@ -1,5 +1,5 @@
@@ -1,5 +1,5 @@
/**********************************************************************
* Copyright ( c ) 2013 , 2014 Pieter Wuille *
* Copyright ( c ) 2013 , 2014 , 2015 Pieter Wuille , Gregory Maxwell *
* Distributed under the MIT software license , see the accompanying *
* file COPYING or http : //www.opensource.org/licenses/mit-license.php.*
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
@ -24,6 +24,7 @@
@@ -24,6 +24,7 @@
# endif
static int count = 64 ;
static secp256k1_context_t * ctx = NULL ;
void random_field_element_test ( secp256k1_fe_t * fe ) {
do {
@ -55,8 +56,9 @@ void random_group_element_test(secp256k1_ge_t *ge) {
@@ -55,8 +56,9 @@ void random_group_element_test(secp256k1_ge_t *ge) {
secp256k1_fe_t fe ;
do {
random_field_element_test ( & fe ) ;
if ( secp256k1_ge_set_xo_var ( ge , & fe , secp256k1_rand32 ( ) & 1 ) )
if ( secp256k1_ge_set_xo_var ( ge , & fe , secp256k1_rand32 ( ) & 1 ) ) {
break ;
}
} while ( 1 ) ;
}
@ -81,8 +83,9 @@ void random_scalar_order_test(secp256k1_scalar_t *num) {
@@ -81,8 +83,9 @@ void random_scalar_order_test(secp256k1_scalar_t *num) {
int overflow = 0 ;
secp256k1_rand256_test ( b32 ) ;
secp256k1_scalar_set_b32 ( num , b32 , & overflow ) ;
if ( overflow | | secp256k1_scalar_is_zero ( num ) )
if ( overflow | | secp256k1_scalar_is_zero ( num ) ) {
continue ;
}
break ;
} while ( 1 ) ;
}
@ -93,12 +96,60 @@ void random_scalar_order(secp256k1_scalar_t *num) {
@@ -93,12 +96,60 @@ void random_scalar_order(secp256k1_scalar_t *num) {
int overflow = 0 ;
secp256k1_rand256 ( b32 ) ;
secp256k1_scalar_set_b32 ( num , b32 , & overflow ) ;
if ( overflow | | secp256k1_scalar_is_zero ( num ) )
if ( overflow | | secp256k1_scalar_is_zero ( num ) ) {
continue ;
}
break ;
} while ( 1 ) ;
}
void run_context_tests ( void ) {
secp256k1_context_t * none = secp256k1_context_create ( 0 ) ;
secp256k1_context_t * sign = secp256k1_context_create ( SECP256K1_CONTEXT_SIGN ) ;
secp256k1_context_t * vrfy = secp256k1_context_create ( SECP256K1_CONTEXT_VERIFY ) ;
secp256k1_context_t * both = secp256k1_context_create ( SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY ) ;
secp256k1_gej_t pubj ;
secp256k1_ge_t pub ;
secp256k1_scalar_t msg , key , nonce ;
secp256k1_ecdsa_sig_t sig ;
/*** clone and destroy all of them to make sure cloning was complete ***/
{
secp256k1_context_t * ctx_tmp ;
ctx_tmp = none ; none = secp256k1_context_clone ( none ) ; secp256k1_context_destroy ( ctx_tmp ) ;
ctx_tmp = sign ; sign = secp256k1_context_clone ( sign ) ; secp256k1_context_destroy ( ctx_tmp ) ;
ctx_tmp = vrfy ; vrfy = secp256k1_context_clone ( vrfy ) ; secp256k1_context_destroy ( ctx_tmp ) ;
ctx_tmp = both ; both = secp256k1_context_clone ( both ) ; secp256k1_context_destroy ( ctx_tmp ) ;
}
/*** attempt to use them ***/
random_scalar_order_test ( & msg ) ;
random_scalar_order_test ( & key ) ;
secp256k1_ecmult_gen ( & both - > ecmult_gen_ctx , & pubj , & key ) ;
secp256k1_ge_set_gej ( & pub , & pubj ) ;
/* obtain a working nonce */
do {
random_scalar_order_test ( & nonce ) ;
} while ( ! secp256k1_ecdsa_sig_sign ( & both - > ecmult_gen_ctx , & sig , & key , & msg , & nonce , NULL ) ) ;
/* try signing */
CHECK ( secp256k1_ecdsa_sig_sign ( & sign - > ecmult_gen_ctx , & sig , & key , & msg , & nonce , NULL ) ) ;
CHECK ( secp256k1_ecdsa_sig_sign ( & both - > ecmult_gen_ctx , & sig , & key , & msg , & nonce , NULL ) ) ;
/* try verifying */
CHECK ( secp256k1_ecdsa_sig_verify ( & vrfy - > ecmult_ctx , & sig , & pub , & msg ) ) ;
CHECK ( secp256k1_ecdsa_sig_verify ( & both - > ecmult_ctx , & sig , & pub , & msg ) ) ;
/* cleanup */
secp256k1_context_destroy ( none ) ;
secp256k1_context_destroy ( sign ) ;
secp256k1_context_destroy ( vrfy ) ;
secp256k1_context_destroy ( both ) ;
}
/***** HASH TESTS *****/
void run_sha256_tests ( void ) {
@ -229,8 +280,9 @@ void run_rfc6979_hmac_sha256_tests(void) {
@@ -229,8 +280,9 @@ void run_rfc6979_hmac_sha256_tests(void) {
# ifndef USE_NUM_NONE
void random_num_negate ( secp256k1_num_t * num ) {
if ( secp256k1_rand32 ( ) & 1 )
if ( secp256k1_rand32 ( ) & 1 ) {
secp256k1_num_negate ( num ) ;
}
}
void random_num_order_test ( secp256k1_num_t * num ) {
@ -624,9 +676,10 @@ void random_fe_non_zero(secp256k1_fe_t *nz) {
@@ -624,9 +676,10 @@ void random_fe_non_zero(secp256k1_fe_t *nz) {
while ( - - tries > = 0 ) {
random_fe ( nz ) ;
secp256k1_fe_normalize ( nz ) ;
if ( ! secp256k1_fe_is_zero ( nz ) )
if ( ! secp256k1_fe_is_zero ( nz ) ) {
break ;
}
}
/* Infinitesimal probability of spurious failure here */
CHECK ( tries > = 0 ) ;
}
@ -700,12 +753,22 @@ void run_field_misc(void) {
@@ -700,12 +753,22 @@ void run_field_misc(void) {
CHECK ( secp256k1_fe_equal_var ( & x , & x ) ) ;
z = x ;
secp256k1_fe_add ( & z , & y ) ;
secp256k1_fe_normalize ( & z ) ;
/* Test fe conditional move; z is not normalized here. */
q = x ;
secp256k1_fe_cmov ( & x , & z , 0 ) ;
secp256k1_fe_cmov ( & x , & x , 1 ) ;
CHECK ( memcmp ( & x , & z , sizeof ( x ) ) ! = 0 ) ;
CHECK ( memcmp ( & x , & q , sizeof ( x ) ) = = 0 ) ;
secp256k1_fe_cmov ( & q , & z , 1 ) ;
CHECK ( memcmp ( & q , & z , sizeof ( q ) ) = = 0 ) ;
/* Test storage conversion and conditional moves. */
secp256k1_fe_normalize ( & z ) ;
CHECK ( ! secp256k1_fe_equal_var ( & x , & z ) ) ;
secp256k1_fe_to_storage ( & xs , & x ) ;
secp256k1_fe_to_storage ( & ys , & y ) ;
secp256k1_fe_to_storage ( & zs , & z ) ;
secp256k1_fe_storage_cmov ( & zs , & xs , 0 ) ;
secp256k1_fe_storage_cmov ( & zs , & zs , 1 ) ;
CHECK ( memcmp ( & xs , & zs , sizeof ( xs ) ) ! = 0 ) ;
secp256k1_fe_storage_cmov ( & ys , & xs , 1 ) ;
CHECK ( memcmp ( & xs , & ys , sizeof ( xs ) ) = = 0 ) ;
@ -765,15 +828,18 @@ void run_field_inv_all_var(void) {
@@ -765,15 +828,18 @@ void run_field_inv_all_var(void) {
for ( i = 0 ; i < count ; i + + ) {
size_t j ;
size_t len = ( secp256k1_rand32 ( ) & 15 ) + 1 ;
for ( j = 0 ; j < len ; j + + )
for ( j = 0 ; j < len ; j + + ) {
random_fe_non_zero ( & x [ j ] ) ;
}
secp256k1_fe_inv_all_var ( len , xi , x ) ;
for ( j = 0 ; j < len ; j + + )
for ( j = 0 ; j < len ; j + + ) {
CHECK ( check_fe_inverse ( & x [ j ] , & xi [ j ] ) ) ;
}
secp256k1_fe_inv_all_var ( len , xii , xi ) ;
for ( j = 0 ; j < len ; j + + )
for ( j = 0 ; j < len ; j + + ) {
CHECK ( check_fe_equal ( & x [ j ] , & xii [ j ] ) ) ;
}
}
}
void run_sqr ( void ) {
@ -844,18 +910,42 @@ void run_sqrt(void) {
@@ -844,18 +910,42 @@ void run_sqrt(void) {
void ge_equals_ge ( const secp256k1_ge_t * a , const secp256k1_ge_t * b ) {
CHECK ( a - > infinity = = b - > infinity ) ;
if ( a - > infinity )
if ( a - > infinity ) {
return ;
}
CHECK ( secp256k1_fe_equal_var ( & a - > x , & b - > x ) ) ;
CHECK ( secp256k1_fe_equal_var ( & b - > y , & b - > y ) ) ;
}
/* This compares jacobian points including their Z, not just their geometric meaning. */
int gej_xyz_equals_gej ( const secp256k1_gej_t * a , const secp256k1_gej_t * b ) {
secp256k1_gej_t a2 ;
secp256k1_gej_t b2 ;
int ret = 1 ;
ret & = a - > infinity = = b - > infinity ;
if ( ret & & ! a - > infinity ) {
a2 = * a ;
b2 = * b ;
secp256k1_fe_normalize ( & a2 . x ) ;
secp256k1_fe_normalize ( & a2 . y ) ;
secp256k1_fe_normalize ( & a2 . z ) ;
secp256k1_fe_normalize ( & b2 . x ) ;
secp256k1_fe_normalize ( & b2 . y ) ;
secp256k1_fe_normalize ( & b2 . z ) ;
ret & = secp256k1_fe_cmp_var ( & a2 . x , & b2 . x ) = = 0 ;
ret & = secp256k1_fe_cmp_var ( & a2 . y , & b2 . y ) = = 0 ;
ret & = secp256k1_fe_cmp_var ( & a2 . z , & b2 . z ) = = 0 ;
}
return ret ;
}
void ge_equals_gej ( const secp256k1_ge_t * a , const secp256k1_gej_t * b ) {
secp256k1_fe_t z2s ;
secp256k1_fe_t u1 , u2 , s1 , s2 ;
CHECK ( a - > infinity = = b - > infinity ) ;
if ( a - > infinity )
if ( a - > infinity ) {
return ;
}
/* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
secp256k1_fe_sqr ( & z2s , & b - > z ) ;
secp256k1_fe_mul ( & u1 , & a - > x , & z2s ) ;
@ -874,8 +964,8 @@ void test_ge(void) {
@@ -874,8 +964,8 @@ void test_ge(void) {
* All magnitudes are randomized .
* All 17 * 17 combinations of points are added to eachother , using all applicable methods .
*/
secp256k1_ge_t * ge = malloc ( sizeof ( secp256k1_ge_t ) * ( 1 + 4 * runs ) ) ;
secp256k1_gej_t * gej = malloc ( sizeof ( secp256k1_gej_t ) * ( 1 + 4 * runs ) ) ;
secp256k1_ge_t * ge = ( secp256k1_ge_t * ) malloc ( sizeof ( secp256k1_ge_t ) * ( 1 + 4 * runs ) ) ;
secp256k1_gej_t * gej = ( secp256k1_gej_t * ) malloc ( sizeof ( secp256k1_gej_t ) * ( 1 + 4 * runs ) ) ;
secp256k1_gej_set_infinity ( & gej [ 0 ] ) ;
secp256k1_ge_clear ( & ge [ 0 ] ) ;
secp256k1_ge_set_gej_var ( & ge [ 0 ] , & gej [ 0 ] ) ;
@ -951,7 +1041,7 @@ void test_ge(void) {
@@ -951,7 +1041,7 @@ void test_ge(void) {
/* Test adding all points together in random order equals infinity. */
{
secp256k1_gej_t sum = SECP256K1_GEJ_CONST_INFINITY ;
secp256k1_gej_t * gej_shuffled = malloc ( ( 4 * runs + 1 ) * sizeof ( secp256k1_gej_t ) ) ;
secp256k1_gej_t * gej_shuffled = ( secp256k1_gej_t * ) malloc ( ( 4 * runs + 1 ) * sizeof ( secp256k1_gej_t ) ) ;
for ( i = 0 ; i < 4 * runs + 1 ; i + + ) {
gej_shuffled [ i ] = gej [ i ] ;
}
@ -972,9 +1062,12 @@ void test_ge(void) {
@@ -972,9 +1062,12 @@ void test_ge(void) {
/* Test batch gej -> ge conversion. */
{
secp256k1_ge_t * ge_set_all = malloc ( ( 4 * runs + 1 ) * sizeof ( secp256k1_ge_t ) ) ;
secp256k1_ge_t * ge_set_all = ( secp256k1_ge_t * ) malloc ( ( 4 * runs + 1 ) * sizeof ( secp256k1_ge_t ) ) ;
secp256k1_ge_set_all_gej_var ( 4 * runs + 1 , ge_set_all , gej ) ;
for ( i = 0 ; i < 4 * runs + 1 ; i + + ) {
secp256k1_fe_t s ;
random_fe_non_zero ( & s ) ;
secp256k1_gej_rescale ( & gej [ i ] , & s ) ;
ge_equals_gej ( & ge_set_all [ i ] , & gej [ i ] ) ;
}
free ( ge_set_all ) ;
@ -1025,7 +1118,7 @@ void run_ecmult_chain(void) {
@@ -1025,7 +1118,7 @@ void run_ecmult_chain(void) {
x = a ;
for ( i = 0 ; i < 200 * count ; i + + ) {
/* in each iteration, compute X = xn*X + gn*G; */
secp256k1_ecmult ( & x , & x , & xn , & gn ) ;
secp256k1_ecmult ( & ctx - > ecmult_ctx , & x , & x , & xn , & gn ) ;
/* also compute ae and ge: the actual accumulated factors for A and G */
/* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
secp256k1_scalar_mul ( & ae , & ae , & xn ) ;
@ -1051,7 +1144,7 @@ void run_ecmult_chain(void) {
@@ -1051,7 +1144,7 @@ void run_ecmult_chain(void) {
}
}
/* redo the computation, but directly with the resulting ae and ge coefficients: */
secp256k1_ecmult ( & x2 , & a , & ae , & ge ) ;
secp256k1_ecmult ( & ctx - > ecmult_ctx , & x2 , & a , & ae , & ge ) ;
secp256k1_gej_neg ( & x2 , & x2 ) ;
secp256k1_gej_add_var ( & x2 , & x2 , & x ) ;
CHECK ( secp256k1_gej_is_infinity ( & x2 ) ) ;
@ -1067,8 +1160,8 @@ void test_point_times_order(const secp256k1_gej_t *point) {
@@ -1067,8 +1160,8 @@ void test_point_times_order(const secp256k1_gej_t *point) {
int psize = 65 ;
random_scalar_order_test ( & x ) ;
secp256k1_scalar_negate ( & nx , & x ) ;
secp256k1_ecmult ( & res1 , point , & x , & x ) ; /* calc res1 = x * point + x * G; */
secp256k1_ecmult ( & res2 , point , & nx , & nx ) ; /* calc res2 = (order - x) * point + (order - x) * G; */
secp256k1_ecmult ( & ctx - > ecmult_ctx , & res1 , point , & x , & x ) ; /* calc res1 = x * point + x * G; */
secp256k1_ecmult ( & ctx - > ecmult_ctx , & res2 , point , & nx , & nx ) ; /* calc res2 = (order - x) * point + (order - x) * G; */
secp256k1_gej_add_var ( & res1 , & res1 , & res2 ) ;
CHECK ( secp256k1_gej_is_infinity ( & res1 ) ) ;
CHECK ( secp256k1_gej_is_valid_var ( & res1 ) = = 0 ) ;
@ -1141,17 +1234,96 @@ void run_wnaf(void) {
@@ -1141,17 +1234,96 @@ void run_wnaf(void) {
secp256k1_scalar_t n ;
for ( i = 0 ; i < count ; i + + ) {
random_scalar_order ( & n ) ;
if ( i % 1 )
secp256k1_scalar_negate ( & n , & n ) ;
test_wnaf ( & n , 4 + ( i % 10 ) ) ;
}
}
void test_ecmult_constants ( void ) {
/* Test ecmult_gen() for [0..36) and [order-36..0). */
secp256k1_scalar_t x ;
secp256k1_gej_t r ;
secp256k1_ge_t ng ;
int i ;
int j ;
secp256k1_ge_neg ( & ng , & secp256k1_ge_const_g ) ;
for ( i = 0 ; i < 36 ; i + + ) {
secp256k1_scalar_set_int ( & x , i ) ;
secp256k1_ecmult_gen ( & ctx - > ecmult_gen_ctx , & r , & x ) ;
for ( j = 0 ; j < i ; j + + ) {
if ( j = = i - 1 ) {
ge_equals_gej ( & secp256k1_ge_const_g , & r ) ;
}
secp256k1_gej_add_ge ( & r , & r , & ng ) ;
}
CHECK ( secp256k1_gej_is_infinity ( & r ) ) ;
}
for ( i = 1 ; i < = 36 ; i + + ) {
secp256k1_scalar_set_int ( & x , i ) ;
secp256k1_scalar_negate ( & x , & x ) ;
secp256k1_ecmult_gen ( & ctx - > ecmult_gen_ctx , & r , & x ) ;
for ( j = 0 ; j < i ; j + + ) {
if ( j = = i - 1 ) {
ge_equals_gej ( & ng , & r ) ;
}
secp256k1_gej_add_ge ( & r , & r , & secp256k1_ge_const_g ) ;
}
CHECK ( secp256k1_gej_is_infinity ( & r ) ) ;
}
}
void run_ecmult_constants ( void ) {
test_ecmult_constants ( ) ;
}
void test_ecmult_gen_blind ( void ) {
/* Test ecmult_gen() blinding and confirm that the blinding changes, the affline points match, and the z's don't match. */
secp256k1_scalar_t key ;
secp256k1_scalar_t b ;
unsigned char seed32 [ 32 ] ;
secp256k1_gej_t pgej ;
secp256k1_gej_t pgej2 ;
secp256k1_gej_t i ;
secp256k1_ge_t pge ;
random_scalar_order_test ( & key ) ;
secp256k1_ecmult_gen ( & ctx - > ecmult_gen_ctx , & pgej , & key ) ;
secp256k1_rand256 ( seed32 ) ;
b = ctx - > ecmult_gen_ctx . blind ;
i = ctx - > ecmult_gen_ctx . initial ;
secp256k1_ecmult_gen_blind ( & ctx - > ecmult_gen_ctx , seed32 ) ;
CHECK ( ! secp256k1_scalar_eq ( & b , & ctx - > ecmult_gen_ctx . blind ) ) ;
secp256k1_ecmult_gen ( & ctx - > ecmult_gen_ctx , & pgej2 , & key ) ;
CHECK ( ! gej_xyz_equals_gej ( & pgej , & pgej2 ) ) ;
CHECK ( ! gej_xyz_equals_gej ( & i , & ctx - > ecmult_gen_ctx . initial ) ) ;
secp256k1_ge_set_gej ( & pge , & pgej ) ;
ge_equals_gej ( & pge , & pgej2 ) ;
}
void test_ecmult_gen_blind_reset ( void ) {
/* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
secp256k1_scalar_t b ;
secp256k1_gej_t initial ;
secp256k1_ecmult_gen_blind ( & ctx - > ecmult_gen_ctx , 0 ) ;
b = ctx - > ecmult_gen_ctx . blind ;
initial = ctx - > ecmult_gen_ctx . initial ;
secp256k1_ecmult_gen_blind ( & ctx - > ecmult_gen_ctx , 0 ) ;
CHECK ( secp256k1_scalar_eq ( & b , & ctx - > ecmult_gen_ctx . blind ) ) ;
CHECK ( gej_xyz_equals_gej ( & initial , & ctx - > ecmult_gen_ctx . initial ) ) ;
}
void run_ecmult_gen_blind ( void ) {
int i ;
test_ecmult_gen_blind_reset ( ) ;
for ( i = 0 ; i < 10 ; i + + ) {
test_ecmult_gen_blind ( ) ;
}
}
void random_sign ( secp256k1_ecdsa_sig_t * sig , const secp256k1_scalar_t * key , const secp256k1_scalar_t * msg , int * recid ) {
secp256k1_scalar_t nonce ;
do {
random_scalar_order_test ( & nonce ) ;
} while ( ! secp256k1_ecdsa_sig_sign ( sig , key , msg , & nonce , recid ) ) ;
} while ( ! secp256k1_ecdsa_sig_sign ( & ctx - > ecmult_gen_ctx , sig , key , msg , & nonce , recid ) ) ;
}
void test_ecdsa_sign_verify ( void ) {
@ -1164,15 +1336,17 @@ void test_ecdsa_sign_verify(void) {
@@ -1164,15 +1336,17 @@ void test_ecdsa_sign_verify(void) {
int getrec ;
random_scalar_order_test ( & msg ) ;
random_scalar_order_test ( & key ) ;
secp256k1_ecmult_gen ( & pubj , & key ) ;
secp256k1_ecmult_gen ( & ctx - > ecmult_gen_ctx , & pubj , & key ) ;
secp256k1_ge_set_gej ( & pub , & pubj ) ;
getrec = secp256k1_rand32 ( ) & 1 ;
random_sign ( & sig , & key , & msg , getrec ? & recid : NULL ) ;
if ( getrec ) CHECK ( recid > = 0 & & recid < 4 ) ;
CHECK ( secp256k1_ecdsa_sig_verify ( & sig , & pub , & msg ) ) ;
if ( getrec ) {
CHECK ( recid > = 0 & & recid < 4 ) ;
}
CHECK ( secp256k1_ecdsa_sig_verify ( & ctx - > ecmult_ctx , & sig , & pub , & msg ) ) ;
secp256k1_scalar_set_int ( & one , 1 ) ;
secp256k1_scalar_add ( & msg , & msg , & one ) ;
CHECK ( ! secp256k1_ecdsa_sig_verify ( & sig , & pub , & msg ) ) ;
CHECK ( ! secp256k1_ecdsa_sig_verify ( & ctx - > ecmult_ctx , & sig , & pub , & msg ) ) ;
}
void run_ecdsa_sign_verify ( void ) {
@ -1192,7 +1366,9 @@ static int precomputed_nonce_function(unsigned char *nonce32, const unsigned cha
@@ -1192,7 +1366,9 @@ static int precomputed_nonce_function(unsigned char *nonce32, const unsigned cha
static int nonce_function_test_fail ( unsigned char * nonce32 , const unsigned char * msg32 , const unsigned char * key32 , unsigned int counter , const void * data ) {
/* Dummy nonce generator that has a fatal error on the first counter value. */
if ( counter = = 0 ) return 0 ;
if ( counter = = 0 ) {
return 0 ;
}
return nonce_function_rfc6979 ( nonce32 , msg32 , key32 , counter - 1 , data ) ;
}
@ -1200,7 +1376,9 @@ static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char
@@ -1200,7 +1376,9 @@ static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char
/* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
if ( counter < 3 ) {
memset ( nonce32 , counter = = 0 ? 0 : 255 , 32 ) ;
if ( counter = = 2 ) nonce32 [ 31 ] - - ;
if ( counter = = 2 ) {
nonce32 [ 31 ] - - ;
}
return 1 ;
}
if ( counter < 5 ) {
@ -1211,12 +1389,16 @@ static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char
@@ -1211,12 +1389,16 @@ static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char
0xBF , 0xD2 , 0x5E , 0x8C , 0xD0 , 0x36 , 0x41 , 0x41
} ;
memcpy ( nonce32 , order , 32 ) ;
if ( counter = = 4 ) nonce32 [ 31 ] + + ;
if ( counter = = 4 ) {
nonce32 [ 31 ] + + ;
}
return 1 ;
}
/* Retry rate of 6979 is negligible esp. as we only call this in determinstic tests. */
/* If someone does fine a case where it retries for secp256k1, we'd like to know. */
if ( counter > 5 ) return 0 ;
if ( counter > 5 ) {
return 0 ;
}
return nonce_function_rfc6979 ( nonce32 , msg32 , key32 , counter - 5 , data ) ;
}
@ -1257,16 +1439,16 @@ void test_ecdsa_end_to_end(void) {
@@ -1257,16 +1439,16 @@ void test_ecdsa_end_to_end(void) {
}
/* Construct and verify corresponding public key. */
CHECK ( secp256k1_ec_seckey_verify ( privkey ) = = 1 ) ;
CHECK ( secp256k1_ec_pubkey_create ( pubkey , & pubkeylen , privkey , ( secp256k1_rand32 ( ) & 3 ) ! = 0 ) = = 1 ) ;
CHECK ( secp256k1_ec_seckey_verify ( ctx , privkey ) = = 1 ) ;
CHECK ( secp256k1_ec_pubkey_create ( ctx , pubkey , & pubkeylen , privkey , ( secp256k1_rand32 ( ) & 3 ) ! = 0 ) = = 1 ) ;
if ( secp256k1_rand32 ( ) & 1 ) {
CHECK ( secp256k1_ec_pubkey_decompress ( pubkey , & pubkeylen ) ) ;
CHECK ( secp256k1_ec_pubkey_decompress ( ctx , pubkey , & pubkeylen ) ) ;
}
CHECK ( secp256k1_ec_pubkey_verify ( pubkey , pubkeylen ) ) ;
CHECK ( secp256k1_ec_pubkey_verify ( ctx , pubkey , pubkeylen ) ) ;
/* Verify private key import and export. */
CHECK ( secp256k1_ec_privkey_export ( privkey , seckey , & seckeylen , secp256k1_rand32 ( ) % 2 ) = = 1 ) ;
CHECK ( secp256k1_ec_privkey_import ( privkey2 , seckey , seckeylen ) = = 1 ) ;
CHECK ( secp256k1_ec_privkey_export ( ctx , privkey , seckey , & seckeylen , secp256k1_rand32 ( ) % 2 ) = = 1 ) ;
CHECK ( secp256k1_ec_privkey_import ( ctx , privkey2 , seckey , seckeylen ) = = 1 ) ;
CHECK ( memcmp ( privkey , privkey2 , 32 ) = = 0 ) ;
/* Optionally tweak the keys using addition. */
@ -1277,11 +1459,13 @@ void test_ecdsa_end_to_end(void) {
@@ -1277,11 +1459,13 @@ void test_ecdsa_end_to_end(void) {
unsigned char pubkey2 [ 65 ] ;
int pubkeylen2 = 65 ;
secp256k1_rand256_test ( rnd ) ;
ret1 = secp256k1_ec_privkey_tweak_add ( privkey , rnd ) ;
ret2 = secp256k1_ec_pubkey_tweak_add ( pubkey , pubkeylen , rnd ) ;
ret1 = secp256k1_ec_privkey_tweak_add ( ctx , privkey , rnd ) ;
ret2 = secp256k1_ec_pubkey_tweak_add ( ctx , pubkey , pubkeylen , rnd ) ;
CHECK ( ret1 = = ret2 ) ;
if ( ret1 = = 0 ) return ;
CHECK ( secp256k1_ec_pubkey_create ( pubkey2 , & pubkeylen2 , privkey , pubkeylen = = 33 ) = = 1 ) ;
if ( ret1 = = 0 ) {
return ;
}
CHECK ( secp256k1_ec_pubkey_create ( ctx , pubkey2 , & pubkeylen2 , privkey , pubkeylen = = 33 ) = = 1 ) ;
CHECK ( memcmp ( pubkey , pubkey2 , pubkeylen ) = = 0 ) ;
}
@ -1293,25 +1477,27 @@ void test_ecdsa_end_to_end(void) {
@@ -1293,25 +1477,27 @@ void test_ecdsa_end_to_end(void) {
unsigned char pubkey2 [ 65 ] ;
int pubkeylen2 = 65 ;
secp256k1_rand256_test ( rnd ) ;
ret1 = secp256k1_ec_privkey_tweak_mul ( privkey , rnd ) ;
ret2 = secp256k1_ec_pubkey_tweak_mul ( pubkey , pubkeylen , rnd ) ;
ret1 = secp256k1_ec_privkey_tweak_mul ( ctx , privkey , rnd ) ;
ret2 = secp256k1_ec_pubkey_tweak_mul ( ctx , pubkey , pubkeylen , rnd ) ;
CHECK ( ret1 = = ret2 ) ;
if ( ret1 = = 0 ) return ;
CHECK ( secp256k1_ec_pubkey_create ( pubkey2 , & pubkeylen2 , privkey , pubkeylen = = 33 ) = = 1 ) ;
if ( ret1 = = 0 ) {
return ;
}
CHECK ( secp256k1_ec_pubkey_create ( ctx , pubkey2 , & pubkeylen2 , privkey , pubkeylen = = 33 ) = = 1 ) ;
CHECK ( memcmp ( pubkey , pubkey2 , pubkeylen ) = = 0 ) ;
}
/* Sign. */
CHECK ( secp256k1_ecdsa_sign ( message , signature , & signaturelen , privkey , NULL , NULL ) = = 1 ) ;
CHECK ( secp256k1_ecdsa_sign ( ctx , message , signature , & signaturelen , privkey , NULL , NULL ) = = 1 ) ;
CHECK ( signaturelen > 0 ) ;
CHECK ( secp256k1_ecdsa_sign ( message , signature2 , & signaturelen2 , privkey , NULL , extra ) = = 1 ) ;
CHECK ( secp256k1_ecdsa_sign ( ctx , message , signature2 , & signaturelen2 , privkey , NULL , extra ) = = 1 ) ;
CHECK ( signaturelen2 > 0 ) ;
extra [ 31 ] = 1 ;
CHECK ( secp256k1_ecdsa_sign ( message , signature3 , & signaturelen3 , privkey , NULL , extra ) = = 1 ) ;
CHECK ( secp256k1_ecdsa_sign ( ctx , message , signature3 , & signaturelen3 , privkey , NULL , extra ) = = 1 ) ;
CHECK ( signaturelen3 > 0 ) ;
extra [ 31 ] = 0 ;
extra [ 0 ] = 1 ;
CHECK ( secp256k1_ecdsa_sign ( message , signature4 , & signaturelen4 , privkey , NULL , extra ) = = 1 ) ;
CHECK ( secp256k1_ecdsa_sign ( ctx , message , signature4 , & signaturelen4 , privkey , NULL , extra ) = = 1 ) ;
CHECK ( signaturelen3 > 0 ) ;
CHECK ( ( signaturelen ! = signaturelen2 ) | | ( memcmp ( signature , signature2 , signaturelen ) ! = 0 ) ) ;
CHECK ( ( signaturelen ! = signaturelen3 ) | | ( memcmp ( signature , signature3 , signaturelen ) ! = 0 ) ) ;
@ -1320,24 +1506,24 @@ void test_ecdsa_end_to_end(void) {
@@ -1320,24 +1506,24 @@ void test_ecdsa_end_to_end(void) {
CHECK ( ( signaturelen4 ! = signaturelen2 ) | | ( memcmp ( signature4 , signature2 , signaturelen4 ) ! = 0 ) ) ;
CHECK ( ( signaturelen4 ! = signaturelen ) | | ( memcmp ( signature4 , signature , signaturelen4 ) ! = 0 ) ) ;
/* Verify. */
CHECK ( secp256k1_ecdsa_verify ( message , signature , signaturelen , pubkey , pubkeylen ) = = 1 ) ;
CHECK ( secp256k1_ecdsa_verify ( message , signature2 , signaturelen2 , pubkey , pubkeylen ) = = 1 ) ;
CHECK ( secp256k1_ecdsa_verify ( message , signature3 , signaturelen3 , pubkey , pubkeylen ) = = 1 ) ;
CHECK ( secp256k1_ecdsa_verify ( message , signature4 , signaturelen4 , pubkey , pubkeylen ) = = 1 ) ;
CHECK ( secp256k1_ecdsa_verify ( ctx , message , signature , signaturelen , pubkey , pubkeylen ) = = 1 ) ;
CHECK ( secp256k1_ecdsa_verify ( ctx , message , signature2 , signaturelen2 , pubkey , pubkeylen ) = = 1 ) ;
CHECK ( secp256k1_ecdsa_verify ( ctx , message , signature3 , signaturelen3 , pubkey , pubkeylen ) = = 1 ) ;
CHECK ( secp256k1_ecdsa_verify ( ctx , message , signature4 , signaturelen4 , pubkey , pubkeylen ) = = 1 ) ;
/* Destroy signature and verify again. */
signature [ signaturelen - 1 - secp256k1_rand32 ( ) % 20 ] + = 1 + ( secp256k1_rand32 ( ) % 255 ) ;
CHECK ( secp256k1_ecdsa_verify ( message , signature , signaturelen , pubkey , pubkeylen ) ! = 1 ) ;
CHECK ( secp256k1_ecdsa_verify ( ctx , message , signature , signaturelen , pubkey , pubkeylen ) ! = 1 ) ;
/* Compact sign. */
CHECK ( secp256k1_ecdsa_sign_compact ( message , csignature , privkey , NULL , NULL , & recid ) = = 1 ) ;
CHECK ( secp256k1_ecdsa_sign_compact ( ctx , message , csignature , privkey , NULL , NULL , & recid ) = = 1 ) ;
CHECK ( ! is_empty_compact_signature ( csignature ) ) ;
/* Recover. */
CHECK ( secp256k1_ecdsa_recover_compact ( message , csignature , recpubkey , & recpubkeylen , pubkeylen = = 33 , recid ) = = 1 ) ;
CHECK ( secp256k1_ecdsa_recover_compact ( ctx , message , csignature , recpubkey , & recpubkeylen , pubkeylen = = 33 , recid ) = = 1 ) ;
CHECK ( recpubkeylen = = pubkeylen ) ;
CHECK ( memcmp ( pubkey , recpubkey , pubkeylen ) = = 0 ) ;
/* Destroy signature and verify again. */
csignature [ secp256k1_rand32 ( ) % 64 ] + = 1 + ( secp256k1_rand32 ( ) % 255 ) ;
CHECK ( secp256k1_ecdsa_recover_compact ( message , csignature , recpubkey , & recpubkeylen , pubkeylen = = 33 , recid ) ! = 1 | |
CHECK ( secp256k1_ecdsa_recover_compact ( ctx , message , csignature , recpubkey , & recpubkeylen , pubkeylen = = 33 , recid ) ! = 1 | |
memcmp ( pubkey , recpubkey , pubkeylen ) ! = 0 ) ;
CHECK ( recpubkeylen = = pubkeylen ) ;
@ -1351,7 +1537,9 @@ void test_random_pubkeys(void) {
@@ -1351,7 +1537,9 @@ void test_random_pubkeys(void) {
uint32_t r = secp256k1_rand32 ( ) ;
int len = ( r & 3 ) = = 0 ? 65 : 33 ;
r > > = 2 ;
if ( ( r & 3 ) = = 0 ) len = ( r & 252 ) > > 3 ;
if ( ( r & 3 ) = = 0 ) {
len = ( r & 252 ) > > 3 ;
}
r > > = 8 ;
if ( len = = 65 ) {
in [ 0 ] = ( r & 2 ) ? 4 : ( r & 1 ? 6 : 7 ) ;
@ -1359,10 +1547,16 @@ void test_random_pubkeys(void) {
@@ -1359,10 +1547,16 @@ void test_random_pubkeys(void) {
in [ 0 ] = ( r & 1 ) ? 2 : 3 ;
}
r > > = 2 ;
if ( ( r & 7 ) = = 0 ) in [ 0 ] = ( r & 2040 ) > > 3 ;
if ( ( r & 7 ) = = 0 ) {
in [ 0 ] = ( r & 2040 ) > > 3 ;
}
r > > = 11 ;
if ( len > 1 ) secp256k1_rand256 ( & in [ 1 ] ) ;
if ( len > 33 ) secp256k1_rand256 ( & in [ 33 ] ) ;
if ( len > 1 ) {
secp256k1_rand256 ( & in [ 1 ] ) ;
}
if ( len > 33 ) {
secp256k1_rand256 ( & in [ 33 ] ) ;
}
if ( secp256k1_eckey_pubkey_parse ( & elem , in , len ) ) {
unsigned char out [ 65 ] ;
unsigned char firstb ;
@ -1374,7 +1568,9 @@ void test_random_pubkeys(void) {
@@ -1374,7 +1568,9 @@ void test_random_pubkeys(void) {
CHECK ( size = = len ) ;
CHECK ( memcmp ( & in [ 1 ] , & out [ 1 ] , len - 1 ) = = 0 ) ;
/* ... except for the type of hybrid inputs. */
if ( ( in [ 0 ] ! = 6 ) & & ( in [ 0 ] ! = 7 ) ) CHECK ( in [ 0 ] = = out [ 0 ] ) ;
if ( ( in [ 0 ] ! = 6 ) & & ( in [ 0 ] ! = 7 ) ) {
CHECK ( in [ 0 ] = = out [ 0 ] ) ;
}
size = 65 ;
CHECK ( secp256k1_eckey_pubkey_serialize ( & elem , in , & size , 0 ) ) ;
CHECK ( size = = 65 ) ;
@ -1384,8 +1580,11 @@ void test_random_pubkeys(void) {
@@ -1384,8 +1580,11 @@ void test_random_pubkeys(void) {
in [ 0 ] = ( r & 1 ) ? 6 : 7 ;
res = secp256k1_eckey_pubkey_parse ( & elem2 , in , size ) ;
if ( firstb = = 2 | | firstb = = 3 ) {
if ( in [ 0 ] = = firstb + 4 ) CHECK ( res ) ;
else CHECK ( ! res ) ;
if ( in [ 0 ] = = firstb + 4 ) {
CHECK ( res ) ;
} else {
CHECK ( ! res ) ;
}
}
if ( res ) {
ge_equals_ge ( & elem , & elem2 ) ;
@ -1447,10 +1646,10 @@ void test_ecdsa_edge_cases(void) {
@@ -1447,10 +1646,10 @@ void test_ecdsa_edge_cases(void) {
int pubkeyblen = 33 ;
int recid ;
CHECK ( ! secp256k1_ecdsa_recover_compact ( msg32 , sig64 , pubkey , & pubkeylen , 0 , 0 ) ) ;
CHECK ( secp256k1_ecdsa_recover_compact ( msg32 , sig64 , pubkey , & pubkeylen , 0 , 1 ) ) ;
CHECK ( ! secp256k1_ecdsa_recover_compact ( msg32 , sig64 , pubkey , & pubkeylen , 0 , 2 ) ) ;
CHECK ( ! secp256k1_ecdsa_recover_compact ( msg32 , sig64 , pubkey , & pubkeylen , 0 , 3 ) ) ;
CHECK ( ! secp256k1_ecdsa_recover_compact ( ctx , msg32 , sig64 , pubkey , & pubkeylen , 0 , 0 ) ) ;
CHECK ( secp256k1_ecdsa_recover_compact ( ctx , msg32 , sig64 , pubkey , & pubkeylen , 0 , 1 ) ) ;
CHECK ( ! secp256k1_ecdsa_recover_compact ( ctx , msg32 , sig64 , pubkey , & pubkeylen , 0 , 2 ) ) ;
CHECK ( ! secp256k1_ecdsa_recover_compact ( ctx , msg32 , sig64 , pubkey , & pubkeylen , 0 , 3 ) ) ;
for ( recid = 0 ; recid < 4 ; recid + + ) {
int i ;
@ -1495,42 +1694,44 @@ void test_ecdsa_edge_cases(void) {
@@ -1495,42 +1694,44 @@ void test_ecdsa_edge_cases(void) {
0xE6 , 0xAF , 0x48 , 0xA0 , 0x3B , 0xBF , 0xD2 , 0x5E ,
0x8C , 0xD0 , 0x36 , 0x41 , 0x45 , 0x02 , 0x01 , 0x04
} ;
CHECK ( secp256k1_ecdsa_recover_compact ( msg32 , sigb64 , pubkeyb , & pubkeyblen , 1 , recid ) ) ;
CHECK ( secp256k1_ecdsa_verify ( msg32 , sigbder , sizeof ( sigbder ) , pubkeyb , pubkeyblen ) = = 1 ) ;
CHECK ( secp256k1_ecdsa_recover_compact ( ctx , msg32 , sigb64 , pubkeyb , & pubkeyblen , 1 , recid ) ) ;
CHECK ( secp256k1_ecdsa_verify ( ctx , msg32 , sigbder , sizeof ( sigbder ) , pubkeyb , pubkeyblen ) = = 1 ) ;
for ( recid2 = 0 ; recid2 < 4 ; recid2 + + ) {
unsigned char pubkey2b [ 33 ] ;
int pubkey2blen = 33 ;
CHECK ( secp256k1_ecdsa_recover_compact ( msg32 , sigb64 , pubkey2b , & pubkey2blen , 1 , recid2 ) ) ;
CHECK ( secp256k1_ecdsa_recover_compact ( ctx , msg32 , sigb64 , pubkey2b , & pubkey2blen , 1 , recid2 ) ) ;
/* Verifying with (order + r,4) should always fail. */
CHECK ( secp256k1_ecdsa_verify ( msg32 , sigbderlong , sizeof ( sigbderlong ) , pubkey2b , pubkey2blen ) ! = 1 ) ;
CHECK ( secp256k1_ecdsa_verify ( ctx , msg32 , sigbderlong , sizeof ( sigbderlong ) , pubkey2b , pubkey2blen ) ! = 1 ) ;
}
/* DER parsing tests. */
/* Zero length r/s. */
CHECK ( secp256k1_ecdsa_verify ( msg32 , sigcder_zr , sizeof ( sigcder_zr ) , pubkeyb , pubkeyblen ) = = - 2 ) ;
CHECK ( secp256k1_ecdsa_verify ( msg32 , sigcder_zs , sizeof ( sigcder_zs ) , pubkeyb , pubkeyblen ) = = - 2 ) ;
CHECK ( secp256k1_ecdsa_verify ( ctx , msg32 , sigcder_zr , sizeof ( sigcder_zr ) , pubkeyb , pubkeyblen ) = = - 2 ) ;
CHECK ( secp256k1_ecdsa_verify ( ctx , msg32 , sigcder_zs , sizeof ( sigcder_zs ) , pubkeyb , pubkeyblen ) = = - 2 ) ;
/* Leading zeros. */
CHECK ( secp256k1_ecdsa_verify ( msg32 , sigbderalt1 , sizeof ( sigbderalt1 ) , pubkeyb , pubkeyblen ) = = 1 ) ;
CHECK ( secp256k1_ecdsa_verify ( msg32 , sigbderalt2 , sizeof ( sigbderalt2 ) , pubkeyb , pubkeyblen ) = = 1 ) ;
CHECK ( secp256k1_ecdsa_verify ( msg32 , sigbderalt3 , sizeof ( sigbderalt3 ) , pubkeyb , pubkeyblen ) = = 1 ) ;
CHECK ( secp256k1_ecdsa_verify ( msg32 , sigbderalt4 , sizeof ( sigbderalt4 ) , pubkeyb , pubkeyblen ) = = 1 ) ;
CHECK ( secp256k1_ecdsa_verify ( ctx , msg32 , sigbderalt1 , sizeof ( sigbderalt1 ) , pubkeyb , pubkeyblen ) = = 1 ) ;
CHECK ( secp256k1_ecdsa_verify ( ctx , msg32 , sigbderalt2 , sizeof ( sigbderalt2 ) , pubkeyb , pubkeyblen ) = = 1 ) ;
CHECK ( secp256k1_ecdsa_verify ( ctx , msg32 , sigbderalt3 , sizeof ( sigbderalt3 ) , pubkeyb , pubkeyblen ) = = 1 ) ;
CHECK ( secp256k1_ecdsa_verify ( ctx , msg32 , sigbderalt4 , sizeof ( sigbderalt4 ) , pubkeyb , pubkeyblen ) = = 1 ) ;
sigbderalt3 [ 4 ] = 1 ;
CHECK ( secp256k1_ecdsa_verify ( msg32 , sigbderalt3 , sizeof ( sigbderalt3 ) , pubkeyb , pubkeyblen ) = = - 2 ) ;
CHECK ( secp256k1_ecdsa_verify ( ctx , msg32 , sigbderalt3 , sizeof ( sigbderalt3 ) , pubkeyb , pubkeyblen ) = = - 2 ) ;
sigbderalt4 [ 7 ] = 1 ;
CHECK ( secp256k1_ecdsa_verify ( msg32 , sigbderalt4 , sizeof ( sigbderalt4 ) , pubkeyb , pubkeyblen ) = = - 2 ) ;
CHECK ( secp256k1_ecdsa_verify ( ctx , msg32 , sigbderalt4 , sizeof ( sigbderalt4 ) , pubkeyb , pubkeyblen ) = = - 2 ) ;
/* Damage signature. */
sigbder [ 7 ] + + ;
CHECK ( secp256k1_ecdsa_verify ( msg32 , sigbder , sizeof ( sigbder ) , pubkeyb , pubkeyblen ) = = 0 ) ;
CHECK ( secp256k1_ecdsa_verify ( ctx , msg32 , sigbder , sizeof ( sigbder ) , pubkeyb , pubkeyblen ) = = 0 ) ;
sigbder [ 7 ] - - ;
CHECK ( secp256k1_ecdsa_verify ( msg32 , sigbder , 6 , pubkeyb , pubkeyblen ) = = - 2 ) ;
CHECK ( secp256k1_ecdsa_verify ( msg32 , sigbder , sizeof ( sigbder ) - 1 , pubkeyb , pubkeyblen ) = = - 2 ) ;
CHECK ( secp256k1_ecdsa_verify ( ctx , msg32 , sigbder , 6 , pubkeyb , pubkeyblen ) = = - 2 ) ;
CHECK ( secp256k1_ecdsa_verify ( ctx , msg32 , sigbder , sizeof ( sigbder ) - 1 , pubkeyb , pubkeyblen ) = = - 2 ) ;
for ( i = 0 ; i < 8 ; i + + ) {
int c ;
unsigned char orig = sigbder [ i ] ;
/*Try every single-byte change.*/
for ( c = 0 ; c < 256 ; c + + ) {
if ( c = = orig ) continue ;
if ( c = = orig ) {
continue ;
}
sigbder [ i ] = c ;
CHECK ( secp256k1_ecdsa_verify ( msg32 , sigbder , sizeof ( sigbder ) , pubkeyb , pubkeyblen ) = =
CHECK ( secp256k1_ecdsa_verify ( ctx , msg32 , sigbder , sizeof ( sigbder ) , pubkeyb , pubkeyblen ) = =
( i = = 4 | | i = = 7 ) ? 0 : - 2 ) ;
}
sigbder [ i ] = orig ;
@ -1547,10 +1748,10 @@ void test_ecdsa_edge_cases(void) {
@@ -1547,10 +1748,10 @@ void test_ecdsa_edge_cases(void) {
secp256k1_scalar_negate ( & sig . s , & sig . s ) ;
secp256k1_scalar_inverse ( & sig . s , & sig . s ) ;
secp256k1_scalar_set_int ( & sig . r , 1 ) ;
secp256k1_ecmult_gen ( & keyj , & sig . r ) ;
secp256k1_ecmult_gen ( & ctx - > ecmult_gen_ctx , & keyj , & sig . r ) ;
secp256k1_ge_set_gej ( & key , & keyj ) ;
msg = sig . s ;
CHECK ( secp256k1_ecdsa_sig_verify ( & sig , & key , & msg ) = = 0 ) ;
CHECK ( secp256k1_ecdsa_sig_verify ( & ctx - > ecmult_ctx , & sig , & key , & msg ) = = 0 ) ;
}
/* Test r/s equal to zero */
@ -1569,18 +1770,18 @@ void test_ecdsa_edge_cases(void) {
@@ -1569,18 +1770,18 @@ void test_ecdsa_edge_cases(void) {
} ;
unsigned char pubkeyc [ 65 ] ;
int pubkeyclen = 65 ;
CHECK ( secp256k1_ecdsa_recover_compact ( msg32 , sigc64 , pubkeyc , & pubkeyclen , 0 , 0 ) = = 1 ) ;
CHECK ( secp256k1_ecdsa_verify ( msg32 , sigcder , sizeof ( sigcder ) , pubkeyc , pubkeyclen ) = = 1 ) ;
CHECK ( secp256k1_ecdsa_recover_compact ( ctx , msg32 , sigc64 , pubkeyc , & pubkeyclen , 0 , 0 ) = = 1 ) ;
CHECK ( secp256k1_ecdsa_verify ( ctx , msg32 , sigcder , sizeof ( sigcder ) , pubkeyc , pubkeyclen ) = = 1 ) ;
sigcder [ 4 ] = 0 ;
sigc64 [ 31 ] = 0 ;
CHECK ( secp256k1_ecdsa_recover_compact ( msg32 , sigc64 , pubkeyb , & pubkeyblen , 1 , 0 ) = = 0 ) ;
CHECK ( secp256k1_ecdsa_verify ( msg32 , sigcder , sizeof ( sigcder ) , pubkeyc , pubkeyclen ) = = 0 ) ;
CHECK ( secp256k1_ecdsa_recover_compact ( ctx , msg32 , sigc64 , pubkeyb , & pubkeyblen , 1 , 0 ) = = 0 ) ;
CHECK ( secp256k1_ecdsa_verify ( ctx , msg32 , sigcder , sizeof ( sigcder ) , pubkeyc , pubkeyclen ) = = 0 ) ;
sigcder [ 4 ] = 1 ;
sigcder [ 7 ] = 0 ;
sigc64 [ 31 ] = 1 ;
sigc64 [ 63 ] = 0 ;
CHECK ( secp256k1_ecdsa_recover_compact ( msg32 , sigc64 , pubkeyb , & pubkeyblen , 1 , 0 ) = = 0 ) ;
CHECK ( secp256k1_ecdsa_verify ( msg32 , sigcder , sizeof ( sigcder ) , pubkeyc , pubkeyclen ) = = 0 ) ;
CHECK ( secp256k1_ecdsa_recover_compact ( ctx , msg32 , sigc64 , pubkeyb , & pubkeyblen , 1 , 0 ) = = 0 ) ;
CHECK ( secp256k1_ecdsa_verify ( ctx , msg32 , sigcder , sizeof ( sigcder ) , pubkeyc , pubkeyclen ) = = 0 ) ;
}
/*Signature where s would be zero.*/
@ -1611,18 +1812,18 @@ void test_ecdsa_edge_cases(void) {
@@ -1611,18 +1812,18 @@ void test_ecdsa_edge_cases(void) {
} ;
unsigned char sig [ 72 ] ;
int siglen = 72 ;
CHECK ( secp256k1_ecdsa_sign ( msg , sig , & siglen , key , precomputed_nonce_function , nonce ) = = 0 ) ;
CHECK ( secp256k1_ecdsa_sign ( ctx , msg , sig , & siglen , key , precomputed_nonce_function , nonce ) = = 0 ) ;
CHECK ( siglen = = 0 ) ;
CHECK ( secp256k1_ecdsa_sign ( msg , sig , & siglen , key , precomputed_nonce_function , nonce2 ) = = 0 ) ;
CHECK ( secp256k1_ecdsa_sign ( ctx , msg , sig , & siglen , key , precomputed_nonce_function , nonce2 ) = = 0 ) ;
CHECK ( siglen = = 0 ) ;
msg [ 31 ] = 0xaa ;
siglen = 72 ;
CHECK ( secp256k1_ecdsa_sign ( msg , sig , & siglen , key , precomputed_nonce_function , nonce ) = = 1 ) ;
CHECK ( secp256k1_ecdsa_sign ( ctx , msg , sig , & siglen , key , precomputed_nonce_function , nonce ) = = 1 ) ;
CHECK ( siglen > 0 ) ;
CHECK ( secp256k1_ecdsa_sign ( msg , sig , & siglen , key , precomputed_nonce_function , nonce2 ) = = 1 ) ;
CHECK ( secp256k1_ecdsa_sign ( ctx , msg , sig , & siglen , key , precomputed_nonce_function , nonce2 ) = = 1 ) ;
CHECK ( siglen > 0 ) ;
siglen = 10 ;
CHECK ( secp256k1_ecdsa_sign ( msg , sig , & siglen , key , precomputed_nonce_function , nonce ) ! = 1 ) ;
CHECK ( secp256k1_ecdsa_sign ( ctx , msg , sig , & siglen , key , precomputed_nonce_function , nonce ) ! = 1 ) ;
CHECK ( siglen = = 0 ) ;
}
@ -1644,41 +1845,41 @@ void test_ecdsa_edge_cases(void) {
@@ -1644,41 +1845,41 @@ void test_ecdsa_edge_cases(void) {
msg [ 31 ] = 1 ;
/* High key results in signature failure. */
memset ( key , 0xFF , 32 ) ;
CHECK ( secp256k1_ecdsa_sign ( msg , sig , & siglen , key , NULL , extra ) = = 0 ) ;
CHECK ( secp256k1_ecdsa_sign ( ctx , msg , sig , & siglen , key , NULL , extra ) = = 0 ) ;
CHECK ( siglen = = 0 ) ;
/* Zero key results in signature failure. */
memset ( key , 0 , 32 ) ;
CHECK ( secp256k1_ecdsa_sign ( msg , sig , & siglen , key , NULL , extra ) = = 0 ) ;
CHECK ( secp256k1_ecdsa_sign ( ctx , msg , sig , & siglen , key , NULL , extra ) = = 0 ) ;
CHECK ( siglen = = 0 ) ;
/* Nonce function failure results in signature failure. */
key [ 31 ] = 1 ;
CHECK ( secp256k1_ecdsa_sign ( msg , sig , & siglen , key , nonce_function_test_fail , extra ) = = 0 ) ;
CHECK ( secp256k1_ecdsa_sign ( ctx , msg , sig , & siglen , key , nonce_function_test_fail , extra ) = = 0 ) ;
CHECK ( siglen = = 0 ) ;
CHECK ( secp256k1_ecdsa_sign_compact ( msg , sig , key , nonce_function_test_fail , extra , & recid ) = = 0 ) ;
CHECK ( secp256k1_ecdsa_sign_compact ( ctx , msg , sig , key , nonce_function_test_fail , extra , & recid ) = = 0 ) ;
CHECK ( is_empty_compact_signature ( sig ) ) ;
/* The retry loop successfully makes its way to the first good value. */
siglen = 72 ;
CHECK ( secp256k1_ecdsa_sign ( msg , sig , & siglen , key , nonce_function_test_retry , extra ) = = 1 ) ;
CHECK ( secp256k1_ecdsa_sign ( ctx , msg , sig , & siglen , key , nonce_function_test_retry , extra ) = = 1 ) ;
CHECK ( siglen > 0 ) ;
CHECK ( secp256k1_ecdsa_sign ( msg , sig2 , & siglen2 , key , nonce_function_rfc6979 , extra ) = = 1 ) ;
CHECK ( secp256k1_ecdsa_sign ( ctx , msg , sig2 , & siglen2 , key , nonce_function_rfc6979 , extra ) = = 1 ) ;
CHECK ( siglen > 0 ) ;
CHECK ( ( siglen = = siglen2 ) & & ( memcmp ( sig , sig2 , siglen ) = = 0 ) ) ;
CHECK ( secp256k1_ecdsa_sign_compact ( msg , sig , key , nonce_function_test_retry , extra , & recid ) = = 1 ) ;
CHECK ( secp256k1_ecdsa_sign_compact ( ctx , msg , sig , key , nonce_function_test_retry , extra , & recid ) = = 1 ) ;
CHECK ( ! is_empty_compact_signature ( sig ) ) ;
CHECK ( secp256k1_ecdsa_sign_compact ( msg , sig2 , key , nonce_function_rfc6979 , extra , & recid2 ) = = 1 ) ;
CHECK ( secp256k1_ecdsa_sign_compact ( ctx , msg , sig2 , key , nonce_function_rfc6979 , extra , & recid2 ) = = 1 ) ;
CHECK ( ! is_empty_compact_signature ( sig2 ) ) ;
CHECK ( ( recid = = recid2 ) & & ( memcmp ( sig , sig2 , 64 ) = = 0 ) ) ;
/* The default nonce function is determinstic. */
siglen = 72 ;
siglen2 = 72 ;
CHECK ( secp256k1_ecdsa_sign ( msg , sig , & siglen , key , NULL , extra ) = = 1 ) ;
CHECK ( secp256k1_ecdsa_sign ( ctx , msg , sig , & siglen , key , NULL , extra ) = = 1 ) ;
CHECK ( siglen > 0 ) ;
CHECK ( secp256k1_ecdsa_sign ( msg , sig2 , & siglen2 , key , NULL , extra ) = = 1 ) ;
CHECK ( secp256k1_ecdsa_sign ( ctx , msg , sig2 , & siglen2 , key , NULL , extra ) = = 1 ) ;
CHECK ( siglen2 > 0 ) ;
CHECK ( ( siglen = = siglen2 ) & & ( memcmp ( sig , sig2 , siglen ) = = 0 ) ) ;
CHECK ( secp256k1_ecdsa_sign_compact ( msg , sig , key , NULL , extra , & recid ) = = 1 ) ;
CHECK ( secp256k1_ecdsa_sign_compact ( ctx , msg , sig , key , NULL , extra , & recid ) = = 1 ) ;
CHECK ( ! is_empty_compact_signature ( sig ) ) ;
CHECK ( secp256k1_ecdsa_sign_compact ( msg , sig2 , key , NULL , extra , & recid2 ) = = 1 ) ;
CHECK ( secp256k1_ecdsa_sign_compact ( ctx , msg , sig2 , key , NULL , extra , & recid2 ) = = 1 ) ;
CHECK ( ! is_empty_compact_signature ( sig ) ) ;
CHECK ( ( recid = = recid2 ) & & ( memcmp ( sig , sig2 , 64 ) = = 0 ) ) ;
/* The default nonce function changes output with different messages. */
@ -1686,7 +1887,7 @@ void test_ecdsa_edge_cases(void) {
@@ -1686,7 +1887,7 @@ void test_ecdsa_edge_cases(void) {
int j ;
siglen2 = 72 ;
msg [ 0 ] = i ;
CHECK ( secp256k1_ecdsa_sign ( msg , sig2 , & siglen2 , key , NULL , extra ) = = 1 ) ;
CHECK ( secp256k1_ecdsa_sign ( ctx , msg , sig2 , & siglen2 , key , NULL , extra ) = = 1 ) ;
CHECK ( ! is_empty_compact_signature ( sig ) ) ;
CHECK ( secp256k1_ecdsa_sig_parse ( & s [ i ] , sig2 , siglen2 ) ) ;
for ( j = 0 ; j < i ; j + + ) {
@ -1700,7 +1901,7 @@ void test_ecdsa_edge_cases(void) {
@@ -1700,7 +1901,7 @@ void test_ecdsa_edge_cases(void) {
int j ;
siglen2 = 72 ;
key [ 0 ] = i - 256 ;
CHECK ( secp256k1_ecdsa_sign ( msg , sig2 , & siglen2 , key , NULL , extra ) = = 1 ) ;
CHECK ( secp256k1_ecdsa_sign ( ctx , msg , sig2 , & siglen2 , key , NULL , extra ) = = 1 ) ;
CHECK ( secp256k1_ecdsa_sig_parse ( & s [ i ] , sig2 , siglen2 ) ) ;
for ( j = 0 ; j < i ; j + + ) {
CHECK ( ! secp256k1_scalar_eq ( & s [ i ] . r , & s [ j ] . r ) ) ;
@ -1719,8 +1920,8 @@ void test_ecdsa_edge_cases(void) {
@@ -1719,8 +1920,8 @@ void test_ecdsa_edge_cases(void) {
0xbf , 0xd2 , 0x5e , 0x8c , 0xd0 , 0x36 , 0x41 , 0x41 ,
} ;
int outlen = 300 ;
CHECK ( ! secp256k1_ec_privkey_export ( seckey , privkey , & outlen , 0 ) ) ;
CHECK ( ! secp256k1_ec_privkey_export ( seckey , privkey , & outlen , 1 ) ) ;
CHECK ( ! secp256k1_ec_privkey_export ( ctx , seckey , privkey , & outlen , 0 ) ) ;
CHECK ( ! secp256k1_ec_privkey_export ( ctx , seckey , privkey , & outlen , 1 ) ) ;
}
}
@ -1735,7 +1936,7 @@ EC_KEY *get_openssl_key(const secp256k1_scalar_t *key) {
@@ -1735,7 +1936,7 @@ EC_KEY *get_openssl_key(const secp256k1_scalar_t *key) {
const unsigned char * pbegin = privkey ;
int compr = secp256k1_rand32 ( ) & 1 ;
EC_KEY * ec_key = EC_KEY_new_by_curve_name ( NID_secp256k1 ) ;
CHECK ( secp256k1_eckey_privkey_serialize ( privkey , & privkeylen , key , compr ) ) ;
CHECK ( secp256k1_eckey_privkey_serialize ( & ctx - > ecmult_gen_ctx , privkey , & privkeylen , key , compr ) ) ;
CHECK ( d2i_ECPrivateKey ( & ec_key , & pbegin , privkeylen ) ) ;
CHECK ( EC_KEY_check_key ( ec_key ) ) ;
return ec_key ;
@ -1756,16 +1957,16 @@ void test_ecdsa_openssl(void) {
@@ -1756,16 +1957,16 @@ void test_ecdsa_openssl(void) {
secp256k1_rand256_test ( message ) ;
secp256k1_scalar_set_b32 ( & msg , message , NULL ) ;
random_scalar_order_test ( & key ) ;
secp256k1_ecmult_gen ( & qj , & key ) ;
secp256k1_ecmult_gen ( & ctx - > ecmult_gen_ctx , & qj , & key ) ;
secp256k1_ge_set_gej ( & q , & qj ) ;
ec_key = get_openssl_key ( & key ) ;
CHECK ( ec_key ) ;
CHECK ( ECDSA_sign ( 0 , message , sizeof ( message ) , signature , & sigsize , ec_key ) ) ;
CHECK ( secp256k1_ecdsa_sig_parse ( & sig , signature , sigsize ) ) ;
CHECK ( secp256k1_ecdsa_sig_verify ( & sig , & q , & msg ) ) ;
CHECK ( secp256k1_ecdsa_sig_verify ( & ctx - > ecmult_ctx , & sig , & q , & msg ) ) ;
secp256k1_scalar_set_int ( & one , 1 ) ;
secp256k1_scalar_add ( & msg2 , & msg , & one ) ;
CHECK ( ! secp256k1_ecdsa_sig_verify ( & sig , & q , & msg2 ) ) ;
CHECK ( ! secp256k1_ecdsa_sig_verify ( & ctx - > ecmult_ctx , & sig , & q , & msg2 ) ) ;
random_sign ( & sig , & key , & msg , NULL ) ;
CHECK ( secp256k1_ecdsa_sig_serialize ( signature , & secp_sigsize , & sig ) ) ;
@ -1825,10 +2026,13 @@ int main(int argc, char **argv) {
@@ -1825,10 +2026,13 @@ int main(int argc, char **argv) {
printf ( " random seed = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x \n " , seed16 [ 0 ] , seed16 [ 1 ] , seed16 [ 2 ] , seed16 [ 3 ] , seed16 [ 4 ] , seed16 [ 5 ] , seed16 [ 6 ] , seed16 [ 7 ] , seed16 [ 8 ] , seed16 [ 9 ] , seed16 [ 10 ] , seed16 [ 11 ] , seed16 [ 12 ] , seed16 [ 13 ] , seed16 [ 14 ] , seed16 [ 15 ] ) ;
/* initialize */
secp256k1_start ( SECP256K1_START_SIGN | SECP256K1_START_VERIFY ) ;
run_context_tests ( ) ;
ctx = secp256k1_context_create ( SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY ) ;
/* initializing a second time shouldn't cause any harm or memory leaks. */
secp256k1_start ( SECP256K1_START_SIGN | SECP256K1_START_VERIFY ) ;
if ( secp256k1_rand32 ( ) & 1 ) {
secp256k1_rand256 ( run32 ) ;
CHECK ( secp256k1_context_randomize ( ctx , secp256k1_rand32 ( ) & 1 ? run32 : NULL ) ) ;
}
run_sha256_tests ( ) ;
run_hmac_sha256_tests ( ) ;
@ -1858,6 +2062,8 @@ int main(int argc, char **argv) {
@@ -1858,6 +2062,8 @@ int main(int argc, char **argv) {
run_wnaf ( ) ;
run_point_times_order ( ) ;
run_ecmult_chain ( ) ;
run_ecmult_constants ( ) ;
run_ecmult_gen_blind ( ) ;
/* ecdsa tests */
run_random_pubkeys ( ) ;
@ -1872,9 +2078,6 @@ int main(int argc, char **argv) {
@@ -1872,9 +2078,6 @@ int main(int argc, char **argv) {
printf ( " random run = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x \n " , run32 [ 0 ] , run32 [ 1 ] , run32 [ 2 ] , run32 [ 3 ] , run32 [ 4 ] , run32 [ 5 ] , run32 [ 6 ] , run32 [ 7 ] , run32 [ 8 ] , run32 [ 9 ] , run32 [ 10 ] , run32 [ 11 ] , run32 [ 12 ] , run32 [ 13 ] , run32 [ 14 ] , run32 [ 15 ] ) ;
/* shutdown */
secp256k1_stop ( ) ;
/* shutting down twice shouldn't cause any double frees. */
secp256k1_stop ( ) ;
secp256k1_context_destroy ( ctx ) ;
return 0 ;
}