03, 0x157266b4), 3580 SECP256K1_SCALAR_CONST(0xbe49ada6, 0x92bd8711, 0x41b176c4, 0xa478ba95, 0x14883434, 0x9d1cd6f3, 0xcc4b847d, 0x22af80f5)}, 3581 {SECP256K1_SCALAR_CONST(0x6ba07c6e, 0x13a60edb, 0x6247f5c3, 0x84b5fa56, 0x76fe3ec5, 0x80426395, 0xf65ec2ae, 0x623ba730), 3582 SECP256K1_SCALAR_CONST(0x25ac23f7, 0x418cd747, 0x98376f9d, 0x4a11c7bf, 0x24c8ebfe, 0x4c8a8655, 0x345f4f52, 0x1c515595)}, 3583 {SECP256K1_SCALAR_CONST(0x9397a712, 0x8abb6951, 0x2d4a3d54, 0x703b1c2a, 0x0661dca8, 0xd75c9b31, 0xaed4d24b, 0xd2ab2948), 3584 SECP256K1_SCALAR_CONST(0xc52e8bef, 0xd55ce3eb, 0x1c897739, 0xeb9fb606, 0x36b9cd57, 0x18c51cc2, 0x6a87489e, 0xffd0dcf3)}, 3585 {SECP256K1_SCALAR_CONST(0xe6a808cc, 0xeb437888, 0xe97798df, 0x4e224e44, 0x7e3b380a, 0x207c1653, 0x889f3212, 0xc6738b6f), 3586 SECP256K1_SCALAR_CONST(0x31f9ae13, 0xd1e08b20, 0x757a2e5e, 0x5243a0eb, 0x8ae35f73, 0x19bb6122, 0xb910f26b, 0xda70aa55)}, 3587 {SECP256K1_SCALAR_CONST(0xd0320548, 0xab0effe7, 0xa70779e0, 0x61a347a6, 0xb8c1e010, 0x9d5281f8, 0x2ee588a6, 0x80000000), 3588 SECP256K1_SCALAR_CONST(0x1541897e, 0x78195c90, 0x7583dd9e, 0x728b6100, 0xbce8bc6d, 0x7a53b471, 0x5dcd9e45, 0x4425fcaf)}, 3589 {SECP256K1_SCALAR_CONST(0x93d623f1, 0xd45b50b0, 0x796e9186, 0x9eac9407, 0xd30edc20, 0xef6304cf, 0x250494e7, 0xba503de9), 3590 SECP256K1_SCALAR_CONST(0x7026d638, 0x1178b548, 0x92043952, 0x3c7fb47c, 0xcd3ea236, 0x31d82b01, 0x612fc387, 0x80b9b957)}, 3591 {SECP256K1_SCALAR_CONST(0xf860ab39, 0x55f5d412, 0xa4d73bcc, 0x3b48bd90, 0xc248ffd3, 0x13ca10be, 0x8fba84cc, 0xdd28d6a3), 3592 SECP256K1_SCALAR_CONST(0x5c32fc70, 0xe0b15d67, 0x76694700, 0xfe62be4d, 0xeacdb229, 0x7a4433d9, 0x52155cd0, 0x7649ab59)}, 3593 {SECP256K1_SCALAR_CONST(0x4e41311c, 0x0800af58, 0x7a690a8e, 0xe175c9ba, 0x6981ab73, 0xac532ea8, 0x5c1f5e63, 0x6ac1f189), 3594 SECP256K1_SCALAR_CONST(0xfffffff9, 0xd075982c, 0x7fbd3825, 0xc05038a2, 0x4533b91f, 0x94ec5f45, 0xb280b28f, 0x842324dc)}, 3595 {SECP256K1_SCALAR_CONST(0x48e473bf, 0x3555eade, 0xad5d7089, 0x2424c4e4, 0x0a99397c, 0x2dc796d8, 0xb7a43a69, 0xd0364141), 3596 SECP256K1_SCALAR_CONST(0x634976b2, 0xa0e47895, 0x1ec38593, 0x266d6fd0, 0x6f602644, 0x9bb762f1, 0x7180c704, 0xe23a4daa)}, 3597 {SECP256K1_SCALAR_CONST(0xbe83878d, 0x3292fc54, 0x26e71c62, 0x556ccedc, 0x7cbb8810, 0x4032a720, 0x34ead589, 0xe4d6bd13), 3598 SECP256K1_SCALAR_CONST(0x6cd150ad, 0x25e59d0f, 0x74cbae3d, 0x6377534a, 0x1e6562e8, 0xb71b9d18, 0xe1e5d712, 0x8480abb3)}, 3599 {SECP256K1_SCALAR_CONST(0xcdddf2e5, 0xefc15f88, 0xc9ee06de, 0x8a846ca9, 0x28561581, 0x68daa5fb, 0xd1cf3451, 0xeb1782d0), 3600 SECP256K1_SCALAR_CONST(0xffffffd9, 0xed8d2af4, 0x993c865a, 0x23e9681a, 0x3ca3a3dc, 0xe6d5a46e, 0xbd86bd87, 0x61b55c70)}, 3601 {SECP256K1_SCALAR_CONST(0xb6a18f1f, 0x04872df9, 0x08165ec4, 0x319ca19c, 0x6c0359ab, 0x1f7118fb, 0xc2ef8082, 0xca8b7785), 3602 SECP256K1_SCALAR_CONST(0xff55b19b, 0x0f1ac78c, 0x0f0c88c2, 0x2358d5ad, 0x5f455e4e, 0x3330b72f, 0x274dc153, 0xffbf272b)}, 3603 {SECP256K1_SCALAR_CONST(0xea4898e5, 0x30eba3e8, 0xcf0e5c3d, 0x06ec6844, 0x01e26fb6, 0x75636225, 0xc5d08f4c, 0x1decafa0), 3604 SECP256K1_SCALAR_CONST(0xe5a014a8, 0xe3c4ec1e, 0xea4f9b32, 0xcfc7b386, 0x00630806, 0x12c08d02, 0x6407ccc2, 0xb067d90e)}, 3605 {SECP256K1_SCALAR_CONST(0x70e9aea9, 0x7e933af0, 0x8a23bfab, 0x23e4b772, 0xff951863, 0x5ffcf47d, 0x6bebc918, 0x2ca58265), 3606 SECP256K1_SCALAR_CONST(0xf4e00006, 0x81bc6441, 0x4eb6ec02, 0xc194a859, 0x80ad7c48, 0xba4e9afb, 0x8b6bdbe0, 0x989d8f77)}, 3607 {SECP256K1_SCALAR_CONST(0x3c56c774, 0x46efe6f0, 0xe93618b8, 0xf9b5a846, 0xd247df61, 0x83b1e215, 0x06dc8bcc, 0xeefc1bf5), 3608 SECP256K1_SCALAR_CONST(0xfff8937a, 0x2cd9586b, 0x43c25e57, 0xd1cefa7a, 0x9fb91ed3, 0x95b6533d, 0x8ad0de5b, 0xafb93f00)}, 3609 {SECP256K1_SCALAR_CONST(0xfb5c2772, 0x5cb30e83, 0xe38264df, 0xe4e3ebf3, 0x392aa92e, 0xa68756a1, 0x51279ac5, 0xb50711a8), 3610 SECP256K1_SCALAR_CONST(0x000013af, 0x1105bfe7, 0xa6bbd7fb, 0x3d638f99, 0x3b266b02, 0x072fb8bc, 0x39251130, 0x2e0fd0ea)} 3611 }; 3612 int i, var, testrand; 3613 unsigned char b32[32]; 3614 haskellsecp256k1_v0_1_0_fe x_fe; 3615 haskellsecp256k1_v0_1_0_scalar x_scalar; 3616 memset(b32, 0, sizeof(b32)); 3617 /* Test fixed test cases through test_inverse_{scalar,field}, both ways. */ 3618 for (i = 0; (size_t)i < sizeof(fe_cases)/sizeof(fe_cases[0]); ++i) { 3619 for (var = 0; var <= 1; ++var) { 3620 test_inverse_field(&x_fe, &fe_cases[i][0], var); 3621 check_fe_equal(&x_fe, &fe_cases[i][1]); 3622 test_inverse_field(&x_fe, &fe_cases[i][1], var); 3623 check_fe_equal(&x_fe, &fe_cases[i][0]); 3624 } 3625 } 3626 for (i = 0; (size_t)i < sizeof(scalar_cases)/sizeof(scalar_cases[0]); ++i) { 3627 for (var = 0; var <= 1; ++var) { 3628 test_inverse_scalar(&x_scalar, &scalar_cases[i][0], var); 3629 CHECK(haskellsecp256k1_v0_1_0_scalar_eq(&x_scalar, &scalar_cases[i][1])); 3630 test_inverse_scalar(&x_scalar, &scalar_cases[i][1], var); 3631 CHECK(haskellsecp256k1_v0_1_0_scalar_eq(&x_scalar, &scalar_cases[i][0])); 3632 } 3633 } 3634 /* Test inputs 0..999 and their respective negations. */ 3635 for (i = 0; i < 1000; ++i) { 3636 b32[31] = i & 0xff; 3637 b32[30] = (i >> 8) & 0xff; 3638 haskellsecp256k1_v0_1_0_scalar_set_b32(&x_scalar, b32, NULL); 3639 haskellsecp256k1_v0_1_0_fe_set_b32_mod(&x_fe, b32); 3640 for (var = 0; var <= 1; ++var) { 3641 test_inverse_scalar(NULL, &x_scalar, var); 3642 test_inverse_field(NULL, &x_fe, var); 3643 } 3644 haskellsecp256k1_v0_1_0_scalar_negate(&x_scalar, &x_scalar); 3645 haskellsecp256k1_v0_1_0_fe_negate(&x_fe, &x_fe, 1); 3646 for (var = 0; var <= 1; ++var) { 3647 test_inverse_scalar(NULL, &x_scalar, var); 3648 test_inverse_field(NULL, &x_fe, var); 3649 } 3650 } 3651 /* test 128*count random inputs; half with testrand256_test, half with testrand256 */ 3652 for (testrand = 0; testrand <= 1; ++testrand) { 3653 for (i = 0; i < 64 * COUNT; ++i) { 3654 (testrand ? haskellsecp256k1_v0_1_0_testrand256_test : haskellsecp256k1_v0_1_0_testrand256)(b32); 3655 haskellsecp256k1_v0_1_0_scalar_set_b32(&x_scalar, b32, NULL); 3656 haskellsecp256k1_v0_1_0_fe_set_b32_mod(&x_fe, b32); 3657 for (var = 0; var <= 1; ++var) { 3658 test_inverse_scalar(NULL, &x_scalar, var); 3659 test_inverse_field(NULL, &x_fe, var); 3660 } 3661 } 3662 } 3663 } 3664 3665 /***** GROUP TESTS *****/ 3666 3667 /* This compares jacobian points including their Z, not just their geometric meaning. */ 3668 static int gej_xyz_equals_gej(const haskellsecp256k1_v0_1_0_gej *a, const haskellsecp256k1_v0_1_0_gej *b) { 3669 haskellsecp256k1_v0_1_0_gej a2; 3670 haskellsecp256k1_v0_1_0_gej b2; 3671 int ret = 1; 3672 ret &= a->infinity == b->infinity; 3673 if (ret && !a->infinity) { 3674 a2 = *a; 3675 b2 = *b; 3676 haskellsecp256k1_v0_1_0_fe_normalize(&a2.x); 3677 haskellsecp256k1_v0_1_0_fe_normalize(&a2.y); 3678 haskellsecp256k1_v0_1_0_fe_normalize(&a2.z); 3679 haskellsecp256k1_v0_1_0_fe_normalize(&b2.x); 3680 haskellsecp256k1_v0_1_0_fe_normalize(&b2.y); 3681 haskellsecp256k1_v0_1_0_fe_normalize(&b2.z); 3682 ret &= haskellsecp256k1_v0_1_0_fe_cmp_var(&a2.x, &b2.x) == 0; 3683 ret &= haskellsecp256k1_v0_1_0_fe_cmp_var(&a2.y, &b2.y) == 0; 3684 ret &= haskellsecp256k1_v0_1_0_fe_cmp_var(&a2.z, &b2.z) == 0; 3685 } 3686 return ret; 3687 } 3688 3689 static void test_ge(void) { 3690 int i, i1; 3691 int runs = 6; 3692 /* 25 points are used: 3693 * - infinity 3694 * - for each of four random points p1 p2 p3 p4, we add the point, its 3695 * negation, and then those two again but with randomized Z coordinate. 3696 * - The same is then done for lambda*p1 and lambda^2*p1. 3697 */ 3698 haskellsecp256k1_v0_1_0_ge *ge = (haskellsecp256k1_v0_1_0_ge *)checked_malloc(&CTX->error_callback, sizeof(haskellsecp256k1_v0_1_0_ge) * (1 + 4 * runs)); 3699 haskellsecp256k1_v0_1_0_gej *gej = (haskellsecp256k1_v0_1_0_gej *)checked_malloc(&CTX->error_callback, sizeof(haskellsecp256k1_v0_1_0_gej) * (1 + 4 * runs)); 3700 haskellsecp256k1_v0_1_0_fe zf, r; 3701 haskellsecp256k1_v0_1_0_fe zfi2, zfi3; 3702 3703 haskellsecp256k1_v0_1_0_gej_set_infinity(&gej[0]); 3704 haskellsecp256k1_v0_1_0_ge_clear(&ge[0]); 3705 haskellsecp256k1_v0_1_0_ge_set_gej_var(&ge[0], &gej[0]); 3706 for (i = 0; i < runs; i++) { 3707 int j, k; 3708 haskellsecp256k1_v0_1_0_ge g; 3709 random_group_element_test(&g); 3710 if (i >= runs - 2) { 3711 haskellsecp256k1_v0_1_0_ge_mul_lambda(&g, &ge[1]); 3712 CHECK(!haskellsecp256k1_v0_1_0_ge_eq_var(&g, &ge[1])); 3713 } 3714 if (i >= runs - 1) { 3715 haskellsecp256k1_v0_1_0_ge_mul_lambda(&g, &g); 3716 } 3717 ge[1 + 4 * i] = g; 3718 ge[2 + 4 * i] = g; 3719 haskellsecp256k1_v0_1_0_ge_neg(&ge[3 + 4 * i], &g); 3720 haskellsecp256k1_v0_1_0_ge_neg(&ge[4 + 4 * i], &g); 3721 haskellsecp256k1_v0_1_0_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]); 3722 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]); 3723 haskellsecp256k1_v0_1_0_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]); 3724 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]); 3725 for (j = 0; j < 4; j++) { 3726 random_ge_x_magnitude(&ge[1 + j + 4 * i]); 3727 random_ge_y_magnitude(&ge[1 + j + 4 * i]); 3728 random_gej_x_magnitude(&gej[1 + j + 4 * i]); 3729 random_gej_y_magnitude(&gej[1 + j + 4 * i]); 3730 random_gej_z_magnitude(&gej[1 + j + 4 * i]); 3731 } 3732 3733 for (j = 0; j < 4; ++j) { 3734 for (k = 0; k < 4; ++k) { 3735 int expect_equal = (j >> 1) == (k >> 1); 3736 CHECK(haskellsecp256k1_v0_1_0_ge_eq_var(&ge[1 + j + 4 * i], &ge[1 + k + 4 * i]) == expect_equal); 3737 CHECK(haskellsecp256k1_v0_1_0_gej_eq_var(&gej[1 + j + 4 * i], &gej[1 + k + 4 * i]) == expect_equal); 3738 CHECK(haskellsecp256k1_v0_1_0_gej_eq_ge_var(&gej[1 + j + 4 * i], &ge[1 + k + 4 * i]) == expect_equal); 3739 CHECK(haskellsecp256k1_v0_1_0_gej_eq_ge_var(&gej[1 + k + 4 * i], &ge[1 + j + 4 * i]) == expect_equal); 3740 } 3741 } 3742 } 3743 3744 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */ 3745 random_fe_non_zero_test(&zf); 3746 random_fe_magnitude(&zf); 3747 haskellsecp256k1_v0_1_0_fe_inv_var(&zfi3, &zf); 3748 haskellsecp256k1_v0_1_0_fe_sqr(&zfi2, &zfi3); 3749 haskellsecp256k1_v0_1_0_fe_mul(&zfi3, &zfi3, &zfi2); 3750 3751 /* Generate random r */ 3752 random_fe_non_zero_test(&r); 3753 3754 for (i1 = 0; i1 < 1 + 4 * runs; i1++) { 3755 int i2; 3756 for (i2 = 0; i2 < 1 + 4 * runs; i2++) { 3757 /* Compute reference result using gej + gej (var). */ 3758 haskellsecp256k1_v0_1_0_gej refj, resj; 3759 haskellsecp256k1_v0_1_0_ge ref; 3760 haskellsecp256k1_v0_1_0_fe zr; 3761 haskellsecp256k1_v0_1_0_gej_add_var(&refj, &gej[i1], &gej[i2], haskellsecp256k1_v0_1_0_gej_is_infinity(&gej[i1]) ? NULL : &zr); 3762 /* Check Z ratio. */ 3763 if (!haskellsecp256k1_v0_1_0_gej_is_infinity(&gej[i1]) && !haskellsecp256k1_v0_1_0_gej_is_infinity(&refj)) { 3764 haskellsecp256k1_v0_1_0_fe zrz; haskellsecp256k1_v0_1_0_fe_mul(&zrz, &zr, &gej[i1].z); 3765 CHECK(haskellsecp256k1_v0_1_0_fe_equal(&zrz, &refj.z)); 3766 } 3767 haskellsecp256k1_v0_1_0_ge_set_gej_var(&ref, &refj); 3768 3769 /* Test gej + ge with Z ratio result (var). */ 3770 haskellsecp256k1_v0_1_0_gej_add_ge_var(&resj, &gej[i1], &ge[i2], haskellsecp256k1_v0_1_0_gej_is_infinity(&gej[i1]) ? NULL : &zr); 3771 CHECK(haskellsecp256k1_v0_1_0_gej_eq_ge_var(&resj, &ref)); 3772 if (!haskellsecp256k1_v0_1_0_gej_is_infinity(&gej[i1]) && !haskellsecp256k1_v0_1_0_gej_is_infinity(&resj)) { 3773 haskellsecp256k1_v0_1_0_fe zrz; haskellsecp256k1_v0_1_0_fe_mul(&zrz, &zr, &gej[i1].z); 3774 CHECK(haskellsecp256k1_v0_1_0_fe_equal(&zrz, &resj.z)); 3775 } 3776 3777 /* Test gej + ge (var, with additional Z factor). */ 3778 { 3779 haskellsecp256k1_v0_1_0_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */ 3780 haskellsecp256k1_v0_1_0_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2); 3781 haskellsecp256k1_v0_1_0_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3); 3782 random_ge_x_magnitude(&ge2_zfi); 3783 random_ge_y_magnitude(&ge2_zfi); 3784 haskellsecp256k1_v0_1_0_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf); 3785 CHECK(haskellsecp256k1_v0_1_0_gej_eq_ge_var(&resj, &ref)); 3786 } 3787 3788 /* Test gej + ge (const). */ 3789 if (i2 != 0) { 3790 /* haskellsecp256k1_v0_1_0_gej_add_ge does not support its second argument being infinity. */ 3791 haskellsecp256k1_v0_1_0_gej_add_ge(&resj, &gej[i1], &ge[i2]); 3792 CHECK(haskellsecp256k1_v0_1_0_gej_eq_ge_var(&resj, &ref)); 3793 } 3794 3795 /* Test doubling (var). */ 3796 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) { 3797 haskellsecp256k1_v0_1_0_fe zr2; 3798 /* Normal doubling with Z ratio result. */ 3799 haskellsecp256k1_v0_1_0_gej_double_var(&resj, &gej[i1], &zr2); 3800 CHECK(haskellsecp256k1_v0_1_0_gej_eq_ge_var(&resj, &ref)); 3801 /* Check Z ratio. */ 3802 haskellsecp256k1_v0_1_0_fe_mul(&zr2, &zr2, &gej[i1].z); 3803 CHECK(haskellsecp256k1_v0_1_0_fe_equal(&zr2, &resj.z)); 3804 /* Normal doubling. */ 3805 haskellsecp256k1_v0_1_0_gej_double_var(&resj, &gej[i2], NULL); 3806 CHECK(haskellsecp256k1_v0_1_0_gej_eq_ge_var(&resj, &ref)); 3807 /* Constant-time doubling. */ 3808 haskellsecp256k1_v0_1_0_gej_double(&resj, &gej[i2]); 3809 CHECK(haskellsecp256k1_v0_1_0_gej_eq_ge_var(&resj, &ref)); 3810 } 3811 3812 /* Test adding opposites. */ 3813 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) { 3814 CHECK(haskellsecp256k1_v0_1_0_ge_is_infinity(&ref)); 3815 } 3816 3817 /* Test adding infinity. */ 3818 if (i1 == 0) { 3819 CHECK(haskellsecp256k1_v0_1_0_ge_is_infinity(&ge[i1])); 3820 CHECK(haskellsecp256k1_v0_1_0_gej_is_infinity(&gej[i1])); 3821 CHECK(haskellsecp256k1_v0_1_0_gej_eq_ge_var(&gej[i2], &ref)); 3822 } 3823 if (i2 == 0) { 3824 CHECK(haskellsecp256k1_v0_1_0_ge_is_infinity(&ge[i2])); 3825 CHECK(haskellsecp256k1_v0_1_0_gej_is_infinity(&gej[i2])); 3826 CHECK(haskellsecp256k1_v0_1_0_gej_eq_ge_var(&gej[i1], &ref)); 3827 } 3828 } 3829 } 3830 3831 /* Test adding all points together in random order equals infinity. */ 3832 { 3833 haskellsecp256k1_v0_1_0_gej sum = SECP256K1_GEJ_CONST_INFINITY; 3834 haskellsecp256k1_v0_1_0_gej *gej_shuffled = (haskellsecp256k1_v0_1_0_gej *)checked_malloc(&CTX->error_callback, (4 * runs + 1) * sizeof(haskellsecp256k1_v0_1_0_gej)); 3835 for (i = 0; i < 4 * runs + 1; i++) { 3836 gej_shuffled[i] = gej[i]; 3837 } 3838 for (i = 0; i < 4 * runs + 1; i++) { 3839 int swap = i + haskellsecp256k1_v0_1_0_testrand_int(4 * runs + 1 - i); 3840 if (swap != i) { 3841 haskellsecp256k1_v0_1_0_gej t = gej_shuffled[i]; 3842 gej_shuffled[i] = gej_shuffled[swap]; 3843 gej_shuffled[swap] = t; 3844 } 3845 } 3846 for (i = 0; i < 4 * runs + 1; i++) { 3847 haskellsecp256k1_v0_1_0_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL); 3848 } 3849 CHECK(haskellsecp256k1_v0_1_0_gej_is_infinity(&sum)); 3850 free(gej_shuffled); 3851 } 3852 3853 /* Test batch gej -> ge conversion without known z ratios. */ 3854 { 3855 haskellsecp256k1_v0_1_0_ge *ge_set_all = (haskellsecp256k1_v0_1_0_ge *)checked_malloc(&CTX->error_callback, (4 * runs + 1) * sizeof(haskellsecp256k1_v0_1_0_ge)); 3856 haskellsecp256k1_v0_1_0_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1); 3857 for (i = 0; i < 4 * runs + 1; i++) { 3858 haskellsecp256k1_v0_1_0_fe s; 3859 random_fe_non_zero(&s); 3860 haskellsecp256k1_v0_1_0_gej_rescale(&gej[i], &s); 3861 CHECK(haskellsecp256k1_v0_1_0_gej_eq_ge_var(&gej[i], &ge_set_all[i])); 3862 } 3863 free(ge_set_all); 3864 } 3865 3866 /* Test that all elements have X coordinates on the curve. */ 3867 for (i = 1; i < 4 * runs + 1; i++) { 3868 haskellsecp256k1_v0_1_0_fe n; 3869 CHECK(haskellsecp256k1_v0_1_0_ge_x_on_curve_var(&ge[i].x)); 3870 /* And the same holds after random rescaling. */ 3871 haskellsecp256k1_v0_1_0_fe_mul(&n, &zf, &ge[i].x); 3872 CHECK(haskellsecp256k1_v0_1_0_ge_x_frac_on_curve_var(&n, &zf)); 3873 } 3874 3875 /* Test correspondence of haskellsecp256k1_v0_1_0_ge_x{,_frac}_on_curve_var with ge_set_xo. */ 3876 { 3877 haskellsecp256k1_v0_1_0_fe n; 3878 haskellsecp256k1_v0_1_0_ge q; 3879 int ret_on_curve, ret_frac_on_curve, ret_set_xo; 3880 haskellsecp256k1_v0_1_0_fe_mul(&n, &zf, &r); 3881 ret_on_curve = haskellsecp256k1_v0_1_0_ge_x_on_curve_var(&r); 3882 ret_frac_on_curve = haskellsecp256k1_v0_1_0_ge_x_frac_on_curve_var(&n, &zf); 3883 ret_set_xo = haskellsecp256k1_v0_1_0_ge_set_xo_var(&q, &r, 0); 3884 CHECK(ret_on_curve == ret_frac_on_curve); 3885 CHECK(ret_on_curve == ret_set_xo); 3886 if (ret_set_xo) CHECK(haskellsecp256k1_v0_1_0_fe_equal(&r, &q.x)); 3887 } 3888 3889 /* Test batch gej -> ge conversion with many infinities. */ 3890 for (i = 0; i < 4 * runs + 1; i++) { 3891 int odd; 3892 random_group_element_test(&ge[i]); 3893 odd = haskellsecp256k1_v0_1_0_fe_is_odd(&ge[i].x); 3894 CHECK(odd == 0 || odd == 1); 3895 /* randomly set half the points to infinity */ 3896 if (odd == i % 2) { 3897 haskellsecp256k1_v0_1_0_ge_set_infinity(&ge[i]); 3898 } 3899 haskellsecp256k1_v0_1_0_gej_set_ge(&gej[i], &ge[i]); 3900 } 3901 /* batch convert */ 3902 haskellsecp256k1_v0_1_0_ge_set_all_gej_var(ge, gej, 4 * runs + 1); 3903 /* check result */ 3904 for (i = 0; i < 4 * runs + 1; i++) { 3905 CHECK(haskellsecp256k1_v0_1_0_gej_eq_ge_var(&gej[i], &ge[i])); 3906 } 3907 3908 /* Test batch gej -> ge conversion with all infinities. */ 3909 for (i = 0; i < 4 * runs + 1; i++) { 3910 haskellsecp256k1_v0_1_0_gej_set_infinity(&gej[i]); 3911 } 3912 /* batch convert */ 3913 haskellsecp256k1_v0_1_0_ge_set_all_gej_var(ge, gej, 4 * runs + 1); 3914 /* check result */ 3915 for (i = 0; i < 4 * runs + 1; i++) { 3916 CHECK(haskellsecp256k1_v0_1_0_ge_is_infinity(&ge[i])); 3917 } 3918 3919 free(ge); 3920 free(gej); 3921 } 3922 3923 static void test_intialized_inf(void) { 3924 haskellsecp256k1_v0_1_0_ge p; 3925 haskellsecp256k1_v0_1_0_gej pj, npj, infj1, infj2, infj3; 3926 haskellsecp256k1_v0_1_0_fe zinv; 3927 3928 /* Test that adding P+(-P) results in a fully initialized infinity*/ 3929 random_group_element_test(&p); 3930 haskellsecp256k1_v0_1_0_gej_set_ge(&pj, &p); 3931 haskellsecp256k1_v0_1_0_gej_neg(&npj, &pj); 3932 3933 haskellsecp256k1_v0_1_0_gej_add_var(&infj1, &pj, &npj, NULL); 3934 CHECK(haskellsecp256k1_v0_1_0_gej_is_infinity(&infj1)); 3935 CHECK(haskellsecp256k1_v0_1_0_fe_is_zero(&infj1.x)); 3936 CHECK(haskellsecp256k1_v0_1_0_fe_is_zero(&infj1.y)); 3937 CHECK(haskellsecp256k1_v0_1_0_fe_is_zero(&infj1.z)); 3938 3939 haskellsecp256k1_v0_1_0_gej_add_ge_var(&infj2, &npj, &p, NULL); 3940 CHECK(haskellsecp256k1_v0_1_0_gej_is_infinity(&infj2)); 3941 CHECK(haskellsecp256k1_v0_1_0_fe_is_zero(&infj2.x)); 3942 CHECK(haskellsecp256k1_v0_1_0_fe_is_zero(&infj2.y)); 3943 CHECK(haskellsecp256k1_v0_1_0_fe_is_zero(&infj2.z)); 3944 3945 haskellsecp256k1_v0_1_0_fe_set_int(&zinv, 1); 3946 haskellsecp256k1_v0_1_0_gej_add_zinv_var(&infj3, &npj, &p, &zinv); 3947 CHECK(haskellsecp256k1_v0_1_0_gej_is_infinity(&infj3)); 3948 CHECK(haskellsecp256k1_v0_1_0_fe_is_zero(&infj3.x)); 3949 CHECK(haskellsecp256k1_v0_1_0_fe_is_zero(&infj3.y)); 3950 CHECK(haskellsecp256k1_v0_1_0_fe_is_zero(&infj3.z)); 3951 3952 3953 } 3954 3955 static void test_add_neg_y_diff_x(void) { 3956 /* The point of this test is to check that we can add two points 3957 * whose y-coordinates are negatives of each other but whose x 3958 * coordinates differ. If the x-coordinates were the same, these 3959 * points would be negatives of each other and their sum is 3960 * infinity. This is cool because it "covers up" any degeneracy 3961 * in the addition algorithm that would cause the xy coordinates 3962 * of the sum to be wrong (since infinity has no xy coordinates). 3963 * HOWEVER, if the x-coordinates are different, infinity is the 3964 * wrong answer, and such degeneracies are exposed. This is the 3965 * root of https://github.com/bitcoin-core/secp256k1/issues/257 3966 * which this test is a regression test for. 3967 * 3968 * These points were generated in sage as 3969 * 3970 * load("haskellsecp256k1_v0_1_0_params.sage") 3971 * 3972 * # random "bad pair" 3973 * P = C.random_element() 3974 * Q = -int(LAMBDA) * P 3975 * print(" P: %x %x" % P.xy()) 3976 * print(" Q: %x %x" % Q.xy()) 3977 * print("P + Q: %x %x" % (P + Q).xy()) 3978 */ 3979 haskellsecp256k1_v0_1_0_gej aj = SECP256K1_GEJ_CONST( 3980 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30, 3981 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb, 3982 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8, 3983 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d 3984 ); 3985 haskellsecp256k1_v0_1_0_gej bj = SECP256K1_GEJ_CONST( 3986 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86, 3987 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7, 3988 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57, 3989 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2 3990 ); 3991 haskellsecp256k1_v0_1_0_gej sumj = SECP256K1_GEJ_CONST( 3992 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027, 3993 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a, 3994 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08, 3995 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe 3996 ); 3997 haskellsecp256k1_v0_1_0_ge b; 3998 haskellsecp256k1_v0_1_0_gej resj; 3999 haskellsecp256k1_v0_1_0_ge res; 4000 haskellsecp256k1_v0_1_0_ge_set_gej(&b, &bj); 4001 4002 haskellsecp256k1_v0_1_0_gej_add_var(&resj, &aj, &bj, NULL); 4003 haskellsecp256k1_v0_1_0_ge_set_gej(&res, &resj); 4004 CHECK(haskellsecp256k1_v0_1_0_gej_eq_ge_var(&sumj, &res)); 4005 4006 haskellsecp256k1_v0_1_0_gej_add_ge(&resj, &aj, &b); 4007 haskellsecp256k1_v0_1_0_ge_set_gej(&res, &resj); 4008 CHECK(haskellsecp256k1_v0_1_0_gej_eq_ge_var(&sumj, &res)); 4009 4010 haskellsecp256k1_v0_1_0_gej_add_ge_var(&resj, &aj, &b, NULL); 4011 haskellsecp256k1_v0_1_0_ge_set_gej(&res, &resj); 4012 CHECK(haskellsecp256k1_v0_1_0_gej_eq_ge_var(&sumj, &res)); 4013 } 4014 4015 static void run_ge(void) { 4016 int i; 4017 for (i = 0; i < COUNT * 32; i++) { 4018 test_ge(); 4019 } 4020 test_add_neg_y_diff_x(); 4021 test_intialized_inf(); 4022 } 4023 4024 static void test_gej_cmov(const haskellsecp256k1_v0_1_0_gej *a, const haskellsecp256k1_v0_1_0_gej *b) { 4025 haskellsecp256k1_v0_1_0_gej t = *a; 4026 haskellsecp256k1_v0_1_0_gej_cmov(&t, b, 0); 4027 CHECK(gej_xyz_equals_gej(&t, a)); 4028 haskellsecp256k1_v0_1_0_gej_cmov(&t, b, 1); 4029 CHECK(gej_xyz_equals_gej(&t, b)); 4030 } 4031 4032 static void run_gej(void) { 4033 int i; 4034 haskellsecp256k1_v0_1_0_gej a, b; 4035 4036 /* Tests for haskellsecp256k1_v0_1_0_gej_cmov */ 4037 for (i = 0; i < COUNT; i++) { 4038 haskellsecp256k1_v0_1_0_gej_set_infinity(&a); 4039 haskellsecp256k1_v0_1_0_gej_set_infinity(&b); 4040 test_gej_cmov(&a, &b); 4041 4042 random_gej_test(&a); 4043 test_gej_cmov(&a, &b); 4044 test_gej_cmov(&b, &a); 4045 4046 b = a; 4047 test_gej_cmov(&a, &b); 4048 4049 random_gej_test(&b); 4050 test_gej_cmov(&a, &b); 4051 test_gej_cmov(&b, &a); 4052 } 4053 4054 /* Tests for haskellsecp256k1_v0_1_0_gej_eq_var */ 4055 for (i = 0; i < COUNT; i++) { 4056 haskellsecp256k1_v0_1_0_fe fe; 4057 random_gej_test(&a); 4058 random_gej_test(&b); 4059 CHECK(!haskellsecp256k1_v0_1_0_gej_eq_var(&a, &b)); 4060 4061 b = a; 4062 random_fe_non_zero_test(&fe); 4063 haskellsecp256k1_v0_1_0_gej_rescale(&a, &fe); 4064 CHECK(haskellsecp256k1_v0_1_0_gej_eq_var(&a, &b)); 4065 } 4066 } 4067 4068 static void test_ec_combine(void) { 4069 haskellsecp256k1_v0_1_0_scalar sum = haskellsecp256k1_v0_1_0_scalar_zero; 4070 haskellsecp256k1_v0_1_0_pubkey data[6]; 4071 const haskellsecp256k1_v0_1_0_pubkey* d[6]; 4072 haskellsecp256k1_v0_1_0_pubkey sd; 4073 haskellsecp256k1_v0_1_0_pubkey sd2; 4074 haskellsecp256k1_v0_1_0_gej Qj; 4075 haskellsecp256k1_v0_1_0_ge Q; 4076 int i; 4077 for (i = 1; i <= 6; i++) { 4078 haskellsecp256k1_v0_1_0_scalar s; 4079 random_scalar_order_test(&s); 4080 haskellsecp256k1_v0_1_0_scalar_add(&sum, &sum, &s); 4081 haskellsecp256k1_v0_1_0_ecmult_gen(&CTX->ecmult_gen_ctx, &Qj, &s); 4082 haskellsecp256k1_v0_1_0_ge_set_gej(&Q, &Qj); 4083 haskellsecp256k1_v0_1_0_pubkey_save(&data[i - 1], &Q); 4084 d[i - 1] = &data[i - 1]; 4085 haskellsecp256k1_v0_1_0_ecmult_gen(&CTX->ecmult_gen_ctx, &Qj, &sum); 4086 haskellsecp256k1_v0_1_0_ge_set_gej(&Q, &Qj); 4087 haskellsecp256k1_v0_1_0_pubkey_save(&sd, &Q); 4088 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_combine(CTX, &sd2, d, i) == 1); 4089 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&sd, &sd2, sizeof(sd)) == 0); 4090 } 4091 } 4092 4093 static void run_ec_combine(void) { 4094 int i; 4095 for (i = 0; i < COUNT * 8; i++) { 4096 test_ec_combine(); 4097 } 4098 } 4099 4100 static void test_group_decompress(const haskellsecp256k1_v0_1_0_fe* x) { 4101 /* The input itself, normalized. */ 4102 haskellsecp256k1_v0_1_0_fe fex = *x; 4103 /* Results of set_xo_var(..., 0), set_xo_var(..., 1). */ 4104 haskellsecp256k1_v0_1_0_ge ge_even, ge_odd; 4105 /* Return values of the above calls. */ 4106 int res_even, res_odd; 4107 4108 haskellsecp256k1_v0_1_0_fe_normalize_var(&fex); 4109 4110 res_even = haskellsecp256k1_v0_1_0_ge_set_xo_var(&ge_even, &fex, 0); 4111 res_odd = haskellsecp256k1_v0_1_0_ge_set_xo_var(&ge_odd, &fex, 1); 4112 4113 CHECK(res_even == res_odd); 4114 4115 if (res_even) { 4116 haskellsecp256k1_v0_1_0_fe_normalize_var(&ge_odd.x); 4117 haskellsecp256k1_v0_1_0_fe_normalize_var(&ge_even.x); 4118 haskellsecp256k1_v0_1_0_fe_normalize_var(&ge_odd.y); 4119 haskellsecp256k1_v0_1_0_fe_normalize_var(&ge_even.y); 4120 4121 /* No infinity allowed. */ 4122 CHECK(!ge_even.infinity); 4123 CHECK(!ge_odd.infinity); 4124 4125 /* Check that the x coordinates check out. */ 4126 CHECK(haskellsecp256k1_v0_1_0_fe_equal(&ge_even.x, x)); 4127 CHECK(haskellsecp256k1_v0_1_0_fe_equal(&ge_odd.x, x)); 4128 4129 /* Check odd/even Y in ge_odd, ge_even. */ 4130 CHECK(haskellsecp256k1_v0_1_0_fe_is_odd(&ge_odd.y)); 4131 CHECK(!haskellsecp256k1_v0_1_0_fe_is_odd(&ge_even.y)); 4132 } 4133 } 4134 4135 static void run_group_decompress(void) { 4136 int i; 4137 for (i = 0; i < COUNT * 4; i++) { 4138 haskellsecp256k1_v0_1_0_fe fe; 4139 random_fe_test(&fe); 4140 test_group_decompress(&fe); 4141 } 4142 } 4143 4144 /***** ECMULT TESTS *****/ 4145 4146 static void test_pre_g_table(const haskellsecp256k1_v0_1_0_ge_storage * pre_g, size_t n) { 4147 /* Tests the pre_g / pre_g_128 tables for consistency. 4148 * For independent verification we take a "geometric" approach to verification. 4149 * We check that every entry is on-curve. 4150 * We check that for consecutive entries p and q, that p + gg - q = 0 by checking 4151 * (1) p, gg, and -q are colinear. 4152 * (2) p, gg, and -q are all distinct. 4153 * where gg is twice the generator, where the generator is the first table entry. 4154 * 4155 * Checking the table's generators are correct is done in run_ecmult_pre_g. 4156 */ 4157 haskellsecp256k1_v0_1_0_gej g2; 4158 haskellsecp256k1_v0_1_0_ge p, q, gg; 4159 haskellsecp256k1_v0_1_0_fe dpx, dpy, dqx, dqy; 4160 size_t i; 4161 4162 CHECK(0 < n); 4163 4164 haskellsecp256k1_v0_1_0_ge_from_storage(&p, &pre_g[0]); 4165 CHECK(haskellsecp256k1_v0_1_0_ge_is_valid_var(&p)); 4166 4167 haskellsecp256k1_v0_1_0_gej_set_ge(&g2, &p); 4168 haskellsecp256k1_v0_1_0_gej_double_var(&g2, &g2, NULL); 4169 haskellsecp256k1_v0_1_0_ge_set_gej_var(&gg, &g2); 4170 for (i = 1; i < n; ++i) { 4171 haskellsecp256k1_v0_1_0_fe_negate(&dpx, &p.x, 1); haskellsecp256k1_v0_1_0_fe_add(&dpx, &gg.x); haskellsecp256k1_v0_1_0_fe_normalize_weak(&dpx); 4172 haskellsecp256k1_v0_1_0_fe_negate(&dpy, &p.y, 1); haskellsecp256k1_v0_1_0_fe_add(&dpy, &gg.y); haskellsecp256k1_v0_1_0_fe_normalize_weak(&dpy); 4173 /* Check that p is not equal to gg */ 4174 CHECK(!haskellsecp256k1_v0_1_0_fe_normalizes_to_zero_var(&dpx) || !haskellsecp256k1_v0_1_0_fe_normalizes_to_zero_var(&dpy)); 4175 4176 haskellsecp256k1_v0_1_0_ge_from_storage(&q, &pre_g[i]); 4177 CHECK(haskellsecp256k1_v0_1_0_ge_is_valid_var(&q)); 4178 4179 haskellsecp256k1_v0_1_0_fe_negate(&dqx, &q.x, 1); haskellsecp256k1_v0_1_0_fe_add(&dqx, &gg.x); 4180 dqy = q.y; haskellsecp256k1_v0_1_0_fe_add(&dqy, &gg.y); 4181 /* Check that -q is not equal to gg */ 4182 CHECK(!haskellsecp256k1_v0_1_0_fe_normalizes_to_zero_var(&dqx) || !haskellsecp256k1_v0_1_0_fe_normalizes_to_zero_var(&dqy)); 4183 4184 /* Check that -q is not equal to p */ 4185 CHECK(!haskellsecp256k1_v0_1_0_fe_equal(&dpx, &dqx) || !haskellsecp256k1_v0_1_0_fe_equal(&dpy, &dqy)); 4186 4187 /* Check that p, -q and gg are colinear */ 4188 haskellsecp256k1_v0_1_0_fe_mul(&dpx, &dpx, &dqy); 4189 haskellsecp256k1_v0_1_0_fe_mul(&dpy, &dpy, &dqx); 4190 CHECK(haskellsecp256k1_v0_1_0_fe_equal(&dpx, &dpy)); 4191 4192 p = q; 4193 } 4194 } 4195 4196 static void run_ecmult_pre_g(void) { 4197 haskellsecp256k1_v0_1_0_ge_storage gs; 4198 haskellsecp256k1_v0_1_0_gej gj; 4199 haskellsecp256k1_v0_1_0_ge g; 4200 size_t i; 4201 4202 /* Check that the pre_g and pre_g_128 tables are consistent. */ 4203 test_pre_g_table(haskellsecp256k1_v0_1_0_pre_g, ECMULT_TABLE_SIZE(WINDOW_G)); 4204 test_pre_g_table(haskellsecp256k1_v0_1_0_pre_g_128, ECMULT_TABLE_SIZE(WINDOW_G)); 4205 4206 /* Check the first entry from the pre_g table. */ 4207 haskellsecp256k1_v0_1_0_ge_to_storage(&gs, &haskellsecp256k1_v0_1_0_ge_const_g); 4208 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&gs, &haskellsecp256k1_v0_1_0_pre_g[0], sizeof(gs)) == 0); 4209 4210 /* Check the first entry from the pre_g_128 table. */ 4211 haskellsecp256k1_v0_1_0_gej_set_ge(&gj, &haskellsecp256k1_v0_1_0_ge_const_g); 4212 for (i = 0; i < 128; ++i) { 4213 haskellsecp256k1_v0_1_0_gej_double_var(&gj, &gj, NULL); 4214 } 4215 haskellsecp256k1_v0_1_0_ge_set_gej(&g, &gj); 4216 haskellsecp256k1_v0_1_0_ge_to_storage(&gs, &g); 4217 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&gs, &haskellsecp256k1_v0_1_0_pre_g_128[0], sizeof(gs)) == 0); 4218 } 4219 4220 static void run_ecmult_chain(void) { 4221 /* random starting point A (on the curve) */ 4222 haskellsecp256k1_v0_1_0_gej a = SECP256K1_GEJ_CONST( 4223 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3, 4224 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004, 4225 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f, 4226 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f 4227 ); 4228 /* two random initial factors xn and gn */ 4229 haskellsecp256k1_v0_1_0_scalar xn = SECP256K1_SCALAR_CONST( 4230 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c, 4231 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407 4232 ); 4233 haskellsecp256k1_v0_1_0_scalar gn = SECP256K1_SCALAR_CONST( 4234 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9, 4235 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de 4236 ); 4237 /* two small multipliers to be applied to xn and gn in every iteration: */ 4238 static const haskellsecp256k1_v0_1_0_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337); 4239 static const haskellsecp256k1_v0_1_0_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113); 4240 /* accumulators with the resulting coefficients to A and G */ 4241 haskellsecp256k1_v0_1_0_scalar ae = haskellsecp256k1_v0_1_0_scalar_one; 4242 haskellsecp256k1_v0_1_0_scalar ge = haskellsecp256k1_v0_1_0_scalar_zero; 4243 /* actual points */ 4244 haskellsecp256k1_v0_1_0_gej x; 4245 haskellsecp256k1_v0_1_0_gej x2; 4246 int i; 4247 4248 /* the point being computed */ 4249 x = a; 4250 for (i = 0; i < 200*COUNT; i++) { 4251 /* in each iteration, compute X = xn*X + gn*G; */ 4252 haskellsecp256k1_v0_1_0_ecmult(&x, &x, &xn, &gn); 4253 /* also compute ae and ge: the actual accumulated factors for A and G */ 4254 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */ 4255 haskellsecp256k1_v0_1_0_scalar_mul(&ae, &ae, &xn); 4256 haskellsecp256k1_v0_1_0_scalar_mul(&ge, &ge, &xn); 4257 haskellsecp256k1_v0_1_0_scalar_add(&ge, &ge, &gn); 4258 /* modify xn and gn */ 4259 haskellsecp256k1_v0_1_0_scalar_mul(&xn, &xn, &xf); 4260 haskellsecp256k1_v0_1_0_scalar_mul(&gn, &gn, &gf); 4261 4262 /* verify */ 4263 if (i == 19999) { 4264 /* expected result after 19999 iterations */ 4265 haskellsecp256k1_v0_1_0_gej rp = SECP256K1_GEJ_CONST( 4266 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE, 4267 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830, 4268 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D, 4269 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88 4270 ); 4271 CHECK(haskellsecp256k1_v0_1_0_gej_eq_var(&rp, &x)); 4272 } 4273 } 4274 /* redo the computation, but directly with the resulting ae and ge coefficients: */ 4275 haskellsecp256k1_v0_1_0_ecmult(&x2, &a, &ae, &ge); 4276 CHECK(haskellsecp256k1_v0_1_0_gej_eq_var(&x, &x2)); 4277 } 4278 4279 static void test_point_times_order(const haskellsecp256k1_v0_1_0_gej *point) { 4280 /* X * (point + G) + (order-X) * (pointer + G) = 0 */ 4281 haskellsecp256k1_v0_1_0_scalar x; 4282 haskellsecp256k1_v0_1_0_scalar nx; 4283 haskellsecp256k1_v0_1_0_gej res1, res2; 4284 haskellsecp256k1_v0_1_0_ge res3; 4285 unsigned char pub[65]; 4286 size_t psize = 65; 4287 random_scalar_order_test(&x); 4288 haskellsecp256k1_v0_1_0_scalar_negate(&nx, &x); 4289 haskellsecp256k1_v0_1_0_ecmult(&res1, point, &x, &x); /* calc res1 = x * point + x * G; */ 4290 haskellsecp256k1_v0_1_0_ecmult(&res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */ 4291 haskellsecp256k1_v0_1_0_gej_add_var(&res1, &res1, &res2, NULL); 4292 CHECK(haskellsecp256k1_v0_1_0_gej_is_infinity(&res1)); 4293 haskellsecp256k1_v0_1_0_ge_set_gej(&res3, &res1); 4294 CHECK(haskellsecp256k1_v0_1_0_ge_is_infinity(&res3)); 4295 CHECK(haskellsecp256k1_v0_1_0_ge_is_valid_var(&res3) == 0); 4296 CHECK(haskellsecp256k1_v0_1_0_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0); 4297 psize = 65; 4298 CHECK(haskellsecp256k1_v0_1_0_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0); 4299 /* check zero/one edge cases */ 4300 haskellsecp256k1_v0_1_0_ecmult(&res1, point, &haskellsecp256k1_v0_1_0_scalar_zero, &haskellsecp256k1_v0_1_0_scalar_zero); 4301 haskellsecp256k1_v0_1_0_ge_set_gej(&res3, &res1); 4302 CHECK(haskellsecp256k1_v0_1_0_ge_is_infinity(&res3)); 4303 haskellsecp256k1_v0_1_0_ecmult(&res1, point, &haskellsecp256k1_v0_1_0_scalar_one, &haskellsecp256k1_v0_1_0_scalar_zero); 4304 haskellsecp256k1_v0_1_0_ge_set_gej(&res3, &res1); 4305 CHECK(haskellsecp256k1_v0_1_0_gej_eq_ge_var(point, &res3)); 4306 haskellsecp256k1_v0_1_0_ecmult(&res1, point, &haskellsecp256k1_v0_1_0_scalar_zero, &haskellsecp256k1_v0_1_0_scalar_one); 4307 haskellsecp256k1_v0_1_0_ge_set_gej(&res3, &res1); 4308 CHECK(haskellsecp256k1_v0_1_0_ge_eq_var(&haskellsecp256k1_v0_1_0_ge_const_g, &res3)); 4309 } 4310 4311 /* These scalars reach large (in absolute value) outputs when fed to haskellsecp256k1_v0_1_0_scalar_split_lambda. 4312 * 4313 * They are computed as: 4314 * - For a in [-2, -1, 0, 1, 2]: 4315 * - For b in [-3, -1, 1, 3]: 4316 * - Output (a*LAMBDA + (ORDER+b)/2) % ORDER 4317 */ 4318 static const haskellsecp256k1_v0_1_0_scalar scalars_near_split_bounds[20] = { 4319 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fc), 4320 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fd), 4321 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fe), 4322 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6ff), 4323 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632d), 4324 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632e), 4325 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632f), 4326 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf76330), 4327 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b209f), 4328 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a0), 4329 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a1), 4330 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a2), 4331 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede11), 4332 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede12), 4333 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede13), 4334 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede14), 4335 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a42), 4336 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a43), 4337 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a44), 4338 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a45) 4339 }; 4340 4341 static void test_ecmult_target(const haskellsecp256k1_v0_1_0_scalar* target, int mode) { 4342 /* Mode: 0=ecmult_gen, 1=ecmult, 2=ecmult_const */ 4343 haskellsecp256k1_v0_1_0_scalar n1, n2; 4344 haskellsecp256k1_v0_1_0_ge p; 4345 haskellsecp256k1_v0_1_0_gej pj, p1j, p2j, ptj; 4346 4347 /* Generate random n1,n2 such that n1+n2 = -target. */ 4348 random_scalar_order_test(&n1); 4349 haskellsecp256k1_v0_1_0_scalar_add(&n2, &n1, target); 4350 haskellsecp256k1_v0_1_0_scalar_negate(&n2, &n2); 4351 4352 /* Generate a random input point. */ 4353 if (mode != 0) { 4354 random_group_element_test(&p); 4355 haskellsecp256k1_v0_1_0_gej_set_ge(&pj, &p); 4356 } 4357 4358 /* EC multiplications */ 4359 if (mode == 0) { 4360 haskellsecp256k1_v0_1_0_ecmult_gen(&CTX->ecmult_gen_ctx, &p1j, &n1); 4361 haskellsecp256k1_v0_1_0_ecmult_gen(&CTX->ecmult_gen_ctx, &p2j, &n2); 4362 haskellsecp256k1_v0_1_0_ecmult_gen(&CTX->ecmult_gen_ctx, &ptj, target); 4363 } else if (mode == 1) { 4364 haskellsecp256k1_v0_1_0_ecmult(&p1j, &pj, &n1, &haskellsecp256k1_v0_1_0_scalar_zero); 4365 haskellsecp256k1_v0_1_0_ecmult(&p2j, &pj, &n2, &haskellsecp256k1_v0_1_0_scalar_zero); 4366 haskellsecp256k1_v0_1_0_ecmult(&ptj, &pj, target, &haskellsecp256k1_v0_1_0_scalar_zero); 4367 } else { 4368 haskellsecp256k1_v0_1_0_ecmult_const(&p1j, &p, &n1); 4369 haskellsecp256k1_v0_1_0_ecmult_const(&p2j, &p, &n2); 4370 haskellsecp256k1_v0_1_0_ecmult_const(&ptj, &p, target); 4371 } 4372 4373 /* Add them all up: n1*P + n2*P + target*P = (n1+n2+target)*P = (n1+n1-n1-n2)*P = 0. */ 4374 haskellsecp256k1_v0_1_0_gej_add_var(&ptj, &ptj, &p1j, NULL); 4375 haskellsecp256k1_v0_1_0_gej_add_var(&ptj, &ptj, &p2j, NULL); 4376 CHECK(haskellsecp256k1_v0_1_0_gej_is_infinity(&ptj)); 4377 } 4378 4379 static void run_ecmult_near_split_bound(void) { 4380 int i; 4381 unsigned j; 4382 for (i = 0; i < 4*COUNT; ++i) { 4383 for (j = 0; j < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++j) { 4384 test_ecmult_target(&scalars_near_split_bounds[j], 0); 4385 test_ecmult_target(&scalars_near_split_bounds[j], 1); 4386 test_ecmult_target(&scalars_near_split_bounds[j], 2); 4387 } 4388 } 4389 } 4390 4391 static void run_point_times_order(void) { 4392 int i; 4393 haskellsecp256k1_v0_1_0_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2); 4394 static const haskellsecp256k1_v0_1_0_fe xr = SECP256K1_FE_CONST( 4395 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C, 4396 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45 4397 ); 4398 for (i = 0; i < 500; i++) { 4399 haskellsecp256k1_v0_1_0_ge p; 4400 if (haskellsecp256k1_v0_1_0_ge_set_xo_var(&p, &x, 1)) { 4401 haskellsecp256k1_v0_1_0_gej j; 4402 CHECK(haskellsecp256k1_v0_1_0_ge_is_valid_var(&p)); 4403 haskellsecp256k1_v0_1_0_gej_set_ge(&j, &p); 4404 test_point_times_order(&j); 4405 } 4406 haskellsecp256k1_v0_1_0_fe_sqr(&x, &x); 4407 } 4408 haskellsecp256k1_v0_1_0_fe_normalize_var(&x); 4409 CHECK(haskellsecp256k1_v0_1_0_fe_equal(&x, &xr)); 4410 } 4411 4412 static void ecmult_const_random_mult(void) { 4413 /* random starting point A (on the curve) */ 4414 haskellsecp256k1_v0_1_0_ge a = SECP256K1_GE_CONST( 4415 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b, 4416 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a, 4417 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c, 4418 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d 4419 ); 4420 /* random initial factor xn */ 4421 haskellsecp256k1_v0_1_0_scalar xn = SECP256K1_SCALAR_CONST( 4422 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327, 4423 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b 4424 ); 4425 /* expected xn * A (from sage) */ 4426 haskellsecp256k1_v0_1_0_ge expected_b = SECP256K1_GE_CONST( 4427 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd, 4428 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786, 4429 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f, 4430 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956 4431 ); 4432 haskellsecp256k1_v0_1_0_gej b; 4433 haskellsecp256k1_v0_1_0_ecmult_const(&b, &a, &xn); 4434 4435 CHECK(haskellsecp256k1_v0_1_0_ge_is_valid_var(&a)); 4436 CHECK(haskellsecp256k1_v0_1_0_gej_eq_ge_var(&b, &expected_b)); 4437 } 4438 4439 static void ecmult_const_commutativity(void) { 4440 haskellsecp256k1_v0_1_0_scalar a; 4441 haskellsecp256k1_v0_1_0_scalar b; 4442 haskellsecp256k1_v0_1_0_gej res1; 4443 haskellsecp256k1_v0_1_0_gej res2; 4444 haskellsecp256k1_v0_1_0_ge mid1; 4445 haskellsecp256k1_v0_1_0_ge mid2; 4446 random_scalar_order_test(&a); 4447 random_scalar_order_test(&b); 4448 4449 haskellsecp256k1_v0_1_0_ecmult_const(&res1, &haskellsecp256k1_v0_1_0_ge_const_g, &a); 4450 haskellsecp256k1_v0_1_0_ecmult_const(&res2, &haskellsecp256k1_v0_1_0_ge_const_g, &b); 4451 haskellsecp256k1_v0_1_0_ge_set_gej(&mid1, &res1); 4452 haskellsecp256k1_v0_1_0_ge_set_gej(&mid2, &res2); 4453 haskellsecp256k1_v0_1_0_ecmult_const(&res1, &mid1, &b); 4454 haskellsecp256k1_v0_1_0_ecmult_const(&res2, &mid2, &a); 4455 haskellsecp256k1_v0_1_0_ge_set_gej(&mid1, &res1); 4456 haskellsecp256k1_v0_1_0_ge_set_gej(&mid2, &res2); 4457 CHECK(haskellsecp256k1_v0_1_0_ge_eq_var(&mid1, &mid2)); 4458 } 4459 4460 static void ecmult_const_mult_zero_one(void) { 4461 haskellsecp256k1_v0_1_0_scalar s; 4462 haskellsecp256k1_v0_1_0_scalar negone; 4463 haskellsecp256k1_v0_1_0_gej res1; 4464 haskellsecp256k1_v0_1_0_ge res2; 4465 haskellsecp256k1_v0_1_0_ge point; 4466 haskellsecp256k1_v0_1_0_ge inf; 4467 4468 random_scalar_order_test(&s); 4469 haskellsecp256k1_v0_1_0_scalar_negate(&negone, &haskellsecp256k1_v0_1_0_scalar_one); 4470 random_group_element_test(&point); 4471 haskellsecp256k1_v0_1_0_ge_set_infinity(&inf); 4472 4473 /* 0*point */ 4474 haskellsecp256k1_v0_1_0_ecmult_const(&res1, &point, &haskellsecp256k1_v0_1_0_scalar_zero); 4475 CHECK(haskellsecp256k1_v0_1_0_gej_is_infinity(&res1)); 4476 4477 /* s*inf */ 4478 haskellsecp256k1_v0_1_0_ecmult_const(&res1, &inf, &s); 4479 CHECK(haskellsecp256k1_v0_1_0_gej_is_infinity(&res1)); 4480 4481 /* 1*point */ 4482 haskellsecp256k1_v0_1_0_ecmult_const(&res1, &point, &haskellsecp256k1_v0_1_0_scalar_one); 4483 haskellsecp256k1_v0_1_0_ge_set_gej(&res2, &res1); 4484 CHECK(haskellsecp256k1_v0_1_0_ge_eq_var(&res2, &point)); 4485 4486 /* -1*point */ 4487 haskellsecp256k1_v0_1_0_ecmult_const(&res1, &point, &negone); 4488 haskellsecp256k1_v0_1_0_gej_neg(&res1, &res1); 4489 haskellsecp256k1_v0_1_0_ge_set_gej(&res2, &res1); 4490 CHECK(haskellsecp256k1_v0_1_0_ge_eq_var(&res2, &point)); 4491 } 4492 4493 static void ecmult_const_check_result(const haskellsecp256k1_v0_1_0_ge *A, const haskellsecp256k1_v0_1_0_scalar* q, const haskellsecp256k1_v0_1_0_gej *res) { 4494 haskellsecp256k1_v0_1_0_gej pointj, res2j; 4495 haskellsecp256k1_v0_1_0_ge res2; 4496 haskellsecp256k1_v0_1_0_gej_set_ge(&pointj, A); 4497 haskellsecp256k1_v0_1_0_ecmult(&res2j, &pointj, q, &haskellsecp256k1_v0_1_0_scalar_zero); 4498 haskellsecp256k1_v0_1_0_ge_set_gej(&res2, &res2j); 4499 CHECK(haskellsecp256k1_v0_1_0_gej_eq_ge_var(res, &res2)); 4500 } 4501 4502 static void ecmult_const_edges(void) { 4503 haskellsecp256k1_v0_1_0_scalar q; 4504 haskellsecp256k1_v0_1_0_ge point; 4505 haskellsecp256k1_v0_1_0_gej res; 4506 size_t i; 4507 size_t cases = 1 + sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); 4508 4509 /* We are trying to reach the following edge cases (variables are defined as 4510 * in ecmult_const_impl.h): 4511 * 1. i = 0: s = 0 <=> q = -K 4512 * 2. i > 0: v1, v2 large values 4513 * <=> s1, s2 large values 4514 * <=> s = scalars_near_split_bounds[i] 4515 * <=> q = 2*scalars_near_split_bounds[i] - K 4516 */ 4517 for (i = 0; i < cases; ++i) { 4518 haskellsecp256k1_v0_1_0_scalar_negate(&q, &haskellsecp256k1_v0_1_0_ecmult_const_K); 4519 if (i > 0) { 4520 haskellsecp256k1_v0_1_0_scalar_add(&q, &q, &scalars_near_split_bounds[i - 1]); 4521 haskellsecp256k1_v0_1_0_scalar_add(&q, &q, &scalars_near_split_bounds[i - 1]); 4522 } 4523 random_group_element_test(&point); 4524 haskellsecp256k1_v0_1_0_ecmult_const(&res, &point, &q); 4525 ecmult_const_check_result(&point, &q, &res); 4526 } 4527 } 4528 4529 static void ecmult_const_mult_xonly(void) { 4530 int i; 4531 4532 /* Test correspondence between haskellsecp256k1_v0_1_0_ecmult_const and haskellsecp256k1_v0_1_0_ecmult_const_xonly. */ 4533 for (i = 0; i < 2*COUNT; ++i) { 4534 haskellsecp256k1_v0_1_0_ge base; 4535 haskellsecp256k1_v0_1_0_gej basej, resj; 4536 haskellsecp256k1_v0_1_0_fe n, d, resx, v; 4537 haskellsecp256k1_v0_1_0_scalar q; 4538 int res; 4539 /* Random base point. */ 4540 random_group_element_test(&base); 4541 /* Random scalar to multiply it with. */ 4542 random_scalar_order_test(&q); 4543 /* If i is odd, n=d*base.x for random non-zero d */ 4544 if (i & 1) { 4545 random_fe_non_zero_test(&d); 4546 haskellsecp256k1_v0_1_0_fe_mul(&n, &base.x, &d); 4547 } else { 4548 n = base.x; 4549 } 4550 /* Perform x-only multiplication. */ 4551 res = haskellsecp256k1_v0_1_0_ecmult_const_xonly(&resx, &n, (i & 1) ? &d : NULL, &q, i & 2); 4552 CHECK(res); 4553 /* Perform normal multiplication. */ 4554 haskellsecp256k1_v0_1_0_gej_set_ge(&basej, &base); 4555 haskellsecp256k1_v0_1_0_ecmult(&resj, &basej, &q, NULL); 4556 /* Check that resj's X coordinate corresponds with resx. */ 4557 haskellsecp256k1_v0_1_0_fe_sqr(&v, &resj.z); 4558 haskellsecp256k1_v0_1_0_fe_mul(&v, &v, &resx); 4559 CHECK(check_fe_equal(&v, &resj.x)); 4560 } 4561 4562 /* Test that haskellsecp256k1_v0_1_0_ecmult_const_xonly correctly rejects X coordinates not on curve. */ 4563 for (i = 0; i < 2*COUNT; ++i) { 4564 haskellsecp256k1_v0_1_0_fe x, n, d, r; 4565 int res; 4566 haskellsecp256k1_v0_1_0_scalar q; 4567 random_scalar_order_test(&q); 4568 /* Generate random X coordinate not on the curve. */ 4569 do { 4570 random_fe_test(&x); 4571 } while (haskellsecp256k1_v0_1_0_ge_x_on_curve_var(&x)); 4572 /* If i is odd, n=d*x for random non-zero d. */ 4573 if (i & 1) { 4574 random_fe_non_zero_test(&d); 4575 haskellsecp256k1_v0_1_0_fe_mul(&n, &x, &d); 4576 } else { 4577 n = x; 4578 } 4579 res = haskellsecp256k1_v0_1_0_ecmult_const_xonly(&r, &n, (i & 1) ? &d : NULL, &q, 0); 4580 CHECK(res == 0); 4581 } 4582 } 4583 4584 static void ecmult_const_chain_multiply(void) { 4585 /* Check known result (randomly generated test problem from sage) */ 4586 const haskellsecp256k1_v0_1_0_scalar scalar = SECP256K1_SCALAR_CONST( 4587 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d, 4588 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b 4589 ); 4590 const haskellsecp256k1_v0_1_0_gej expected_point = SECP256K1_GEJ_CONST( 4591 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd, 4592 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f, 4593 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196, 4594 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435 4595 ); 4596 haskellsecp256k1_v0_1_0_gej point; 4597 haskellsecp256k1_v0_1_0_ge res; 4598 int i; 4599 4600 haskellsecp256k1_v0_1_0_gej_set_ge(&point, &haskellsecp256k1_v0_1_0_ge_const_g); 4601 for (i = 0; i < 100; ++i) { 4602 haskellsecp256k1_v0_1_0_ge tmp; 4603 haskellsecp256k1_v0_1_0_ge_set_gej(&tmp, &point); 4604 haskellsecp256k1_v0_1_0_ecmult_const(&point, &tmp, &scalar); 4605 } 4606 haskellsecp256k1_v0_1_0_ge_set_gej(&res, &point); 4607 CHECK(haskellsecp256k1_v0_1_0_gej_eq_ge_var(&expected_point, &res)); 4608 } 4609 4610 static void run_ecmult_const_tests(void) { 4611 ecmult_const_mult_zero_one(); 4612 ecmult_const_edges(); 4613 ecmult_const_random_mult(); 4614 ecmult_const_commutativity(); 4615 ecmult_const_chain_multiply(); 4616 ecmult_const_mult_xonly(); 4617 } 4618 4619 typedef struct { 4620 haskellsecp256k1_v0_1_0_scalar *sc; 4621 haskellsecp256k1_v0_1_0_ge *pt; 4622 } ecmult_multi_data; 4623 4624 static int ecmult_multi_callback(haskellsecp256k1_v0_1_0_scalar *sc, haskellsecp256k1_v0_1_0_ge *pt, size_t idx, void *cbdata) { 4625 ecmult_multi_data *data = (ecmult_multi_data*) cbdata; 4626 *sc = data->sc[idx]; 4627 *pt = data->pt[idx]; 4628 return 1; 4629 } 4630 4631 static int ecmult_multi_false_callback(haskellsecp256k1_v0_1_0_scalar *sc, haskellsecp256k1_v0_1_0_ge *pt, size_t idx, void *cbdata) { 4632 (void)sc; 4633 (void)pt; 4634 (void)idx; 4635 (void)cbdata; 4636 return 0; 4637 } 4638 4639 static void test_ecmult_multi(haskellsecp256k1_v0_1_0_scratch *scratch, haskellsecp256k1_v0_1_0_ecmult_multi_func ecmult_multi) { 4640 int ncount; 4641 haskellsecp256k1_v0_1_0_scalar sc[32]; 4642 haskellsecp256k1_v0_1_0_ge pt[32]; 4643 haskellsecp256k1_v0_1_0_gej r; 4644 haskellsecp256k1_v0_1_0_gej r2; 4645 ecmult_multi_data data; 4646 4647 data.sc = sc; 4648 data.pt = pt; 4649 4650 /* No points to multiply */ 4651 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, NULL, ecmult_multi_callback, &data, 0)); 4652 4653 /* Check 1- and 2-point multiplies against ecmult */ 4654 for (ncount = 0; ncount < COUNT; ncount++) { 4655 haskellsecp256k1_v0_1_0_ge ptg; 4656 haskellsecp256k1_v0_1_0_gej ptgj; 4657 random_scalar_order(&sc[0]); 4658 random_scalar_order(&sc[1]); 4659 4660 random_group_element_test(&ptg); 4661 haskellsecp256k1_v0_1_0_gej_set_ge(&ptgj, &ptg); 4662 pt[0] = ptg; 4663 pt[1] = haskellsecp256k1_v0_1_0_ge_const_g; 4664 4665 /* only G scalar */ 4666 haskellsecp256k1_v0_1_0_ecmult(&r2, &ptgj, &haskellsecp256k1_v0_1_0_scalar_zero, &sc[0]); 4667 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0)); 4668 CHECK(haskellsecp256k1_v0_1_0_gej_eq_var(&r, &r2)); 4669 4670 /* 1-point */ 4671 haskellsecp256k1_v0_1_0_ecmult(&r2, &ptgj, &sc[0], &haskellsecp256k1_v0_1_0_scalar_zero); 4672 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &haskellsecp256k1_v0_1_0_scalar_zero, ecmult_multi_callback, &data, 1)); 4673 CHECK(haskellsecp256k1_v0_1_0_gej_eq_var(&r, &r2)); 4674 4675 /* Try to multiply 1 point, but callback returns false */ 4676 CHECK(!ecmult_multi(&CTX->error_callback, scratch, &r, &haskellsecp256k1_v0_1_0_scalar_zero, ecmult_multi_false_callback, &data, 1)); 4677 4678 /* 2-point */ 4679 haskellsecp256k1_v0_1_0_ecmult(&r2, &ptgj, &sc[0], &sc[1]); 4680 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &haskellsecp256k1_v0_1_0_scalar_zero, ecmult_multi_callback, &data, 2)); 4681 CHECK(haskellsecp256k1_v0_1_0_gej_eq_var(&r, &r2)); 4682 4683 /* 2-point with G scalar */ 4684 haskellsecp256k1_v0_1_0_ecmult(&r2, &ptgj, &sc[0], &sc[1]); 4685 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1)); 4686 CHECK(haskellsecp256k1_v0_1_0_gej_eq_var(&r, &r2)); 4687 } 4688 4689 /* Check infinite outputs of various forms */ 4690 for (ncount = 0; ncount < COUNT; ncount++) { 4691 haskellsecp256k1_v0_1_0_ge ptg; 4692 size_t i, j; 4693 size_t sizes[] = { 2, 10, 32 }; 4694 4695 for (j = 0; j < 3; j++) { 4696 for (i = 0; i < 32; i++) { 4697 random_scalar_order(&sc[i]); 4698 haskellsecp256k1_v0_1_0_ge_set_infinity(&pt[i]); 4699 } 4700 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &haskellsecp256k1_v0_1_0_scalar_zero, ecmult_multi_callback, &data, sizes[j])); 4701 CHECK(haskellsecp256k1_v0_1_0_gej_is_infinity(&r)); 4702 } 4703 4704 for (j = 0; j < 3; j++) { 4705 for (i = 0; i < 32; i++) { 4706 random_group_element_test(&ptg); 4707 pt[i] = ptg; 4708 haskellsecp256k1_v0_1_0_scalar_set_int(&sc[i], 0); 4709 } 4710 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &haskellsecp256k1_v0_1_0_scalar_zero, ecmult_multi_callback, &data, sizes[j])); 4711 CHECK(haskellsecp256k1_v0_1_0_gej_is_infinity(&r)); 4712 } 4713 4714 for (j = 0; j < 3; j++) { 4715 random_group_element_test(&ptg); 4716 for (i = 0; i < 16; i++) { 4717 random_scalar_order(&sc[2*i]); 4718 haskellsecp256k1_v0_1_0_scalar_negate(&sc[2*i + 1], &sc[2*i]); 4719 pt[2 * i] = ptg; 4720 pt[2 * i + 1] = ptg; 4721 } 4722 4723 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &haskellsecp256k1_v0_1_0_scalar_zero, ecmult_multi_callback, &data, sizes[j])); 4724 CHECK(haskellsecp256k1_v0_1_0_gej_is_infinity(&r)); 4725 4726 random_scalar_order(&sc[0]); 4727 for (i = 0; i < 16; i++) { 4728 random_group_element_test(&ptg); 4729 4730 sc[2*i] = sc[0]; 4731 sc[2*i+1] = sc[0]; 4732 pt[2 * i] = ptg; 4733 haskellsecp256k1_v0_1_0_ge_neg(&pt[2*i+1], &pt[2*i]); 4734 } 4735 4736 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &haskellsecp256k1_v0_1_0_scalar_zero, ecmult_multi_callback, &data, sizes[j])); 4737 CHECK(haskellsecp256k1_v0_1_0_gej_is_infinity(&r)); 4738 } 4739 4740 random_group_element_test(&ptg); 4741 haskellsecp256k1_v0_1_0_scalar_set_int(&sc[0], 0); 4742 pt[0] = ptg; 4743 for (i = 1; i < 32; i++) { 4744 pt[i] = ptg; 4745 4746 random_scalar_order(&sc[i]); 4747 haskellsecp256k1_v0_1_0_scalar_add(&sc[0], &sc[0], &sc[i]); 4748 haskellsecp256k1_v0_1_0_scalar_negate(&sc[i], &sc[i]); 4749 } 4750 4751 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &haskellsecp256k1_v0_1_0_scalar_zero, ecmult_multi_callback, &data, 32)); 4752 CHECK(haskellsecp256k1_v0_1_0_gej_is_infinity(&r)); 4753 } 4754 4755 /* Check random points, constant scalar */ 4756 for (ncount = 0; ncount < COUNT; ncount++) { 4757 size_t i; 4758 haskellsecp256k1_v0_1_0_gej_set_infinity(&r); 4759 4760 random_scalar_order(&sc[0]); 4761 for (i = 0; i < 20; i++) { 4762 haskellsecp256k1_v0_1_0_ge ptg; 4763 sc[i] = sc[0]; 4764 random_group_element_test(&ptg); 4765 pt[i] = ptg; 4766 haskellsecp256k1_v0_1_0_gej_add_ge_var(&r, &r, &pt[i], NULL); 4767 } 4768 4769 haskellsecp256k1_v0_1_0_ecmult(&r2, &r, &sc[0], &haskellsecp256k1_v0_1_0_scalar_zero); 4770 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &haskellsecp256k1_v0_1_0_scalar_zero, ecmult_multi_callback, &data, 20)); 4771 CHECK(haskellsecp256k1_v0_1_0_gej_eq_var(&r, &r2)); 4772 } 4773 4774 /* Check random scalars, constant point */ 4775 for (ncount = 0; ncount < COUNT; ncount++) { 4776 size_t i; 4777 haskellsecp256k1_v0_1_0_ge ptg; 4778 haskellsecp256k1_v0_1_0_gej p0j; 4779 haskellsecp256k1_v0_1_0_scalar rs; 4780 haskellsecp256k1_v0_1_0_scalar_set_int(&rs, 0); 4781 4782 random_group_element_test(&ptg); 4783 for (i = 0; i < 20; i++) { 4784 random_scalar_order(&sc[i]); 4785 pt[i] = ptg; 4786 haskellsecp256k1_v0_1_0_scalar_add(&rs, &rs, &sc[i]); 4787 } 4788 4789 haskellsecp256k1_v0_1_0_gej_set_ge(&p0j, &pt[0]); 4790 haskellsecp256k1_v0_1_0_ecmult(&r2, &p0j, &rs, &haskellsecp256k1_v0_1_0_scalar_zero); 4791 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &haskellsecp256k1_v0_1_0_scalar_zero, ecmult_multi_callback, &data, 20)); 4792 CHECK(haskellsecp256k1_v0_1_0_gej_eq_var(&r, &r2)); 4793 } 4794 4795 /* Sanity check that zero scalars don't cause problems */ 4796 for (ncount = 0; ncount < 20; ncount++) { 4797 random_scalar_order(&sc[ncount]); 4798 random_group_element_test(&pt[ncount]); 4799 } 4800 4801 haskellsecp256k1_v0_1_0_scalar_clear(&sc[0]); 4802 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &haskellsecp256k1_v0_1_0_scalar_zero, ecmult_multi_callback, &data, 20)); 4803 haskellsecp256k1_v0_1_0_scalar_clear(&sc[1]); 4804 haskellsecp256k1_v0_1_0_scalar_clear(&sc[2]); 4805 haskellsecp256k1_v0_1_0_scalar_clear(&sc[3]); 4806 haskellsecp256k1_v0_1_0_scalar_clear(&sc[4]); 4807 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &haskellsecp256k1_v0_1_0_scalar_zero, ecmult_multi_callback, &data, 6)); 4808 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &haskellsecp256k1_v0_1_0_scalar_zero, ecmult_multi_callback, &data, 5)); 4809 CHECK(haskellsecp256k1_v0_1_0_gej_is_infinity(&r)); 4810 4811 /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */ 4812 { 4813 const size_t TOP = 8; 4814 size_t s0i, s1i; 4815 size_t t0i, t1i; 4816 haskellsecp256k1_v0_1_0_ge ptg; 4817 haskellsecp256k1_v0_1_0_gej ptgj; 4818 4819 random_group_element_test(&ptg); 4820 haskellsecp256k1_v0_1_0_gej_set_ge(&ptgj, &ptg); 4821 4822 for(t0i = 0; t0i < TOP; t0i++) { 4823 for(t1i = 0; t1i < TOP; t1i++) { 4824 haskellsecp256k1_v0_1_0_gej t0p, t1p; 4825 haskellsecp256k1_v0_1_0_scalar t0, t1; 4826 4827 haskellsecp256k1_v0_1_0_scalar_set_int(&t0, (t0i + 1) / 2); 4828 haskellsecp256k1_v0_1_0_scalar_cond_negate(&t0, t0i & 1); 4829 haskellsecp256k1_v0_1_0_scalar_set_int(&t1, (t1i + 1) / 2); 4830 haskellsecp256k1_v0_1_0_scalar_cond_negate(&t1, t1i & 1); 4831 4832 haskellsecp256k1_v0_1_0_ecmult(&t0p, &ptgj, &t0, &haskellsecp256k1_v0_1_0_scalar_zero); 4833 haskellsecp256k1_v0_1_0_ecmult(&t1p, &ptgj, &t1, &haskellsecp256k1_v0_1_0_scalar_zero); 4834 4835 for(s0i = 0; s0i < TOP; s0i++) { 4836 for(s1i = 0; s1i < TOP; s1i++) { 4837 haskellsecp256k1_v0_1_0_scalar tmp1, tmp2; 4838 haskellsecp256k1_v0_1_0_gej expected, actual; 4839 4840 haskellsecp256k1_v0_1_0_ge_set_gej(&pt[0], &t0p); 4841 haskellsecp256k1_v0_1_0_ge_set_gej(&pt[1], &t1p); 4842 4843 haskellsecp256k1_v0_1_0_scalar_set_int(&sc[0], (s0i + 1) / 2); 4844 haskellsecp256k1_v0_1_0_scalar_cond_negate(&sc[0], s0i & 1); 4845 haskellsecp256k1_v0_1_0_scalar_set_int(&sc[1], (s1i + 1) / 2); 4846 haskellsecp256k1_v0_1_0_scalar_cond_negate(&sc[1], s1i & 1); 4847 4848 haskellsecp256k1_v0_1_0_scalar_mul(&tmp1, &t0, &sc[0]); 4849 haskellsecp256k1_v0_1_0_scalar_mul(&tmp2, &t1, &sc[1]); 4850 haskellsecp256k1_v0_1_0_scalar_add(&tmp1, &tmp1, &tmp2); 4851 4852 haskellsecp256k1_v0_1_0_ecmult(&expected, &ptgj, &tmp1, &haskellsecp256k1_v0_1_0_scalar_zero); 4853 CHECK(ecmult_multi(&CTX->error_callback, scratch, &actual, &haskellsecp256k1_v0_1_0_scalar_zero, ecmult_multi_callback, &data, 2)); 4854 CHECK(haskellsecp256k1_v0_1_0_gej_eq_var(&actual, &expected)); 4855 } 4856 } 4857 } 4858 } 4859 } 4860 } 4861 4862 static int test_ecmult_multi_random(haskellsecp256k1_v0_1_0_scratch *scratch) { 4863 /* Large random test for ecmult_multi_* functions which exercises: 4864 * - Few or many inputs (0 up to 128, roughly exponentially distributed). 4865 * - Few or many 0*P or a*INF inputs (roughly uniformly distributed). 4866 * - Including or excluding an nonzero a*G term (or such a term at all). 4867 * - Final expected result equal to infinity or not (roughly 50%). 4868 * - ecmult_multi_var, ecmult_strauss_single_batch, ecmult_pippenger_single_batch 4869 */ 4870 4871 /* These 4 variables define the eventual input to the ecmult_multi function. 4872 * g_scalar is the G scalar fed to it (or NULL, possibly, if g_scalar=0), and 4873 * scalars[0..filled-1] and gejs[0..filled-1] are the scalars and points 4874 * which form its normal inputs. */ 4875 int filled = 0; 4876 haskellsecp256k1_v0_1_0_scalar g_scalar = haskellsecp256k1_v0_1_0_scalar_zero; 4877 haskellsecp256k1_v0_1_0_scalar scalars[128]; 4878 haskellsecp256k1_v0_1_0_gej gejs[128]; 4879 /* The expected result, and the computed result. */ 4880 haskellsecp256k1_v0_1_0_gej expected, computed; 4881 /* Temporaries. */ 4882 haskellsecp256k1_v0_1_0_scalar sc_tmp; 4883 haskellsecp256k1_v0_1_0_ge ge_tmp; 4884 /* Variables needed for the actual input to ecmult_multi. */ 4885 haskellsecp256k1_v0_1_0_ge ges[128]; 4886 ecmult_multi_data data; 4887 4888 int i; 4889 /* Which multiplication function to use */ 4890 int fn = haskellsecp256k1_v0_1_0_testrand_int(3); 4891 haskellsecp256k1_v0_1_0_ecmult_multi_func ecmult_multi = fn == 0 ? haskellsecp256k1_v0_1_0_ecmult_multi_var : 4892 fn == 1 ? haskellsecp256k1_v0_1_0_ecmult_strauss_batch_single : 4893 haskellsecp256k1_v0_1_0_ecmult_pippenger_batch_single; 4894 /* Simulate exponentially distributed num. */ 4895 int num_bits = 2 + haskellsecp256k1_v0_1_0_testrand_int(6); 4896 /* Number of (scalar, point) inputs (excluding g). */ 4897 int num = haskellsecp256k1_v0_1_0_testrand_int((1 << num_bits) + 1); 4898 /* Number of those which are nonzero. */ 4899 int num_nonzero = haskellsecp256k1_v0_1_0_testrand_int(num + 1); 4900 /* Whether we're aiming to create an input with nonzero expected result. */ 4901 int nonzero_result = haskellsecp256k1_v0_1_0_testrand_bits(1); 4902 /* Whether we will provide nonzero g multiplicand. In some cases our hand 4903 * is forced here based on num_nonzero and nonzero_result. */ 4904 int g_nonzero = num_nonzero == 0 ? nonzero_result : 4905 num_nonzero == 1 && !nonzero_result ? 1 : 4906 (int)haskellsecp256k1_v0_1_0_testrand_bits(1); 4907 /* Which g_scalar pointer to pass into ecmult_multi(). */ 4908 const haskellsecp256k1_v0_1_0_scalar* g_scalar_ptr = (g_nonzero || haskellsecp256k1_v0_1_0_testrand_bits(1)) ? &g_scalar : NULL; 4909 /* How many EC multiplications were performed in this function. */ 4910 int mults = 0; 4911 /* How many randomization steps to apply to the input list. */ 4912 int rands = (int)haskellsecp256k1_v0_1_0_testrand_bits(3); 4913 if (rands > num_nonzero) rands = num_nonzero; 4914 4915 haskellsecp256k1_v0_1_0_gej_set_infinity(&expected); 4916 haskellsecp256k1_v0_1_0_gej_set_infinity(&gejs[0]); 4917 haskellsecp256k1_v0_1_0_scalar_set_int(&scalars[0], 0); 4918 4919 if (g_nonzero) { 4920 /* If g_nonzero, set g_scalar to nonzero value r. */ 4921 random_scalar_order_test(&g_scalar); 4922 if (!nonzero_result) { 4923 /* If expected=0 is desired, add a (a*r, -(1/a)*g) term to compensate. */ 4924 CHECK(num_nonzero > filled); 4925 random_scalar_order_test(&sc_tmp); 4926 haskellsecp256k1_v0_1_0_scalar_mul(&scalars[filled], &sc_tmp, &g_scalar); 4927 haskellsecp256k1_v0_1_0_scalar_inverse_var(&sc_tmp, &sc_tmp); 4928 haskellsecp256k1_v0_1_0_scalar_negate(&sc_tmp, &sc_tmp); 4929 haskellsecp256k1_v0_1_0_ecmult_gen(&CTX->ecmult_gen_ctx, &gejs[filled], &sc_tmp); 4930 ++filled; 4931 ++mults; 4932 } 4933 } 4934 4935 if (nonzero_result && filled < num_nonzero) { 4936 /* If a nonzero result is desired, and there is space, add a random nonzero term. */ 4937 random_scalar_order_test(&scalars[filled]); 4938 random_group_element_test(&ge_tmp); 4939 haskellsecp256k1_v0_1_0_gej_set_ge(&gejs[filled], &ge_tmp); 4940 ++filled; 4941 } 4942 4943 if (nonzero_result) { 4944 /* Compute the expected result using normal ecmult. */ 4945 CHECK(filled <= 1); 4946 haskellsecp256k1_v0_1_0_ecmult(&expected, &gejs[0], &scalars[0], &g_scalar); 4947 mults += filled + g_nonzero; 4948 } 4949 4950 /* At this point we have expected = scalar_g*G + sum(scalars[i]*gejs[i] for i=0..filled-1). */ 4951 CHECK(filled <= 1 + !nonzero_result); 4952 CHECK(filled <= num_nonzero); 4953 4954 /* Add entries to scalars,gejs so that there are num of them. All the added entries 4955 * either have scalar=0 or point=infinity, so these do not change the expected result. */ 4956 while (filled < num) { 4957 if (haskellsecp256k1_v0_1_0_testrand_bits(1)) { 4958 haskellsecp256k1_v0_1_0_gej_set_infinity(&gejs[filled]); 4959 random_scalar_order_test(&scalars[filled]); 4960 } else { 4961 haskellsecp256k1_v0_1_0_scalar_set_int(&scalars[filled], 0); 4962 random_group_element_test(&ge_tmp); 4963 haskellsecp256k1_v0_1_0_gej_set_ge(&gejs[filled], &ge_tmp); 4964 } 4965 ++filled; 4966 } 4967 4968 /* Now perform cheapish transformations on gejs and scalars, for indices 4969 * 0..num_nonzero-1, which do not change the expected result, but may 4970 * convert some of them to be both non-0-scalar and non-infinity-point. */ 4971 for (i = 0; i < rands; ++i) { 4972 int j; 4973 haskellsecp256k1_v0_1_0_scalar v, iv; 4974 /* Shuffle the entries. */ 4975 for (j = 0; j < num_nonzero; ++j) { 4976 int k = haskellsecp256k1_v0_1_0_testrand_int(num_nonzero - j); 4977 if (k != 0) { 4978 haskellsecp256k1_v0_1_0_gej gej = gejs[j]; 4979 haskellsecp256k1_v0_1_0_scalar sc = scalars[j]; 4980 gejs[j] = gejs[j + k]; 4981 scalars[j] = scalars[j + k]; 4982 gejs[j + k] = gej; 4983 scalars[j + k] = sc; 4984 } 4985 } 4986 /* Perturb all consecutive pairs of inputs: 4987 * a*P + b*Q -> (a+b)*P + b*(Q-P). */ 4988 for (j = 0; j + 1 < num_nonzero; j += 2) { 4989 haskellsecp256k1_v0_1_0_gej gej; 4990 haskellsecp256k1_v0_1_0_scalar_add(&scalars[j], &scalars[j], &scalars[j+1]); 4991 haskellsecp256k1_v0_1_0_gej_neg(&gej, &gejs[j]); 4992 haskellsecp256k1_v0_1_0_gej_add_var(&gejs[j+1], &gejs[j+1], &gej, NULL); 4993 } 4994 /* Transform the last input: a*P -> (v*a) * ((1/v)*P). */ 4995 CHECK(num_nonzero >= 1); 4996 random_scalar_order_test(&v); 4997 haskellsecp256k1_v0_1_0_scalar_inverse(&iv, &v); 4998 haskellsecp256k1_v0_1_0_scalar_mul(&scalars[num_nonzero - 1], &scalars[num_nonzero - 1], &v); 4999 haskellsecp256k1_v0_1_0_ecmult(&gejs[num_nonzero - 1], &gejs[num_nonzero - 1], &iv, NULL); 5000 ++mults; 5001 } 5002 5003 /* Shuffle all entries (0..num-1). */ 5004 for (i = 0; i < num; ++i) { 5005 int j = haskellsecp256k1_v0_1_0_testrand_int(num - i); 5006 if (j != 0) { 5007 haskellsecp256k1_v0_1_0_gej gej = gejs[i]; 5008 haskellsecp256k1_v0_1_0_scalar sc = scalars[i]; 5009 gejs[i] = gejs[i + j]; 5010 scalars[i] = scalars[i + j]; 5011 gejs[i + j] = gej; 5012 scalars[i + j] = sc; 5013 } 5014 } 5015 5016 /* Compute affine versions of all inputs. */ 5017 haskellsecp256k1_v0_1_0_ge_set_all_gej_var(ges, gejs, filled); 5018 /* Invoke ecmult_multi code. */ 5019 data.sc = scalars; 5020 data.pt = ges; 5021 CHECK(ecmult_multi(&CTX->error_callback, scratch, &computed, g_scalar_ptr, ecmult_multi_callback, &data, filled)); 5022 mults += num_nonzero + g_nonzero; 5023 /* Compare with expected result. */ 5024 CHECK(haskellsecp256k1_v0_1_0_gej_eq_var(&computed, &expected)); 5025 return mults; 5026 } 5027 5028 static void test_ecmult_multi_batch_single(haskellsecp256k1_v0_1_0_ecmult_multi_func ecmult_multi) { 5029 haskellsecp256k1_v0_1_0_scalar sc; 5030 haskellsecp256k1_v0_1_0_ge pt; 5031 haskellsecp256k1_v0_1_0_gej r; 5032 ecmult_multi_data data; 5033 haskellsecp256k1_v0_1_0_scratch *scratch_empty; 5034 5035 random_group_element_test(&pt); 5036 random_scalar_order(&sc); 5037 data.sc = ≻ 5038 data.pt = &pt; 5039 5040 /* Try to multiply 1 point, but scratch space is empty.*/ 5041 scratch_empty = haskellsecp256k1_v0_1_0_scratch_create(&CTX->error_callback, 0); 5042 CHECK(!ecmult_multi(&CTX->error_callback, scratch_empty, &r, &haskellsecp256k1_v0_1_0_scalar_zero, ecmult_multi_callback, &data, 1)); 5043 haskellsecp256k1_v0_1_0_scratch_destroy(&CTX->error_callback, scratch_empty); 5044 } 5045 5046 static void test_haskellsecp256k1_v0_1_0_pippenger_bucket_window_inv(void) { 5047 int i; 5048 5049 CHECK(haskellsecp256k1_v0_1_0_pippenger_bucket_window_inv(0) == 0); 5050 for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) { 5051 /* Bucket_window of 8 is not used with endo */ 5052 if (i == 8) { 5053 continue; 5054 } 5055 CHECK(haskellsecp256k1_v0_1_0_pippenger_bucket_window(haskellsecp256k1_v0_1_0_pippenger_bucket_window_inv(i)) == i); 5056 if (i != PIPPENGER_MAX_BUCKET_WINDOW) { 5057 CHECK(haskellsecp256k1_v0_1_0_pippenger_bucket_window(haskellsecp256k1_v0_1_0_pippenger_bucket_window_inv(i)+1) > i); 5058 } 5059 } 5060 } 5061 5062 /** 5063 * Probabilistically test the function returning the maximum number of possible points 5064 * for a given scratch space. 5065 */ 5066 static void test_ecmult_multi_pippenger_max_points(void) { 5067 size_t scratch_size = haskellsecp256k1_v0_1_0_testrand_bits(8); 5068 size_t max_size = haskellsecp256k1_v0_1_0_pippenger_scratch_size(haskellsecp256k1_v0_1_0_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12); 5069 haskellsecp256k1_v0_1_0_scratch *scratch; 5070 size_t n_points_supported; 5071 int bucket_window = 0; 5072 5073 for(; scratch_size < max_size; scratch_size+=256) { 5074 size_t i; 5075 size_t total_alloc; 5076 size_t checkpoint; 5077 scratch = haskellsecp256k1_v0_1_0_scratch_create(&CTX->error_callback, scratch_size); 5078 CHECK(scratch != NULL); 5079 checkpoint = haskellsecp256k1_v0_1_0_scratch_checkpoint(&CTX->error_callback, scratch); 5080 n_points_supported = haskellsecp256k1_v0_1_0_pippenger_max_points(&CTX->error_callback, scratch); 5081 if (n_points_supported == 0) { 5082 haskellsecp256k1_v0_1_0_scratch_destroy(&CTX->error_callback, scratch); 5083 continue; 5084 } 5085 bucket_window = haskellsecp256k1_v0_1_0_pippenger_bucket_window(n_points_supported); 5086 /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */ 5087 total_alloc = haskellsecp256k1_v0_1_0_pippenger_scratch_size(n_points_supported, bucket_window); 5088 for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) { 5089 CHECK(haskellsecp256k1_v0_1_0_scratch_alloc(&CTX->error_callback, scratch, 1)); 5090 total_alloc--; 5091 } 5092 CHECK(haskellsecp256k1_v0_1_0_scratch_alloc(&CTX->error_callback, scratch, total_alloc)); 5093 haskellsecp256k1_v0_1_0_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint); 5094 haskellsecp256k1_v0_1_0_scratch_destroy(&CTX->error_callback, scratch); 5095 } 5096 CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW); 5097 } 5098 5099 static void test_ecmult_multi_batch_size_helper(void) { 5100 size_t n_batches, n_batch_points, max_n_batch_points, n; 5101 5102 max_n_batch_points = 0; 5103 n = 1; 5104 CHECK(haskellsecp256k1_v0_1_0_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0); 5105 5106 max_n_batch_points = 1; 5107 n = 0; 5108 CHECK(haskellsecp256k1_v0_1_0_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); 5109 CHECK(n_batches == 0); 5110 CHECK(n_batch_points == 0); 5111 5112 max_n_batch_points = 2; 5113 n = 5; 5114 CHECK(haskellsecp256k1_v0_1_0_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); 5115 CHECK(n_batches == 3); 5116 CHECK(n_batch_points == 2); 5117 5118 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH; 5119 n = ECMULT_MAX_POINTS_PER_BATCH; 5120 CHECK(haskellsecp256k1_v0_1_0_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); 5121 CHECK(n_batches == 1); 5122 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH); 5123 5124 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1; 5125 n = ECMULT_MAX_POINTS_PER_BATCH + 1; 5126 CHECK(haskellsecp256k1_v0_1_0_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); 5127 CHECK(n_batches == 2); 5128 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1); 5129 5130 max_n_batch_points = 1; 5131 n = SIZE_MAX; 5132 CHECK(haskellsecp256k1_v0_1_0_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); 5133 CHECK(n_batches == SIZE_MAX); 5134 CHECK(n_batch_points == 1); 5135 5136 max_n_batch_points = 2; 5137 n = SIZE_MAX; 5138 CHECK(haskellsecp256k1_v0_1_0_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); 5139 CHECK(n_batches == SIZE_MAX/2 + 1); 5140 CHECK(n_batch_points == 2); 5141 } 5142 5143 /** 5144 * Run haskellsecp256k1_v0_1_0_ecmult_multi_var with num points and a scratch space restricted to 5145 * 1 <= i <= num points. 5146 */ 5147 static void test_ecmult_multi_batching(void) { 5148 static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD; 5149 haskellsecp256k1_v0_1_0_scalar scG; 5150 haskellsecp256k1_v0_1_0_scalar *sc = (haskellsecp256k1_v0_1_0_scalar *)checked_malloc(&CTX->error_callback, sizeof(haskellsecp256k1_v0_1_0_scalar) * n_points); 5151 haskellsecp256k1_v0_1_0_ge *pt = (haskellsecp256k1_v0_1_0_ge *)checked_malloc(&CTX->error_callback, sizeof(haskellsecp256k1_v0_1_0_ge) * n_points); 5152 haskellsecp256k1_v0_1_0_gej r; 5153 haskellsecp256k1_v0_1_0_gej r2; 5154 ecmult_multi_data data; 5155 int i; 5156 haskellsecp256k1_v0_1_0_scratch *scratch; 5157 5158 haskellsecp256k1_v0_1_0_gej_set_infinity(&r2); 5159 5160 /* Get random scalars and group elements and compute result */ 5161 random_scalar_order(&scG); 5162 haskellsecp256k1_v0_1_0_ecmult(&r2, &r2, &haskellsecp256k1_v0_1_0_scalar_zero, &scG); 5163 for(i = 0; i < n_points; i++) { 5164 haskellsecp256k1_v0_1_0_ge ptg; 5165 haskellsecp256k1_v0_1_0_gej ptgj; 5166 random_group_element_test(&ptg); 5167 haskellsecp256k1_v0_1_0_gej_set_ge(&ptgj, &ptg); 5168 pt[i] = ptg; 5169 random_scalar_order(&sc[i]); 5170 haskellsecp256k1_v0_1_0_ecmult(&ptgj, &ptgj, &sc[i], NULL); 5171 haskellsecp256k1_v0_1_0_gej_add_var(&r2, &r2, &ptgj, NULL); 5172 } 5173 data.sc = sc; 5174 data.pt = pt; 5175 haskellsecp256k1_v0_1_0_gej_neg(&r2, &r2); 5176 5177 /* Test with empty scratch space. It should compute the correct result using 5178 * ecmult_mult_simple algorithm which doesn't require a scratch space. */ 5179 scratch = haskellsecp256k1_v0_1_0_scratch_create(&CTX->error_callback, 0); 5180 CHECK(haskellsecp256k1_v0_1_0_ecmult_multi_var(&CTX->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points)); 5181 haskellsecp256k1_v0_1_0_gej_add_var(&r, &r, &r2, NULL); 5182 CHECK(haskellsecp256k1_v0_1_0_gej_is_infinity(&r)); 5183 haskellsecp256k1_v0_1_0_scratch_destroy(&CTX->error_callback, scratch); 5184 5185 /* Test with space for 1 point in pippenger. That's not enough because 5186 * ecmult_multi selects strauss which requires more memory. It should 5187 * therefore select the simple algorithm. */ 5188 scratch = haskellsecp256k1_v0_1_0_scratch_create(&CTX->error_callback, haskellsecp256k1_v0_1_0_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT); 5189 CHECK(haskellsecp256k1_v0_1_0_ecmult_multi_var(&CTX->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points)); 5190 haskellsecp256k1_v0_1_0_gej_add_var(&r, &r, &r2, NULL); 5191 CHECK(haskellsecp256k1_v0_1_0_gej_is_infinity(&r)); 5192 haskellsecp256k1_v0_1_0_scratch_destroy(&CTX->error_callback, scratch); 5193 5194 for(i = 1; i <= n_points; i++) { 5195 if (i > ECMULT_PIPPENGER_THRESHOLD) { 5196 int bucket_window = haskellsecp256k1_v0_1_0_pippenger_bucket_window(i); 5197 size_t scratch_size = haskellsecp256k1_v0_1_0_pippenger_scratch_size(i, bucket_window); 5198 scratch = haskellsecp256k1_v0_1_0_scratch_create(&CTX->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT); 5199 } else { 5200 size_t scratch_size = haskellsecp256k1_v0_1_0_strauss_scratch_size(i); 5201 scratch = haskellsecp256k1_v0_1_0_scratch_create(&CTX->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT); 5202 } 5203 CHECK(haskellsecp256k1_v0_1_0_ecmult_multi_var(&CTX->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points)); 5204 haskellsecp256k1_v0_1_0_gej_add_var(&r, &r, &r2, NULL); 5205 CHECK(haskellsecp256k1_v0_1_0_gej_is_infinity(&r)); 5206 haskellsecp256k1_v0_1_0_scratch_destroy(&CTX->error_callback, scratch); 5207 } 5208 free(sc); 5209 free(pt); 5210 } 5211 5212 static void run_ecmult_multi_tests(void) { 5213 haskellsecp256k1_v0_1_0_scratch *scratch; 5214 int64_t todo = (int64_t)320 * COUNT; 5215 5216 test_haskellsecp256k1_v0_1_0_pippenger_bucket_window_inv(); 5217 test_ecmult_multi_pippenger_max_points(); 5218 scratch = haskellsecp256k1_v0_1_0_scratch_create(&CTX->error_callback, 819200); 5219 test_ecmult_multi(scratch, haskellsecp256k1_v0_1_0_ecmult_multi_var); 5220 test_ecmult_multi(NULL, haskellsecp256k1_v0_1_0_ecmult_multi_var); 5221 test_ecmult_multi(scratch, haskellsecp256k1_v0_1_0_ecmult_pippenger_batch_single); 5222 test_ecmult_multi_batch_single(haskellsecp256k1_v0_1_0_ecmult_pippenger_batch_single); 5223 test_ecmult_multi(scratch, haskellsecp256k1_v0_1_0_ecmult_strauss_batch_single); 5224 test_ecmult_multi_batch_single(haskellsecp256k1_v0_1_0_ecmult_strauss_batch_single); 5225 while (todo > 0) { 5226 todo -= test_ecmult_multi_random(scratch); 5227 } 5228 haskellsecp256k1_v0_1_0_scratch_destroy(&CTX->error_callback, scratch); 5229 5230 /* Run test_ecmult_multi with space for exactly one point */ 5231 scratch = haskellsecp256k1_v0_1_0_scratch_create(&CTX->error_callback, haskellsecp256k1_v0_1_0_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT); 5232 test_ecmult_multi(scratch, haskellsecp256k1_v0_1_0_ecmult_multi_var); 5233 haskellsecp256k1_v0_1_0_scratch_destroy(&CTX->error_callback, scratch); 5234 5235 test_ecmult_multi_batch_size_helper(); 5236 test_ecmult_multi_batching(); 5237 } 5238 5239 static void test_wnaf(const haskellsecp256k1_v0_1_0_scalar *number, int w) { 5240 haskellsecp256k1_v0_1_0_scalar x, two, t; 5241 int wnaf[256]; 5242 int zeroes = -1; 5243 int i; 5244 int bits; 5245 haskellsecp256k1_v0_1_0_scalar_set_int(&x, 0); 5246 haskellsecp256k1_v0_1_0_scalar_set_int(&two, 2); 5247 bits = haskellsecp256k1_v0_1_0_ecmult_wnaf(wnaf, 256, number, w); 5248 CHECK(bits <= 256); 5249 for (i = bits-1; i >= 0; i--) { 5250 int v = wnaf[i]; 5251 haskellsecp256k1_v0_1_0_scalar_mul(&x, &x, &two); 5252 if (v) { 5253 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */ 5254 zeroes=0; 5255 CHECK((v & 1) == 1); /* check non-zero elements are odd */ 5256 CHECK(v <= (1 << (w-1)) - 1); /* check range below */ 5257 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */ 5258 } else { 5259 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */ 5260 zeroes++; 5261 } 5262 if (v >= 0) { 5263 haskellsecp256k1_v0_1_0_scalar_set_int(&t, v); 5264 } else { 5265 haskellsecp256k1_v0_1_0_scalar_set_int(&t, -v); 5266 haskellsecp256k1_v0_1_0_scalar_negate(&t, &t); 5267 } 5268 haskellsecp256k1_v0_1_0_scalar_add(&x, &x, &t); 5269 } 5270 CHECK(haskellsecp256k1_v0_1_0_scalar_eq(&x, number)); /* check that wnaf represents number */ 5271 } 5272 5273 static void test_fixed_wnaf(const haskellsecp256k1_v0_1_0_scalar *number, int w) { 5274 haskellsecp256k1_v0_1_0_scalar x, shift; 5275 int wnaf[256] = {0}; 5276 int i; 5277 int skew; 5278 haskellsecp256k1_v0_1_0_scalar num, unused; 5279 5280 haskellsecp256k1_v0_1_0_scalar_set_int(&x, 0); 5281 haskellsecp256k1_v0_1_0_scalar_set_int(&shift, 1 << w); 5282 /* Make num a 128-bit scalar. */ 5283 haskellsecp256k1_v0_1_0_scalar_split_128(&num, &unused, number); 5284 skew = haskellsecp256k1_v0_1_0_wnaf_fixed(wnaf, &num, w); 5285 5286 for (i = WNAF_SIZE(w)-1; i >= 0; --i) { 5287 haskellsecp256k1_v0_1_0_scalar t; 5288 int v = wnaf[i]; 5289 CHECK(v == 0 || v & 1); /* check parity */ 5290 CHECK(v > -(1 << w)); /* check range above */ 5291 CHECK(v < (1 << w)); /* check range below */ 5292 5293 haskellsecp256k1_v0_1_0_scalar_mul(&x, &x, &shift); 5294 if (v >= 0) { 5295 haskellsecp256k1_v0_1_0_scalar_set_int(&t, v); 5296 } else { 5297 haskellsecp256k1_v0_1_0_scalar_set_int(&t, -v); 5298 haskellsecp256k1_v0_1_0_scalar_negate(&t, &t); 5299 } 5300 haskellsecp256k1_v0_1_0_scalar_add(&x, &x, &t); 5301 } 5302 /* If skew is 1 then add 1 to num */ 5303 haskellsecp256k1_v0_1_0_scalar_cadd_bit(&num, 0, skew == 1); 5304 CHECK(haskellsecp256k1_v0_1_0_scalar_eq(&x, &num)); 5305 } 5306 5307 /* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the 5308 * rest is 0.*/ 5309 static void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) { 5310 int i; 5311 for (i = WNAF_SIZE(w)-1; i >= 8; --i) { 5312 CHECK(wnaf[i] == 0); 5313 } 5314 for (i = 7; i >= 0; --i) { 5315 CHECK(wnaf[i] == wnaf_expected[i]); 5316 } 5317 } 5318 5319 static void test_fixed_wnaf_small(void) { 5320 int w = 4; 5321 int wnaf[256] = {0}; 5322 int i; 5323 int skew; 5324 haskellsecp256k1_v0_1_0_scalar num; 5325 5326 haskellsecp256k1_v0_1_0_scalar_set_int(&num, 0); 5327 skew = haskellsecp256k1_v0_1_0_wnaf_fixed(wnaf, &num, w); 5328 for (i = WNAF_SIZE(w)-1; i >= 0; --i) { 5329 int v = wnaf[i]; 5330 CHECK(v == 0); 5331 } 5332 CHECK(skew == 0); 5333 5334 haskellsecp256k1_v0_1_0_scalar_set_int(&num, 1); 5335 skew = haskellsecp256k1_v0_1_0_wnaf_fixed(wnaf, &num, w); 5336 for (i = WNAF_SIZE(w)-1; i >= 1; --i) { 5337 int v = wnaf[i]; 5338 CHECK(v == 0); 5339 } 5340 CHECK(wnaf[0] == 1); 5341 CHECK(skew == 0); 5342 5343 { 5344 int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf }; 5345 haskellsecp256k1_v0_1_0_scalar_set_int(&num, 0xffffffff); 5346 skew = haskellsecp256k1_v0_1_0_wnaf_fixed(wnaf, &num, w); 5347 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w); 5348 CHECK(skew == 0); 5349 } 5350 { 5351 int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf }; 5352 haskellsecp256k1_v0_1_0_scalar_set_int(&num, 0xeeeeeeee); 5353 skew = haskellsecp256k1_v0_1_0_wnaf_fixed(wnaf, &num, w); 5354 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w); 5355 CHECK(skew == 1); 5356 } 5357 { 5358 int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 }; 5359 haskellsecp256k1_v0_1_0_scalar_set_int(&num, 0x01010101); 5360 skew = haskellsecp256k1_v0_1_0_wnaf_fixed(wnaf, &num, w); 5361 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w); 5362 CHECK(skew == 0); 5363 } 5364 { 5365 int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 }; 5366 haskellsecp256k1_v0_1_0_scalar_set_int(&num, 0x01ef1ef1); 5367 skew = haskellsecp256k1_v0_1_0_wnaf_fixed(wnaf, &num, w); 5368 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w); 5369 CHECK(skew == 0); 5370 } 5371 } 5372 5373 static void run_wnaf(void) { 5374 int i; 5375 haskellsecp256k1_v0_1_0_scalar n; 5376 5377 /* Test 0 for fixed wnaf */ 5378 test_fixed_wnaf_small(); 5379 /* Random tests */ 5380 for (i = 0; i < COUNT; i++) { 5381 random_scalar_order(&n); 5382 test_wnaf(&n, 4+(i%10)); 5383 test_fixed_wnaf(&n, 4 + (i % 10)); 5384 } 5385 haskellsecp256k1_v0_1_0_scalar_set_int(&n, 0); 5386 CHECK(haskellsecp256k1_v0_1_0_scalar_cond_negate(&n, 1) == -1); 5387 CHECK(haskellsecp256k1_v0_1_0_scalar_is_zero(&n)); 5388 CHECK(haskellsecp256k1_v0_1_0_scalar_cond_negate(&n, 0) == 1); 5389 CHECK(haskellsecp256k1_v0_1_0_scalar_is_zero(&n)); 5390 } 5391 5392 static int test_ecmult_accumulate_cb(haskellsecp256k1_v0_1_0_scalar* sc, haskellsecp256k1_v0_1_0_ge* pt, size_t idx, void* data) { 5393 const haskellsecp256k1_v0_1_0_scalar* indata = (const haskellsecp256k1_v0_1_0_scalar*)data; 5394 *sc = *indata; 5395 *pt = haskellsecp256k1_v0_1_0_ge_const_g; 5396 CHECK(idx == 0); 5397 return 1; 5398 } 5399 5400 static void test_ecmult_accumulate(haskellsecp256k1_v0_1_0_sha256* acc, const haskellsecp256k1_v0_1_0_scalar* x, haskellsecp256k1_v0_1_0_scratch* scratch) { 5401 /* Compute x*G in 6 different ways, serialize it uncompressed, and feed it into acc. */ 5402 haskellsecp256k1_v0_1_0_gej rj1, rj2, rj3, rj4, rj5, rj6, gj, infj; 5403 haskellsecp256k1_v0_1_0_ge r; 5404 unsigned char bytes[65]; 5405 size_t size = 65; 5406 haskellsecp256k1_v0_1_0_gej_set_ge(&gj, &haskellsecp256k1_v0_1_0_ge_const_g); 5407 haskellsecp256k1_v0_1_0_gej_set_infinity(&infj); 5408 haskellsecp256k1_v0_1_0_ecmult_gen(&CTX->ecmult_gen_ctx, &rj1, x); 5409 haskellsecp256k1_v0_1_0_ecmult(&rj2, &gj, x, &haskellsecp256k1_v0_1_0_scalar_zero); 5410 haskellsecp256k1_v0_1_0_ecmult(&rj3, &infj, &haskellsecp256k1_v0_1_0_scalar_zero, x); 5411 haskellsecp256k1_v0_1_0_ecmult_multi_var(NULL, scratch, &rj4, x, NULL, NULL, 0); 5412 haskellsecp256k1_v0_1_0_ecmult_multi_var(NULL, scratch, &rj5, &haskellsecp256k1_v0_1_0_scalar_zero, test_ecmult_accumulate_cb, (void*)x, 1); 5413 haskellsecp256k1_v0_1_0_ecmult_const(&rj6, &haskellsecp256k1_v0_1_0_ge_const_g, x); 5414 haskellsecp256k1_v0_1_0_ge_set_gej_var(&r, &rj1); 5415 CHECK(haskellsecp256k1_v0_1_0_gej_eq_ge_var(&rj2, &r)); 5416 CHECK(haskellsecp256k1_v0_1_0_gej_eq_ge_var(&rj3, &r)); 5417 CHECK(haskellsecp256k1_v0_1_0_gej_eq_ge_var(&rj4, &r)); 5418 CHECK(haskellsecp256k1_v0_1_0_gej_eq_ge_var(&rj5, &r)); 5419 CHECK(haskellsecp256k1_v0_1_0_gej_eq_ge_var(&rj6, &r)); 5420 if (haskellsecp256k1_v0_1_0_ge_is_infinity(&r)) { 5421 /* Store infinity as 0x00 */ 5422 const unsigned char zerobyte[1] = {0}; 5423 haskellsecp256k1_v0_1_0_sha256_write(acc, zerobyte, 1); 5424 } else { 5425 /* Store other points using their uncompressed serialization. */ 5426 haskellsecp256k1_v0_1_0_eckey_pubkey_serialize(&r, bytes, &size, 0); 5427 CHECK(size == 65); 5428 haskellsecp256k1_v0_1_0_sha256_write(acc, bytes, size); 5429 } 5430 } 5431 5432 static void test_ecmult_constants_2bit(void) { 5433 /* Using test_ecmult_accumulate, test ecmult for: 5434 * - For i in 0..36: 5435 * - Key i 5436 * - Key -i 5437 * - For i in 0..255: 5438 * - For j in 1..255 (only odd values): 5439 * - Key (j*2^i) mod order 5440 */ 5441 haskellsecp256k1_v0_1_0_scalar x; 5442 haskellsecp256k1_v0_1_0_sha256 acc; 5443 unsigned char b32[32]; 5444 int i, j; 5445 haskellsecp256k1_v0_1_0_scratch_space *scratch = haskellsecp256k1_v0_1_0_scratch_space_create(CTX, 65536); 5446 5447 /* Expected hash of all the computed points; created with an independent 5448 * implementation. */ 5449 static const unsigned char expected32[32] = { 5450 0xe4, 0x71, 0x1b, 0x4d, 0x14, 0x1e, 0x68, 0x48, 5451 0xb7, 0xaf, 0x47, 0x2b, 0x4c, 0xd2, 0x04, 0x14, 5452 0x3a, 0x75, 0x87, 0x60, 0x1a, 0xf9, 0x63, 0x60, 5453 0xd0, 0xcb, 0x1f, 0xaa, 0x85, 0x9a, 0xb7, 0xb4 5454 }; 5455 haskellsecp256k1_v0_1_0_sha256_initialize(&acc); 5456 for (i = 0; i <= 36; ++i) { 5457 haskellsecp256k1_v0_1_0_scalar_set_int(&x, i); 5458 test_ecmult_accumulate(&acc, &x, scratch); 5459 haskellsecp256k1_v0_1_0_scalar_negate(&x, &x); 5460 test_ecmult_accumulate(&acc, &x, scratch); 5461 }; 5462 for (i = 0; i < 256; ++i) { 5463 for (j = 1; j < 256; j += 2) { 5464 int k; 5465 haskellsecp256k1_v0_1_0_scalar_set_int(&x, j); 5466 for (k = 0; k < i; ++k) haskellsecp256k1_v0_1_0_scalar_add(&x, &x, &x); 5467 test_ecmult_accumulate(&acc, &x, scratch); 5468 } 5469 } 5470 haskellsecp256k1_v0_1_0_sha256_finalize(&acc, b32); 5471 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(b32, expected32, 32) == 0); 5472 5473 haskellsecp256k1_v0_1_0_scratch_space_destroy(CTX, scratch); 5474 } 5475 5476 static void test_ecmult_constants_sha(uint32_t prefix, size_t iter, const unsigned char* expected32) { 5477 /* Using test_ecmult_accumulate, test ecmult for: 5478 * - Key 0 5479 * - Key 1 5480 * - Key -1 5481 * - For i in range(iter): 5482 * - Key SHA256(LE32(prefix) || LE16(i)) 5483 */ 5484 haskellsecp256k1_v0_1_0_scalar x; 5485 haskellsecp256k1_v0_1_0_sha256 acc; 5486 unsigned char b32[32]; 5487 unsigned char inp[6]; 5488 size_t i; 5489 haskellsecp256k1_v0_1_0_scratch_space *scratch = haskellsecp256k1_v0_1_0_scratch_space_create(CTX, 65536); 5490 5491 inp[0] = prefix & 0xFF; 5492 inp[1] = (prefix >> 8) & 0xFF; 5493 inp[2] = (prefix >> 16) & 0xFF; 5494 inp[3] = (prefix >> 24) & 0xFF; 5495 haskellsecp256k1_v0_1_0_sha256_initialize(&acc); 5496 haskellsecp256k1_v0_1_0_scalar_set_int(&x, 0); 5497 test_ecmult_accumulate(&acc, &x, scratch); 5498 haskellsecp256k1_v0_1_0_scalar_set_int(&x, 1); 5499 test_ecmult_accumulate(&acc, &x, scratch); 5500 haskellsecp256k1_v0_1_0_scalar_negate(&x, &x); 5501 test_ecmult_accumulate(&acc, &x, scratch); 5502 5503 for (i = 0; i < iter; ++i) { 5504 haskellsecp256k1_v0_1_0_sha256 gen; 5505 inp[4] = i & 0xff; 5506 inp[5] = (i >> 8) & 0xff; 5507 haskellsecp256k1_v0_1_0_sha256_initialize(&gen); 5508 haskellsecp256k1_v0_1_0_sha256_write(&gen, inp, sizeof(inp)); 5509 haskellsecp256k1_v0_1_0_sha256_finalize(&gen, b32); 5510 haskellsecp256k1_v0_1_0_scalar_set_b32(&x, b32, NULL); 5511 test_ecmult_accumulate(&acc, &x, scratch); 5512 } 5513 haskellsecp256k1_v0_1_0_sha256_finalize(&acc, b32); 5514 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(b32, expected32, 32) == 0); 5515 5516 haskellsecp256k1_v0_1_0_scratch_space_destroy(CTX, scratch); 5517 } 5518 5519 static void run_ecmult_constants(void) { 5520 /* Expected hashes of all points in the tests below. Computed using an 5521 * independent implementation. */ 5522 static const unsigned char expected32_6bit20[32] = { 5523 0x68, 0xb6, 0xed, 0x6f, 0x28, 0xca, 0xc9, 0x7f, 5524 0x8e, 0x8b, 0xd6, 0xc0, 0x61, 0x79, 0x34, 0x6e, 5525 0x5a, 0x8f, 0x2b, 0xbc, 0x3e, 0x1f, 0xc5, 0x2e, 5526 0x2a, 0xd0, 0x45, 0x67, 0x7f, 0x95, 0x95, 0x8e 5527 }; 5528 static const unsigned char expected32_8bit8[32] = { 5529 0x8b, 0x65, 0x8e, 0xea, 0x86, 0xae, 0x3c, 0x95, 5530 0x90, 0xb6, 0x77, 0xa4, 0x8c, 0x76, 0xd9, 0xec, 5531 0xf5, 0xab, 0x8a, 0x2f, 0xfd, 0xdb, 0x19, 0x12, 5532 0x1a, 0xee, 0xe6, 0xb7, 0x6e, 0x05, 0x3f, 0xc6 5533 }; 5534 /* For every combination of 6 bit positions out of 256, restricted to 5535 * 20-bit windows (i.e., the first and last bit position are no more than 5536 * 19 bits apart), all 64 bit patterns occur in the input scalars used in 5537 * this test. */ 5538 CONDITIONAL_TEST(1, "test_ecmult_constants_sha 1024") { 5539 test_ecmult_constants_sha(4808378u, 1024, expected32_6bit20); 5540 } 5541 5542 /* For every combination of 8 consecutive bit positions, all 256 bit 5543 * patterns occur in the input scalars used in this test. */ 5544 CONDITIONAL_TEST(3, "test_ecmult_constants_sha 2048") { 5545 test_ecmult_constants_sha(1607366309u, 2048, expected32_8bit8); 5546 } 5547 5548 CONDITIONAL_TEST(35, "test_ecmult_constants_2bit") { 5549 test_ecmult_constants_2bit(); 5550 } 5551 } 5552 5553 static void test_ecmult_gen_blind(void) { 5554 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */ 5555 haskellsecp256k1_v0_1_0_scalar key; 5556 haskellsecp256k1_v0_1_0_scalar b; 5557 unsigned char seed32[32]; 5558 haskellsecp256k1_v0_1_0_gej pgej; 5559 haskellsecp256k1_v0_1_0_gej pgej2; 5560 haskellsecp256k1_v0_1_0_gej i; 5561 haskellsecp256k1_v0_1_0_ge pge; 5562 random_scalar_order_test(&key); 5563 haskellsecp256k1_v0_1_0_ecmult_gen(&CTX->ecmult_gen_ctx, &pgej, &key); 5564 haskellsecp256k1_v0_1_0_testrand256(seed32); 5565 b = CTX->ecmult_gen_ctx.blind; 5566 i = CTX->ecmult_gen_ctx.initial; 5567 haskellsecp256k1_v0_1_0_ecmult_gen_blind(&CTX->ecmult_gen_ctx, seed32); 5568 CHECK(!haskellsecp256k1_v0_1_0_scalar_eq(&b, &CTX->ecmult_gen_ctx.blind)); 5569 haskellsecp256k1_v0_1_0_ecmult_gen(&CTX->ecmult_gen_ctx, &pgej2, &key); 5570 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2)); 5571 CHECK(!gej_xyz_equals_gej(&i, &CTX->ecmult_gen_ctx.initial)); 5572 haskellsecp256k1_v0_1_0_ge_set_gej(&pge, &pgej); 5573 CHECK(haskellsecp256k1_v0_1_0_gej_eq_ge_var(&pgej2, &pge)); 5574 } 5575 5576 static void test_ecmult_gen_blind_reset(void) { 5577 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */ 5578 haskellsecp256k1_v0_1_0_scalar b; 5579 haskellsecp256k1_v0_1_0_gej initial; 5580 haskellsecp256k1_v0_1_0_ecmult_gen_blind(&CTX->ecmult_gen_ctx, 0); 5581 b = CTX->ecmult_gen_ctx.blind; 5582 initial = CTX->ecmult_gen_ctx.initial; 5583 haskellsecp256k1_v0_1_0_ecmult_gen_blind(&CTX->ecmult_gen_ctx, 0); 5584 CHECK(haskellsecp256k1_v0_1_0_scalar_eq(&b, &CTX->ecmult_gen_ctx.blind)); 5585 CHECK(gej_xyz_equals_gej(&initial, &CTX->ecmult_gen_ctx.initial)); 5586 } 5587 5588 static void run_ecmult_gen_blind(void) { 5589 int i; 5590 test_ecmult_gen_blind_reset(); 5591 for (i = 0; i < 10; i++) { 5592 test_ecmult_gen_blind(); 5593 } 5594 } 5595 5596 /***** ENDOMORPHISH TESTS *****/ 5597 static void test_scalar_split(const haskellsecp256k1_v0_1_0_scalar* full) { 5598 haskellsecp256k1_v0_1_0_scalar s, s1, slam; 5599 const unsigned char zero[32] = {0}; 5600 unsigned char tmp[32]; 5601 5602 haskellsecp256k1_v0_1_0_scalar_split_lambda(&s1, &slam, full); 5603 5604 /* check slam*lambda + s1 == full */ 5605 haskellsecp256k1_v0_1_0_scalar_mul(&s, &haskellsecp256k1_v0_1_0_const_lambda, &slam); 5606 haskellsecp256k1_v0_1_0_scalar_add(&s, &s, &s1); 5607 CHECK(haskellsecp256k1_v0_1_0_scalar_eq(&s, full)); 5608 5609 /* check that both are <= 128 bits in size */ 5610 if (haskellsecp256k1_v0_1_0_scalar_is_high(&s1)) { 5611 haskellsecp256k1_v0_1_0_scalar_negate(&s1, &s1); 5612 } 5613 if (haskellsecp256k1_v0_1_0_scalar_is_high(&slam)) { 5614 haskellsecp256k1_v0_1_0_scalar_negate(&slam, &slam); 5615 } 5616 5617 haskellsecp256k1_v0_1_0_scalar_get_b32(tmp, &s1); 5618 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(zero, tmp, 16) == 0); 5619 haskellsecp256k1_v0_1_0_scalar_get_b32(tmp, &slam); 5620 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(zero, tmp, 16) == 0); 5621 } 5622 5623 5624 static void run_endomorphism_tests(void) { 5625 unsigned i; 5626 static haskellsecp256k1_v0_1_0_scalar s; 5627 test_scalar_split(&haskellsecp256k1_v0_1_0_scalar_zero); 5628 test_scalar_split(&haskellsecp256k1_v0_1_0_scalar_one); 5629 haskellsecp256k1_v0_1_0_scalar_negate(&s,&haskellsecp256k1_v0_1_0_scalar_one); 5630 test_scalar_split(&s); 5631 test_scalar_split(&haskellsecp256k1_v0_1_0_const_lambda); 5632 haskellsecp256k1_v0_1_0_scalar_add(&s, &haskellsecp256k1_v0_1_0_const_lambda, &haskellsecp256k1_v0_1_0_scalar_one); 5633 test_scalar_split(&s); 5634 5635 for (i = 0; i < 100U * COUNT; ++i) { 5636 haskellsecp256k1_v0_1_0_scalar full; 5637 random_scalar_order_test(&full); 5638 test_scalar_split(&full); 5639 } 5640 for (i = 0; i < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++i) { 5641 test_scalar_split(&scalars_near_split_bounds[i]); 5642 } 5643 } 5644 5645 static void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) { 5646 unsigned char pubkeyc[65]; 5647 haskellsecp256k1_v0_1_0_pubkey pubkey; 5648 haskellsecp256k1_v0_1_0_ge ge; 5649 size_t pubkeyclen; 5650 5651 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) { 5652 /* Smaller sizes are tested exhaustively elsewhere. */ 5653 int32_t i; 5654 memcpy(&pubkeyc[1], input, 64); 5655 SECP256K1_CHECKMEM_UNDEFINE(&pubkeyc[pubkeyclen], 65 - pubkeyclen); 5656 for (i = 0; i < 256; i++) { 5657 /* Try all type bytes. */ 5658 int xpass; 5659 int ypass; 5660 int ysign; 5661 pubkeyc[0] = i; 5662 /* What sign does this point have? */ 5663 ysign = (input[63] & 1) + 2; 5664 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */ 5665 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2); 5666 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */ 5667 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) && 5668 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65)); 5669 if (xpass || ypass) { 5670 /* These cases must parse. */ 5671 unsigned char pubkeyo[65]; 5672 size_t outl; 5673 memset(&pubkey, 0, sizeof(pubkey)); 5674 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 5675 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 1); 5676 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 5677 outl = 65; 5678 SECP256K1_CHECKMEM_UNDEFINE(pubkeyo, 65); 5679 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_serialize(CTX, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1); 5680 SECP256K1_CHECKMEM_CHECK(pubkeyo, outl); 5681 CHECK(outl == 33); 5682 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&pubkeyo[1], &pubkeyc[1], 32) == 0); 5683 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0])); 5684 if (ypass) { 5685 /* This test isn't always done because we decode with alternative signs, so the y won't match. */ 5686 CHECK(pubkeyo[0] == ysign); 5687 CHECK(haskellsecp256k1_v0_1_0_pubkey_load(CTX, &ge, &pubkey) == 1); 5688 memset(&pubkey, 0, sizeof(pubkey)); 5689 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 5690 haskellsecp256k1_v0_1_0_pubkey_save(&pubkey, &ge); 5691 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 5692 outl = 65; 5693 SECP256K1_CHECKMEM_UNDEFINE(pubkeyo, 65); 5694 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_serialize(CTX, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1); 5695 SECP256K1_CHECKMEM_CHECK(pubkeyo, outl); 5696 CHECK(outl == 65); 5697 CHECK(pubkeyo[0] == 4); 5698 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&pubkeyo[1], input, 64) == 0); 5699 } 5700 } else { 5701 /* These cases must fail to parse. */ 5702 memset(&pubkey, 0xfe, sizeof(pubkey)); 5703 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 5704 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 0); 5705 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 5706 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_pubkey_load(CTX, &ge, &pubkey)); 5707 } 5708 } 5709 } 5710 } 5711 5712 static void run_ec_pubkey_parse_test(void) { 5713 #define SECP256K1_EC_PARSE_TEST_NVALID (12) 5714 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = { 5715 { 5716 /* Point with leading and trailing zeros in x and y serialization. */ 5717 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52, 5718 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 5719 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83, 5720 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00 5721 }, 5722 { 5723 /* Point with x equal to a 3rd root of unity.*/ 5724 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9, 5725 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee, 5726 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14, 5727 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee, 5728 }, 5729 { 5730 /* Point with largest x. (1/2) */ 5731 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 5732 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c, 5733 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e, 5734 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d, 5735 }, 5736 { 5737 /* Point with largest x. (2/2) */ 5738 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 5739 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c, 5740 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1, 5741 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2, 5742 }, 5743 { 5744 /* Point with smallest x. (1/2) */ 5745 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 5746 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 5747 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14, 5748 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee, 5749 }, 5750 { 5751 /* Point with smallest x. (2/2) */ 5752 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 5753 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 5754 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb, 5755 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41, 5756 }, 5757 { 5758 /* Point with largest y. (1/3) */ 5759 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6, 5760 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07, 5761 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 5762 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e, 5763 }, 5764 { 5765 /* Point with largest y. (2/3) */ 5766 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c, 5767 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73, 5768 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 5769 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e, 5770 }, 5771 { 5772 /* Point with largest y. (3/3) */ 5773 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc, 5774 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5, 5775 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 5776 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e, 5777 }, 5778 { 5779 /* Point with smallest y. (1/3) */ 5780 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6, 5781 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07, 5782 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 5783 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 5784 }, 5785 { 5786 /* Point with smallest y. (2/3) */ 5787 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c, 5788 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73, 5789 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 5790 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 5791 }, 5792 { 5793 /* Point with smallest y. (3/3) */ 5794 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc, 5795 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5, 5796 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 5797 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 5798 } 5799 }; 5800 #define SECP256K1_EC_PARSE_TEST_NXVALID (4) 5801 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = { 5802 { 5803 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */ 5804 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6, 5805 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07, 5806 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 5807 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30, 5808 }, 5809 { 5810 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */ 5811 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c, 5812 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73, 5813 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 5814 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30, 5815 }, 5816 { 5817 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/ 5818 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc, 5819 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5, 5820 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 5821 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30, 5822 }, 5823 { 5824 /* x on curve, y is from y^2 = x^3 + 8. */ 5825 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 5826 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 5827 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 5828 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03 5829 } 5830 }; 5831 #define SECP256K1_EC_PARSE_TEST_NINVALID (7) 5832 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = { 5833 { 5834 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */ 5835 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c, 5836 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53, 5837 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 5838 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 5839 }, 5840 { 5841 /* Valid if x overflow ignored (x = 1 mod p). */ 5842 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 5843 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30, 5844 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14, 5845 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee, 5846 }, 5847 { 5848 /* Valid if x overflow ignored (x = 1 mod p). */ 5849 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 5850 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30, 5851 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb, 5852 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41, 5853 }, 5854 { 5855 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */ 5856 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 5857 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e, 5858 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f, 5859 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28, 5860 }, 5861 { 5862 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */ 5863 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 5864 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e, 5865 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0, 5866 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07, 5867 }, 5868 { 5869 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */ 5870 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 5871 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 5872 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d, 5873 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc, 5874 }, 5875 { 5876 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */ 5877 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 5878 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 5879 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2, 5880 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53 5881 } 5882 }; 5883 const unsigned char pubkeyc[66] = { 5884 /* Serialization of G. */ 5885 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B, 5886 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17, 5887 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08, 5888 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4, 5889 0xB8, 0x00 5890 }; 5891 unsigned char sout[65]; 5892 unsigned char shortkey[2] = { 0 }; 5893 haskellsecp256k1_v0_1_0_ge ge; 5894 haskellsecp256k1_v0_1_0_pubkey pubkey; 5895 size_t len; 5896 int32_t i; 5897 5898 /* Nothing should be reading this far into pubkeyc. */ 5899 SECP256K1_CHECKMEM_UNDEFINE(&pubkeyc[65], 1); 5900 /* Zero length claimed, fail, zeroize, no illegal arg error. */ 5901 memset(&pubkey, 0xfe, sizeof(pubkey)); 5902 SECP256K1_CHECKMEM_UNDEFINE(shortkey, 2); 5903 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 5904 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_parse(CTX, &pubkey, shortkey, 0) == 0); 5905 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 5906 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_pubkey_load(CTX, &ge, &pubkey)); 5907 /* Length one claimed, fail, zeroize, no illegal arg error. */ 5908 for (i = 0; i < 256 ; i++) { 5909 memset(&pubkey, 0xfe, sizeof(pubkey)); 5910 shortkey[0] = i; 5911 SECP256K1_CHECKMEM_UNDEFINE(&shortkey[1], 1); 5912 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 5913 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_parse(CTX, &pubkey, shortkey, 1) == 0); 5914 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 5915 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_pubkey_load(CTX, &ge, &pubkey)); 5916 } 5917 /* Length two claimed, fail, zeroize, no illegal arg error. */ 5918 for (i = 0; i < 65536 ; i++) { 5919 memset(&pubkey, 0xfe, sizeof(pubkey)); 5920 shortkey[0] = i & 255; 5921 shortkey[1] = i >> 8; 5922 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 5923 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_parse(CTX, &pubkey, shortkey, 2) == 0); 5924 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 5925 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_pubkey_load(CTX, &ge, &pubkey)); 5926 } 5927 memset(&pubkey, 0xfe, sizeof(pubkey)); 5928 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 5929 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */ 5930 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 33) == 0); 5931 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 5932 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_pubkey_load(CTX, &ge, &pubkey)); 5933 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */ 5934 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_ec_pubkey_parse(CTX, NULL, pubkeyc, 65)); 5935 /* NULL input string. Illegal arg and zeroize output. */ 5936 memset(&pubkey, 0xfe, sizeof(pubkey)); 5937 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 5938 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_ec_pubkey_parse(CTX, &pubkey, NULL, 65)); 5939 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 5940 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_pubkey_load(CTX, &ge, &pubkey)); 5941 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */ 5942 memset(&pubkey, 0xfe, sizeof(pubkey)); 5943 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 5944 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 64) == 0); 5945 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 5946 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_pubkey_load(CTX, &ge, &pubkey)); 5947 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */ 5948 memset(&pubkey, 0xfe, sizeof(pubkey)); 5949 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 5950 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 66) == 0); 5951 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 5952 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_pubkey_load(CTX, &ge, &pubkey)); 5953 /* Valid parse. */ 5954 memset(&pubkey, 0, sizeof(pubkey)); 5955 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 5956 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 65) == 1); 5957 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_parse(haskellsecp256k1_v0_1_0_context_static, &pubkey, pubkeyc, 65) == 1); 5958 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 5959 SECP256K1_CHECKMEM_UNDEFINE(&ge, sizeof(ge)); 5960 CHECK(haskellsecp256k1_v0_1_0_pubkey_load(CTX, &ge, &pubkey) == 1); 5961 SECP256K1_CHECKMEM_CHECK(&ge.x, sizeof(ge.x)); 5962 SECP256K1_CHECKMEM_CHECK(&ge.y, sizeof(ge.y)); 5963 SECP256K1_CHECKMEM_CHECK(&ge.infinity, sizeof(ge.infinity)); 5964 CHECK(haskellsecp256k1_v0_1_0_ge_eq_var(&ge, &haskellsecp256k1_v0_1_0_ge_const_g)); 5965 /* haskellsecp256k1_v0_1_0_ec_pubkey_serialize illegal args. */ 5966 len = 65; 5967 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_ec_pubkey_serialize(CTX, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED)); 5968 CHECK(len == 0); 5969 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_ec_pubkey_serialize(CTX, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED)); 5970 len = 65; 5971 SECP256K1_CHECKMEM_UNDEFINE(sout, 65); 5972 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_ec_pubkey_serialize(CTX, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED)); 5973 SECP256K1_CHECKMEM_CHECK(sout, 65); 5974 CHECK(len == 0); 5975 len = 65; 5976 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_ec_pubkey_serialize(CTX, sout, &len, &pubkey, ~0)); 5977 CHECK(len == 0); 5978 len = 65; 5979 SECP256K1_CHECKMEM_UNDEFINE(sout, 65); 5980 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_serialize(CTX, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1); 5981 SECP256K1_CHECKMEM_CHECK(sout, 65); 5982 CHECK(len == 65); 5983 /* Multiple illegal args. Should still set arg error only once. */ 5984 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_ec_pubkey_parse(CTX, NULL, NULL, 65)); 5985 /* Try a bunch of prefabbed points with all possible encodings. */ 5986 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) { 5987 ec_pubkey_parse_pointtest(valid[i], 1, 1); 5988 } 5989 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) { 5990 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0); 5991 } 5992 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) { 5993 ec_pubkey_parse_pointtest(invalid[i], 0, 0); 5994 } 5995 } 5996 5997 static void run_eckey_edge_case_test(void) { 5998 const unsigned char orderc[32] = { 5999 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 6000 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 6001 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b, 6002 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41 6003 }; 6004 const unsigned char zeros[sizeof(haskellsecp256k1_v0_1_0_pubkey)] = {0x00}; 6005 unsigned char ctmp[33]; 6006 unsigned char ctmp2[33]; 6007 haskellsecp256k1_v0_1_0_pubkey pubkey; 6008 haskellsecp256k1_v0_1_0_pubkey pubkey2; 6009 haskellsecp256k1_v0_1_0_pubkey pubkey_one; 6010 haskellsecp256k1_v0_1_0_pubkey pubkey_negone; 6011 const haskellsecp256k1_v0_1_0_pubkey *pubkeys[3]; 6012 size_t len; 6013 /* Group order is too large, reject. */ 6014 CHECK(haskellsecp256k1_v0_1_0_ec_seckey_verify(CTX, orderc) == 0); 6015 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 6016 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_create(CTX, &pubkey, orderc) == 0); 6017 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 6018 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&pubkey, zeros, sizeof(haskellsecp256k1_v0_1_0_pubkey)) == 0); 6019 /* Maximum value is too large, reject. */ 6020 memset(ctmp, 255, 32); 6021 CHECK(haskellsecp256k1_v0_1_0_ec_seckey_verify(CTX, ctmp) == 0); 6022 memset(&pubkey, 1, sizeof(pubkey)); 6023 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 6024 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_create(CTX, &pubkey, ctmp) == 0); 6025 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 6026 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&pubkey, zeros, sizeof(haskellsecp256k1_v0_1_0_pubkey)) == 0); 6027 /* Zero is too small, reject. */ 6028 memset(ctmp, 0, 32); 6029 CHECK(haskellsecp256k1_v0_1_0_ec_seckey_verify(CTX, ctmp) == 0); 6030 memset(&pubkey, 1, sizeof(pubkey)); 6031 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 6032 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_create(CTX, &pubkey, ctmp) == 0); 6033 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 6034 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&pubkey, zeros, sizeof(haskellsecp256k1_v0_1_0_pubkey)) == 0); 6035 /* One must be accepted. */ 6036 ctmp[31] = 0x01; 6037 CHECK(haskellsecp256k1_v0_1_0_ec_seckey_verify(CTX, ctmp) == 1); 6038 memset(&pubkey, 0, sizeof(pubkey)); 6039 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 6040 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_create(CTX, &pubkey, ctmp) == 1); 6041 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 6042 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&pubkey, zeros, sizeof(haskellsecp256k1_v0_1_0_pubkey)) > 0); 6043 pubkey_one = pubkey; 6044 /* Group order + 1 is too large, reject. */ 6045 memcpy(ctmp, orderc, 32); 6046 ctmp[31] = 0x42; 6047 CHECK(haskellsecp256k1_v0_1_0_ec_seckey_verify(CTX, ctmp) == 0); 6048 memset(&pubkey, 1, sizeof(pubkey)); 6049 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 6050 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_create(CTX, &pubkey, ctmp) == 0); 6051 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 6052 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&pubkey, zeros, sizeof(haskellsecp256k1_v0_1_0_pubkey)) == 0); 6053 /* -1 must be accepted. */ 6054 ctmp[31] = 0x40; 6055 CHECK(haskellsecp256k1_v0_1_0_ec_seckey_verify(CTX, ctmp) == 1); 6056 memset(&pubkey, 0, sizeof(pubkey)); 6057 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey)); 6058 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_create(CTX, &pubkey, ctmp) == 1); 6059 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey)); 6060 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&pubkey, zeros, sizeof(haskellsecp256k1_v0_1_0_pubkey)) > 0); 6061 pubkey_negone = pubkey; 6062 /* Tweak of zero leaves the value unchanged. */ 6063 memset(ctmp2, 0, 32); 6064 CHECK(haskellsecp256k1_v0_1_0_ec_seckey_tweak_add(CTX, ctmp, ctmp2) == 1); 6065 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40); 6066 memcpy(&pubkey2, &pubkey, sizeof(pubkey)); 6067 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1); 6068 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0); 6069 /* Multiply tweak of zero zeroizes the output. */ 6070 CHECK(haskellsecp256k1_v0_1_0_ec_seckey_tweak_mul(CTX, ctmp, ctmp2) == 0); 6071 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(zeros, ctmp, 32) == 0); 6072 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_tweak_mul(CTX, &pubkey, ctmp2) == 0); 6073 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0); 6074 memcpy(&pubkey, &pubkey2, sizeof(pubkey)); 6075 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing 6076 seckey, the seckey is zeroized. */ 6077 memcpy(ctmp, orderc, 32); 6078 memset(ctmp2, 0, 32); 6079 ctmp2[31] = 0x01; 6080 CHECK(haskellsecp256k1_v0_1_0_ec_seckey_verify(CTX, ctmp2) == 1); 6081 CHECK(haskellsecp256k1_v0_1_0_ec_seckey_verify(CTX, ctmp) == 0); 6082 CHECK(haskellsecp256k1_v0_1_0_ec_seckey_tweak_add(CTX, ctmp, ctmp2) == 0); 6083 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(zeros, ctmp, 32) == 0); 6084 memcpy(ctmp, orderc, 32); 6085 CHECK(haskellsecp256k1_v0_1_0_ec_seckey_tweak_mul(CTX, ctmp, ctmp2) == 0); 6086 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(zeros, ctmp, 32) == 0); 6087 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing 6088 tweak, the seckey is zeroized. */ 6089 memcpy(ctmp, orderc, 32); 6090 ctmp[31] = 0x40; 6091 CHECK(haskellsecp256k1_v0_1_0_ec_seckey_tweak_add(CTX, ctmp, orderc) == 0); 6092 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(zeros, ctmp, 32) == 0); 6093 memcpy(ctmp, orderc, 32); 6094 ctmp[31] = 0x40; 6095 CHECK(haskellsecp256k1_v0_1_0_ec_seckey_tweak_mul(CTX, ctmp, orderc) == 0); 6096 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(zeros, ctmp, 32) == 0); 6097 memcpy(ctmp, orderc, 32); 6098 ctmp[31] = 0x40; 6099 /* If pubkey_tweak_add or pubkey_tweak_mul are called with an overflowing 6100 tweak, the pubkey is zeroized. */ 6101 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_tweak_add(CTX, &pubkey, orderc) == 0); 6102 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0); 6103 memcpy(&pubkey, &pubkey2, sizeof(pubkey)); 6104 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_tweak_mul(CTX, &pubkey, orderc) == 0); 6105 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0); 6106 memcpy(&pubkey, &pubkey2, sizeof(pubkey)); 6107 /* If the resulting key in haskellsecp256k1_v0_1_0_ec_seckey_tweak_add and 6108 * haskellsecp256k1_v0_1_0_ec_pubkey_tweak_add is 0 the functions fail and in the latter 6109 * case the pubkey is zeroized. */ 6110 memcpy(ctmp, orderc, 32); 6111 ctmp[31] = 0x40; 6112 memset(ctmp2, 0, 32); 6113 ctmp2[31] = 1; 6114 CHECK(haskellsecp256k1_v0_1_0_ec_seckey_tweak_add(CTX, ctmp2, ctmp) == 0); 6115 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(zeros, ctmp2, 32) == 0); 6116 ctmp2[31] = 1; 6117 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 0); 6118 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0); 6119 memcpy(&pubkey, &pubkey2, sizeof(pubkey)); 6120 /* Tweak computation wraps and results in a key of 1. */ 6121 ctmp2[31] = 2; 6122 CHECK(haskellsecp256k1_v0_1_0_ec_seckey_tweak_add(CTX, ctmp2, ctmp) == 1); 6123 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1); 6124 ctmp2[31] = 2; 6125 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1); 6126 ctmp2[31] = 1; 6127 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_create(CTX, &pubkey2, ctmp2) == 1); 6128 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0); 6129 /* Tweak mul * 2 = 1+1. */ 6130 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1); 6131 ctmp2[31] = 2; 6132 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_tweak_mul(CTX, &pubkey2, ctmp2) == 1); 6133 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0); 6134 /* Zeroize pubkey on parse error. */ 6135 memset(&pubkey, 0, 32); 6136 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2)); 6137 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0); 6138 memcpy(&pubkey, &pubkey2, sizeof(pubkey)); 6139 memset(&pubkey2, 0, 32); 6140 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_ec_pubkey_tweak_mul(CTX, &pubkey2, ctmp2)); 6141 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&pubkey2, zeros, sizeof(pubkey2)) == 0); 6142 /* Plain argument errors. */ 6143 CHECK(haskellsecp256k1_v0_1_0_ec_seckey_verify(CTX, ctmp) == 1); 6144 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_ec_seckey_verify(CTX, NULL)); 6145 memset(ctmp2, 0, 32); 6146 ctmp2[31] = 4; 6147 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_ec_pubkey_tweak_add(CTX, NULL, ctmp2)); 6148 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_ec_pubkey_tweak_add(CTX, &pubkey, NULL)); 6149 memset(ctmp2, 0, 32); 6150 ctmp2[31] = 4; 6151 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_ec_pubkey_tweak_mul(CTX, NULL, ctmp2)); 6152 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_ec_pubkey_tweak_mul(CTX, &pubkey, NULL)); 6153 memset(ctmp2, 0, 32); 6154 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_ec_seckey_tweak_add(CTX, NULL, ctmp2)); 6155 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_ec_seckey_tweak_add(CTX, ctmp, NULL)); 6156 memset(ctmp2, 0, 32); 6157 ctmp2[31] = 1; 6158 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_ec_seckey_tweak_mul(CTX, NULL, ctmp2)); 6159 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_ec_seckey_tweak_mul(CTX, ctmp, NULL)); 6160 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_ec_pubkey_create(CTX, NULL, ctmp)); 6161 memset(&pubkey, 1, sizeof(pubkey)); 6162 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_ec_pubkey_create(CTX, &pubkey, NULL)); 6163 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&pubkey, zeros, sizeof(haskellsecp256k1_v0_1_0_pubkey)) == 0); 6164 /* haskellsecp256k1_v0_1_0_ec_pubkey_combine tests. */ 6165 pubkeys[0] = &pubkey_one; 6166 SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[0], sizeof(haskellsecp256k1_v0_1_0_pubkey *)); 6167 SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[1], sizeof(haskellsecp256k1_v0_1_0_pubkey *)); 6168 SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[2], sizeof(haskellsecp256k1_v0_1_0_pubkey *)); 6169 memset(&pubkey, 255, sizeof(haskellsecp256k1_v0_1_0_pubkey)); 6170 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(haskellsecp256k1_v0_1_0_pubkey)); 6171 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_ec_pubkey_combine(CTX, &pubkey, pubkeys, 0)); 6172 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(haskellsecp256k1_v0_1_0_pubkey)); 6173 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&pubkey, zeros, sizeof(haskellsecp256k1_v0_1_0_pubkey)) == 0); 6174 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_ec_pubkey_combine(CTX, NULL, pubkeys, 1)); 6175 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&pubkey, zeros, sizeof(haskellsecp256k1_v0_1_0_pubkey)) == 0); 6176 memset(&pubkey, 255, sizeof(haskellsecp256k1_v0_1_0_pubkey)); 6177 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(haskellsecp256k1_v0_1_0_pubkey)); 6178 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_ec_pubkey_combine(CTX, &pubkey, NULL, 1)); 6179 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(haskellsecp256k1_v0_1_0_pubkey)); 6180 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&pubkey, zeros, sizeof(haskellsecp256k1_v0_1_0_pubkey)) == 0); 6181 pubkeys[0] = &pubkey_negone; 6182 memset(&pubkey, 255, sizeof(haskellsecp256k1_v0_1_0_pubkey)); 6183 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(haskellsecp256k1_v0_1_0_pubkey)); 6184 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_combine(CTX, &pubkey, pubkeys, 1) == 1); 6185 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(haskellsecp256k1_v0_1_0_pubkey)); 6186 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&pubkey, zeros, sizeof(haskellsecp256k1_v0_1_0_pubkey)) > 0); 6187 len = 33; 6188 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_serialize(CTX, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1); 6189 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_serialize(CTX, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1); 6190 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(ctmp, ctmp2, 33) == 0); 6191 /* Result is infinity. */ 6192 pubkeys[0] = &pubkey_one; 6193 pubkeys[1] = &pubkey_negone; 6194 memset(&pubkey, 255, sizeof(haskellsecp256k1_v0_1_0_pubkey)); 6195 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(haskellsecp256k1_v0_1_0_pubkey)); 6196 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_combine(CTX, &pubkey, pubkeys, 2) == 0); 6197 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(haskellsecp256k1_v0_1_0_pubkey)); 6198 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&pubkey, zeros, sizeof(haskellsecp256k1_v0_1_0_pubkey)) == 0); 6199 /* Passes through infinity but comes out one. */ 6200 pubkeys[2] = &pubkey_one; 6201 memset(&pubkey, 255, sizeof(haskellsecp256k1_v0_1_0_pubkey)); 6202 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(haskellsecp256k1_v0_1_0_pubkey)); 6203 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_combine(CTX, &pubkey, pubkeys, 3) == 1); 6204 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(haskellsecp256k1_v0_1_0_pubkey)); 6205 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&pubkey, zeros, sizeof(haskellsecp256k1_v0_1_0_pubkey)) > 0); 6206 len = 33; 6207 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_serialize(CTX, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1); 6208 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_serialize(CTX, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1); 6209 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(ctmp, ctmp2, 33) == 0); 6210 /* Adds to two. */ 6211 pubkeys[1] = &pubkey_one; 6212 memset(&pubkey, 255, sizeof(haskellsecp256k1_v0_1_0_pubkey)); 6213 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(haskellsecp256k1_v0_1_0_pubkey)); 6214 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_combine(CTX, &pubkey, pubkeys, 2) == 1); 6215 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(haskellsecp256k1_v0_1_0_pubkey)); 6216 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&pubkey, zeros, sizeof(haskellsecp256k1_v0_1_0_pubkey)) > 0); 6217 } 6218 6219 static void run_eckey_negate_test(void) { 6220 unsigned char seckey[32]; 6221 unsigned char seckey_tmp[32]; 6222 6223 random_scalar_order_b32(seckey); 6224 memcpy(seckey_tmp, seckey, 32); 6225 6226 /* Verify negation changes the key and changes it back */ 6227 CHECK(haskellsecp256k1_v0_1_0_ec_seckey_negate(CTX, seckey) == 1); 6228 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(seckey, seckey_tmp, 32) != 0); 6229 CHECK(haskellsecp256k1_v0_1_0_ec_seckey_negate(CTX, seckey) == 1); 6230 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(seckey, seckey_tmp, 32) == 0); 6231 6232 /* Check that privkey alias gives same result */ 6233 CHECK(haskellsecp256k1_v0_1_0_ec_seckey_negate(CTX, seckey) == 1); 6234 CHECK(haskellsecp256k1_v0_1_0_ec_privkey_negate(CTX, seckey_tmp) == 1); 6235 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(seckey, seckey_tmp, 32) == 0); 6236 6237 /* Negating all 0s fails */ 6238 memset(seckey, 0, 32); 6239 memset(seckey_tmp, 0, 32); 6240 CHECK(haskellsecp256k1_v0_1_0_ec_seckey_negate(CTX, seckey) == 0); 6241 /* Check that seckey is not modified */ 6242 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(seckey, seckey_tmp, 32) == 0); 6243 6244 /* Negating an overflowing seckey fails and the seckey is zeroed. In this 6245 * test, the seckey has 16 random bytes to ensure that ec_seckey_negate 6246 * doesn't just set seckey to a constant value in case of failure. */ 6247 random_scalar_order_b32(seckey); 6248 memset(seckey, 0xFF, 16); 6249 memset(seckey_tmp, 0, 32); 6250 CHECK(haskellsecp256k1_v0_1_0_ec_seckey_negate(CTX, seckey) == 0); 6251 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(seckey, seckey_tmp, 32) == 0); 6252 } 6253 6254 static void random_sign(haskellsecp256k1_v0_1_0_scalar *sigr, haskellsecp256k1_v0_1_0_scalar *sigs, const haskellsecp256k1_v0_1_0_scalar *key, const haskellsecp256k1_v0_1_0_scalar *msg, int *recid) { 6255 haskellsecp256k1_v0_1_0_scalar nonce; 6256 do { 6257 random_scalar_order_test(&nonce); 6258 } while(!haskellsecp256k1_v0_1_0_ecdsa_sig_sign(&CTX->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid)); 6259 } 6260 6261 static void test_ecdsa_sign_verify(void) { 6262 haskellsecp256k1_v0_1_0_gej pubj; 6263 haskellsecp256k1_v0_1_0_ge pub; 6264 haskellsecp256k1_v0_1_0_scalar one; 6265 haskellsecp256k1_v0_1_0_scalar msg, key; 6266 haskellsecp256k1_v0_1_0_scalar sigr, sigs; 6267 int getrec; 6268 int recid; 6269 random_scalar_order_test(&msg); 6270 random_scalar_order_test(&key); 6271 haskellsecp256k1_v0_1_0_ecmult_gen(&CTX->ecmult_gen_ctx, &pubj, &key); 6272 haskellsecp256k1_v0_1_0_ge_set_gej(&pub, &pubj); 6273 getrec = haskellsecp256k1_v0_1_0_testrand_bits(1); 6274 /* The specific way in which this conditional is written sidesteps a potential bug in clang. 6275 See the commit messages of the commit that introduced this comment for details. */ 6276 if (getrec) { 6277 random_sign(&sigr, &sigs, &key, &msg, &recid); 6278 CHECK(recid >= 0 && recid < 4); 6279 } else { 6280 random_sign(&sigr, &sigs, &key, &msg, NULL); 6281 } 6282 CHECK(haskellsecp256k1_v0_1_0_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg)); 6283 haskellsecp256k1_v0_1_0_scalar_set_int(&one, 1); 6284 haskellsecp256k1_v0_1_0_scalar_add(&msg, &msg, &one); 6285 CHECK(!haskellsecp256k1_v0_1_0_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg)); 6286 } 6287 6288 static void run_ecdsa_sign_verify(void) { 6289 int i; 6290 for (i = 0; i < 10*COUNT; i++) { 6291 test_ecdsa_sign_verify(); 6292 } 6293 } 6294 6295 /** Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted. Use only for testing. */ 6296 static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) { 6297 (void)msg32; 6298 (void)key32; 6299 (void)algo16; 6300 memcpy(nonce32, data, 32); 6301 return (counter == 0); 6302 } 6303 6304 static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) { 6305 /* Dummy nonce generator that has a fatal error on the first counter value. */ 6306 if (counter == 0) { 6307 return 0; 6308 } 6309 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1); 6310 } 6311 6312 static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) { 6313 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */ 6314 if (counter < 3) { 6315 memset(nonce32, counter==0 ? 0 : 255, 32); 6316 if (counter == 2) { 6317 nonce32[31]--; 6318 } 6319 return 1; 6320 } 6321 if (counter < 5) { 6322 static const unsigned char order[] = { 6323 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 6324 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE, 6325 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B, 6326 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41 6327 }; 6328 memcpy(nonce32, order, 32); 6329 if (counter == 4) { 6330 nonce32[31]++; 6331 } 6332 return 1; 6333 } 6334 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */ 6335 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */ 6336 if (counter > 5) { 6337 return 0; 6338 } 6339 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5); 6340 } 6341 6342 static int is_empty_signature(const haskellsecp256k1_v0_1_0_ecdsa_signature *sig) { 6343 static const unsigned char res[sizeof(haskellsecp256k1_v0_1_0_ecdsa_signature)] = {0}; 6344 return haskellsecp256k1_v0_1_0_memcmp_var(sig, res, sizeof(haskellsecp256k1_v0_1_0_ecdsa_signature)) == 0; 6345 } 6346 6347 static void test_ecdsa_end_to_end(void) { 6348 unsigned char extra[32] = {0x00}; 6349 unsigned char privkey[32]; 6350 unsigned char message[32]; 6351 unsigned char privkey2[32]; 6352 haskellsecp256k1_v0_1_0_ecdsa_signature signature[6]; 6353 haskellsecp256k1_v0_1_0_scalar r, s; 6354 unsigned char sig[74]; 6355 size_t siglen = 74; 6356 unsigned char pubkeyc[65]; 6357 size_t pubkeyclen = 65; 6358 haskellsecp256k1_v0_1_0_pubkey pubkey; 6359 haskellsecp256k1_v0_1_0_pubkey pubkey_tmp; 6360 unsigned char seckey[300]; 6361 size_t seckeylen = 300; 6362 6363 /* Generate a random key and message. */ 6364 { 6365 haskellsecp256k1_v0_1_0_scalar msg, key; 6366 random_scalar_order_test(&msg); 6367 random_scalar_order_test(&key); 6368 haskellsecp256k1_v0_1_0_scalar_get_b32(privkey, &key); 6369 haskellsecp256k1_v0_1_0_scalar_get_b32(message, &msg); 6370 } 6371 6372 /* Construct and verify corresponding public key. */ 6373 CHECK(haskellsecp256k1_v0_1_0_ec_seckey_verify(CTX, privkey) == 1); 6374 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_create(CTX, &pubkey, privkey) == 1); 6375 6376 /* Verify exporting and importing public key. */ 6377 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_serialize(CTX, pubkeyc, &pubkeyclen, &pubkey, haskellsecp256k1_v0_1_0_testrand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED)); 6378 memset(&pubkey, 0, sizeof(pubkey)); 6379 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 1); 6380 6381 /* Verify negation changes the key and changes it back */ 6382 memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey)); 6383 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_negate(CTX, &pubkey_tmp) == 1); 6384 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0); 6385 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_negate(CTX, &pubkey_tmp) == 1); 6386 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0); 6387 6388 /* Verify private key import and export. */ 6389 CHECK(ec_privkey_export_der(CTX, seckey, &seckeylen, privkey, haskellsecp256k1_v0_1_0_testrand_bits(1) == 1)); 6390 CHECK(ec_privkey_import_der(CTX, privkey2, seckey, seckeylen) == 1); 6391 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(privkey, privkey2, 32) == 0); 6392 6393 /* Optionally tweak the keys using addition. */ 6394 if (haskellsecp256k1_v0_1_0_testrand_int(3) == 0) { 6395 int ret1; 6396 int ret2; 6397 int ret3; 6398 unsigned char rnd[32]; 6399 unsigned char privkey_tmp[32]; 6400 haskellsecp256k1_v0_1_0_pubkey pubkey2; 6401 haskellsecp256k1_v0_1_0_testrand256_test(rnd); 6402 memcpy(privkey_tmp, privkey, 32); 6403 ret1 = haskellsecp256k1_v0_1_0_ec_seckey_tweak_add(CTX, privkey, rnd); 6404 ret2 = haskellsecp256k1_v0_1_0_ec_pubkey_tweak_add(CTX, &pubkey, rnd); 6405 /* Check that privkey alias gives same result */ 6406 ret3 = haskellsecp256k1_v0_1_0_ec_privkey_tweak_add(CTX, privkey_tmp, rnd); 6407 CHECK(ret1 == ret2); 6408 CHECK(ret2 == ret3); 6409 if (ret1 == 0) { 6410 return; 6411 } 6412 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(privkey, privkey_tmp, 32) == 0); 6413 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_create(CTX, &pubkey2, privkey) == 1); 6414 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0); 6415 } 6416 6417 /* Optionally tweak the keys using multiplication. */ 6418 if (haskellsecp256k1_v0_1_0_testrand_int(3) == 0) { 6419 int ret1; 6420 int ret2; 6421 int ret3; 6422 unsigned char rnd[32]; 6423 unsigned char privkey_tmp[32]; 6424 haskellsecp256k1_v0_1_0_pubkey pubkey2; 6425 haskellsecp256k1_v0_1_0_testrand256_test(rnd); 6426 memcpy(privkey_tmp, privkey, 32); 6427 ret1 = haskellsecp256k1_v0_1_0_ec_seckey_tweak_mul(CTX, privkey, rnd); 6428 ret2 = haskellsecp256k1_v0_1_0_ec_pubkey_tweak_mul(CTX, &pubkey, rnd); 6429 /* Check that privkey alias gives same result */ 6430 ret3 = haskellsecp256k1_v0_1_0_ec_privkey_tweak_mul(CTX, privkey_tmp, rnd); 6431 CHECK(ret1 == ret2); 6432 CHECK(ret2 == ret3); 6433 if (ret1 == 0) { 6434 return; 6435 } 6436 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(privkey, privkey_tmp, 32) == 0); 6437 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_create(CTX, &pubkey2, privkey) == 1); 6438 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0); 6439 } 6440 6441 /* Sign. */ 6442 CHECK(haskellsecp256k1_v0_1_0_ecdsa_sign(CTX, &signature[0], message, privkey, NULL, NULL) == 1); 6443 CHECK(haskellsecp256k1_v0_1_0_ecdsa_sign(CTX, &signature[4], message, privkey, NULL, NULL) == 1); 6444 CHECK(haskellsecp256k1_v0_1_0_ecdsa_sign(CTX, &signature[1], message, privkey, NULL, extra) == 1); 6445 extra[31] = 1; 6446 CHECK(haskellsecp256k1_v0_1_0_ecdsa_sign(CTX, &signature[2], message, privkey, NULL, extra) == 1); 6447 extra[31] = 0; 6448 extra[0] = 1; 6449 CHECK(haskellsecp256k1_v0_1_0_ecdsa_sign(CTX, &signature[3], message, privkey, NULL, extra) == 1); 6450 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&signature[0], &signature[4], sizeof(signature[0])) == 0); 6451 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&signature[0], &signature[1], sizeof(signature[0])) != 0); 6452 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&signature[0], &signature[2], sizeof(signature[0])) != 0); 6453 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&signature[0], &signature[3], sizeof(signature[0])) != 0); 6454 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&signature[1], &signature[2], sizeof(signature[0])) != 0); 6455 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&signature[1], &signature[3], sizeof(signature[0])) != 0); 6456 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&signature[2], &signature[3], sizeof(signature[0])) != 0); 6457 /* Verify. */ 6458 CHECK(haskellsecp256k1_v0_1_0_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 1); 6459 CHECK(haskellsecp256k1_v0_1_0_ecdsa_verify(CTX, &signature[1], message, &pubkey) == 1); 6460 CHECK(haskellsecp256k1_v0_1_0_ecdsa_verify(CTX, &signature[2], message, &pubkey) == 1); 6461 CHECK(haskellsecp256k1_v0_1_0_ecdsa_verify(CTX, &signature[3], message, &pubkey) == 1); 6462 /* Test lower-S form, malleate, verify and fail, test again, malleate again */ 6463 CHECK(!haskellsecp256k1_v0_1_0_ecdsa_signature_normalize(CTX, NULL, &signature[0])); 6464 haskellsecp256k1_v0_1_0_ecdsa_signature_load(CTX, &r, &s, &signature[0]); 6465 haskellsecp256k1_v0_1_0_scalar_negate(&s, &s); 6466 haskellsecp256k1_v0_1_0_ecdsa_signature_save(&signature[5], &r, &s); 6467 CHECK(haskellsecp256k1_v0_1_0_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 0); 6468 CHECK(haskellsecp256k1_v0_1_0_ecdsa_signature_normalize(CTX, NULL, &signature[5])); 6469 CHECK(haskellsecp256k1_v0_1_0_ecdsa_signature_normalize(CTX, &signature[5], &signature[5])); 6470 CHECK(!haskellsecp256k1_v0_1_0_ecdsa_signature_normalize(CTX, NULL, &signature[5])); 6471 CHECK(!haskellsecp256k1_v0_1_0_ecdsa_signature_normalize(CTX, &signature[5], &signature[5])); 6472 CHECK(haskellsecp256k1_v0_1_0_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 1); 6473 haskellsecp256k1_v0_1_0_scalar_negate(&s, &s); 6474 haskellsecp256k1_v0_1_0_ecdsa_signature_save(&signature[5], &r, &s); 6475 CHECK(!haskellsecp256k1_v0_1_0_ecdsa_signature_normalize(CTX, NULL, &signature[5])); 6476 CHECK(haskellsecp256k1_v0_1_0_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 1); 6477 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&signature[5], &signature[0], 64) == 0); 6478 6479 /* Serialize/parse DER and verify again */ 6480 CHECK(haskellsecp256k1_v0_1_0_ecdsa_signature_serialize_der(CTX, sig, &siglen, &signature[0]) == 1); 6481 memset(&signature[0], 0, sizeof(signature[0])); 6482 CHECK(haskellsecp256k1_v0_1_0_ecdsa_signature_parse_der(CTX, &signature[0], sig, siglen) == 1); 6483 CHECK(haskellsecp256k1_v0_1_0_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 1); 6484 /* Serialize/destroy/parse DER and verify again. */ 6485 siglen = 74; 6486 CHECK(haskellsecp256k1_v0_1_0_ecdsa_signature_serialize_der(CTX, sig, &siglen, &signature[0]) == 1); 6487 sig[haskellsecp256k1_v0_1_0_testrand_int(siglen)] += 1 + haskellsecp256k1_v0_1_0_testrand_int(255); 6488 CHECK(haskellsecp256k1_v0_1_0_ecdsa_signature_parse_der(CTX, &signature[0], sig, siglen) == 0 || 6489 haskellsecp256k1_v0_1_0_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 0); 6490 } 6491 6492 static void test_random_pubkeys(void) { 6493 haskellsecp256k1_v0_1_0_ge elem; 6494 haskellsecp256k1_v0_1_0_ge elem2; 6495 unsigned char in[65]; 6496 /* Generate some randomly sized pubkeys. */ 6497 size_t len = haskellsecp256k1_v0_1_0_testrand_bits(2) == 0 ? 65 : 33; 6498 if (haskellsecp256k1_v0_1_0_testrand_bits(2) == 0) { 6499 len = haskellsecp256k1_v0_1_0_testrand_bits(6); 6500 } 6501 if (len == 65) { 6502 in[0] = haskellsecp256k1_v0_1_0_testrand_bits(1) ? 4 : (haskellsecp256k1_v0_1_0_testrand_bits(1) ? 6 : 7); 6503 } else { 6504 in[0] = haskellsecp256k1_v0_1_0_testrand_bits(1) ? 2 : 3; 6505 } 6506 if (haskellsecp256k1_v0_1_0_testrand_bits(3) == 0) { 6507 in[0] = haskellsecp256k1_v0_1_0_testrand_bits(8); 6508 } 6509 if (len > 1) { 6510 haskellsecp256k1_v0_1_0_testrand256(&in[1]); 6511 } 6512 if (len > 33) { 6513 haskellsecp256k1_v0_1_0_testrand256(&in[33]); 6514 } 6515 if (haskellsecp256k1_v0_1_0_eckey_pubkey_parse(&elem, in, len)) { 6516 unsigned char out[65]; 6517 unsigned char firstb; 6518 int res; 6519 size_t size = len; 6520 firstb = in[0]; 6521 /* If the pubkey can be parsed, it should round-trip... */ 6522 CHECK(haskellsecp256k1_v0_1_0_eckey_pubkey_serialize(&elem, out, &size, len == 33)); 6523 CHECK(size == len); 6524 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&in[1], &out[1], len-1) == 0); 6525 /* ... except for the type of hybrid inputs. */ 6526 if ((in[0] != 6) && (in[0] != 7)) { 6527 CHECK(in[0] == out[0]); 6528 } 6529 size = 65; 6530 CHECK(haskellsecp256k1_v0_1_0_eckey_pubkey_serialize(&elem, in, &size, 0)); 6531 CHECK(size == 65); 6532 CHECK(haskellsecp256k1_v0_1_0_eckey_pubkey_parse(&elem2, in, size)); 6533 CHECK(haskellsecp256k1_v0_1_0_ge_eq_var(&elem2, &elem)); 6534 /* Check that the X9.62 hybrid type is checked. */ 6535 in[0] = haskellsecp256k1_v0_1_0_testrand_bits(1) ? 6 : 7; 6536 res = haskellsecp256k1_v0_1_0_eckey_pubkey_parse(&elem2, in, size); 6537 if (firstb == 2 || firstb == 3) { 6538 if (in[0] == firstb + 4) { 6539 CHECK(res); 6540 } else { 6541 CHECK(!res); 6542 } 6543 } 6544 if (res) { 6545 CHECK(haskellsecp256k1_v0_1_0_ge_eq_var(&elem, &elem2)); 6546 CHECK(haskellsecp256k1_v0_1_0_eckey_pubkey_serialize(&elem, out, &size, 0)); 6547 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&in[1], &out[1], 64) == 0); 6548 } 6549 } 6550 } 6551 6552 static void run_pubkey_comparison(void) { 6553 unsigned char pk1_ser[33] = { 6554 0x02, 6555 0x58, 0x84, 0xb3, 0xa2, 0x4b, 0x97, 0x37, 0x88, 0x92, 0x38, 0xa6, 0x26, 0x62, 0x52, 0x35, 0x11, 6556 0xd0, 0x9a, 0xa1, 0x1b, 0x80, 0x0b, 0x5e, 0x93, 0x80, 0x26, 0x11, 0xef, 0x67, 0x4b, 0xd9, 0x23 6557 }; 6558 const unsigned char pk2_ser[33] = { 6559 0x02, 6560 0xde, 0x36, 0x0e, 0x87, 0x59, 0x8f, 0x3c, 0x01, 0x36, 0x2a, 0x2a, 0xb8, 0xc6, 0xf4, 0x5e, 0x4d, 6561 0xb2, 0xc2, 0xd5, 0x03, 0xa7, 0xf9, 0xf1, 0x4f, 0xa8, 0xfa, 0x95, 0xa8, 0xe9, 0x69, 0x76, 0x1c 6562 }; 6563 haskellsecp256k1_v0_1_0_pubkey pk1; 6564 haskellsecp256k1_v0_1_0_pubkey pk2; 6565 6566 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_parse(CTX, &pk1, pk1_ser, sizeof(pk1_ser)) == 1); 6567 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_parse(CTX, &pk2, pk2_ser, sizeof(pk2_ser)) == 1); 6568 6569 CHECK_ILLEGAL_VOID(CTX, CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_cmp(CTX, NULL, &pk2) < 0)); 6570 CHECK_ILLEGAL_VOID(CTX, CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_cmp(CTX, &pk1, NULL) > 0)); 6571 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_cmp(CTX, &pk1, &pk2) < 0); 6572 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_cmp(CTX, &pk2, &pk1) > 0); 6573 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_cmp(CTX, &pk1, &pk1) == 0); 6574 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_cmp(CTX, &pk2, &pk2) == 0); 6575 { 6576 haskellsecp256k1_v0_1_0_pubkey pk_tmp; 6577 memset(&pk_tmp, 0, sizeof(pk_tmp)); /* illegal pubkey */ 6578 CHECK_ILLEGAL_VOID(CTX, CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_cmp(CTX, &pk_tmp, &pk2) < 0)); 6579 { 6580 int32_t ecount = 0; 6581 haskellsecp256k1_v0_1_0_context_set_illegal_callback(CTX, counting_callback_fn, &ecount); 6582 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_cmp(CTX, &pk_tmp, &pk_tmp) == 0); 6583 CHECK(ecount == 2); 6584 haskellsecp256k1_v0_1_0_context_set_illegal_callback(CTX, NULL, NULL); 6585 } 6586 CHECK_ILLEGAL_VOID(CTX, CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_cmp(CTX, &pk2, &pk_tmp) > 0)); 6587 } 6588 6589 /* Make pk2 the same as pk1 but with 3 rather than 2. Note that in 6590 * an uncompressed encoding, these would have the opposite ordering */ 6591 pk1_ser[0] = 3; 6592 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_parse(CTX, &pk2, pk1_ser, sizeof(pk1_ser)) == 1); 6593 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_cmp(CTX, &pk1, &pk2) < 0); 6594 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_cmp(CTX, &pk2, &pk1) > 0); 6595 } 6596 6597 static void run_random_pubkeys(void) { 6598 int i; 6599 for (i = 0; i < 10*COUNT; i++) { 6600 test_random_pubkeys(); 6601 } 6602 } 6603 6604 static void run_ecdsa_end_to_end(void) { 6605 int i; 6606 for (i = 0; i < 64*COUNT; i++) { 6607 test_ecdsa_end_to_end(); 6608 } 6609 } 6610 6611 static int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) { 6612 static const unsigned char zeroes[32] = {0}; 6613 6614 int ret = 0; 6615 6616 haskellsecp256k1_v0_1_0_ecdsa_signature sig_der; 6617 unsigned char roundtrip_der[2048]; 6618 unsigned char compact_der[64]; 6619 size_t len_der = 2048; 6620 int parsed_der = 0, valid_der = 0, roundtrips_der = 0; 6621 6622 haskellsecp256k1_v0_1_0_ecdsa_signature sig_der_lax; 6623 unsigned char roundtrip_der_lax[2048]; 6624 unsigned char compact_der_lax[64]; 6625 size_t len_der_lax = 2048; 6626 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0; 6627 6628 parsed_der = haskellsecp256k1_v0_1_0_ecdsa_signature_parse_der(CTX, &sig_der, sig, siglen); 6629 if (parsed_der) { 6630 ret |= (!haskellsecp256k1_v0_1_0_ecdsa_signature_serialize_compact(CTX, compact_der, &sig_der)) << 0; 6631 valid_der = (haskellsecp256k1_v0_1_0_memcmp_var(compact_der, zeroes, 32) != 0) && (haskellsecp256k1_v0_1_0_memcmp_var(compact_der + 32, zeroes, 32) != 0); 6632 } 6633 if (valid_der) { 6634 ret |= (!haskellsecp256k1_v0_1_0_ecdsa_signature_serialize_der(CTX, roundtrip_der, &len_der, &sig_der)) << 1; 6635 roundtrips_der = (len_der == siglen) && haskellsecp256k1_v0_1_0_memcmp_var(roundtrip_der, sig, siglen) == 0; 6636 } 6637 6638 parsed_der_lax = haskellsecp256k1_v0_1_0_ecdsa_signature_parse_der_lax(CTX, &sig_der_lax, sig, siglen); 6639 if (parsed_der_lax) { 6640 ret |= (!haskellsecp256k1_v0_1_0_ecdsa_signature_serialize_compact(CTX, compact_der_lax, &sig_der_lax)) << 10; 6641 valid_der_lax = (haskellsecp256k1_v0_1_0_memcmp_var(compact_der_lax, zeroes, 32) != 0) && (haskellsecp256k1_v0_1_0_memcmp_var(compact_der_lax + 32, zeroes, 32) != 0); 6642 } 6643 if (valid_der_lax) { 6644 ret |= (!haskellsecp256k1_v0_1_0_ecdsa_signature_serialize_der(CTX, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11; 6645 roundtrips_der_lax = (len_der_lax == siglen) && haskellsecp256k1_v0_1_0_memcmp_var(roundtrip_der_lax, sig, siglen) == 0; 6646 } 6647 6648 if (certainly_der) { 6649 ret |= (!parsed_der) << 2; 6650 } 6651 if (certainly_not_der) { 6652 ret |= (parsed_der) << 17; 6653 } 6654 if (valid_der) { 6655 ret |= (!roundtrips_der) << 3; 6656 } 6657 6658 if (valid_der) { 6659 ret |= (!roundtrips_der_lax) << 12; 6660 ret |= (len_der != len_der_lax) << 13; 6661 ret |= ((len_der != len_der_lax) || (haskellsecp256k1_v0_1_0_memcmp_var(roundtrip_der_lax, roundtrip_der, len_der) != 0)) << 14; 6662 } 6663 ret |= (roundtrips_der != roundtrips_der_lax) << 15; 6664 if (parsed_der) { 6665 ret |= (!parsed_der_lax) << 16; 6666 } 6667 6668 return ret; 6669 } 6670 6671 static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) { 6672 size_t i; 6673 for (i = 0; i < ptrlen; i++) { 6674 int shift = ptrlen - 1 - i; 6675 if (shift >= 4) { 6676 ptr[i] = 0; 6677 } else { 6678 ptr[i] = (val >> shift) & 0xFF; 6679 } 6680 } 6681 } 6682 6683 static void damage_array(unsigned char *sig, size_t *len) { 6684 int pos; 6685 int action = haskellsecp256k1_v0_1_0_testrand_bits(3); 6686 if (action < 1 && *len > 3) { 6687 /* Delete a byte. */ 6688 pos = haskellsecp256k1_v0_1_0_testrand_int(*len); 6689 memmove(sig + pos, sig + pos + 1, *len - pos - 1); 6690 (*len)--; 6691 return; 6692 } else if (action < 2 && *len < 2048) { 6693 /* Insert a byte. */ 6694 pos = haskellsecp256k1_v0_1_0_testrand_int(1 + *len); 6695 memmove(sig + pos + 1, sig + pos, *len - pos); 6696 sig[pos] = haskellsecp256k1_v0_1_0_testrand_bits(8); 6697 (*len)++; 6698 return; 6699 } else if (action < 4) { 6700 /* Modify a byte. */ 6701 sig[haskellsecp256k1_v0_1_0_testrand_int(*len)] += 1 + haskellsecp256k1_v0_1_0_testrand_int(255); 6702 return; 6703 } else { /* action < 8 */ 6704 /* Modify a bit. */ 6705 sig[haskellsecp256k1_v0_1_0_testrand_int(*len)] ^= 1 << haskellsecp256k1_v0_1_0_testrand_bits(3); 6706 return; 6707 } 6708 } 6709 6710 static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) { 6711 int der; 6712 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2]; 6713 size_t tlen, elen, glen; 6714 int indet; 6715 int n; 6716 6717 *len = 0; 6718 der = haskellsecp256k1_v0_1_0_testrand_bits(2) == 0; 6719 *certainly_der = der; 6720 *certainly_not_der = 0; 6721 indet = der ? 0 : haskellsecp256k1_v0_1_0_testrand_int(10) == 0; 6722 6723 for (n = 0; n < 2; n++) { 6724 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */ 6725 nlow[n] = der ? 1 : (haskellsecp256k1_v0_1_0_testrand_bits(3) != 0); 6726 /* The length of the number in bytes (the first byte of which will always be nonzero) */ 6727 nlen[n] = nlow[n] ? haskellsecp256k1_v0_1_0_testrand_int(33) : 32 + haskellsecp256k1_v0_1_0_testrand_int(200) * haskellsecp256k1_v0_1_0_testrand_bits(3) / 8; 6728 CHECK(nlen[n] <= 232); 6729 /* The top bit of the number. */ 6730 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : haskellsecp256k1_v0_1_0_testrand_bits(1)); 6731 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */ 6732 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + haskellsecp256k1_v0_1_0_testrand_bits(7) : 1 + haskellsecp256k1_v0_1_0_testrand_int(127)); 6733 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */ 6734 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? haskellsecp256k1_v0_1_0_testrand_int(3) : haskellsecp256k1_v0_1_0_testrand_int(300 - nlen[n]) * haskellsecp256k1_v0_1_0_testrand_bits(3) / 8); 6735 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) { 6736 *certainly_not_der = 1; 6737 } 6738 CHECK(nlen[n] + nzlen[n] <= 300); 6739 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */ 6740 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2); 6741 if (!der) { 6742 /* nlenlen[n] max 127 bytes */ 6743 int add = haskellsecp256k1_v0_1_0_testrand_int(127 - nlenlen[n]) * haskellsecp256k1_v0_1_0_testrand_bits(4) * haskellsecp256k1_v0_1_0_testrand_bits(4) / 256; 6744 nlenlen[n] += add; 6745 if (add != 0) { 6746 *certainly_not_der = 1; 6747 } 6748 } 6749 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427); 6750 } 6751 6752 /* The total length of the data to go, so far */ 6753 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1]; 6754 CHECK(tlen <= 856); 6755 6756 /* The length of the garbage inside the tuple. */ 6757 elen = (der || indet) ? 0 : haskellsecp256k1_v0_1_0_testrand_int(980 - tlen) * haskellsecp256k1_v0_1_0_testrand_bits(3) / 8; 6758 if (elen != 0) { 6759 *certainly_not_der = 1; 6760 } 6761 tlen += elen; 6762 CHECK(tlen <= 980); 6763 6764 /* The length of the garbage after the end of the tuple. */ 6765 glen = der ? 0 : haskellsecp256k1_v0_1_0_testrand_int(990 - tlen) * haskellsecp256k1_v0_1_0_testrand_bits(3) / 8; 6766 if (glen != 0) { 6767 *certainly_not_der = 1; 6768 } 6769 CHECK(tlen + glen <= 990); 6770 6771 /* Write the tuple header. */ 6772 sig[(*len)++] = 0x30; 6773 if (indet) { 6774 /* Indeterminate length */ 6775 sig[(*len)++] = 0x80; 6776 *certainly_not_der = 1; 6777 } else { 6778 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2); 6779 if (!der) { 6780 int add = haskellsecp256k1_v0_1_0_testrand_int(127 - tlenlen) * haskellsecp256k1_v0_1_0_testrand_bits(4) * haskellsecp256k1_v0_1_0_testrand_bits(4) / 256; 6781 tlenlen += add; 6782 if (add != 0) { 6783 *certainly_not_der = 1; 6784 } 6785 } 6786 if (tlenlen == 0) { 6787 /* Short length notation */ 6788 sig[(*len)++] = tlen; 6789 } else { 6790 /* Long length notation */ 6791 sig[(*len)++] = 128 + tlenlen; 6792 assign_big_endian(sig + *len, tlenlen, tlen); 6793 *len += tlenlen; 6794 } 6795 tlen += tlenlen; 6796 } 6797 tlen += 2; 6798 CHECK(tlen + glen <= 1119); 6799 6800 for (n = 0; n < 2; n++) { 6801 /* Write the integer header. */ 6802 sig[(*len)++] = 0x02; 6803 if (nlenlen[n] == 0) { 6804 /* Short length notation */ 6805 sig[(*len)++] = nlen[n] + nzlen[n]; 6806 } else { 6807 /* Long length notation. */ 6808 sig[(*len)++] = 128 + nlenlen[n]; 6809 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]); 6810 *len += nlenlen[n]; 6811 } 6812 /* Write zero padding */ 6813 while (nzlen[n] > 0) { 6814 sig[(*len)++] = 0x00; 6815 nzlen[n]--; 6816 } 6817 if (nlen[n] == 32 && !nlow[n]) { 6818 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */ 6819 int i; 6820 for (i = 0; i < 16; i++) { 6821 sig[(*len)++] = 0xFF; 6822 } 6823 nlen[n] -= 16; 6824 } 6825 /* Write first byte of number */ 6826 if (nlen[n] > 0) { 6827 sig[(*len)++] = nhbyte[n]; 6828 nlen[n]--; 6829 } 6830 /* Generate remaining random bytes of number */ 6831 haskellsecp256k1_v0_1_0_testrand_bytes_test(sig + *len, nlen[n]); 6832 *len += nlen[n]; 6833 nlen[n] = 0; 6834 } 6835 6836 /* Generate random garbage inside tuple. */ 6837 haskellsecp256k1_v0_1_0_testrand_bytes_test(sig + *len, elen); 6838 *len += elen; 6839 6840 /* Generate end-of-contents bytes. */ 6841 if (indet) { 6842 sig[(*len)++] = 0; 6843 sig[(*len)++] = 0; 6844 tlen += 2; 6845 } 6846 CHECK(tlen + glen <= 1121); 6847 6848 /* Generate random garbage outside tuple. */ 6849 haskellsecp256k1_v0_1_0_testrand_bytes_test(sig + *len, glen); 6850 *len += glen; 6851 tlen += glen; 6852 CHECK(tlen <= 1121); 6853 CHECK(tlen == *len); 6854 } 6855 6856 static void run_ecdsa_der_parse(void) { 6857 int i,j; 6858 for (i = 0; i < 200 * COUNT; i++) { 6859 unsigned char buffer[2048]; 6860 size_t buflen = 0; 6861 int certainly_der = 0; 6862 int certainly_not_der = 0; 6863 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der); 6864 CHECK(buflen <= 2048); 6865 for (j = 0; j < 16; j++) { 6866 int ret = 0; 6867 if (j > 0) { 6868 damage_array(buffer, &buflen); 6869 /* We don't know anything anymore about the DERness of the result */ 6870 certainly_der = 0; 6871 certainly_not_der = 0; 6872 } 6873 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der); 6874 if (ret != 0) { 6875 size_t k; 6876 fprintf(stderr, "Failure %x on ", ret); 6877 for (k = 0; k < buflen; k++) { 6878 fprintf(stderr, "%02x ", buffer[k]); 6879 } 6880 fprintf(stderr, "\n"); 6881 } 6882 CHECK(ret == 0); 6883 } 6884 } 6885 } 6886 6887 /* Tests several edge cases. */ 6888 static void test_ecdsa_edge_cases(void) { 6889 int t; 6890 haskellsecp256k1_v0_1_0_ecdsa_signature sig; 6891 6892 /* Test the case where ECDSA recomputes a point that is infinity. */ 6893 { 6894 haskellsecp256k1_v0_1_0_gej keyj; 6895 haskellsecp256k1_v0_1_0_ge key; 6896 haskellsecp256k1_v0_1_0_scalar msg; 6897 haskellsecp256k1_v0_1_0_scalar sr, ss; 6898 haskellsecp256k1_v0_1_0_scalar_set_int(&ss, 1); 6899 haskellsecp256k1_v0_1_0_scalar_negate(&ss, &ss); 6900 haskellsecp256k1_v0_1_0_scalar_inverse(&ss, &ss); 6901 haskellsecp256k1_v0_1_0_scalar_set_int(&sr, 1); 6902 haskellsecp256k1_v0_1_0_ecmult_gen(&CTX->ecmult_gen_ctx, &keyj, &sr); 6903 haskellsecp256k1_v0_1_0_ge_set_gej(&key, &keyj); 6904 msg = ss; 6905 CHECK(haskellsecp256k1_v0_1_0_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0); 6906 } 6907 6908 /* Verify signature with r of zero fails. */ 6909 { 6910 const unsigned char pubkey_mods_zero[33] = { 6911 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 6912 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 6913 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 6914 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 6915 0x41 6916 }; 6917 haskellsecp256k1_v0_1_0_ge key; 6918 haskellsecp256k1_v0_1_0_scalar msg; 6919 haskellsecp256k1_v0_1_0_scalar sr, ss; 6920 haskellsecp256k1_v0_1_0_scalar_set_int(&ss, 1); 6921 haskellsecp256k1_v0_1_0_scalar_set_int(&msg, 0); 6922 haskellsecp256k1_v0_1_0_scalar_set_int(&sr, 0); 6923 CHECK(haskellsecp256k1_v0_1_0_eckey_pubkey_parse(&key, pubkey_mods_zero, 33)); 6924 CHECK(haskellsecp256k1_v0_1_0_ecdsa_sig_verify( &sr, &ss, &key, &msg) == 0); 6925 } 6926 6927 /* Verify signature with s of zero fails. */ 6928 { 6929 const unsigned char pubkey[33] = { 6930 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 6931 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 6932 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 6933 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 6934 0x01 6935 }; 6936 haskellsecp256k1_v0_1_0_ge key; 6937 haskellsecp256k1_v0_1_0_scalar msg; 6938 haskellsecp256k1_v0_1_0_scalar sr, ss; 6939 haskellsecp256k1_v0_1_0_scalar_set_int(&ss, 0); 6940 haskellsecp256k1_v0_1_0_scalar_set_int(&msg, 0); 6941 haskellsecp256k1_v0_1_0_scalar_set_int(&sr, 1); 6942 CHECK(haskellsecp256k1_v0_1_0_eckey_pubkey_parse(&key, pubkey, 33)); 6943 CHECK(haskellsecp256k1_v0_1_0_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0); 6944 } 6945 6946 /* Verify signature with message 0 passes. */ 6947 { 6948 const unsigned char pubkey[33] = { 6949 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 6950 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 6951 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 6952 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 6953 0x02 6954 }; 6955 const unsigned char pubkey2[33] = { 6956 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 6957 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 6958 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 6959 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 6960 0x43 6961 }; 6962 haskellsecp256k1_v0_1_0_ge key; 6963 haskellsecp256k1_v0_1_0_ge key2; 6964 haskellsecp256k1_v0_1_0_scalar msg; 6965 haskellsecp256k1_v0_1_0_scalar sr, ss; 6966 haskellsecp256k1_v0_1_0_scalar_set_int(&ss, 2); 6967 haskellsecp256k1_v0_1_0_scalar_set_int(&msg, 0); 6968 haskellsecp256k1_v0_1_0_scalar_set_int(&sr, 2); 6969 CHECK(haskellsecp256k1_v0_1_0_eckey_pubkey_parse(&key, pubkey, 33)); 6970 CHECK(haskellsecp256k1_v0_1_0_eckey_pubkey_parse(&key2, pubkey2, 33)); 6971 CHECK(haskellsecp256k1_v0_1_0_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1); 6972 CHECK(haskellsecp256k1_v0_1_0_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1); 6973 haskellsecp256k1_v0_1_0_scalar_negate(&ss, &ss); 6974 CHECK(haskellsecp256k1_v0_1_0_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1); 6975 CHECK(haskellsecp256k1_v0_1_0_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1); 6976 haskellsecp256k1_v0_1_0_scalar_set_int(&ss, 1); 6977 CHECK(haskellsecp256k1_v0_1_0_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0); 6978 CHECK(haskellsecp256k1_v0_1_0_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 0); 6979 } 6980 6981 /* Verify signature with message 1 passes. */ 6982 { 6983 const unsigned char pubkey[33] = { 6984 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22, 6985 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05, 6986 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c, 6987 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76, 6988 0x25 6989 }; 6990 const unsigned char pubkey2[33] = { 6991 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40, 6992 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae, 6993 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f, 6994 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10, 6995 0x62 6996 }; 6997 const unsigned char csr[32] = { 6998 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 6999 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 7000 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4, 7001 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb 7002 }; 7003 haskellsecp256k1_v0_1_0_ge key; 7004 haskellsecp256k1_v0_1_0_ge key2; 7005 haskellsecp256k1_v0_1_0_scalar msg; 7006 haskellsecp256k1_v0_1_0_scalar sr, ss; 7007 haskellsecp256k1_v0_1_0_scalar_set_int(&ss, 1); 7008 haskellsecp256k1_v0_1_0_scalar_set_int(&msg, 1); 7009 haskellsecp256k1_v0_1_0_scalar_set_b32(&sr, csr, NULL); 7010 CHECK(haskellsecp256k1_v0_1_0_eckey_pubkey_parse(&key, pubkey, 33)); 7011 CHECK(haskellsecp256k1_v0_1_0_eckey_pubkey_parse(&key2, pubkey2, 33)); 7012 CHECK(haskellsecp256k1_v0_1_0_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1); 7013 CHECK(haskellsecp256k1_v0_1_0_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1); 7014 haskellsecp256k1_v0_1_0_scalar_negate(&ss, &ss); 7015 CHECK(haskellsecp256k1_v0_1_0_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1); 7016 CHECK(haskellsecp256k1_v0_1_0_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1); 7017 haskellsecp256k1_v0_1_0_scalar_set_int(&ss, 2); 7018 haskellsecp256k1_v0_1_0_scalar_inverse_var(&ss, &ss); 7019 CHECK(haskellsecp256k1_v0_1_0_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0); 7020 CHECK(haskellsecp256k1_v0_1_0_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 0); 7021 } 7022 7023 /* Verify signature with message -1 passes. */ 7024 { 7025 const unsigned char pubkey[33] = { 7026 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0, 7027 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52, 7028 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27, 7029 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20, 7030 0xf1 7031 }; 7032 const unsigned char csr[32] = { 7033 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7034 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 7035 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4, 7036 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee 7037 }; 7038 haskellsecp256k1_v0_1_0_ge key; 7039 haskellsecp256k1_v0_1_0_scalar msg; 7040 haskellsecp256k1_v0_1_0_scalar sr, ss; 7041 haskellsecp256k1_v0_1_0_scalar_set_int(&ss, 1); 7042 haskellsecp256k1_v0_1_0_scalar_set_int(&msg, 1); 7043 haskellsecp256k1_v0_1_0_scalar_negate(&msg, &msg); 7044 haskellsecp256k1_v0_1_0_scalar_set_b32(&sr, csr, NULL); 7045 CHECK(haskellsecp256k1_v0_1_0_eckey_pubkey_parse(&key, pubkey, 33)); 7046 CHECK(haskellsecp256k1_v0_1_0_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1); 7047 haskellsecp256k1_v0_1_0_scalar_negate(&ss, &ss); 7048 CHECK(haskellsecp256k1_v0_1_0_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1); 7049 haskellsecp256k1_v0_1_0_scalar_set_int(&ss, 3); 7050 haskellsecp256k1_v0_1_0_scalar_inverse_var(&ss, &ss); 7051 CHECK(haskellsecp256k1_v0_1_0_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0); 7052 } 7053 7054 /* Signature where s would be zero. */ 7055 { 7056 haskellsecp256k1_v0_1_0_pubkey pubkey; 7057 size_t siglen; 7058 unsigned char signature[72]; 7059 static const unsigned char nonce[32] = { 7060 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7061 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7062 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7063 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 7064 }; 7065 static const unsigned char nonce2[32] = { 7066 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 7067 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE, 7068 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B, 7069 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40 7070 }; 7071 const unsigned char key[32] = { 7072 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7073 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7074 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7075 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 7076 }; 7077 unsigned char msg[32] = { 7078 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53, 7079 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7, 7080 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62, 7081 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9, 7082 }; 7083 CHECK(haskellsecp256k1_v0_1_0_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce) == 0); 7084 CHECK(haskellsecp256k1_v0_1_0_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce2) == 0); 7085 msg[31] = 0xaa; 7086 CHECK(haskellsecp256k1_v0_1_0_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce) == 1); 7087 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_ecdsa_sign(CTX, NULL, msg, key, precomputed_nonce_function, nonce2)); 7088 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_ecdsa_sign(CTX, &sig, NULL, key, precomputed_nonce_function, nonce2)); 7089 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_ecdsa_sign(CTX, &sig, msg, NULL, precomputed_nonce_function, nonce2)); 7090 CHECK(haskellsecp256k1_v0_1_0_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce2) == 1); 7091 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_create(CTX, &pubkey, key) == 1); 7092 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_ecdsa_verify(CTX, NULL, msg, &pubkey)); 7093 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_ecdsa_verify(CTX, &sig, NULL, &pubkey)); 7094 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_ecdsa_verify(CTX, &sig, msg, NULL)); 7095 CHECK(haskellsecp256k1_v0_1_0_ecdsa_verify(CTX, &sig, msg, &pubkey) == 1); 7096 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_ec_pubkey_create(CTX, &pubkey, NULL)); 7097 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */ 7098 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_ecdsa_verify(CTX, &sig, msg, &pubkey)); 7099 siglen = 72; 7100 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_ecdsa_signature_serialize_der(CTX, NULL, &siglen, &sig)); 7101 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_ecdsa_signature_serialize_der(CTX, signature, NULL, &sig)); 7102 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_ecdsa_signature_serialize_der(CTX, signature, &siglen, NULL)); 7103 CHECK(haskellsecp256k1_v0_1_0_ecdsa_signature_serialize_der(CTX, signature, &siglen, &sig) == 1); 7104 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_ecdsa_signature_parse_der(CTX, NULL, signature, siglen)); 7105 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_ecdsa_signature_parse_der(CTX, &sig, NULL, siglen)); 7106 CHECK(haskellsecp256k1_v0_1_0_ecdsa_signature_parse_der(CTX, &sig, signature, siglen) == 1); 7107 siglen = 10; 7108 /* Too little room for a signature does not fail via ARGCHECK. */ 7109 CHECK(haskellsecp256k1_v0_1_0_ecdsa_signature_serialize_der(CTX, signature, &siglen, &sig) == 0); 7110 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_ecdsa_signature_normalize(CTX, NULL, NULL)); 7111 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_ecdsa_signature_serialize_compact(CTX, NULL, &sig)); 7112 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_ecdsa_signature_serialize_compact(CTX, signature, NULL)); 7113 CHECK(haskellsecp256k1_v0_1_0_ecdsa_signature_serialize_compact(CTX, signature, &sig) == 1); 7114 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_ecdsa_signature_parse_compact(CTX, NULL, signature)); 7115 CHECK_ILLEGAL(CTX, haskellsecp256k1_v0_1_0_ecdsa_signature_parse_compact(CTX, &sig, NULL)); 7116 CHECK(haskellsecp256k1_v0_1_0_ecdsa_signature_parse_compact(CTX, &sig, signature) == 1); 7117 memset(signature, 255, 64); 7118 CHECK(haskellsecp256k1_v0_1_0_ecdsa_signature_parse_compact(CTX, &sig, signature) == 0); 7119 } 7120 7121 /* Nonce function corner cases. */ 7122 for (t = 0; t < 2; t++) { 7123 static const unsigned char zero[32] = {0x00}; 7124 int i; 7125 unsigned char key[32]; 7126 unsigned char msg[32]; 7127 haskellsecp256k1_v0_1_0_ecdsa_signature sig2; 7128 haskellsecp256k1_v0_1_0_scalar sr[512], ss; 7129 const unsigned char *extra; 7130 extra = t == 0 ? NULL : zero; 7131 memset(msg, 0, 32); 7132 msg[31] = 1; 7133 /* High key results in signature failure. */ 7134 memset(key, 0xFF, 32); 7135 CHECK(haskellsecp256k1_v0_1_0_ecdsa_sign(CTX, &sig, msg, key, NULL, extra) == 0); 7136 CHECK(is_empty_signature(&sig)); 7137 /* Zero key results in signature failure. */ 7138 memset(key, 0, 32); 7139 CHECK(haskellsecp256k1_v0_1_0_ecdsa_sign(CTX, &sig, msg, key, NULL, extra) == 0); 7140 CHECK(is_empty_signature(&sig)); 7141 /* Nonce function failure results in signature failure. */ 7142 key[31] = 1; 7143 CHECK(haskellsecp256k1_v0_1_0_ecdsa_sign(CTX, &sig, msg, key, nonce_function_test_fail, extra) == 0); 7144 CHECK(is_empty_signature(&sig)); 7145 /* The retry loop successfully makes its way to the first good value. */ 7146 CHECK(haskellsecp256k1_v0_1_0_ecdsa_sign(CTX, &sig, msg, key, nonce_function_test_retry, extra) == 1); 7147 CHECK(!is_empty_signature(&sig)); 7148 CHECK(haskellsecp256k1_v0_1_0_ecdsa_sign(CTX, &sig2, msg, key, nonce_function_rfc6979, extra) == 1); 7149 CHECK(!is_empty_signature(&sig2)); 7150 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&sig, &sig2, sizeof(sig)) == 0); 7151 /* The default nonce function is deterministic. */ 7152 CHECK(haskellsecp256k1_v0_1_0_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1); 7153 CHECK(!is_empty_signature(&sig2)); 7154 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&sig, &sig2, sizeof(sig)) == 0); 7155 /* The default nonce function changes output with different messages. */ 7156 for(i = 0; i < 256; i++) { 7157 int j; 7158 msg[0] = i; 7159 CHECK(haskellsecp256k1_v0_1_0_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1); 7160 CHECK(!is_empty_signature(&sig2)); 7161 haskellsecp256k1_v0_1_0_ecdsa_signature_load(CTX, &sr[i], &ss, &sig2); 7162 for (j = 0; j < i; j++) { 7163 CHECK(!haskellsecp256k1_v0_1_0_scalar_eq(&sr[i], &sr[j])); 7164 } 7165 } 7166 msg[0] = 0; 7167 msg[31] = 2; 7168 /* The default nonce function changes output with different keys. */ 7169 for(i = 256; i < 512; i++) { 7170 int j; 7171 key[0] = i - 256; 7172 CHECK(haskellsecp256k1_v0_1_0_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1); 7173 CHECK(!is_empty_signature(&sig2)); 7174 haskellsecp256k1_v0_1_0_ecdsa_signature_load(CTX, &sr[i], &ss, &sig2); 7175 for (j = 0; j < i; j++) { 7176 CHECK(!haskellsecp256k1_v0_1_0_scalar_eq(&sr[i], &sr[j])); 7177 } 7178 } 7179 key[0] = 0; 7180 } 7181 7182 { 7183 /* Check that optional nonce arguments do not have equivalent effect. */ 7184 const unsigned char zeros[32] = {0}; 7185 unsigned char nonce[32]; 7186 unsigned char nonce2[32]; 7187 unsigned char nonce3[32]; 7188 unsigned char nonce4[32]; 7189 SECP256K1_CHECKMEM_UNDEFINE(nonce,32); 7190 SECP256K1_CHECKMEM_UNDEFINE(nonce2,32); 7191 SECP256K1_CHECKMEM_UNDEFINE(nonce3,32); 7192 SECP256K1_CHECKMEM_UNDEFINE(nonce4,32); 7193 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1); 7194 SECP256K1_CHECKMEM_CHECK(nonce,32); 7195 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1); 7196 SECP256K1_CHECKMEM_CHECK(nonce2,32); 7197 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1); 7198 SECP256K1_CHECKMEM_CHECK(nonce3,32); 7199 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1); 7200 SECP256K1_CHECKMEM_CHECK(nonce4,32); 7201 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(nonce, nonce2, 32) != 0); 7202 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(nonce, nonce3, 32) != 0); 7203 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(nonce, nonce4, 32) != 0); 7204 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(nonce2, nonce3, 32) != 0); 7205 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(nonce2, nonce4, 32) != 0); 7206 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(nonce3, nonce4, 32) != 0); 7207 } 7208 7209 7210 /* Privkey export where pubkey is the point at infinity. */ 7211 { 7212 unsigned char privkey[300]; 7213 unsigned char seckey[32] = { 7214 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 7215 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 7216 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b, 7217 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41, 7218 }; 7219 size_t outlen = 300; 7220 CHECK(!ec_privkey_export_der(CTX, privkey, &outlen, seckey, 0)); 7221 outlen = 300; 7222 CHECK(!ec_privkey_export_der(CTX, privkey, &outlen, seckey, 1)); 7223 } 7224 } 7225 7226 static void run_ecdsa_edge_cases(void) { 7227 test_ecdsa_edge_cases(); 7228 } 7229 7230 /** Wycheproof tests 7231 7232 The tests check for known attacks (range checks in (r,s), arithmetic errors, malleability). 7233 */ 7234 static void test_ecdsa_wycheproof(void) { 7235 #include "wycheproof/ecdsa_haskellsecp256k1_v0_1_0_sha256_bitcoin_test.h" 7236 7237 int t; 7238 for (t = 0; t < SECP256K1_ECDSA_WYCHEPROOF_NUMBER_TESTVECTORS; t++) { 7239 haskellsecp256k1_v0_1_0_ecdsa_signature signature; 7240 haskellsecp256k1_v0_1_0_sha256 hasher; 7241 haskellsecp256k1_v0_1_0_pubkey pubkey; 7242 const unsigned char *msg, *sig, *pk; 7243 unsigned char out[32] = {0}; 7244 int actual_verify = 0; 7245 7246 memset(&pubkey, 0, sizeof(pubkey)); 7247 pk = &wycheproof_ecdsa_public_keys[testvectors[t].pk_offset]; 7248 CHECK(haskellsecp256k1_v0_1_0_ec_pubkey_parse(CTX, &pubkey, pk, 65) == 1); 7249 7250 haskellsecp256k1_v0_1_0_sha256_initialize(&hasher); 7251 msg = &wycheproof_ecdsa_messages[testvectors[t].msg_offset]; 7252 haskellsecp256k1_v0_1_0_sha256_write(&hasher, msg, testvectors[t].msg_len); 7253 haskellsecp256k1_v0_1_0_sha256_finalize(&hasher, out); 7254 7255 sig = &wycheproof_ecdsa_signatures[testvectors[t].sig_offset]; 7256 if (haskellsecp256k1_v0_1_0_ecdsa_signature_parse_der(CTX, &signature, sig, testvectors[t].sig_len) == 1) { 7257 actual_verify = haskellsecp256k1_v0_1_0_ecdsa_verify(CTX, (const haskellsecp256k1_v0_1_0_ecdsa_signature *)&signature, out, &pubkey); 7258 } 7259 CHECK(testvectors[t].expected_verify == actual_verify); 7260 } 7261 } 7262 7263 /* Tests cases from Wycheproof test suite. */ 7264 static void run_ecdsa_wycheproof(void) { 7265 test_ecdsa_wycheproof(); 7266 } 7267 7268 #ifdef ENABLE_MODULE_ECDH 7269 # include "modules/ecdh/tests_impl.h" 7270 #endif 7271 7272 #ifdef ENABLE_MODULE_RECOVERY 7273 # include "modules/recovery/tests_impl.h" 7274 #endif 7275 7276 #ifdef ENABLE_MODULE_EXTRAKEYS 7277 # include "modules/extrakeys/tests_impl.h" 7278 #endif 7279 7280 #ifdef ENABLE_MODULE_SCHNORRSIG 7281 # include "modules/schnorrsig/tests_impl.h" 7282 #endif 7283 7284 #ifdef ENABLE_MODULE_ELLSWIFT 7285 # include "modules/ellswift/tests_impl.h" 7286 #endif 7287 7288 static void run_haskellsecp256k1_v0_1_0_memczero_test(void) { 7289 unsigned char buf1[6] = {1, 2, 3, 4, 5, 6}; 7290 unsigned char buf2[sizeof(buf1)]; 7291 7292 /* haskellsecp256k1_v0_1_0_memczero(..., ..., 0) is a noop. */ 7293 memcpy(buf2, buf1, sizeof(buf1)); 7294 haskellsecp256k1_v0_1_0_memczero(buf1, sizeof(buf1), 0); 7295 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(buf1, buf2, sizeof(buf1)) == 0); 7296 7297 /* haskellsecp256k1_v0_1_0_memczero(..., ..., 1) zeros the buffer. */ 7298 memset(buf2, 0, sizeof(buf2)); 7299 haskellsecp256k1_v0_1_0_memczero(buf1, sizeof(buf1) , 1); 7300 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(buf1, buf2, sizeof(buf1)) == 0); 7301 } 7302 7303 static void run_haskellsecp256k1_v0_1_0_byteorder_tests(void) { 7304 { 7305 const uint32_t x = 0xFF03AB45; 7306 const unsigned char x_be[4] = {0xFF, 0x03, 0xAB, 0x45}; 7307 unsigned char buf[4]; 7308 uint32_t x_; 7309 7310 haskellsecp256k1_v0_1_0_write_be32(buf, x); 7311 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(buf, x_be, sizeof(buf)) == 0); 7312 7313 x_ = haskellsecp256k1_v0_1_0_read_be32(buf); 7314 CHECK(x == x_); 7315 } 7316 7317 { 7318 const uint64_t x = 0xCAFE0123BEEF4567; 7319 const unsigned char x_be[8] = {0xCA, 0xFE, 0x01, 0x23, 0xBE, 0xEF, 0x45, 0x67}; 7320 unsigned char buf[8]; 7321 uint64_t x_; 7322 7323 haskellsecp256k1_v0_1_0_write_be64(buf, x); 7324 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(buf, x_be, sizeof(buf)) == 0); 7325 7326 x_ = haskellsecp256k1_v0_1_0_read_be64(buf); 7327 CHECK(x == x_); 7328 } 7329 } 7330 7331 static void int_cmov_test(void) { 7332 int r = INT_MAX; 7333 int a = 0; 7334 7335 haskellsecp256k1_v0_1_0_int_cmov(&r, &a, 0); 7336 CHECK(r == INT_MAX); 7337 7338 r = 0; a = INT_MAX; 7339 haskellsecp256k1_v0_1_0_int_cmov(&r, &a, 1); 7340 CHECK(r == INT_MAX); 7341 7342 a = 0; 7343 haskellsecp256k1_v0_1_0_int_cmov(&r, &a, 1); 7344 CHECK(r == 0); 7345 7346 a = 1; 7347 haskellsecp256k1_v0_1_0_int_cmov(&r, &a, 1); 7348 CHECK(r == 1); 7349 7350 r = 1; a = 0; 7351 haskellsecp256k1_v0_1_0_int_cmov(&r, &a, 0); 7352 CHECK(r == 1); 7353 7354 } 7355 7356 static void fe_cmov_test(void) { 7357 static const haskellsecp256k1_v0_1_0_fe zero = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0); 7358 static const haskellsecp256k1_v0_1_0_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1); 7359 static const haskellsecp256k1_v0_1_0_fe max = SECP256K1_FE_CONST( 7360 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 7361 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL 7362 ); 7363 haskellsecp256k1_v0_1_0_fe r = max; 7364 haskellsecp256k1_v0_1_0_fe a = zero; 7365 7366 haskellsecp256k1_v0_1_0_fe_cmov(&r, &a, 0); 7367 CHECK(fe_identical(&r, &max)); 7368 7369 r = zero; a = max; 7370 haskellsecp256k1_v0_1_0_fe_cmov(&r, &a, 1); 7371 CHECK(fe_identical(&r, &max)); 7372 7373 a = zero; 7374 haskellsecp256k1_v0_1_0_fe_cmov(&r, &a, 1); 7375 CHECK(fe_identical(&r, &zero)); 7376 7377 a = one; 7378 haskellsecp256k1_v0_1_0_fe_cmov(&r, &a, 1); 7379 CHECK(fe_identical(&r, &one)); 7380 7381 r = one; a = zero; 7382 haskellsecp256k1_v0_1_0_fe_cmov(&r, &a, 0); 7383 CHECK(fe_identical(&r, &one)); 7384 } 7385 7386 static void fe_storage_cmov_test(void) { 7387 static const haskellsecp256k1_v0_1_0_fe_storage zero = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0); 7388 static const haskellsecp256k1_v0_1_0_fe_storage one = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1); 7389 static const haskellsecp256k1_v0_1_0_fe_storage max = SECP256K1_FE_STORAGE_CONST( 7390 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 7391 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL 7392 ); 7393 haskellsecp256k1_v0_1_0_fe_storage r = max; 7394 haskellsecp256k1_v0_1_0_fe_storage a = zero; 7395 7396 haskellsecp256k1_v0_1_0_fe_storage_cmov(&r, &a, 0); 7397 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&r, &max, sizeof(r)) == 0); 7398 7399 r = zero; a = max; 7400 haskellsecp256k1_v0_1_0_fe_storage_cmov(&r, &a, 1); 7401 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&r, &max, sizeof(r)) == 0); 7402 7403 a = zero; 7404 haskellsecp256k1_v0_1_0_fe_storage_cmov(&r, &a, 1); 7405 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&r, &zero, sizeof(r)) == 0); 7406 7407 a = one; 7408 haskellsecp256k1_v0_1_0_fe_storage_cmov(&r, &a, 1); 7409 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&r, &one, sizeof(r)) == 0); 7410 7411 r = one; a = zero; 7412 haskellsecp256k1_v0_1_0_fe_storage_cmov(&r, &a, 0); 7413 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&r, &one, sizeof(r)) == 0); 7414 } 7415 7416 static void scalar_cmov_test(void) { 7417 static const haskellsecp256k1_v0_1_0_scalar max = SECP256K1_SCALAR_CONST( 7418 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFEUL, 7419 0xBAAEDCE6UL, 0xAF48A03BUL, 0xBFD25E8CUL, 0xD0364140UL 7420 ); 7421 haskellsecp256k1_v0_1_0_scalar r = max; 7422 haskellsecp256k1_v0_1_0_scalar a = haskellsecp256k1_v0_1_0_scalar_zero; 7423 7424 haskellsecp256k1_v0_1_0_scalar_cmov(&r, &a, 0); 7425 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&r, &max, sizeof(r)) == 0); 7426 7427 r = haskellsecp256k1_v0_1_0_scalar_zero; a = max; 7428 haskellsecp256k1_v0_1_0_scalar_cmov(&r, &a, 1); 7429 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&r, &max, sizeof(r)) == 0); 7430 7431 a = haskellsecp256k1_v0_1_0_scalar_zero; 7432 haskellsecp256k1_v0_1_0_scalar_cmov(&r, &a, 1); 7433 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&r, &haskellsecp256k1_v0_1_0_scalar_zero, sizeof(r)) == 0); 7434 7435 a = haskellsecp256k1_v0_1_0_scalar_one; 7436 haskellsecp256k1_v0_1_0_scalar_cmov(&r, &a, 1); 7437 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&r, &haskellsecp256k1_v0_1_0_scalar_one, sizeof(r)) == 0); 7438 7439 r = haskellsecp256k1_v0_1_0_scalar_one; a = haskellsecp256k1_v0_1_0_scalar_zero; 7440 haskellsecp256k1_v0_1_0_scalar_cmov(&r, &a, 0); 7441 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&r, &haskellsecp256k1_v0_1_0_scalar_one, sizeof(r)) == 0); 7442 } 7443 7444 static void ge_storage_cmov_test(void) { 7445 static const haskellsecp256k1_v0_1_0_ge_storage zero = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0); 7446 static const haskellsecp256k1_v0_1_0_ge_storage one = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1); 7447 static const haskellsecp256k1_v0_1_0_ge_storage max = SECP256K1_GE_STORAGE_CONST( 7448 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 7449 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 7450 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 7451 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL 7452 ); 7453 haskellsecp256k1_v0_1_0_ge_storage r = max; 7454 haskellsecp256k1_v0_1_0_ge_storage a = zero; 7455 7456 haskellsecp256k1_v0_1_0_ge_storage_cmov(&r, &a, 0); 7457 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&r, &max, sizeof(r)) == 0); 7458 7459 r = zero; a = max; 7460 haskellsecp256k1_v0_1_0_ge_storage_cmov(&r, &a, 1); 7461 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&r, &max, sizeof(r)) == 0); 7462 7463 a = zero; 7464 haskellsecp256k1_v0_1_0_ge_storage_cmov(&r, &a, 1); 7465 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&r, &zero, sizeof(r)) == 0); 7466 7467 a = one; 7468 haskellsecp256k1_v0_1_0_ge_storage_cmov(&r, &a, 1); 7469 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&r, &one, sizeof(r)) == 0); 7470 7471 r = one; a = zero; 7472 haskellsecp256k1_v0_1_0_ge_storage_cmov(&r, &a, 0); 7473 CHECK(haskellsecp256k1_v0_1_0_memcmp_var(&r, &one, sizeof(r)) == 0); 7474 } 7475 7476 static void run_cmov_tests(void) { 7477 int_cmov_test(); 7478 fe_cmov_test(); 7479 fe_storage_cmov_test(); 7480 scalar_cmov_test(); 7481 ge_storage_cmov_test(); 7482 } 7483 7484 int main(int argc, char **argv) { 7485 /* Disable buffering for stdout to improve reliability of getting 7486 * diagnostic information. Happens right at the start of main because 7487 * setbuf must be used before any other operation on the stream. */ 7488 setbuf(stdout, NULL); 7489 /* Also disable buffering for stderr because it's not guaranteed that it's 7490 * unbuffered on all systems. */ 7491 setbuf(stderr, NULL); 7492 7493 /* find iteration count */ 7494 if (argc > 1) { 7495 COUNT = strtol(argv[1], NULL, 0); 7496 } else { 7497 const char* env = getenv("SECP256K1_TEST_ITERS"); 7498 if (env && strlen(env) > 0) { 7499 COUNT = strtol(env, NULL, 0); 7500 } 7501 } 7502 if (COUNT <= 0) { 7503 fputs("An iteration count of 0 or less is not allowed.\n", stderr); 7504 return EXIT_FAILURE; 7505 } 7506 printf("test count = %i\n", COUNT); 7507 7508 /* run test RNG tests (must run before we really initialize the test RNG) */ 7509 run_xoshiro256pp_tests(); 7510 7511 /* find random seed */ 7512 haskellsecp256k1_v0_1_0_testrand_init(argc > 2 ? argv[2] : NULL); 7513 7514 /*** Setup test environment ***/ 7515 7516 /* Create a global context available to all tests */ 7517 CTX = haskellsecp256k1_v0_1_0_context_create(SECP256K1_CONTEXT_NONE); 7518 /* Randomize the context only with probability 15/16 7519 to make sure we test without context randomization from time to time. 7520 TODO Reconsider this when recalibrating the tests. */ 7521 if (haskellsecp256k1_v0_1_0_testrand_bits(4)) { 7522 unsigned char rand32[32]; 7523 haskellsecp256k1_v0_1_0_testrand256(rand32); 7524 CHECK(haskellsecp256k1_v0_1_0_context_randomize(CTX, rand32)); 7525 } 7526 /* Make a writable copy of haskellsecp256k1_v0_1_0_context_static in order to test the effect of API functions 7527 that write to the context. The API does not support cloning the static context, so we use 7528 memcpy instead. The user is not supposed to copy a context but we should still ensure that 7529 the API functions handle copies of the static context gracefully. */ 7530 STATIC_CTX = malloc(sizeof(*haskellsecp256k1_v0_1_0_context_static)); 7531 CHECK(STATIC_CTX != NULL); 7532 memcpy(STATIC_CTX, haskellsecp256k1_v0_1_0_context_static, sizeof(haskellsecp256k1_v0_1_0_context)); 7533 CHECK(!haskellsecp256k1_v0_1_0_context_is_proper(STATIC_CTX)); 7534 7535 /*** Run actual tests ***/ 7536 7537 /* selftest tests */ 7538 run_selftest_tests(); 7539 7540 /* context tests */ 7541 run_proper_context_tests(0); run_proper_context_tests(1); 7542 run_static_context_tests(0); run_static_context_tests(1); 7543 run_deprecated_context_flags_test(); 7544 7545 /* scratch tests */ 7546 run_scratch_tests(); 7547 7548 /* integer arithmetic tests */ 7549 #ifdef SECP256K1_WIDEMUL_INT128 7550 run_int128_tests(); 7551 #endif 7552 run_ctz_tests(); 7553 run_modinv_tests(); 7554 run_inverse_tests(); 7555 7556 /* hash tests */ 7557 run_sha256_known_output_tests(); 7558 run_sha256_counter_tests(); 7559 run_hmac_sha256_tests(); 7560 run_rfc6979_hmac_sha256_tests(); 7561 run_tagged_sha256_tests(); 7562 7563 /* scalar tests */ 7564 run_scalar_tests(); 7565 7566 /* field tests */ 7567 run_field_half(); 7568 run_field_misc(); 7569 run_field_convert(); 7570 run_field_be32_overflow(); 7571 run_fe_mul(); 7572 run_sqr(); 7573 run_sqrt(); 7574 7575 /* group tests */ 7576 run_ge(); 7577 run_gej(); 7578 run_group_decompress(); 7579 7580 /* ecmult tests */ 7581 run_ecmult_pre_g(); 7582 run_wnaf(); 7583 run_point_times_order(); 7584 run_ecmult_near_split_bound(); 7585 run_ecmult_chain(); 7586 run_ecmult_constants(); 7587 run_ecmult_gen_blind(); 7588 run_ecmult_const_tests(); 7589 run_ecmult_multi_tests(); 7590 run_ec_combine(); 7591 7592 /* endomorphism tests */ 7593 run_endomorphism_tests(); 7594 7595 /* EC point parser test */ 7596 run_ec_pubkey_parse_test(); 7597 7598 /* EC key edge cases */ 7599 run_eckey_edge_case_test(); 7600 7601 /* EC key arithmetic test */ 7602 run_eckey_negate_test(); 7603 7604 #ifdef ENABLE_MODULE_ECDH 7605 /* ecdh tests */ 7606 run_ecdh_tests(); 7607 #endif 7608 7609 /* ecdsa tests */ 7610 run_ec_illegal_argument_tests(); 7611 run_pubkey_comparison(); 7612 run_random_pubkeys(); 7613 run_ecdsa_der_parse(); 7614 run_ecdsa_sign_verify(); 7615 run_ecdsa_end_to_end(); 7616 run_ecdsa_edge_cases(); 7617 run_ecdsa_wycheproof(); 7618 7619 #ifdef ENABLE_MODULE_RECOVERY 7620 /* ECDSA pubkey recovery tests */ 7621 run_recovery_tests(); 7622 #endif 7623 7624 #ifdef ENABLE_MODULE_EXTRAKEYS 7625 run_extrakeys_tests(); 7626 #endif 7627 7628 #ifdef ENABLE_MODULE_SCHNORRSIG 7629 run_schnorrsig_tests(); 7630 #endif 7631 7632 #ifdef ENABLE_MODULE_ELLSWIFT 7633 run_ellswift_tests(); 7634 #endif 7635 7636 /* util tests */ 7637 run_haskellsecp256k1_v0_1_0_memczero_test(); 7638 run_haskellsecp256k1_v0_1_0_byteorder_tests(); 7639 7640 run_cmov_tests(); 7641 7642 /*** Tear down test environment ***/ 7643 free(STATIC_CTX); 7644 haskellsecp256k1_v0_1_0_context_destroy(CTX); 7645 7646 haskellsecp256k1_v0_1_0_testrand_finish(); 7647 7648 printf("no problems found\n"); 7649 return 0; 7650 }