bitcoin_secp256k1/tests.rs
1crate::ix!();
2
3//-------------------------------------------[.cpp/bitcoin/src/secp256k1/src/tests.c]
4
5#[cfg(ENABLE_OPENSSL_TESTS)]
6#[cfg(OPENSSL_VERSION_NUMBER_LT0x10100000)]
7pub fn ecdsa_sig_get0(
8 sig: *const ECDSA_SIG,
9 pr: *const *const BIGNUM,
10 ps: *const *const BIGNUM) {
11
12 todo!();
13 /*
14 *pr = sig->r; *ps = sig->s;
15 */
16}
17
18lazy_static!{
19 /*
20 #include "modinv32_impl.h"
21 #ifdef WIDEMUL_INT128
22 #include "modinv64_impl.h"
23 #endif
24 */
25}
26
27lazy_static!{
28 /*
29 static int count = 64;
30 static context *ctx = NULL;
31 */
32}
33
34pub fn counting_illegal_callback_fn(
35 str_: *const u8,
36 data: *mut c_void) {
37
38 todo!();
39 /*
40 /* Dummy callback function that just counts. */
41 int32_t *p;
42 (c_void)str;
43 p = data;
44 (*p)++;
45 */
46}
47
48pub fn uncounting_illegal_callback_fn(
49 str_: *const u8,
50 data: *mut c_void) {
51
52 todo!();
53 /*
54 /* Dummy callback function that just counts (backwards). */
55 int32_t *p;
56 (c_void)str;
57 p = data;
58 (*p)--;
59 */
60}
61
62pub fn random_field_element_test(Fe: *mut Fe) {
63
64 todo!();
65 /*
66 do {
67 unsigned char b32[32];
68 testrand256_test(b32);
69 if (fe_set_b32(Fe, b32)) {
70 break;
71 }
72 } while(1);
73 */
74}
75
76pub fn random_field_element_magnitude(Fe: *mut Fe) {
77
78 todo!();
79 /*
80 Fe zero;
81 int n = testrand_int(9);
82 fe_normalize(Fe);
83 if (n == 0) {
84 return;
85 }
86 fe_clear(&zero);
87 fe_negate(&zero, &zero, 0);
88 fe_mul_int(&zero, n - 1);
89 fe_add(Fe, &zero);
90 #ifdef VERIFY
91 CHECK(Fe->magnitude == n);
92 #endif
93 */
94}
95
96pub fn random_group_element_test(ge: *mut Ge) {
97
98 todo!();
99 /*
100 Fe Fe;
101 do {
102 random_field_element_test(&Fe);
103 if (ge_set_xo_var(ge, &Fe, testrand_bits(1))) {
104 fe_normalize(&ge->y);
105 break;
106 }
107 } while(1);
108 ge->infinity = 0;
109 */
110}
111
112pub fn random_group_element_jacobian_test(
113 gej: *mut Gej,
114 ge: *const Ge) {
115
116 todo!();
117 /*
118 Fe z2, z3;
119 do {
120 random_field_element_test(&gej->z);
121 if (!fe_is_zero(&gej->z)) {
122 break;
123 }
124 } while(1);
125 fe_sqr(&z2, &gej->z);
126 fe_mul(&z3, &z2, &gej->z);
127 fe_mul(&gej->x, &ge->x, &z2);
128 fe_mul(&gej->y, &ge->y, &z3);
129 gej->infinity = ge->infinity;
130 */
131}
132
133pub fn random_scalar_order_test(num: *mut Scalar) {
134
135 todo!();
136 /*
137 do {
138 unsigned char b32[32];
139 int overflow = 0;
140 testrand256_test(b32);
141 scalar_set_b32(num, b32, &overflow);
142 if (overflow || scalar_is_zero(num)) {
143 continue;
144 }
145 break;
146 } while(1);
147 */
148}
149
150pub fn random_scalar_order(num: *mut Scalar) {
151
152 todo!();
153 /*
154 do {
155 unsigned char b32[32];
156 int overflow = 0;
157 testrand256(b32);
158 scalar_set_b32(num, b32, &overflow);
159 if (overflow || scalar_is_zero(num)) {
160 continue;
161 }
162 break;
163 } while(1);
164 */
165}
166
167pub fn random_scalar_order_b32(b32: *mut u8) {
168
169 todo!();
170 /*
171 scalar num;
172 random_scalar_order(&num);
173 scalar_get_b32(b32, &num);
174 */
175}
176
177pub fn run_context_tests(use_prealloc: i32) {
178
179 todo!();
180 /*
181 pubkey pubkey;
182 pubkey zero_pubkey;
183 ecdsa_signature sig;
184 unsigned char ctmp[32];
185 int32_t ecount;
186 int32_t ecount2;
187 context *none;
188 context *sign;
189 context *vrfy;
190 context *both;
191 c_void *none_prealloc = NULL;
192 c_void *sign_prealloc = NULL;
193 c_void *vrfy_prealloc = NULL;
194 c_void *both_prealloc = NULL;
195
196 gej pubj;
197 ge pub;
198 scalar msg, key, nonce;
199 scalar sigr, sigs;
200
201 if (use_prealloc) {
202 none_prealloc = malloc(context_preallocated_size(CONTEXT_NONE));
203 sign_prealloc = malloc(context_preallocated_size(CONTEXT_SIGN));
204 vrfy_prealloc = malloc(context_preallocated_size(CONTEXT_VERIFY));
205 both_prealloc = malloc(context_preallocated_size(CONTEXT_SIGN | CONTEXT_VERIFY));
206 CHECK(none_prealloc != NULL);
207 CHECK(sign_prealloc != NULL);
208 CHECK(vrfy_prealloc != NULL);
209 CHECK(both_prealloc != NULL);
210 none = context_preallocated_create(none_prealloc, CONTEXT_NONE);
211 sign = context_preallocated_create(sign_prealloc, CONTEXT_SIGN);
212 vrfy = context_preallocated_create(vrfy_prealloc, CONTEXT_VERIFY);
213 both = context_preallocated_create(both_prealloc, CONTEXT_SIGN | CONTEXT_VERIFY);
214 } else {
215 none = context_create(CONTEXT_NONE);
216 sign = context_create(CONTEXT_SIGN);
217 vrfy = context_create(CONTEXT_VERIFY);
218 both = context_create(CONTEXT_SIGN | CONTEXT_VERIFY);
219 }
220
221 memset(&zero_pubkey, 0, sizeof(zero_pubkey));
222
223 ecount = 0;
224 ecount2 = 10;
225 context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
226 context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2);
227 /* set error callback (to a function that still aborts in case malloc() fails in context_clone() below) */
228 context_set_error_callback(sign, default_illegal_callback_fn, NULL);
229 CHECK(sign->error_callback.fn != vrfy->error_callback.fn);
230 CHECK(sign->error_callback.fn == default_illegal_callback_fn);
231
232 /* check if sizes for cloning are consistent */
233 CHECK(context_preallocated_clone_size(none) == context_preallocated_size(CONTEXT_NONE));
234 CHECK(context_preallocated_clone_size(sign) == context_preallocated_size(CONTEXT_SIGN));
235 CHECK(context_preallocated_clone_size(vrfy) == context_preallocated_size(CONTEXT_VERIFY));
236 CHECK(context_preallocated_clone_size(both) == context_preallocated_size(CONTEXT_SIGN | CONTEXT_VERIFY));
237
238 /*** clone and destroy all of them to make sure cloning was complete ***/
239 {
240 context *ctx_tmp;
241
242 if (use_prealloc) {
243 /* clone into a non-preallocated context and then again into a new preallocated one. */
244 ctx_tmp = none; none = context_clone(none); context_preallocated_destroy(ctx_tmp);
245 free(none_prealloc); none_prealloc = malloc(context_preallocated_size(CONTEXT_NONE)); CHECK(none_prealloc != NULL);
246 ctx_tmp = none; none = context_preallocated_clone(none, none_prealloc); context_destroy(ctx_tmp);
247
248 ctx_tmp = sign; sign = context_clone(sign); context_preallocated_destroy(ctx_tmp);
249 free(sign_prealloc); sign_prealloc = malloc(context_preallocated_size(CONTEXT_SIGN)); CHECK(sign_prealloc != NULL);
250 ctx_tmp = sign; sign = context_preallocated_clone(sign, sign_prealloc); context_destroy(ctx_tmp);
251
252 ctx_tmp = vrfy; vrfy = context_clone(vrfy); context_preallocated_destroy(ctx_tmp);
253 free(vrfy_prealloc); vrfy_prealloc = malloc(context_preallocated_size(CONTEXT_VERIFY)); CHECK(vrfy_prealloc != NULL);
254 ctx_tmp = vrfy; vrfy = context_preallocated_clone(vrfy, vrfy_prealloc); context_destroy(ctx_tmp);
255
256 ctx_tmp = both; both = context_clone(both); context_preallocated_destroy(ctx_tmp);
257 free(both_prealloc); both_prealloc = malloc(context_preallocated_size(CONTEXT_SIGN | CONTEXT_VERIFY)); CHECK(both_prealloc != NULL);
258 ctx_tmp = both; both = context_preallocated_clone(both, both_prealloc); context_destroy(ctx_tmp);
259 } else {
260 /* clone into a preallocated context and then again into a new non-preallocated one. */
261 c_void *prealloc_tmp;
262
263 prealloc_tmp = malloc(context_preallocated_size(CONTEXT_NONE)); CHECK(prealloc_tmp != NULL);
264 ctx_tmp = none; none = context_preallocated_clone(none, prealloc_tmp); context_destroy(ctx_tmp);
265 ctx_tmp = none; none = context_clone(none); context_preallocated_destroy(ctx_tmp);
266 free(prealloc_tmp);
267
268 prealloc_tmp = malloc(context_preallocated_size(CONTEXT_SIGN)); CHECK(prealloc_tmp != NULL);
269 ctx_tmp = sign; sign = context_preallocated_clone(sign, prealloc_tmp); context_destroy(ctx_tmp);
270 ctx_tmp = sign; sign = context_clone(sign); context_preallocated_destroy(ctx_tmp);
271 free(prealloc_tmp);
272
273 prealloc_tmp = malloc(context_preallocated_size(CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
274 ctx_tmp = vrfy; vrfy = context_preallocated_clone(vrfy, prealloc_tmp); context_destroy(ctx_tmp);
275 ctx_tmp = vrfy; vrfy = context_clone(vrfy); context_preallocated_destroy(ctx_tmp);
276 free(prealloc_tmp);
277
278 prealloc_tmp = malloc(context_preallocated_size(CONTEXT_SIGN | CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
279 ctx_tmp = both; both = context_preallocated_clone(both, prealloc_tmp); context_destroy(ctx_tmp);
280 ctx_tmp = both; both = context_clone(both); context_preallocated_destroy(ctx_tmp);
281 free(prealloc_tmp);
282 }
283 }
284
285 /* Verify that the error callback makes it across the clone. */
286 CHECK(sign->error_callback.fn != vrfy->error_callback.fn);
287 CHECK(sign->error_callback.fn == default_illegal_callback_fn);
288 /* And that it resets back to default. */
289 context_set_error_callback(sign, NULL, NULL);
290 CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
291
292 /*** attempt to use them ***/
293 random_scalar_order_test(&msg);
294 random_scalar_order_test(&key);
295 ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
296 ge_set_gej(&pub, &pubj);
297
298 /* Verify context-type checking illegal-argument errors. */
299 memset(ctmp, 1, 32);
300 CHECK(ec_pubkey_create(vrfy, &pubkey, ctmp) == 0);
301 CHECK(ecount == 1);
302 VG_UNDEF(&pubkey, sizeof(pubkey));
303 CHECK(ec_pubkey_create(sign, &pubkey, ctmp) == 1);
304 VG_CHECK(&pubkey, sizeof(pubkey));
305 CHECK(ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0);
306 CHECK(ecount == 2);
307 VG_UNDEF(&sig, sizeof(sig));
308 CHECK(ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
309 VG_CHECK(&sig, sizeof(sig));
310 CHECK(ecount2 == 10);
311 CHECK(ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0);
312 CHECK(ecount2 == 11);
313 CHECK(ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1);
314 CHECK(ecount == 2);
315 CHECK(ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0);
316 CHECK(ecount2 == 12);
317 CHECK(ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1);
318 CHECK(ecount == 2);
319 CHECK(ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0);
320 CHECK(ecount2 == 13);
321 CHECK(ec_pubkey_negate(vrfy, &pubkey) == 1);
322 CHECK(ecount == 2);
323 CHECK(ec_pubkey_negate(sign, &pubkey) == 1);
324 CHECK(ecount == 2);
325 CHECK(ec_pubkey_negate(sign, NULL) == 0);
326 CHECK(ecount2 == 14);
327 CHECK(ec_pubkey_negate(vrfy, &zero_pubkey) == 0);
328 CHECK(ecount == 3);
329 CHECK(ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1);
330 CHECK(ecount == 3);
331 CHECK(context_randomize(vrfy, ctmp) == 1);
332 CHECK(ecount == 3);
333 CHECK(context_randomize(vrfy, NULL) == 1);
334 CHECK(ecount == 3);
335 CHECK(context_randomize(sign, ctmp) == 1);
336 CHECK(ecount2 == 14);
337 CHECK(context_randomize(sign, NULL) == 1);
338 CHECK(ecount2 == 14);
339 context_set_illegal_callback(vrfy, NULL, NULL);
340 context_set_illegal_callback(sign, NULL, NULL);
341
342 /* obtain a working nonce */
343 do {
344 random_scalar_order_test(&nonce);
345 } while(!ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
346
347 /* try signing */
348 CHECK(ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
349 CHECK(ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
350
351 /* try verifying */
352 CHECK(ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg));
353 CHECK(ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg));
354
355 /* cleanup */
356 if (use_prealloc) {
357 context_preallocated_destroy(none);
358 context_preallocated_destroy(sign);
359 context_preallocated_destroy(vrfy);
360 context_preallocated_destroy(both);
361 free(none_prealloc);
362 free(sign_prealloc);
363 free(vrfy_prealloc);
364 free(both_prealloc);
365 } else {
366 context_destroy(none);
367 context_destroy(sign);
368 context_destroy(vrfy);
369 context_destroy(both);
370 }
371 /* Defined as no-op. */
372 context_destroy(NULL);
373 context_preallocated_destroy(NULL);
374 */
375}
376
377pub fn run_scratch_tests() {
378
379 todo!();
380 /*
381 const size_t adj_alloc = ((500 + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT;
382
383 int32_t ecount = 0;
384 size_t checkpoint;
385 size_t checkpoint_2;
386 context *none = context_create(CONTEXT_NONE);
387 scratch_space *scratch;
388 scratch_space local_scratch;
389
390 /* Test public API */
391 context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
392 context_set_error_callback(none, counting_illegal_callback_fn, &ecount);
393
394 scratch = scratch_space_create(none, 1000);
395 CHECK(scratch != NULL);
396 CHECK(ecount == 0);
397
398 /* Test internal API */
399 CHECK(scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
400 CHECK(scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1));
401 CHECK(scratch->alloc_size == 0);
402 CHECK(scratch->alloc_size % ALIGNMENT == 0);
403
404 /* Allocating 500 bytes succeeds */
405 checkpoint = scratch_checkpoint(&none->error_callback, scratch);
406 CHECK(scratch_alloc(&none->error_callback, scratch, 500) != NULL);
407 CHECK(scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
408 CHECK(scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
409 CHECK(scratch->alloc_size != 0);
410 CHECK(scratch->alloc_size % ALIGNMENT == 0);
411
412 /* Allocating another 501 bytes fails */
413 CHECK(scratch_alloc(&none->error_callback, scratch, 501) == NULL);
414 CHECK(scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
415 CHECK(scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
416 CHECK(scratch->alloc_size != 0);
417 CHECK(scratch->alloc_size % ALIGNMENT == 0);
418
419 /* ...but it succeeds once we apply the checkpoint to undo it */
420 scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
421 CHECK(scratch->alloc_size == 0);
422 CHECK(scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
423 CHECK(scratch_alloc(&none->error_callback, scratch, 500) != NULL);
424 CHECK(scratch->alloc_size != 0);
425
426 /* try to apply a bad checkpoint */
427 checkpoint_2 = scratch_checkpoint(&none->error_callback, scratch);
428 scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
429 CHECK(ecount == 0);
430 scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint_2); /* checkpoint_2 is after checkpoint */
431 CHECK(ecount == 1);
432 scratch_apply_checkpoint(&none->error_callback, scratch, (size_t) -1); /* this is just wildly invalid */
433 CHECK(ecount == 2);
434
435 /* try to use badly initialized scratch space */
436 scratch_space_destroy(none, scratch);
437 memset(&local_scratch, 0, sizeof(local_scratch));
438 scratch = &local_scratch;
439 CHECK(!scratch_max_allocation(&none->error_callback, scratch, 0));
440 CHECK(ecount == 3);
441 CHECK(scratch_alloc(&none->error_callback, scratch, 500) == NULL);
442 CHECK(ecount == 4);
443 scratch_space_destroy(none, scratch);
444 CHECK(ecount == 5);
445
446 /* Test that large integers do not wrap around in a bad way */
447 scratch = scratch_space_create(none, 1000);
448 /* Try max allocation with a large number of objects. Only makes sense if
449 * ALIGNMENT is greater than 1 because otherwise the objects take no extra
450 * space. */
451 CHECK(ALIGNMENT <= 1 || !scratch_max_allocation(&none->error_callback, scratch, (SIZE_MAX / (ALIGNMENT - 1)) + 1));
452 /* Try allocating SIZE_MAX to test wrap around which only happens if
453 * ALIGNMENT > 1, otherwise it returns NULL anyway because the scratch
454 * space is too small. */
455 CHECK(scratch_alloc(&none->error_callback, scratch, SIZE_MAX) == NULL);
456 scratch_space_destroy(none, scratch);
457
458 /* cleanup */
459 scratch_space_destroy(none, NULL); /* no-op */
460 context_destroy(none);
461 */
462}
463
464pub fn run_ctz_tests() {
465
466 todo!();
467 /*
468 static const uint32_t b32[] = {1, 0xffffffff, 0x5e56968f, 0xe0d63129};
469 static const uint64_t b64[] = {1, 0xffffffffffffffff, 0xbcd02462139b3fc3, 0x98b5f80c769693ef};
470 int shift;
471 unsigned i;
472 for (i = 0; i < sizeof(b32) / sizeof(b32[0]); ++i) {
473 for (shift = 0; shift < 32; ++shift) {
474 CHECK(ctz32_var_debruijn(b32[i] << shift) == shift);
475 CHECK(ctz32_var(b32[i] << shift) == shift);
476 }
477 }
478 for (i = 0; i < sizeof(b64) / sizeof(b64[0]); ++i) {
479 for (shift = 0; shift < 64; ++shift) {
480 CHECK(ctz64_var_debruijn(b64[i] << shift) == shift);
481 CHECK(ctz64_var(b64[i] << shift) == shift);
482 }
483 }
484 */
485}
486
487/* --------------- HASH TESTS --------------- */
488
489pub fn run_sha256_tests() {
490
491 todo!();
492 /*
493 static const char *inputs[8] = {
494 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
495 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
496 "For this sample, this 63-byte string will be used as input data",
497 "This is exactly 64 bytes long, not counting the terminating byte"
498 };
499 static const unsigned char outputs[8][32] = {
500 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
501 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
502 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
503 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
504 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
505 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
506 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
507 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
508 };
509 int i;
510 for (i = 0; i < 8; i++) {
511 unsigned char out[32];
512 sha256 hasher;
513 sha256_initialize(&hasher);
514 sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
515 sha256_finalize(&hasher, out);
516 CHECK(memcmp_var(out, outputs[i], 32) == 0);
517 if (strlen(inputs[i]) > 0) {
518 int split = testrand_int(strlen(inputs[i]));
519 sha256_initialize(&hasher);
520 sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
521 sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
522 sha256_finalize(&hasher, out);
523 CHECK(memcmp_var(out, outputs[i], 32) == 0);
524 }
525 }
526 */
527}
528
529pub fn run_hmac_sha256_tests() {
530
531 todo!();
532 /*
533 static const char *keys[6] = {
534 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
535 "\x4a\x65\x66\x65",
536 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
537 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
538 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
539 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
540 };
541 static const char *inputs[6] = {
542 "\x48\x69\x20\x54\x68\x65\x72\x65",
543 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
544 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
545 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
546 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
547 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
548 };
549 static const unsigned char outputs[6][32] = {
550 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
551 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
552 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
553 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
554 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
555 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
556 };
557 int i;
558 for (i = 0; i < 6; i++) {
559 hmac_sha256 hasher;
560 unsigned char out[32];
561 hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
562 hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
563 hmac_sha256_finalize(&hasher, out);
564 CHECK(memcmp_var(out, outputs[i], 32) == 0);
565 if (strlen(inputs[i]) > 0) {
566 int split = testrand_int(strlen(inputs[i]));
567 hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
568 hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
569 hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
570 hmac_sha256_finalize(&hasher, out);
571 CHECK(memcmp_var(out, outputs[i], 32) == 0);
572 }
573 }
574 */
575}
576
577pub fn run_rfc6979_hmac_sha256_tests() {
578
579 todo!();
580 /*
581 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
582 static const unsigned char out1[3][32] = {
583 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
584 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
585 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
586 };
587
588 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
589 static const unsigned char out2[3][32] = {
590 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
591 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
592 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
593 };
594
595 rfc6979_hmac_sha256 rng;
596 unsigned char out[32];
597 int i;
598
599 rfc6979_hmac_sha256_initialize(&rng, key1, 64);
600 for (i = 0; i < 3; i++) {
601 rfc6979_hmac_sha256_generate(&rng, out, 32);
602 CHECK(memcmp_var(out, out1[i], 32) == 0);
603 }
604 rfc6979_hmac_sha256_finalize(&rng);
605
606 rfc6979_hmac_sha256_initialize(&rng, key1, 65);
607 for (i = 0; i < 3; i++) {
608 rfc6979_hmac_sha256_generate(&rng, out, 32);
609 CHECK(memcmp_var(out, out1[i], 32) != 0);
610 }
611 rfc6979_hmac_sha256_finalize(&rng);
612
613 rfc6979_hmac_sha256_initialize(&rng, key2, 64);
614 for (i = 0; i < 3; i++) {
615 rfc6979_hmac_sha256_generate(&rng, out, 32);
616 CHECK(memcmp_var(out, out2[i], 32) == 0);
617 }
618 rfc6979_hmac_sha256_finalize(&rng);
619 */
620}
621
622pub fn run_tagged_sha256_tests() {
623
624 todo!();
625 /*
626 int ecount = 0;
627 context *none = context_create(CONTEXT_NONE);
628 unsigned char tag[32] = { 0 };
629 unsigned char msg[32] = { 0 };
630 unsigned char hash32[32];
631 unsigned char hash_expected[32] = {
632 0x04, 0x7A, 0x5E, 0x17, 0xB5, 0x86, 0x47, 0xC1,
633 0x3C, 0xC6, 0xEB, 0xC0, 0xAA, 0x58, 0x3B, 0x62,
634 0xFB, 0x16, 0x43, 0x32, 0x68, 0x77, 0x40, 0x6C,
635 0xE2, 0x76, 0x55, 0x9A, 0x3B, 0xDE, 0x55, 0xB3
636 };
637
638 context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
639
640 /* API test */
641 CHECK(tagged_sha256(none, hash32, tag, sizeof(tag), msg, sizeof(msg)) == 1);
642 CHECK(tagged_sha256(none, NULL, tag, sizeof(tag), msg, sizeof(msg)) == 0);
643 CHECK(ecount == 1);
644 CHECK(tagged_sha256(none, hash32, NULL, 0, msg, sizeof(msg)) == 0);
645 CHECK(ecount == 2);
646 CHECK(tagged_sha256(none, hash32, tag, sizeof(tag), NULL, 0) == 0);
647 CHECK(ecount == 3);
648
649 /* Static test vector */
650 memcpy(tag, "tag", 3);
651 memcpy(msg, "msg", 3);
652 CHECK(tagged_sha256(none, hash32, tag, 3, msg, 3) == 1);
653 CHECK(memcmp_var(hash32, hash_expected, sizeof(hash32)) == 0);
654 context_destroy(none);
655 */
656}
657
658/* -------------- **** RANDOM TESTS **** -------------- */
659
660pub fn test_rand_bits(
661 rand32: i32,
662 bits: i32) {
663
664 todo!();
665 /*
666 /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
667 * get a false negative chance below once in a billion */
668 static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
669 /* We try multiplying the results with various odd numbers, which shouldn't
670 * influence the uniform distribution modulo a power of 2. */
671 static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
672 /* We only select up to 6 bits from the output to analyse */
673 unsigned int usebits = bits > 6 ? 6 : bits;
674 unsigned int maxshift = bits - usebits;
675 /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
676 number, track all observed outcomes, one per bit in a uint64_t. */
677 uint64_t x[6][27] = {{0}};
678 unsigned int i, shift, m;
679 /* Multiply the output of all rand calls with the odd number m, which
680 should not change the uniformity of its distribution. */
681 for (i = 0; i < rounds[usebits]; i++) {
682 uint32_t r = (rand32 ? testrand32() : testrand_bits(bits));
683 CHECK((((uint64_t)r) >> bits) == 0);
684 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
685 uint32_t rm = r * mults[m];
686 for (shift = 0; shift <= maxshift; shift++) {
687 x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
688 }
689 }
690 }
691 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
692 for (shift = 0; shift <= maxshift; shift++) {
693 /* Test that the lower usebits bits of x[shift] are 1 */
694 CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
695 }
696 }
697 */
698}
699
700/**
701 | Subrange must be a whole divisor of range,
702 | and at most 64
703 |
704 */
705pub fn test_rand_int(
706 range: u32,
707 subrange: u32) {
708
709 todo!();
710 /*
711 /* (1-1/subrange)^rounds < 1/10^9 */
712 int rounds = (subrange * 2073) / 100;
713 int i;
714 uint64_t x = 0;
715 CHECK((range % subrange) == 0);
716 for (i = 0; i < rounds; i++) {
717 uint32_t r = testrand_int(range);
718 CHECK(r < range);
719 r = r % subrange;
720 x |= (((uint64_t)1) << r);
721 }
722 /* Test that the lower subrange bits of x are 1. */
723 CHECK(((~x) << (64 - subrange)) == 0);
724 */
725}
726
727pub fn run_rand_bits() {
728
729 todo!();
730 /*
731 size_t b;
732 test_rand_bits(1, 32);
733 for (b = 1; b <= 32; b++) {
734 test_rand_bits(0, b);
735 }
736 */
737}
738
739pub fn run_rand_int() {
740
741 todo!();
742 /*
743 static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
744 static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
745 unsigned int m, s;
746 for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
747 for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
748 test_rand_int(ms[m] * ss[s], ss[s]);
749 }
750 }
751 */
752}
753
754/* -------------- **** MODINV TESTS **** -------------- */
755
756/**
757 | Compute the modular inverse of (odd)
758 | x mod 2^64.
759 |
760 */
761pub fn modinv2p64(x: u64) -> u64 {
762
763 todo!();
764 /*
765 /* If w = 1/x mod 2^(2^L), then w*(2 - w*x) = 1/x mod 2^(2^(L+1)). See
766 * Hacker's Delight second edition, Henry S. Warren, Jr., pages 245-247 for
767 * why. Start with L=0, for which it is true for every odd x that
768 * 1/x=1 mod 2. Iterating 6 times gives us 1/x mod 2^64. */
769 int l;
770 uint64_t w = 1;
771 CHECK(x & 1);
772 for (l = 0; l < 6; ++l) w *= (2 - w*x);
773 return w;
774 */
775}
776
777/**
778 | compute out = (a*b) mod m; if b=NULL,
779 | treat b=1.
780 |
781 | Out is a 512-bit number (represented
782 | as 32 uint16_t's in LE order). The other
783 | arguments are 256-bit numbers (represented
784 | as 16 uint16_t's in LE order).
785 |
786 */
787pub fn mulmod256(
788 out: *mut u16,
789 a: *const u16,
790 b: *const u16,
791 m: *const u16) {
792
793 todo!();
794 /*
795 uint16_t mul[32];
796 uint64_t c = 0;
797 int i, j;
798 int m_bitlen = 0;
799 int mul_bitlen = 0;
800
801 if (b != NULL) {
802 /* Compute the product of a and b, and put it in mul. */
803 for (i = 0; i < 32; ++i) {
804 for (j = i <= 15 ? 0 : i - 15; j <= i && j <= 15; j++) {
805 c += (uint64_t)a[j] * b[i - j];
806 }
807 mul[i] = c & 0xFFFF;
808 c >>= 16;
809 }
810 CHECK(c == 0);
811
812 /* compute the highest set bit in mul */
813 for (i = 511; i >= 0; --i) {
814 if ((mul[i >> 4] >> (i & 15)) & 1) {
815 mul_bitlen = i;
816 break;
817 }
818 }
819 } else {
820 /* if b==NULL, set mul=a. */
821 memcpy(mul, a, 32);
822 memset(mul + 16, 0, 32);
823 /* compute the highest set bit in mul */
824 for (i = 255; i >= 0; --i) {
825 if ((mul[i >> 4] >> (i & 15)) & 1) {
826 mul_bitlen = i;
827 break;
828 }
829 }
830 }
831
832 /* Compute the highest set bit in m. */
833 for (i = 255; i >= 0; --i) {
834 if ((m[i >> 4] >> (i & 15)) & 1) {
835 m_bitlen = i;
836 break;
837 }
838 }
839
840 /* Try do mul -= m<<i, for i going down to 0, whenever the result is not negative */
841 for (i = mul_bitlen - m_bitlen; i >= 0; --i) {
842 uint16_t mul2[32];
843 int64_t cs;
844
845 /* Compute mul2 = mul - m<<i. */
846 cs = 0; /* accumulator */
847 for (j = 0; j < 32; ++j) { /* j loops over the output limbs in mul2. */
848 /* Compute sub: the 16 bits in m that will be subtracted from mul2[j]. */
849 uint16_t sub = 0;
850 int p;
851 for (p = 0; p < 16; ++p) { /* p loops over the bit positions in mul2[j]. */
852 int bitpos = j * 16 - i + p; /* bitpos is the correspond bit position in m. */
853 if (bitpos >= 0 && bitpos < 256) {
854 sub |= ((m[bitpos >> 4] >> (bitpos & 15)) & 1) << p;
855 }
856 }
857 /* Add mul[j]-sub to accumulator, and shift bottom 16 bits out to mul2[j]. */
858 cs += mul[j];
859 cs -= sub;
860 mul2[j] = (cs & 0xFFFF);
861 cs >>= 16;
862 }
863 /* If remainder of subtraction is 0, set mul = mul2. */
864 if (cs == 0) {
865 memcpy(mul, mul2, sizeof(mul));
866 }
867 }
868 /* Sanity check: test that all limbs higher than m's highest are zero */
869 for (i = (m_bitlen >> 4) + 1; i < 32; ++i) {
870 CHECK(mul[i] == 0);
871 }
872 memcpy(out, mul, 32);
873 */
874}
875
876/**
877 | Convert a 256-bit number represented
878 | as 16 uint16_t's to signed30 notation.
879 |
880 */
881pub fn uint16_to_signed30(
882 out: *mut ModInv32Signed30,
883 in_: *const u16) {
884
885 todo!();
886 /*
887 int i;
888 memset(out->v, 0, sizeof(out->v));
889 for (i = 0; i < 256; ++i) {
890 out->v[i / 30] |= (int32_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 30);
891 }
892 */
893}
894
895/**
896 | Convert a 256-bit number in signed30
897 | notation to a representation as 16 uint16_t's.
898 |
899 */
900pub fn signed30_to_uint16(
901 out: *mut u16,
902 in_: *const ModInv32Signed30) {
903
904 todo!();
905 /*
906 int i;
907 memset(out, 0, 32);
908 for (i = 0; i < 256; ++i) {
909 out[i >> 4] |= (((in->v[i / 30]) >> (i % 30)) & 1) << (i & 15);
910 }
911 */
912}
913
914/**
915 | Randomly mutate the sign of limbs in
916 | signed30 representation, without
917 | changing the value.
918 |
919 */
920pub fn mutate_sign_signed30(x: *mut ModInv32Signed30) {
921
922 todo!();
923 /*
924 int i;
925 for (i = 0; i < 16; ++i) {
926 int pos = testrand_int(8);
927 if (x->v[pos] > 0 && x->v[pos + 1] <= 0x3fffffff) {
928 x->v[pos] -= 0x40000000;
929 x->v[pos + 1] += 1;
930 } else if (x->v[pos] < 0 && x->v[pos + 1] >= 0x3fffffff) {
931 x->v[pos] += 0x40000000;
932 x->v[pos + 1] -= 1;
933 }
934 }
935 */
936}
937
938/**
939 | Test modinv32{_var}, using inputs
940 | in 16-bit limb format, and returning
941 | inverse.
942 |
943 */
944pub fn test_modinv32_uint16(
945 out: *mut u16,
946 in_: *const u16,
947 mod_: *const u16) {
948
949 todo!();
950 /*
951 uint16_t tmp[16];
952 modinv32_signed30 x;
953 modinv32_modinfo m;
954 int i, vartime, nonzero;
955
956 uint16_to_signed30(&x, in);
957 nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4] | x.v[5] | x.v[6] | x.v[7] | x.v[8]) != 0;
958 uint16_to_signed30(&m.modulus, mod);
959 mutate_sign_signed30(&m.modulus);
960
961 /* compute 1/modulus mod 2^30 */
962 m.modulus_inv30 = modinv2p64(m.modulus.v[0]) & 0x3fffffff;
963 CHECK(((m.modulus_inv30 * m.modulus.v[0]) & 0x3fffffff) == 1);
964
965 for (vartime = 0; vartime < 2; ++vartime) {
966 /* compute inverse */
967 (vartime ? modinv32_var : modinv32)(&x, &m);
968
969 /* produce output */
970 signed30_to_uint16(out, &x);
971
972 /* check if the inverse times the input is 1 (mod m), unless x is 0. */
973 mulmod256(tmp, out, in, mod);
974 CHECK(tmp[0] == nonzero);
975 for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
976
977 /* invert again */
978 (vartime ? modinv32_var : modinv32)(&x, &m);
979
980 /* check if the result is equal to the input */
981 signed30_to_uint16(tmp, &x);
982 for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
983 }
984 */
985}
986
987/**
988 | Convert a 256-bit number represented
989 | as 16 uint16_t's to signed62 notation.
990 |
991 */
992#[cfg(WIDEMUL_INT128)]
993pub fn uint16_to_signed62(
994 out: *mut ModInv64Signed62,
995 in_: *const u16) {
996
997 todo!();
998 /*
999 int i;
1000 memset(out->v, 0, sizeof(out->v));
1001 for (i = 0; i < 256; ++i) {
1002 out->v[i / 62] |= (int64_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 62);
1003 }
1004 */
1005}
1006
1007/**
1008 | Convert a 256-bit number in signed62
1009 | notation to a representation as 16 uint16_t's.
1010 |
1011 */
1012#[cfg(WIDEMUL_INT128)]
1013pub fn signed62_to_uint16(
1014 out: *mut u16,
1015 in_: *const ModInv64Signed62) {
1016
1017 todo!();
1018 /*
1019 int i;
1020 memset(out, 0, 32);
1021 for (i = 0; i < 256; ++i) {
1022 out[i >> 4] |= (((in->v[i / 62]) >> (i % 62)) & 1) << (i & 15);
1023 }
1024 */
1025}
1026
1027/**
1028 | Randomly mutate the sign of limbs in
1029 | signed62 representation, without
1030 | changing the value.
1031 |
1032 */
1033#[cfg(WIDEMUL_INT128)]
1034pub fn mutate_sign_signed62(x: *mut ModInv64Signed62) {
1035
1036 todo!();
1037 /*
1038 static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
1039 int i;
1040 for (i = 0; i < 8; ++i) {
1041 int pos = testrand_int(4);
1042 if (x->v[pos] > 0 && x->v[pos + 1] <= M62) {
1043 x->v[pos] -= (M62 + 1);
1044 x->v[pos + 1] += 1;
1045 } else if (x->v[pos] < 0 && x->v[pos + 1] >= -M62) {
1046 x->v[pos] += (M62 + 1);
1047 x->v[pos + 1] -= 1;
1048 }
1049 }
1050 */
1051}
1052
1053/**
1054 | Test modinv64{_var}, using inputs
1055 | in 16-bit limb format, and returning
1056 | inverse.
1057 |
1058 */
1059#[cfg(WIDEMUL_INT128)]
1060pub fn test_modinv64_uint16(
1061 out: *mut u16,
1062 in_: *const u16,
1063 mod_: *const u16) {
1064
1065 todo!();
1066 /*
1067 static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
1068 uint16_t tmp[16];
1069 modinv64_signed62 x;
1070 modinv64_modinfo m;
1071 int i, vartime, nonzero;
1072
1073 uint16_to_signed62(&x, in);
1074 nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4]) != 0;
1075 uint16_to_signed62(&m.modulus, mod);
1076 mutate_sign_signed62(&m.modulus);
1077
1078 /* compute 1/modulus mod 2^62 */
1079 m.modulus_inv62 = modinv2p64(m.modulus.v[0]) & M62;
1080 CHECK(((m.modulus_inv62 * m.modulus.v[0]) & M62) == 1);
1081
1082 for (vartime = 0; vartime < 2; ++vartime) {
1083 /* compute inverse */
1084 (vartime ? modinv64_var : modinv64)(&x, &m);
1085
1086 /* produce output */
1087 signed62_to_uint16(out, &x);
1088
1089 /* check if the inverse times the input is 1 (mod m), unless x is 0. */
1090 mulmod256(tmp, out, in, mod);
1091 CHECK(tmp[0] == nonzero);
1092 for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
1093
1094 /* invert again */
1095 (vartime ? modinv64_var : modinv64)(&x, &m);
1096
1097 /* check if the result is equal to the input */
1098 signed62_to_uint16(tmp, &x);
1099 for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
1100 }
1101 */
1102}
1103
1104/**
1105 | test if a and b are coprime
1106 |
1107 */
1108pub fn coprime(
1109 a: *const u16,
1110 b: *const u16) -> i32 {
1111
1112 todo!();
1113 /*
1114 uint16_t x[16], y[16], t[16];
1115 int i;
1116 int iszero;
1117 memcpy(x, a, 32);
1118 memcpy(y, b, 32);
1119
1120 /* simple gcd loop: while x!=0, (x,y)=(y%x,x) */
1121 while (1) {
1122 iszero = 1;
1123 for (i = 0; i < 16; ++i) {
1124 if (x[i] != 0) {
1125 iszero = 0;
1126 break;
1127 }
1128 }
1129 if (iszero) break;
1130 mulmod256(t, y, NULL, x);
1131 memcpy(y, x, 32);
1132 memcpy(x, t, 32);
1133 }
1134
1135 /* return whether y=1 */
1136 if (y[0] != 1) return 0;
1137 for (i = 1; i < 16; ++i) {
1138 if (y[i] != 0) return 0;
1139 }
1140 return 1;
1141 */
1142}
1143
1144pub fn run_modinv_tests() {
1145
1146 todo!();
1147 /*
1148 /* Fixed test cases. Each tuple is (input, modulus, output), each as 16x16 bits in LE order. */
1149 static const uint16_t CASES[][3][16] = {
1150 /* Test cases triggering edge cases in divsteps */
1151
1152 /* Test case known to need 713 divsteps */
1153 {{0x1513, 0x5389, 0x54e9, 0x2798, 0x1957, 0x66a0, 0x8057, 0x3477,
1154 0x7784, 0x1052, 0x326a, 0x9331, 0x6506, 0xa95c, 0x91f3, 0xfb5e},
1155 {0x2bdd, 0x8df4, 0xcc61, 0x481f, 0xdae5, 0x5ca7, 0xf43b, 0x7d54,
1156 0x13d6, 0x469b, 0x2294, 0x20f4, 0xb2a4, 0xa2d1, 0x3ff1, 0xfd4b},
1157 {0xffd8, 0xd9a0, 0x456e, 0x81bb, 0xbabd, 0x6cea, 0x6dbd, 0x73ab,
1158 0xbb94, 0x3d3c, 0xdf08, 0x31c4, 0x3e32, 0xc179, 0x2486, 0xb86b}},
1159 /* Test case known to need 589 divsteps, reaching delta=-140 and
1160 delta=141. */
1161 {{0x3fb1, 0x903b, 0x4eb7, 0x4813, 0xd863, 0x26bf, 0xd89f, 0xa8a9,
1162 0x02fe, 0x57c6, 0x554a, 0x4eab, 0x165e, 0x3d61, 0xee1e, 0x456c},
1163 {0x9295, 0x823b, 0x5c1f, 0x5386, 0x48e0, 0x02ff, 0x4c2a, 0xa2da,
1164 0xe58f, 0x967c, 0xc97e, 0x3f5a, 0x69fb, 0x52d9, 0x0a86, 0xb4a3},
1165 {0x3d30, 0xb893, 0xa809, 0xa7a8, 0x26f5, 0x5b42, 0x55be, 0xf4d0,
1166 0x12c2, 0x7e6a, 0xe41a, 0x90c7, 0xebfa, 0xf920, 0x304e, 0x1419}},
1167 /* Test case known to need 650 divsteps, and doing 65 consecutive (f,g/2) steps. */
1168 {{0x8583, 0x5058, 0xbeae, 0xeb69, 0x48bc, 0x52bb, 0x6a9d, 0xcc94,
1169 0x2a21, 0x87d5, 0x5b0d, 0x42f6, 0x5b8a, 0x2214, 0xe9d6, 0xa040},
1170 {0x7531, 0x27cb, 0x7e53, 0xb739, 0x6a5f, 0x83f5, 0xa45c, 0xcb1d,
1171 0x8a87, 0x1c9c, 0x51d7, 0x851c, 0xb9d8, 0x1fbe, 0xc241, 0xd4a3},
1172 {0xcdb4, 0x275c, 0x7d22, 0xa906, 0x0173, 0xc054, 0x7fdf, 0x5005,
1173 0x7fb8, 0x9059, 0xdf51, 0x99df, 0x2654, 0x8f6e, 0x070f, 0xb347}},
1174 /* example needing 713 divsteps; delta=-2..3 */
1175 {{0xe2e9, 0xee91, 0x4345, 0xe5ad, 0xf3ec, 0x8f42, 0x0364, 0xd5c9,
1176 0xff49, 0xbef5, 0x4544, 0x4c7c, 0xae4b, 0xfd9d, 0xb35b, 0xda9d},
1177 {0x36e7, 0x8cca, 0x2ed0, 0x47b3, 0xaca4, 0xb374, 0x7d2a, 0x0772,
1178 0x6bdb, 0xe0a7, 0x900b, 0xfe10, 0x788c, 0x6f22, 0xd909, 0xf298},
1179 {0xd8c6, 0xba39, 0x13ed, 0x198c, 0x16c8, 0xb837, 0xa5f2, 0x9797,
1180 0x0113, 0x882a, 0x15b5, 0x324c, 0xabee, 0xe465, 0x8170, 0x85ac}},
1181 /* example needing 713 divsteps; delta=-2..3 */
1182 {{0xd5b7, 0x2966, 0x040e, 0xf59a, 0x0387, 0xd96d, 0xbfbc, 0xd850,
1183 0x2d96, 0x872a, 0xad81, 0xc03c, 0xbb39, 0xb7fa, 0xd904, 0xef78},
1184 {0x6279, 0x4314, 0xfdd3, 0x1568, 0x0982, 0x4d13, 0x625f, 0x010c,
1185 0x22b1, 0x0cc3, 0xf22d, 0x5710, 0x1109, 0x5751, 0x7714, 0xfcf2},
1186 {0xdb13, 0x5817, 0x232e, 0xe456, 0xbbbc, 0x6fbe, 0x4572, 0xa358,
1187 0xc76d, 0x928e, 0x0162, 0x5314, 0x8325, 0x5683, 0xe21b, 0xda88}},
1188 /* example needing 713 divsteps; delta=-2..3 */
1189 {{0xa06f, 0x71ee, 0x3bac, 0x9ebb, 0xdeaa, 0x09ed, 0x1cf7, 0x9ec9,
1190 0x7158, 0x8b72, 0x5d53, 0x5479, 0x5c75, 0xbb66, 0x9125, 0xeccc},
1191 {0x2941, 0xd46c, 0x3cd4, 0x4a9d, 0x5c4a, 0x256b, 0xbd6c, 0x9b8e,
1192 0x8fe0, 0x8a14, 0xffe8, 0x2496, 0x618d, 0xa9d7, 0x5018, 0xfb29},
1193 {0x437c, 0xbd60, 0x7590, 0x94bb, 0x0095, 0xd35e, 0xd4fe, 0xd6da,
1194 0x0d4e, 0x5342, 0x4cd2, 0x169b, 0x661c, 0x1380, 0xed2d, 0x85c1}},
1195 /* example reaching delta=-64..65; 661 divsteps */
1196 {{0xfde4, 0x68d6, 0x6c48, 0x7f77, 0x1c78, 0x96de, 0x2fd9, 0xa6c2,
1197 0xbbb5, 0xd319, 0x69cf, 0xd4b3, 0xa321, 0xcda0, 0x172e, 0xe530},
1198 {0xd9e3, 0x0f60, 0x3d86, 0xeeab, 0x25ee, 0x9582, 0x2d50, 0xfe16,
1199 0xd4e2, 0xe3ba, 0x94e2, 0x9833, 0x6c5e, 0x8982, 0x13b6, 0xe598},
1200 {0xe675, 0xf55a, 0x10f6, 0xabde, 0x5113, 0xecaa, 0x61ae, 0xad9f,
1201 0x0c27, 0xef33, 0x62e5, 0x211d, 0x08fa, 0xa78d, 0xc675, 0x8bae}},
1202 /* example reaching delta=-64..65; 661 divsteps */
1203 {{0x21bf, 0x52d5, 0x8fd4, 0xaa18, 0x156a, 0x7247, 0xebb8, 0x5717,
1204 0x4eb5, 0x1421, 0xb58f, 0x3b0b, 0x5dff, 0xe533, 0xb369, 0xd28a},
1205 {0x9f6b, 0xe463, 0x2563, 0xc74d, 0x6d81, 0x636a, 0x8fc8, 0x7a94,
1206 0x9429, 0x1585, 0xf35e, 0x7ff5, 0xb64f, 0x9720, 0xba74, 0xe108},
1207 {0xa5ab, 0xea7b, 0xfe5e, 0x8a85, 0x13be, 0x7934, 0xe8a0, 0xa187,
1208 0x86b5, 0xe477, 0xb9a4, 0x75d7, 0x538f, 0xdd70, 0xc781, 0xb67d}},
1209 /* example reaching delta=-64..65; 661 divsteps */
1210 {{0xa41a, 0x3e8d, 0xf1f5, 0x9493, 0x868c, 0x5103, 0x2725, 0x3ceb,
1211 0x6032, 0x3624, 0xdc6b, 0x9120, 0xbf4c, 0x8821, 0x91ad, 0xb31a},
1212 {0x5c0b, 0xdda5, 0x20f8, 0x32a1, 0xaf73, 0x6ec5, 0x4779, 0x43d6,
1213 0xd454, 0x9573, 0xbf84, 0x5a58, 0xe04e, 0x307e, 0xd1d5, 0xe230},
1214 {0xda15, 0xbcd6, 0x7180, 0xabd3, 0x04e6, 0x6986, 0xc0d7, 0x90bb,
1215 0x3a4d, 0x7c95, 0xaaab, 0x9ab3, 0xda34, 0xa7f6, 0x9636, 0x6273}},
1216 /* example doing 123 consecutive (f,g/2) steps; 615 divsteps */
1217 {{0xb4d6, 0xb38f, 0x00aa, 0xebda, 0xd4c2, 0x70b8, 0x9dad, 0x58ee,
1218 0x68f8, 0x48d3, 0xb5ff, 0xf422, 0x9e46, 0x2437, 0x18d0, 0xd9cc},
1219 {0x5c83, 0xfed7, 0x97f5, 0x3f07, 0xcaad, 0x95b1, 0xb4a4, 0xb005,
1220 0x23af, 0xdd27, 0x6c0d, 0x932c, 0xe2b2, 0xe3ae, 0xfb96, 0xdf67},
1221 {0x3105, 0x0127, 0xfd48, 0x039b, 0x35f1, 0xbc6f, 0x6c0a, 0xb572,
1222 0xe4df, 0xebad, 0x8edc, 0xb89d, 0x9555, 0x4c26, 0x1fef, 0x997c}},
1223 /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1224 {{0x5138, 0xd474, 0x385f, 0xc964, 0x00f2, 0x6df7, 0x862d, 0xb185,
1225 0xb264, 0xe9e1, 0x466c, 0xf39e, 0xafaf, 0x5f41, 0x47e2, 0xc89d},
1226 {0x8607, 0x9c81, 0x46a2, 0x7dcc, 0xcb0c, 0x9325, 0xe149, 0x2bde,
1227 0x6632, 0x2869, 0xa261, 0xb163, 0xccee, 0x22ae, 0x91e0, 0xcfd5},
1228 {0x831c, 0xda22, 0xb080, 0xba7a, 0x26e2, 0x54b0, 0x073b, 0x5ea0,
1229 0xed4b, 0xcb3d, 0xbba1, 0xbec8, 0xf2ad, 0xae0d, 0x349b, 0x17d1}},
1230 /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1231 {{0xe9a5, 0xb4ad, 0xd995, 0x9953, 0xcdff, 0x50d7, 0xf715, 0x9dc7,
1232 0x3e28, 0x15a9, 0x95a3, 0x8554, 0x5b5e, 0xad1d, 0x6d57, 0x3d50},
1233 {0x3ad9, 0xbd60, 0x5cc7, 0x6b91, 0xadeb, 0x71f6, 0x7cc4, 0xa58a,
1234 0x2cce, 0xf17c, 0x38c9, 0x97ed, 0x65fb, 0x3fa6, 0xa6bc, 0xeb24},
1235 {0xf96c, 0x1963, 0x8151, 0xa0cc, 0x299b, 0xf277, 0x001a, 0x16bb,
1236 0xfd2e, 0x532d, 0x0410, 0xe117, 0x6b00, 0x44ec, 0xca6a, 0x1745}},
1237 /* example doing 446 (f,g/2) steps; 523 divsteps */
1238 {{0x3758, 0xa56c, 0xe41e, 0x4e47, 0x0975, 0xa82b, 0x107c, 0x89cf,
1239 0x2093, 0x5a0c, 0xda37, 0xe007, 0x6074, 0x4f68, 0x2f5a, 0xbb8a},
1240 {0x4beb, 0xa40f, 0x2c42, 0xd9d6, 0x97e8, 0xca7c, 0xd395, 0x894f,
1241 0x1f50, 0x8067, 0xa233, 0xb850, 0x1746, 0x1706, 0xbcda, 0xdf32},
1242 {0x762a, 0xceda, 0x4c45, 0x1ca0, 0x8c37, 0xd8c5, 0xef57, 0x7a2c,
1243 0x6e98, 0xe38a, 0xc50e, 0x2ca9, 0xcb85, 0x24d5, 0xc29c, 0x61f6}},
1244 /* example doing 446 (f,g/2) steps; 523 divsteps */
1245 {{0x6f38, 0x74ad, 0x7332, 0x4073, 0x6521, 0xb876, 0xa370, 0xa6bd,
1246 0xcea5, 0xbd06, 0x969f, 0x77c6, 0x1e69, 0x7c49, 0x7d51, 0xb6e7},
1247 {0x3f27, 0x4be4, 0xd81e, 0x1396, 0xb21f, 0x92aa, 0x6dc3, 0x6283,
1248 0x6ada, 0x3ca2, 0xc1e5, 0x8b9b, 0xd705, 0x5598, 0x8ba1, 0xe087},
1249 {0x6a22, 0xe834, 0xbc8d, 0xcee9, 0x42fc, 0xfc77, 0x9c45, 0x1ca8,
1250 0xeb66, 0xed74, 0xaaf9, 0xe75f, 0xfe77, 0x46d2, 0x179b, 0xbf3e}},
1251 /* example doing 336 (f,(f+g)/2) steps; 693 divsteps */
1252 {{0x7ea7, 0x444e, 0x84ea, 0xc447, 0x7c1f, 0xab97, 0x3de6, 0x5878,
1253 0x4e8b, 0xc017, 0x03e0, 0xdc40, 0xbbd0, 0x74ce, 0x0169, 0x7ab5},
1254 {0x4023, 0x154f, 0xfbe4, 0x8195, 0xfda0, 0xef54, 0x9e9a, 0xc703,
1255 0x2803, 0xf760, 0x6302, 0xed5b, 0x7157, 0x6456, 0xdd7d, 0xf14b},
1256 {0xb6fb, 0xe3b3, 0x0733, 0xa77e, 0x44c5, 0x3003, 0xc937, 0xdd4d,
1257 0x5355, 0x14e9, 0x184e, 0xcefe, 0xe6b5, 0xf2e0, 0x0a28, 0x5b74}},
1258 /* example doing 336 (f,(f+g)/2) steps; 687 divsteps */
1259 {{0xa893, 0xb5f4, 0x1ede, 0xa316, 0x242c, 0xbdcc, 0xb017, 0x0836,
1260 0x3a37, 0x27fb, 0xfb85, 0x251e, 0xa189, 0xb15d, 0xa4b8, 0xc24c},
1261 {0xb0b7, 0x57ba, 0xbb6d, 0x9177, 0xc896, 0xc7f2, 0x43b4, 0x85a6,
1262 0xe6c4, 0xe50e, 0x3109, 0x7ca5, 0xd73d, 0x13ff, 0x0c3d, 0xcd62},
1263 {0x48ca, 0xdb34, 0xe347, 0x2cef, 0x4466, 0x10fb, 0x7ee1, 0x6344,
1264 0x4308, 0x966d, 0xd4d1, 0xb099, 0x994f, 0xd025, 0x2187, 0x5866}},
1265 /* example doing 267 (g,(g-f)/2) steps; 678 divsteps */
1266 {{0x0775, 0x1754, 0x01f6, 0xdf37, 0xc0be, 0x8197, 0x072f, 0x6cf5,
1267 0x8b36, 0x8069, 0x5590, 0xb92d, 0x6084, 0x47a4, 0x23fe, 0xddd5},
1268 {0x8e1b, 0xda37, 0x27d9, 0x312e, 0x3a2f, 0xef6d, 0xd9eb, 0x8153,
1269 0xdcba, 0x9fa3, 0x9f80, 0xead5, 0x134d, 0x2ebb, 0x5ec0, 0xe032},
1270 {0x1cb6, 0x5a61, 0x1bed, 0x77d6, 0xd5d1, 0x7498, 0xef33, 0x2dd2,
1271 0x1089, 0xedbd, 0x6958, 0x16ae, 0x336c, 0x45e6, 0x4361, 0xbadc}},
1272 /* example doing 267 (g,(g-f)/2) steps; 676 divsteps */
1273 {{0x0207, 0xf948, 0xc430, 0xf36b, 0xf0a7, 0x5d36, 0x751f, 0x132c,
1274 0x6f25, 0xa630, 0xca1f, 0xc967, 0xaf9c, 0x34e7, 0xa38f, 0xbe9f},
1275 {0x5fb9, 0x7321, 0x6561, 0x5fed, 0x54ec, 0x9c3a, 0xee0e, 0x6717,
1276 0x49af, 0xb896, 0xf4f5, 0x451c, 0x722a, 0xf116, 0x64a9, 0xcf0b},
1277 {0xf4d7, 0xdb47, 0xfef2, 0x4806, 0x4cb8, 0x18c7, 0xd9a7, 0x4951,
1278 0x14d8, 0x5c3a, 0xd22d, 0xd7b2, 0x750c, 0x3de7, 0x8b4a, 0x19aa}},
1279
1280 /* Test cases triggering edge cases in divsteps variant starting with delta=1/2 */
1281
1282 /* example needing 590 divsteps; delta=-5/2..7/2 */
1283 {{0x9118, 0xb640, 0x53d7, 0x30ab, 0x2a23, 0xd907, 0x9323, 0x5b3a,
1284 0xb6d4, 0x538a, 0x7637, 0xfe97, 0xfd05, 0x3cc0, 0x453a, 0xfb7e},
1285 {0x6983, 0x4f75, 0x4ad1, 0x48ad, 0xb2d9, 0x521d, 0x3dbc, 0x9cc0,
1286 0x4b60, 0x0ac6, 0xd3be, 0x0fb6, 0xd305, 0x3895, 0x2da5, 0xfdf8},
1287 {0xcec1, 0x33ac, 0xa801, 0x8194, 0xe36c, 0x65ef, 0x103b, 0xca54,
1288 0xfa9b, 0xb41d, 0x9b52, 0xb6f7, 0xa611, 0x84aa, 0x3493, 0xbf54}},
1289 /* example needing 590 divsteps; delta=-3/2..5/2 */
1290 {{0xb5f2, 0x42d0, 0x35e8, 0x8ca0, 0x4b62, 0x6e1d, 0xbdf3, 0x890e,
1291 0x8c82, 0x23d8, 0xc79a, 0xc8e8, 0x789e, 0x353d, 0x9766, 0xea9d},
1292 {0x6fa1, 0xacba, 0x4b7a, 0x5de1, 0x95d0, 0xc845, 0xebbf, 0x6f5a,
1293 0x30cf, 0x52db, 0x69b7, 0xe278, 0x4b15, 0x8411, 0x2ab2, 0xf3e7},
1294 {0xf12c, 0x9d6d, 0x95fa, 0x1878, 0x9f13, 0x4fb5, 0x3c8b, 0xa451,
1295 0x7182, 0xc4b6, 0x7e2a, 0x7bb7, 0x6e0e, 0x5b68, 0xde55, 0x9927}},
1296 /* example needing 590 divsteps; delta=-3/2..5/2 */
1297 {{0x229c, 0x4ef8, 0x1e93, 0xe5dc, 0xcde5, 0x6d62, 0x263b, 0xad11,
1298 0xced0, 0x88ff, 0xae8e, 0x3183, 0x11d2, 0xa50b, 0x350d, 0xeb40},
1299 {0x3157, 0xe2ea, 0x8a02, 0x0aa3, 0x5ae1, 0xb26c, 0xea27, 0x6805,
1300 0x87e2, 0x9461, 0x37c1, 0x2f8d, 0x85d2, 0x77a8, 0xf805, 0xeec9},
1301 {0x6f4e, 0x2748, 0xf7e5, 0xd8d3, 0xabe2, 0x7270, 0xc4e0, 0xedc7,
1302 0xf196, 0x78ca, 0x9139, 0xd8af, 0x72c6, 0xaf2f, 0x85d2, 0x6cd3}},
1303 /* example needing 590 divsteps; delta=-5/2..7/2 */
1304 {{0xdce8, 0xf1fe, 0x6708, 0x021e, 0xf1ca, 0xd609, 0x5443, 0x85ce,
1305 0x7a05, 0x8f9c, 0x90c3, 0x52e7, 0x8e1d, 0x97b8, 0xc0bf, 0xf2a1},
1306 {0xbd3d, 0xed11, 0x1625, 0xb4c5, 0x844c, 0xa413, 0x2569, 0xb9ba,
1307 0xcd35, 0xff84, 0xcd6e, 0x7f0b, 0x7d5d, 0x10df, 0x3efe, 0xfbe5},
1308 {0xa9dd, 0xafef, 0xb1b7, 0x4c8d, 0x50e4, 0xafbf, 0x2d5a, 0xb27c,
1309 0x0653, 0x66b6, 0x5d36, 0x4694, 0x7e35, 0xc47c, 0x857f, 0x32c5}},
1310 /* example needing 590 divsteps; delta=-3/2..5/2 */
1311 {{0x7902, 0xc9f8, 0x926b, 0xaaeb, 0x90f8, 0x1c89, 0xcce3, 0x96b7,
1312 0x28b2, 0x87a2, 0x136d, 0x695a, 0xa8df, 0x9061, 0x9e31, 0xee82},
1313 {0xd3a9, 0x3c02, 0x818c, 0x6b81, 0x34b3, 0xebbb, 0xe2c8, 0x7712,
1314 0xbfd6, 0x8248, 0xa6f4, 0xba6f, 0x03bb, 0xfb54, 0x7575, 0xfe89},
1315 {0x8246, 0x0d63, 0x478e, 0xf946, 0xf393, 0x0451, 0x08c2, 0x5919,
1316 0x5fd6, 0x4c61, 0xbeb7, 0x9a15, 0x30e1, 0x55fc, 0x6a01, 0x3724}},
1317 /* example reaching delta=-127/2..129/2; 571 divsteps */
1318 {{0x3eff, 0x926a, 0x77f5, 0x1fff, 0x1a5b, 0xf3ef, 0xf64b, 0x8681,
1319 0xf800, 0xf9bc, 0x761d, 0xe268, 0x62b0, 0xa032, 0xba9c, 0xbe56},
1320 {0xb8f9, 0x00e7, 0x47b7, 0xdffc, 0xfd9d, 0x5abb, 0xa19b, 0x1868,
1321 0x31fd, 0x3b29, 0x3674, 0x5449, 0xf54d, 0x1d19, 0x6ac7, 0xff6f},
1322 {0xf1d7, 0x3551, 0x5682, 0x9adf, 0xe8aa, 0x19a5, 0x8340, 0x71db,
1323 0xb7ab, 0x4cfd, 0xf661, 0x632c, 0xc27e, 0xd3c6, 0xdf42, 0xd306}},
1324 /* example reaching delta=-127/2..129/2; 571 divsteps */
1325 {{0x0000, 0x0000, 0x0000, 0x0000, 0x3aff, 0x2ed7, 0xf2e0, 0xabc7,
1326 0x8aee, 0x166e, 0x7ed0, 0x9ac7, 0x714a, 0xb9c5, 0x4d58, 0xad6c},
1327 {0x9cf9, 0x47e2, 0xa421, 0xb277, 0xffc2, 0x2747, 0x6486, 0x94c1,
1328 0x1d99, 0xd49b, 0x1096, 0x991a, 0xe986, 0xae02, 0xe89b, 0xea36},
1329 {0x1fb4, 0x98d8, 0x19b7, 0x80e9, 0xcdac, 0xaa5a, 0xf1e6, 0x0074,
1330 0xe393, 0xed8b, 0x8d5c, 0xe17d, 0x81b3, 0xc16d, 0x54d3, 0x9be3}},
1331 /* example reaching delta=-127/2..129/2; 571 divsteps */
1332 {{0xd047, 0x7e36, 0x3157, 0x7ab6, 0xb4d9, 0x8dae, 0x7534, 0x4f5d,
1333 0x489e, 0xa8ab, 0x8a3d, 0xd52c, 0x62af, 0xa032, 0xba9c, 0xbe56},
1334 {0xb1f1, 0x737f, 0x5964, 0x5afb, 0x3712, 0x8ef9, 0x19f7, 0x9669,
1335 0x664d, 0x03ad, 0xc352, 0xf7a5, 0xf545, 0x1d19, 0x6ac7, 0xff6f},
1336 {0xa834, 0x5256, 0x27bc, 0x33bd, 0xba11, 0x5a7b, 0x791e, 0xe6c0,
1337 0x9ac4, 0x9370, 0x1130, 0x28b4, 0x2b2e, 0x231b, 0x082a, 0x796e}},
1338 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1339 {{0x6ab1, 0x6ea0, 0x1a99, 0xe0c2, 0xdd45, 0x645d, 0x8dbc, 0x466a,
1340 0xfa64, 0x4289, 0xd3f7, 0xfc8f, 0x2894, 0xe3c5, 0xa008, 0xcc14},
1341 {0xc75f, 0xc083, 0x4cc2, 0x64f2, 0x2aff, 0x4c12, 0x8461, 0xc4ae,
1342 0xbbfa, 0xb336, 0xe4b2, 0x3ac5, 0x2c22, 0xf56c, 0x5381, 0xe943},
1343 {0xcd80, 0x760d, 0x4395, 0xb3a6, 0xd497, 0xf583, 0x82bd, 0x1daa,
1344 0xbe92, 0x2613, 0xfdfb, 0x869b, 0x0425, 0xa333, 0x7056, 0xc9c5}},
1345 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1346 {{0x71d4, 0x64df, 0xec4f, 0x74d8, 0x7e0c, 0x40d3, 0x7073, 0x4cc8,
1347 0x2a2a, 0xb1ff, 0x8518, 0x6513, 0xb0ea, 0x640a, 0x62d9, 0xd5f4},
1348 {0xdc75, 0xd937, 0x3b13, 0x1d36, 0xdf83, 0xd034, 0x1c1c, 0x4332,
1349 0x4cc3, 0xeeec, 0x7d94, 0x6771, 0x3384, 0x74b0, 0x947d, 0xf2c4},
1350 {0x0a82, 0x37a4, 0x12d5, 0xec97, 0x972c, 0xe6bf, 0xc348, 0xa0a9,
1351 0xc50c, 0xdc7c, 0xae30, 0x19d1, 0x0fca, 0x35e1, 0xd6f6, 0x81ee}},
1352 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1353 {{0xa6b1, 0xabc5, 0x5bbc, 0x7f65, 0xdd32, 0xaa73, 0xf5a3, 0x1982,
1354 0xced4, 0xe949, 0x0fd6, 0x2bc4, 0x2bd7, 0xe3c5, 0xa008, 0xcc14},
1355 {0x4b5f, 0x8f96, 0xa375, 0xfbcf, 0x1c7d, 0xf1ec, 0x03f5, 0xb35d,
1356 0xb999, 0xdb1f, 0xc9a1, 0xb4c7, 0x1dd5, 0xf56c, 0x5381, 0xe943},
1357 {0xaa3d, 0x38b9, 0xf17d, 0xeed9, 0x9988, 0x69ee, 0xeb88, 0x1495,
1358 0x203f, 0x18c8, 0x82b7, 0xdcb2, 0x34a7, 0x6b00, 0x6998, 0x589a}},
1359 /* example doing 453 (f,g/2) steps; 514 divsteps */
1360 {{0xa478, 0xe60d, 0x3244, 0x60e6, 0xada3, 0xfe50, 0xb6b1, 0x2eae,
1361 0xd0ef, 0xa7b1, 0xef63, 0x05c0, 0xe213, 0x443e, 0x4427, 0x2448},
1362 {0x258f, 0xf9ef, 0xe02b, 0x92dd, 0xd7f3, 0x252b, 0xa503, 0x9089,
1363 0xedff, 0x96c1, 0xfe3a, 0x3a39, 0x198a, 0x981d, 0x0627, 0xedb7},
1364 {0x595a, 0x45be, 0x8fb0, 0x2265, 0xc210, 0x02b8, 0xdce9, 0xe241,
1365 0xcab6, 0xbf0d, 0x0049, 0x8d9a, 0x2f51, 0xae54, 0x5785, 0xb411}},
1366 /* example doing 453 (f,g/2) steps; 514 divsteps */
1367 {{0x48f0, 0x7db3, 0xdafe, 0x1c92, 0x5912, 0xe11a, 0xab52, 0xede1,
1368 0x3182, 0x8980, 0x5d2b, 0x9b5b, 0x8718, 0xda27, 0x1683, 0x1de2},
1369 {0x168f, 0x6f36, 0xce7a, 0xf435, 0x19d4, 0xda5e, 0x2351, 0x9af5,
1370 0xb003, 0x0ef5, 0x3b4c, 0xecec, 0xa9f0, 0x78e1, 0xdfef, 0xe823},
1371 {0x5f55, 0xfdcc, 0xb233, 0x2914, 0x84f0, 0x97d1, 0x9cf4, 0x2159,
1372 0xbf56, 0xb79c, 0x17a3, 0x7cef, 0xd5de, 0x34f0, 0x5311, 0x4c54}},
1373 /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1374 {{0x2789, 0x2e04, 0x6e0e, 0xb6cd, 0xe4de, 0x4dbf, 0x228d, 0x7877,
1375 0xc335, 0x806b, 0x38cd, 0x8049, 0xa73b, 0xcfa2, 0x82f7, 0x9e19},
1376 {0xc08d, 0xb99d, 0xb8f3, 0x663d, 0xbbb3, 0x1284, 0x1485, 0x1d49,
1377 0xc98f, 0x9e78, 0x1588, 0x11e3, 0xd91a, 0xa2c7, 0xfff1, 0xc7b9},
1378 {0x1e1f, 0x411d, 0x7c49, 0x0d03, 0xe789, 0x2f8e, 0x5d55, 0xa95e,
1379 0x826e, 0x8de5, 0x52a0, 0x1abc, 0x4cd7, 0xd13a, 0x4395, 0x63e1}},
1380 /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1381 {{0xd5a1, 0xf786, 0x555c, 0xb14b, 0x44ae, 0x535f, 0x4a49, 0xffc3,
1382 0xf497, 0x70d1, 0x57c8, 0xa933, 0xc85a, 0x1910, 0x75bf, 0x960b},
1383 {0xfe53, 0x5058, 0x496d, 0xfdff, 0x6fb8, 0x4100, 0x92bd, 0xe0c4,
1384 0xda89, 0xe0a4, 0x841b, 0x43d4, 0xa388, 0x957f, 0x99ca, 0x9abf},
1385 {0xe530, 0x05bc, 0xfeec, 0xfc7e, 0xbcd3, 0x1239, 0x54cb, 0x7042,
1386 0xbccb, 0x139e, 0x9076, 0x0203, 0x6068, 0x90c7, 0x1ddf, 0x488d}},
1387 /* example doing 228 (g,(g-f)/2) steps; 538 divsteps */
1388 {{0x9488, 0xe54b, 0x0e43, 0x81d2, 0x06e7, 0x4b66, 0x36d0, 0x53d6,
1389 0x2b68, 0x22ec, 0x3fa9, 0xc1a7, 0x9ad2, 0xa596, 0xb3ac, 0xdf42},
1390 {0xe31f, 0x0b28, 0x5f3b, 0xc1ff, 0x344c, 0xbf5f, 0xd2ec, 0x2936,
1391 0x9995, 0xdeb2, 0xae6c, 0x2852, 0xa2c6, 0xb306, 0x8120, 0xe305},
1392 {0xa56e, 0xfb98, 0x1537, 0x4d85, 0x619e, 0x866c, 0x3cd4, 0x779a,
1393 0xdd66, 0xa80d, 0xdc2f, 0xcae4, 0xc74c, 0x5175, 0xa65d, 0x605e}},
1394 /* example doing 228 (g,(g-f)/2) steps; 537 divsteps */
1395 {{0x8cd5, 0x376d, 0xd01b, 0x7176, 0x19ef, 0xcf09, 0x8403, 0x5e52,
1396 0x83c1, 0x44de, 0xb91e, 0xb33d, 0xe15c, 0x51e7, 0xbad8, 0x6359},
1397 {0x3b75, 0xf812, 0x5f9e, 0xa04e, 0x92d3, 0x226e, 0x540e, 0x7c9a,
1398 0x31c6, 0x46d2, 0x0b7b, 0xdb4a, 0xe662, 0x4950, 0x0265, 0xf76f},
1399 {0x09ed, 0x692f, 0xe8f1, 0x3482, 0xab54, 0x36b4, 0x8442, 0x6ae9,
1400 0x4329, 0x6505, 0x183b, 0x1c1d, 0x482d, 0x7d63, 0xb44f, 0xcc09}},
1401
1402 /* Test cases with the group order as modulus. */
1403
1404 /* Test case with the group order as modulus, needing 635 divsteps. */
1405 {{0x95ed, 0x6c01, 0xd113, 0x5ff1, 0xd7d0, 0x29cc, 0x5817, 0x6120,
1406 0xca8e, 0xaad1, 0x25ae, 0x8e84, 0x9af6, 0x30bf, 0xf0ed, 0x1686},
1407 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1408 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1409 {0x1631, 0xbf4a, 0x286a, 0x2716, 0x469f, 0x2ac8, 0x1312, 0xe9bc,
1410 0x04f4, 0x304b, 0x9931, 0x113b, 0xd932, 0xc8f4, 0x0d0d, 0x01a1}},
1411 /* example with group size as modulus needing 631 divsteps */
1412 {{0x85ed, 0xc284, 0x9608, 0x3c56, 0x19b6, 0xbb5b, 0x2850, 0xdab7,
1413 0xa7f5, 0xe9ab, 0x06a4, 0x5bbb, 0x1135, 0xa186, 0xc424, 0xc68b},
1414 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1415 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1416 {0x8479, 0x450a, 0x8fa3, 0xde05, 0xb2f5, 0x7793, 0x7269, 0xbabb,
1417 0xc3b3, 0xd49b, 0x3377, 0x03c6, 0xe694, 0xc760, 0xd3cb, 0x2811}},
1418 /* example with group size as modulus needing 565 divsteps starting at delta=1/2 */
1419 {{0x8432, 0x5ceb, 0xa847, 0x6f1e, 0x51dd, 0x535a, 0x6ddc, 0x70ce,
1420 0x6e70, 0xc1f6, 0x18f2, 0x2a7e, 0xc8e7, 0x39f8, 0x7e96, 0xebbf},
1421 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1422 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1423 {0x257e, 0x449f, 0x689f, 0x89aa, 0x3989, 0xb661, 0x376c, 0x1e32,
1424 0x654c, 0xee2e, 0xf4e2, 0x33c8, 0x3f2f, 0x9716, 0x6046, 0xcaa3}},
1425 /* Test case with the group size as modulus, needing 981 divsteps with
1426 broken eta handling. */
1427 {{0xfeb9, 0xb877, 0xee41, 0x7fa3, 0x87da, 0x94c4, 0x9d04, 0xc5ae,
1428 0x5708, 0x0994, 0xfc79, 0x0916, 0xbf32, 0x3ad8, 0xe11c, 0x5ca2},
1429 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1430 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1431 {0x0f12, 0x075e, 0xce1c, 0x6f92, 0xc80f, 0xca92, 0x9a04, 0x6126,
1432 0x4b6c, 0x57d6, 0xca31, 0x97f3, 0x1f99, 0xf4fd, 0xda4d, 0x42ce}},
1433 /* Test case with the group size as modulus, input = 0. */
1434 {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1435 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1436 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1437 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1438 {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1439 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1440 /* Test case with the group size as modulus, input = 1. */
1441 {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1442 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1443 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1444 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1445 {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1446 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1447 /* Test case with the group size as modulus, input = 2. */
1448 {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1449 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1450 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1451 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1452 {0x20a1, 0x681b, 0x2f46, 0xdfe9, 0x501d, 0x57a4, 0x6e73, 0x5d57,
1453 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1454 /* Test case with the group size as modulus, input = group - 1. */
1455 {{0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1456 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1457 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1458 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1459 {0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1460 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1461
1462 /* Test cases with the field size as modulus. */
1463
1464 /* Test case with the field size as modulus, needing 637 divsteps. */
1465 {{0x9ec3, 0x1919, 0xca84, 0x7c11, 0xf996, 0x06f3, 0x5408, 0x6688,
1466 0x1320, 0xdb8a, 0x632a, 0x0dcb, 0x8a84, 0x6bee, 0x9c95, 0xe34e},
1467 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1468 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1469 {0x18e5, 0x19b6, 0xdf92, 0x1aaa, 0x09fb, 0x8a3f, 0x52b0, 0x8701,
1470 0xac0c, 0x2582, 0xda44, 0x9bcc, 0x6828, 0x1c53, 0xbd8f, 0xbd2c}},
1471 /* example with field size as modulus needing 637 divsteps */
1472 {{0xaec3, 0xa7cf, 0x2f2d, 0x0693, 0x5ad5, 0xa8ff, 0x7ec7, 0x30ff,
1473 0x0c8b, 0xc242, 0xcab2, 0x063a, 0xf86e, 0x6057, 0x9cbd, 0xf6d8},
1474 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1475 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1476 {0x0310, 0x579d, 0xcb38, 0x9030, 0x3ded, 0x9bb9, 0x1234, 0x63ce,
1477 0x0c63, 0x8e3d, 0xacfe, 0x3c20, 0xdc85, 0xf859, 0x919e, 0x1d45}},
1478 /* example with field size as modulus needing 564 divsteps starting at delta=1/2 */
1479 {{0x63ae, 0x8d10, 0x0071, 0xdb5c, 0xb454, 0x78d1, 0x744a, 0x5f8e,
1480 0xe4d8, 0x87b1, 0x8e62, 0x9590, 0xcede, 0xa070, 0x36b4, 0x7f6f},
1481 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1482 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1483 {0xfdc8, 0xe8d5, 0xbe15, 0x9f86, 0xa5fe, 0xf18e, 0xa7ff, 0xd291,
1484 0xf4c2, 0x9c87, 0xf150, 0x073e, 0x69b8, 0xf7c4, 0xee4b, 0xc7e6}},
1485 /* Test case with the field size as modulus, needing 935 divsteps with
1486 broken eta handling. */
1487 {{0x1b37, 0xbdc3, 0x8bcd, 0x25e3, 0x1eae, 0x567d, 0x30b6, 0xf0d8,
1488 0x9277, 0x0cf8, 0x9c2e, 0xecd7, 0x631d, 0xe38f, 0xd4f8, 0x5c93},
1489 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1490 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1491 {0x1622, 0xe05b, 0xe880, 0x7de9, 0x3e45, 0xb682, 0xee6c, 0x67ed,
1492 0xa179, 0x15db, 0x6b0d, 0xa656, 0x7ccb, 0x8ef7, 0xa2ff, 0xe279}},
1493 /* Test case with the field size as modulus, input = 0. */
1494 {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1495 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1496 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1497 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1498 {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1499 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1500 /* Test case with the field size as modulus, input = 1. */
1501 {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1502 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1503 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1504 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1505 {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1506 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1507 /* Test case with the field size as modulus, input = 2. */
1508 {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1509 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1510 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1511 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1512 {0xfe18, 0x7fff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1513 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1514 /* Test case with the field size as modulus, input = field - 1. */
1515 {{0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1516 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1517 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1518 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1519 {0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1520 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1521
1522 /* Selected from a large number of random inputs to reach small/large
1523 * d/e values in various configurations. */
1524 {{0x3a08, 0x23e1, 0x4d8c, 0xe606, 0x3263, 0x67af, 0x9bf1, 0x9d70,
1525 0xf5fd, 0x12e4, 0x03c8, 0xb9ca, 0xe847, 0x8c5d, 0x6322, 0xbd30},
1526 {0x8359, 0x59dd, 0x1831, 0x7c1a, 0x1e83, 0xaee1, 0x770d, 0xcea8,
1527 0xfbb1, 0xeed6, 0x10b5, 0xe2c6, 0x36ea, 0xee17, 0xe32c, 0xffff},
1528 {0x1727, 0x0f36, 0x6f85, 0x5d0c, 0xca6c, 0x3072, 0x9628, 0x5842,
1529 0xcb44, 0x7c2b, 0xca4f, 0x62e5, 0x29b1, 0x6ffd, 0x9055, 0xc196}},
1530 {{0x905d, 0x41c8, 0xa2ff, 0x295b, 0x72bb, 0x4679, 0x6d01, 0x2c98,
1531 0xb3e0, 0xc537, 0xa310, 0xe07e, 0xe72f, 0x4999, 0x1148, 0xf65e},
1532 {0x5b41, 0x4239, 0x3c37, 0x5130, 0x30e3, 0xff35, 0xc51f, 0x1a43,
1533 0xdb23, 0x13cf, 0x9f49, 0xf70c, 0x5e70, 0xd411, 0x3005, 0xf8c6},
1534 {0xc30e, 0x68f0, 0x201a, 0xe10c, 0x864a, 0x6243, 0xe946, 0x43ae,
1535 0xf3f1, 0x52dc, 0x1f7f, 0x50d4, 0x2797, 0x064c, 0x5ca4, 0x90e3}},
1536 {{0xf1b5, 0xc6e5, 0xd2c4, 0xff95, 0x27c5, 0x0c92, 0x5d19, 0x7ae5,
1537 0x4fbe, 0x5438, 0x99e1, 0x880d, 0xd892, 0xa05c, 0x6ffd, 0x7eac},
1538 {0x2153, 0xcc9d, 0xfc6c, 0x8358, 0x49a1, 0x01e2, 0xcef0, 0x4969,
1539 0xd69a, 0x8cef, 0xf5b2, 0xfd95, 0xdcc2, 0x71f4, 0x6ae2, 0xceeb},
1540 {0x9b2e, 0xcdc6, 0x0a5c, 0x7317, 0x9084, 0xe228, 0x56cf, 0xd512,
1541 0x628a, 0xce21, 0x3473, 0x4e13, 0x8823, 0x1ed0, 0x34d0, 0xbfa3}},
1542 {{0x5bae, 0x53e5, 0x5f4d, 0x21ca, 0xb875, 0x8ecf, 0x9aa6, 0xbe3c,
1543 0x9f96, 0x7b82, 0x375d, 0x4d3e, 0x491c, 0xb1eb, 0x04c9, 0xb6c8},
1544 {0xfcfd, 0x10b7, 0x73b2, 0xd23b, 0xa357, 0x67da, 0x0d9f, 0x8702,
1545 0xa037, 0xff8e, 0x0e8b, 0x1801, 0x2c5c, 0x4e6e, 0x4558, 0xfff2},
1546 {0xc50f, 0x5654, 0x6713, 0x5ef5, 0xa7ce, 0xa647, 0xc832, 0x69ce,
1547 0x1d5c, 0x4310, 0x0746, 0x5a01, 0x96ea, 0xde4b, 0xa88b, 0x5543}},
1548 {{0xdc7f, 0x5e8c, 0x89d1, 0xb077, 0xd521, 0xcf90, 0x32fa, 0x5737,
1549 0x839e, 0x1464, 0x007c, 0x09c6, 0x9371, 0xe8ea, 0xc1cb, 0x75c4},
1550 {0xe3a3, 0x107f, 0xa82a, 0xa375, 0x4578, 0x60f4, 0x75c9, 0x5ee4,
1551 0x3fd7, 0x2736, 0x2871, 0xd3d2, 0x5f1d, 0x1abb, 0xa764, 0xffff},
1552 {0x45c6, 0x1f2e, 0xb14c, 0x84d7, 0x7bb7, 0x5a04, 0x0504, 0x3f33,
1553 0x5cc1, 0xb07a, 0x6a6c, 0x786f, 0x647f, 0xe1d7, 0x78a2, 0x4cf4}},
1554 {{0xc006, 0x356f, 0x8cd2, 0x967b, 0xb49e, 0x2d4e, 0x14bf, 0x4bcb,
1555 0xddab, 0xd3f9, 0xa068, 0x2c1c, 0xd242, 0xa56d, 0xf2c7, 0x5f97},
1556 {0x465b, 0xb745, 0x0e0d, 0x69a9, 0x987d, 0xcb37, 0xf637, 0xb311,
1557 0xc4d6, 0x2ddb, 0xf68f, 0x2af9, 0x959d, 0x3f53, 0x98f2, 0xf640},
1558 {0xc0f2, 0x6bfb, 0xf5c3, 0x91c1, 0x6b05, 0x0825, 0x5ca0, 0x7df7,
1559 0x9d55, 0x6d9e, 0xfe94, 0x2ad9, 0xd9f0, 0xe68b, 0xa72b, 0xd1b2}},
1560 {{0x2279, 0x61ba, 0x5bc6, 0x136b, 0xf544, 0x717c, 0xafda, 0x02bd,
1561 0x79af, 0x1fad, 0xea09, 0x81bb, 0x932b, 0x32c9, 0xdf1d, 0xe576},
1562 {0x8215, 0x7817, 0xca82, 0x43b0, 0x9b06, 0xea65, 0x1291, 0x0621,
1563 0x0089, 0x46fe, 0xc5a6, 0xddd7, 0x8065, 0xc6a0, 0x214b, 0xfc64},
1564 {0x04bf, 0x6f2a, 0x86b2, 0x841a, 0x4a95, 0xc632, 0x97b7, 0x5821,
1565 0x2b18, 0x1bb0, 0x3e97, 0x935e, 0xcc7d, 0x066b, 0xd513, 0xc251}},
1566 {{0x76e8, 0x5bc2, 0x3eaa, 0x04fc, 0x9974, 0x92c1, 0x7c15, 0xfa89,
1567 0x1151, 0x36ee, 0x48b2, 0x049c, 0x5f16, 0xcee4, 0x925b, 0xe98e},
1568 {0x913f, 0x0a2d, 0xa185, 0x9fea, 0xda5a, 0x4025, 0x40d7, 0x7cfa,
1569 0x88ca, 0xbbe8, 0xb265, 0xb7e4, 0x6cb1, 0xed64, 0xc6f9, 0xffb5},
1570 {0x6ab1, 0x1a86, 0x5009, 0x152b, 0x1cc4, 0xe2c8, 0x960b, 0x19d0,
1571 0x3554, 0xc562, 0xd013, 0xcf91, 0x10e1, 0x7933, 0xe195, 0xcf49}},
1572 {{0x9cb5, 0xd2d7, 0xc6ed, 0xa818, 0xb495, 0x06ee, 0x0f4a, 0x06e3,
1573 0x4c5a, 0x80ce, 0xd49a, 0x4cd7, 0x7487, 0x92af, 0xe516, 0x676c},
1574 {0xd6e9, 0x6b85, 0x619a, 0xb52c, 0x20a0, 0x2f79, 0x3545, 0x1edd,
1575 0x5a6f, 0x8082, 0x9b80, 0xf8f8, 0xc78a, 0xd0a3, 0xadf4, 0xffff},
1576 {0x01c2, 0x2118, 0xef5e, 0xa877, 0x046a, 0xd2c2, 0x2ad5, 0x951c,
1577 0x8900, 0xa5c9, 0x8d0f, 0x6b61, 0x55d3, 0xd572, 0x48de, 0x9219}},
1578 {{0x5114, 0x0644, 0x23dd, 0x01d3, 0xc101, 0xa659, 0xea17, 0x640f,
1579 0xf767, 0x2644, 0x9cec, 0xd8ba, 0xd6da, 0x9156, 0x8aeb, 0x875a},
1580 {0xc1bf, 0xdae9, 0xe96b, 0xce77, 0xf7a1, 0x3e99, 0x5c2e, 0x973b,
1581 0xd048, 0x5bd0, 0x4e8a, 0xcb85, 0xce39, 0x37f5, 0x815d, 0xffff},
1582 {0x48cc, 0x35b6, 0x26d4, 0x2ea6, 0x50d6, 0xa2f9, 0x64b6, 0x03bf,
1583 0xd00c, 0xe057, 0x3343, 0xfb79, 0x3ce5, 0xf717, 0xc5af, 0xe185}},
1584 {{0x13ff, 0x6c76, 0x2077, 0x16e0, 0xd5ca, 0xf2ad, 0x8dba, 0x8f49,
1585 0x7887, 0x16f9, 0xb646, 0xfc87, 0xfa31, 0x5096, 0xf08c, 0x3fbe},
1586 {0x8139, 0x6fd7, 0xf6df, 0xa7bf, 0x6699, 0x5361, 0x6f65, 0x13c8,
1587 0xf4d1, 0xe28f, 0xc545, 0x0a8c, 0x5274, 0xb0a6, 0xffff, 0xffff},
1588 {0x22ca, 0x0cd6, 0xc1b5, 0xb064, 0x44a7, 0x297b, 0x495f, 0x34ac,
1589 0xfa95, 0xec62, 0xf08d, 0x621c, 0x66a6, 0xba94, 0x84c6, 0x8ee0}},
1590 {{0xaa30, 0x312e, 0x439c, 0x4e88, 0x2e2f, 0x32dc, 0xb880, 0xa28e,
1591 0xf795, 0xc910, 0xb406, 0x8dd7, 0xb187, 0xa5a5, 0x38f1, 0xe49e},
1592 {0xfb19, 0xf64a, 0xba6a, 0x8ec2, 0x7255, 0xce89, 0x2cf9, 0x9cba,
1593 0xe1fe, 0x50da, 0x1705, 0xac52, 0xe3d4, 0x4269, 0x0648, 0xfd77},
1594 {0xb4c8, 0x6e8a, 0x2b5f, 0x4c2d, 0x5a67, 0xa7bb, 0x7d6d, 0x5569,
1595 0xa0ea, 0x244a, 0xc0f2, 0xf73d, 0x58cf, 0xac7f, 0xd32b, 0x3018}},
1596 {{0xc953, 0x1ae1, 0xae46, 0x8709, 0x19c2, 0xa986, 0x9abe, 0x1611,
1597 0x0395, 0xd5ab, 0xf0f6, 0xb5b0, 0x5b2b, 0x0317, 0x80ba, 0x376d},
1598 {0xfe77, 0xbc03, 0xac2f, 0x9d00, 0xa175, 0x293d, 0x3b56, 0x0e3a,
1599 0x0a9c, 0xf40c, 0x690e, 0x1508, 0x95d4, 0xddc4, 0xe805, 0xffff},
1600 {0xb1ce, 0x0929, 0xa5fe, 0x4b50, 0x9d5d, 0x8187, 0x2557, 0x4376,
1601 0x11ba, 0xdcef, 0xc1f3, 0xd531, 0x1824, 0x93f6, 0xd81f, 0x8f83}},
1602 {{0xb8d2, 0xb900, 0x4a0c, 0x7188, 0xa5bf, 0x1b0b, 0x2ae5, 0xa35b,
1603 0x98e0, 0x610c, 0x86db, 0x2487, 0xa267, 0x002c, 0xebb6, 0xc5f4},
1604 {0x9cdd, 0x1c1b, 0x2f06, 0x43d1, 0xce47, 0xc334, 0x6e60, 0xc016,
1605 0x989e, 0x0ab2, 0x0cac, 0x1196, 0xe2d9, 0x2e04, 0xc62b, 0xffff},
1606 {0xdc36, 0x1f05, 0x6aa9, 0x7a20, 0x944f, 0x2fd3, 0xa553, 0xdb4f,
1607 0xbd5c, 0x3a75, 0x25d4, 0xe20e, 0xa387, 0x1410, 0xdbb1, 0x1b60}},
1608 {{0x76b3, 0x2207, 0x4930, 0x5dd7, 0x65a0, 0xd55c, 0xb443, 0x53b7,
1609 0x5c22, 0x818a, 0xb2e7, 0x9de8, 0x9985, 0xed45, 0x33b1, 0x53e8},
1610 {0x7913, 0x44e1, 0xf15b, 0x5edd, 0x34f3, 0x4eba, 0x0758, 0x7104,
1611 0x32d9, 0x28f3, 0x4401, 0x85c5, 0xb695, 0xb899, 0xc0f2, 0xffff},
1612 {0x7f43, 0xd202, 0x24c9, 0x69f3, 0x74dc, 0x1a69, 0xeaee, 0x5405,
1613 0x1755, 0x4bb8, 0x04e3, 0x2fd2, 0xada8, 0x39eb, 0x5b4d, 0x96ca}},
1614 {{0x807b, 0x7112, 0xc088, 0xdafd, 0x02fa, 0x9d95, 0x5e42, 0xc033,
1615 0xde0a, 0xeecf, 0x8e90, 0x8da1, 0xb17e, 0x9a5b, 0x4c6d, 0x1914},
1616 {0x4871, 0xd1cb, 0x47d7, 0x327f, 0x09ec, 0x97bb, 0x2fae, 0xd346,
1617 0x6b78, 0x3707, 0xfeb2, 0xa6ab, 0x13df, 0x76b0, 0x8fb9, 0xffb3},
1618 {0x179e, 0xb63b, 0x4784, 0x231e, 0x9f42, 0x7f1a, 0xa3fb, 0xdd8c,
1619 0xd1eb, 0xb4c9, 0x8ca7, 0x018c, 0xf691, 0x576c, 0xa7d6, 0xce27}},
1620 {{0x5f45, 0x7c64, 0x083d, 0xedd5, 0x08a0, 0x0c64, 0x6c6f, 0xec3c,
1621 0xe2fb, 0x352c, 0x9303, 0x75e4, 0xb4e0, 0x8b09, 0xaca4, 0x7025},
1622 {0x1025, 0xb482, 0xfed5, 0xa678, 0x8966, 0x9359, 0x5329, 0x98bb,
1623 0x85b2, 0x73ba, 0x9982, 0x6fdc, 0xf190, 0xbe8c, 0xdc5c, 0xfd93},
1624 {0x83a2, 0x87a4, 0xa680, 0x52a1, 0x1ba1, 0x8848, 0x5db7, 0x9744,
1625 0x409c, 0x0745, 0x0e1e, 0x1cfc, 0x00cd, 0xf573, 0x2071, 0xccaa}},
1626 {{0xf61f, 0x63d4, 0x536c, 0x9eb9, 0x5ddd, 0xbb11, 0x9014, 0xe904,
1627 0xfe01, 0x6b45, 0x1858, 0xcb5b, 0x4c38, 0x43e1, 0x381d, 0x7f94},
1628 {0xf61f, 0x63d4, 0xd810, 0x7ca3, 0x8a04, 0x4b83, 0x11fc, 0xdf94,
1629 0x4169, 0xbd05, 0x608e, 0x7151, 0x4fbf, 0xb31a, 0x38a7, 0xa29b},
1630 {0xe621, 0xdfa5, 0x3d06, 0x1d03, 0x81e6, 0x00da, 0x53a6, 0x965e,
1631 0x93e5, 0x2164, 0x5b61, 0x59b8, 0xa629, 0x8d73, 0x699a, 0x6111}},
1632 {{0x4cc3, 0xd29e, 0xf4a3, 0x3428, 0x2048, 0xeec9, 0x5f50, 0x99a4,
1633 0x6de9, 0x05f2, 0x5aa9, 0x5fd2, 0x98b4, 0x1adc, 0x225f, 0x777f},
1634 {0xe649, 0x37da, 0x5ba6, 0x5765, 0x3f4a, 0x8a1c, 0x2e79, 0xf550,
1635 0x1a54, 0xcd1e, 0x7218, 0x3c3c, 0x6311, 0xfe28, 0x95fb, 0xed97},
1636 {0xe9b6, 0x0c47, 0x3f0e, 0x849b, 0x11f8, 0xe599, 0x5e4d, 0xd618,
1637 0xa06d, 0x33a0, 0x9a3e, 0x44db, 0xded8, 0x10f0, 0x94d2, 0x81fb}},
1638 {{0x2e59, 0x7025, 0xd413, 0x455a, 0x1ce3, 0xbd45, 0x7263, 0x27f7,
1639 0x23e3, 0x518e, 0xbe06, 0xc8c4, 0xe332, 0x4276, 0x68b4, 0xb166},
1640 {0x596f, 0x0cf6, 0xc8ec, 0x787b, 0x04c1, 0x473c, 0xd2b8, 0x8d54,
1641 0x9cdf, 0x77f2, 0xd3f3, 0x6735, 0x0638, 0xf80e, 0x9467, 0xc6aa},
1642 {0xc7e7, 0x1822, 0xb62a, 0xec0d, 0x89cd, 0x7846, 0xbfa2, 0x35d5,
1643 0xfa38, 0x870f, 0x494b, 0x1697, 0x8b17, 0xf904, 0x10b6, 0x9822}},
1644 {{0x6d5b, 0x1d4f, 0x0aaf, 0x807b, 0x35fb, 0x7ee8, 0x00c6, 0x059a,
1645 0xddf0, 0x1fb1, 0xc38a, 0xd78e, 0x2aa4, 0x79e7, 0xad28, 0xc3f1},
1646 {0xe3bb, 0x174e, 0xe0a8, 0x74b6, 0xbd5b, 0x35f6, 0x6d23, 0x6328,
1647 0xc11f, 0x83e1, 0xf928, 0xa918, 0x838e, 0xbf43, 0xe243, 0xfffb},
1648 {0x9cf2, 0x6b8b, 0x3476, 0x9d06, 0xdcf2, 0xdb8a, 0x89cd, 0x4857,
1649 0x75c2, 0xabb8, 0x490b, 0xc9bd, 0x890e, 0xe36e, 0xd552, 0xfffa}},
1650 {{0x2f09, 0x9d62, 0xa9fc, 0xf090, 0xd6d1, 0x9d1d, 0x1828, 0xe413,
1651 0xc92b, 0x3d5a, 0x1373, 0x368c, 0xbaf2, 0x2158, 0x71eb, 0x08a3},
1652 {0x2f09, 0x1d62, 0x4630, 0x0de1, 0x06dc, 0xf7f1, 0xc161, 0x1e92,
1653 0x7495, 0x97e4, 0x94b6, 0xa39e, 0x4f1b, 0x18f8, 0x7bd4, 0x0c4c},
1654 {0xeb3d, 0x723d, 0x0907, 0x525b, 0x463a, 0x49a8, 0xc6b8, 0xce7f,
1655 0x740c, 0x0d7d, 0xa83b, 0x457f, 0xae8e, 0xc6af, 0xd331, 0x0475}},
1656 {{0x6abd, 0xc7af, 0x3e4e, 0x95fd, 0x8fc4, 0xee25, 0x1f9c, 0x0afe,
1657 0x291d, 0xcde0, 0x48f4, 0xb2e8, 0xf7af, 0x8f8d, 0x0bd6, 0x078d},
1658 {0x4037, 0xbf0e, 0x2081, 0xf363, 0x13b2, 0x381e, 0xfb6e, 0x818e,
1659 0x27e4, 0x5662, 0x18b0, 0x0cd2, 0x81f5, 0x9415, 0x0d6c, 0xf9fb},
1660 {0xd205, 0x0981, 0x0498, 0x1f08, 0xdb93, 0x1732, 0x0579, 0x1424,
1661 0xad95, 0x642f, 0x050c, 0x1d6d, 0xfc95, 0xfc4a, 0xd41b, 0x3521}},
1662 {{0xf23a, 0x4633, 0xaef4, 0x1a92, 0x3c8b, 0x1f09, 0x30f3, 0x4c56,
1663 0x2a2f, 0x4f62, 0xf5e4, 0x8329, 0x63cc, 0xb593, 0xec6a, 0xc428},
1664 {0x93a7, 0xfcf6, 0x606d, 0xd4b2, 0x2aad, 0x28b4, 0xc65b, 0x8998,
1665 0x4e08, 0xd178, 0x0900, 0xc82b, 0x7470, 0xa342, 0x7c0f, 0xffff},
1666 {0x315f, 0xf304, 0xeb7b, 0xe5c3, 0x1451, 0x6311, 0x8f37, 0x93a8,
1667 0x4a38, 0xa6c6, 0xe393, 0x1087, 0x6301, 0xd673, 0x4ec4, 0xffff}},
1668 {{0x892e, 0xeed0, 0x1165, 0xcbc1, 0x5545, 0xa280, 0x7243, 0x10c9,
1669 0x9536, 0x36af, 0xb3fc, 0x2d7c, 0xe8a5, 0x09d6, 0xe1d4, 0xe85d},
1670 {0xae09, 0xc28a, 0xd777, 0xbd80, 0x23d6, 0xf980, 0xeb7c, 0x4e0e,
1671 0xf7dc, 0x6475, 0xf10a, 0x2d33, 0x5dfd, 0x797a, 0x7f1c, 0xf71a},
1672 {0x4064, 0x8717, 0xd091, 0x80b0, 0x4527, 0x8442, 0xac8b, 0x9614,
1673 0xc633, 0x35f5, 0x7714, 0x2e83, 0x4aaa, 0xd2e4, 0x1acd, 0x0562}},
1674 {{0xdb64, 0x0937, 0x308b, 0x53b0, 0x00e8, 0xc77f, 0x2f30, 0x37f7,
1675 0x79ce, 0xeb7f, 0xde81, 0x9286, 0xafda, 0x0e62, 0xae00, 0x0067},
1676 {0x2cc7, 0xd362, 0xb161, 0x0557, 0x4ff2, 0xb9c8, 0x06fe, 0x5f2b,
1677 0xde33, 0x0190, 0x28c6, 0xb886, 0xee2b, 0x5a4e, 0x3289, 0x0185},
1678 {0x4215, 0x923e, 0xf34f, 0xb362, 0x88f8, 0xceec, 0xafdd, 0x7f42,
1679 0x0c57, 0x56b2, 0xa366, 0x6a08, 0x0826, 0xfb8f, 0x1b03, 0x0163}},
1680 {{0xa4ba, 0x8408, 0x810a, 0xdeba, 0x47a3, 0x853a, 0xeb64, 0x2f74,
1681 0x3039, 0x038c, 0x7fbb, 0x498e, 0xd1e9, 0x46fb, 0x5691, 0x32a4},
1682 {0xd749, 0xb49d, 0x20b7, 0x2af6, 0xd34a, 0xd2da, 0x0a10, 0xf781,
1683 0x58c9, 0x171f, 0x3cb6, 0x6337, 0x88cd, 0xcf1e, 0xb246, 0x7351},
1684 {0xf729, 0xcf0a, 0x96ea, 0x032c, 0x4a8f, 0x42fe, 0xbac8, 0xec65,
1685 0x1510, 0x0d75, 0x4c17, 0x8d29, 0xa03f, 0x8b7e, 0x2c49, 0x0000}},
1686 {{0x0fa4, 0x8e1c, 0x3788, 0xba3c, 0x8d52, 0xd89d, 0x12c8, 0xeced,
1687 0x9fe6, 0x9b88, 0xecf3, 0xe3c8, 0xac48, 0x76ed, 0xf23e, 0xda79},
1688 {0x1103, 0x227c, 0x5b00, 0x3fcf, 0xc5d0, 0x2d28, 0x8020, 0x4d1c,
1689 0xc6b9, 0x67f9, 0x6f39, 0x989a, 0xda53, 0x3847, 0xd416, 0xe0d0},
1690 {0xdd8e, 0xcf31, 0x3710, 0x7e44, 0xa511, 0x933c, 0x0cc3, 0x5145,
1691 0xf632, 0x5e1d, 0x038f, 0x5ce7, 0x7265, 0xda9d, 0xded6, 0x08f8}},
1692 {{0xe2c8, 0x91d5, 0xa5f5, 0x735f, 0x6b58, 0x56dc, 0xb39d, 0x5c4a,
1693 0x57d0, 0xa1c2, 0xd92f, 0x9ad4, 0xf7c4, 0x51dd, 0xaf5c, 0x0096},
1694 {0x1739, 0x7207, 0x7505, 0xbf35, 0x42de, 0x0a29, 0xa962, 0xdedf,
1695 0x53e8, 0x12bf, 0xcde7, 0xd8e2, 0x8d4d, 0x2c4b, 0xb1b1, 0x0628},
1696 {0x992d, 0xe3a7, 0xb422, 0xc198, 0x23ab, 0xa6ef, 0xb45d, 0x50da,
1697 0xa738, 0x014a, 0x2310, 0x85fb, 0x5fe8, 0x1b18, 0x1774, 0x03a7}},
1698 {{0x1f16, 0x2b09, 0x0236, 0xee90, 0xccf9, 0x9775, 0x8130, 0x4c91,
1699 0x9091, 0x310b, 0x6dc4, 0x86f6, 0xc2e8, 0xef60, 0xfc0e, 0xf3a4},
1700 {0x9f49, 0xac15, 0x02af, 0x110f, 0xc59d, 0x5677, 0xa1a9, 0x38d5,
1701 0x914f, 0xa909, 0x3a3a, 0x4a39, 0x3703, 0xea30, 0x73da, 0xffad},
1702 {0x15ed, 0xdd16, 0x83c7, 0x270a, 0x862f, 0xd8ad, 0xcaa1, 0x5f41,
1703 0x99a9, 0x3fc8, 0x7bb2, 0x360a, 0xb06d, 0xfadc, 0x1b36, 0xffa8}},
1704 {{0xc4e0, 0xb8fd, 0x5106, 0xe169, 0x754c, 0xa58c, 0xc413, 0x8224,
1705 0x5483, 0x63ec, 0xd477, 0x8473, 0x4778, 0x9281, 0x0000, 0x0000},
1706 {0x85e1, 0xff54, 0xb200, 0xe413, 0xf4f4, 0x4c0f, 0xfcec, 0xc183,
1707 0x60d3, 0x1b0c, 0x3834, 0x601c, 0x943c, 0xbe6e, 0x0002, 0x0000},
1708 {0xf4f8, 0xfd5e, 0x61ef, 0xece8, 0x9199, 0xe5c4, 0x05a6, 0xe6c3,
1709 0xc4ae, 0x8b28, 0x66b1, 0x8a95, 0x9ece, 0x8f4a, 0x0001, 0x0000}},
1710 {{0xeae9, 0xa1b4, 0xc6d8, 0x2411, 0x2b5a, 0x1dd0, 0x2dc9, 0xb57b,
1711 0x5ccd, 0x4957, 0xaf59, 0xa04b, 0x5f42, 0xab7c, 0x2826, 0x526f},
1712 {0xf407, 0x165a, 0xb724, 0x2f12, 0x2ea1, 0x470b, 0x4464, 0xbd35,
1713 0x606f, 0xd73e, 0x50d3, 0x8a7f, 0x8029, 0x7ffc, 0xbe31, 0x6cfb},
1714 {0x8171, 0x1f4c, 0xced2, 0x9c99, 0x6d7e, 0x5a0f, 0xfefb, 0x59e3,
1715 0xa0c8, 0xabd9, 0xc4c5, 0x57d3, 0xbfa3, 0x4f11, 0x96a2, 0x5a7d}},
1716 {{0xe068, 0x4cc0, 0x8bcd, 0xc903, 0x9e52, 0xb3e1, 0xd745, 0x0995,
1717 0xdd8f, 0xf14b, 0xd2ac, 0xd65a, 0xda1d, 0xa742, 0xbac5, 0x474c},
1718 {0x7481, 0xf2ad, 0x9757, 0x2d82, 0xb683, 0xb16b, 0x0002, 0x7b60,
1719 0x8f0c, 0x2594, 0x8f64, 0x3b7a, 0x3552, 0x8d9d, 0xb9d7, 0x67eb},
1720 {0xcaab, 0xb9a1, 0xf966, 0xe311, 0x5b34, 0x0fa0, 0x6abc, 0x8134,
1721 0xab3d, 0x90f6, 0x1984, 0x9232, 0xec17, 0x74e5, 0x2ceb, 0x434e}},
1722 {{0x0fb1, 0x7a55, 0x1a5c, 0x53eb, 0xd7b3, 0x7a01, 0xca32, 0x31f6,
1723 0x3b74, 0x679e, 0x1501, 0x6c57, 0xdb20, 0x8b7c, 0xd7d0, 0x8097},
1724 {0xb127, 0xb20c, 0xe3a2, 0x96f3, 0xe0d8, 0xd50c, 0x14b4, 0x0b40,
1725 0x6eeb, 0xa258, 0x99db, 0x3c8c, 0x0f51, 0x4198, 0x3887, 0xffd0},
1726 {0x0273, 0x9f8c, 0x9669, 0xbbba, 0x1c49, 0x767c, 0xc2af, 0x59f0,
1727 0x1366, 0xd397, 0x63ac, 0x6fe8, 0x1a9a, 0x1259, 0x01d0, 0x0016}},
1728 {{0x7876, 0x2a35, 0xa24a, 0x433e, 0x5501, 0x573c, 0xd76d, 0xcb82,
1729 0x1334, 0xb4a6, 0xf290, 0xc797, 0xeae9, 0x2b83, 0x1e2b, 0x8b14},
1730 {0x3885, 0x8aef, 0x9dea, 0x2b8c, 0xdd7c, 0xd7cd, 0xb0cc, 0x05ee,
1731 0x361b, 0x3800, 0xb0d4, 0x4c23, 0xbd3f, 0x5180, 0x9783, 0xff80},
1732 {0xab36, 0x3104, 0xdae8, 0x0704, 0x4a28, 0x6714, 0x824b, 0x0051,
1733 0x8134, 0x1f6a, 0x712d, 0x1f03, 0x03b2, 0xecac, 0x377d, 0xfef9}}
1734 };
1735
1736 int i, j, ok;
1737
1738 /* Test known inputs/outputs */
1739 for (i = 0; (size_t)i < sizeof(CASES) / sizeof(CASES[0]); ++i) {
1740 uint16_t out[16];
1741 test_modinv32_uint16(out, CASES[i][0], CASES[i][1]);
1742 for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1743 #ifdef WIDEMUL_INT128
1744 test_modinv64_uint16(out, CASES[i][0], CASES[i][1]);
1745 for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1746 #endif
1747 }
1748
1749 for (i = 0; i < 100 * count; ++i) {
1750 /* 256-bit numbers in 16-uint16_t's notation */
1751 static const uint16_t ZERO[16] = {0};
1752 uint16_t xd[16]; /* the number (in range [0,2^256)) to be inverted */
1753 uint16_t md[16]; /* the modulus (odd, in range [3,2^256)) */
1754 uint16_t id[16]; /* the inverse of xd mod md */
1755
1756 /* generate random xd and md, so that md is odd, md>1, xd<md, and gcd(xd,md)=1 */
1757 do {
1758 /* generate random xd and md (with many subsequent 0s and 1s) */
1759 testrand256_test((unsigned char*)xd);
1760 testrand256_test((unsigned char*)md);
1761 md[0] |= 1; /* modulus must be odd */
1762 /* If modulus is 1, find another one. */
1763 ok = md[0] != 1;
1764 for (j = 1; j < 16; ++j) ok |= md[j] != 0;
1765 mulmod256(xd, xd, NULL, md); /* Make xd = xd mod md */
1766 } while (!(ok && coprime(xd, md)));
1767
1768 test_modinv32_uint16(id, xd, md);
1769 #ifdef WIDEMUL_INT128
1770 test_modinv64_uint16(id, xd, md);
1771 #endif
1772
1773 /* In a few cases, also test with input=0 */
1774 if (i < count) {
1775 test_modinv32_uint16(id, ZERO, md);
1776 #ifdef WIDEMUL_INT128
1777 test_modinv64_uint16(id, ZERO, md);
1778 #endif
1779 }
1780 }
1781 */
1782}
1783
1784/* -------------- **** SCALAR TESTS **** -------------- */
1785
1786pub fn scalar_test() {
1787
1788 todo!();
1789 /*
1790 scalar s;
1791 scalar s1;
1792 scalar s2;
1793 unsigned char c[32];
1794
1795 /* Set 's' to a random scalar, with value 'snum'. */
1796 random_scalar_order_test(&s);
1797
1798 /* Set 's1' to a random scalar, with value 's1num'. */
1799 random_scalar_order_test(&s1);
1800
1801 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
1802 random_scalar_order_test(&s2);
1803 scalar_get_b32(c, &s2);
1804
1805 {
1806 int i;
1807 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
1808 scalar n;
1809 scalar_set_int(&n, 0);
1810 for (i = 0; i < 256; i += 4) {
1811 scalar t;
1812 int j;
1813 scalar_set_int(&t, scalar_get_bits(&s, 256 - 4 - i, 4));
1814 for (j = 0; j < 4; j++) {
1815 scalar_add(&n, &n, &n);
1816 }
1817 scalar_add(&n, &n, &t);
1818 }
1819 CHECK(scalar_eq(&n, &s));
1820 }
1821
1822 {
1823 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
1824 scalar n;
1825 int i = 0;
1826 scalar_set_int(&n, 0);
1827 while (i < 256) {
1828 scalar t;
1829 int j;
1830 int now = testrand_int(15) + 1;
1831 if (now + i > 256) {
1832 now = 256 - i;
1833 }
1834 scalar_set_int(&t, scalar_get_bits_var(&s, 256 - now - i, now));
1835 for (j = 0; j < now; j++) {
1836 scalar_add(&n, &n, &n);
1837 }
1838 scalar_add(&n, &n, &t);
1839 i += now;
1840 }
1841 CHECK(scalar_eq(&n, &s));
1842 }
1843
1844 {
1845 /* test scalar_shr_int */
1846 scalar r;
1847 int i;
1848 random_scalar_order_test(&r);
1849 for (i = 0; i < 100; ++i) {
1850 int low;
1851 int shift = 1 + testrand_int(15);
1852 int expected = r.d[0] % (1 << shift);
1853 low = scalar_shr_int(&r, shift);
1854 CHECK(expected == low);
1855 }
1856 }
1857
1858 {
1859 /* Test commutativity of add. */
1860 scalar r1, r2;
1861 scalar_add(&r1, &s1, &s2);
1862 scalar_add(&r2, &s2, &s1);
1863 CHECK(scalar_eq(&r1, &r2));
1864 }
1865
1866 {
1867 scalar r1, r2;
1868 scalar b;
1869 int i;
1870 /* Test add_bit. */
1871 int bit = testrand_bits(8);
1872 scalar_set_int(&b, 1);
1873 CHECK(scalar_is_one(&b));
1874 for (i = 0; i < bit; i++) {
1875 scalar_add(&b, &b, &b);
1876 }
1877 r1 = s1;
1878 r2 = s1;
1879 if (!scalar_add(&r1, &r1, &b)) {
1880 /* No overflow happened. */
1881 scalar_cadd_bit(&r2, bit, 1);
1882 CHECK(scalar_eq(&r1, &r2));
1883 /* cadd is a noop when flag is zero */
1884 scalar_cadd_bit(&r2, bit, 0);
1885 CHECK(scalar_eq(&r1, &r2));
1886 }
1887 }
1888
1889 {
1890 /* Test commutativity of mul. */
1891 scalar r1, r2;
1892 scalar_mul(&r1, &s1, &s2);
1893 scalar_mul(&r2, &s2, &s1);
1894 CHECK(scalar_eq(&r1, &r2));
1895 }
1896
1897 {
1898 /* Test associativity of add. */
1899 scalar r1, r2;
1900 scalar_add(&r1, &s1, &s2);
1901 scalar_add(&r1, &r1, &s);
1902 scalar_add(&r2, &s2, &s);
1903 scalar_add(&r2, &s1, &r2);
1904 CHECK(scalar_eq(&r1, &r2));
1905 }
1906
1907 {
1908 /* Test associativity of mul. */
1909 scalar r1, r2;
1910 scalar_mul(&r1, &s1, &s2);
1911 scalar_mul(&r1, &r1, &s);
1912 scalar_mul(&r2, &s2, &s);
1913 scalar_mul(&r2, &s1, &r2);
1914 CHECK(scalar_eq(&r1, &r2));
1915 }
1916
1917 {
1918 /* Test distributitivity of mul over add. */
1919 scalar r1, r2, t;
1920 scalar_add(&r1, &s1, &s2);
1921 scalar_mul(&r1, &r1, &s);
1922 scalar_mul(&r2, &s1, &s);
1923 scalar_mul(&t, &s2, &s);
1924 scalar_add(&r2, &r2, &t);
1925 CHECK(scalar_eq(&r1, &r2));
1926 }
1927
1928 {
1929 /* Test multiplicative identity. */
1930 scalar r1, v1;
1931 scalar_set_int(&v1,1);
1932 scalar_mul(&r1, &s1, &v1);
1933 CHECK(scalar_eq(&r1, &s1));
1934 }
1935
1936 {
1937 /* Test additive identity. */
1938 scalar r1, v0;
1939 scalar_set_int(&v0,0);
1940 scalar_add(&r1, &s1, &v0);
1941 CHECK(scalar_eq(&r1, &s1));
1942 }
1943
1944 {
1945 /* Test zero product property. */
1946 scalar r1, v0;
1947 scalar_set_int(&v0,0);
1948 scalar_mul(&r1, &s1, &v0);
1949 CHECK(scalar_eq(&r1, &v0));
1950 }
1951 */
1952}
1953
1954pub fn run_scalar_set_b32_seckey_tests() {
1955
1956 todo!();
1957 /*
1958 unsigned char b32[32];
1959 scalar s1;
1960 scalar s2;
1961
1962 /* Usually set_b32 and set_b32_seckey give the same result */
1963 random_scalar_order_b32(b32);
1964 scalar_set_b32(&s1, b32, NULL);
1965 CHECK(scalar_set_b32_seckey(&s2, b32) == 1);
1966 CHECK(scalar_eq(&s1, &s2) == 1);
1967
1968 memset(b32, 0, sizeof(b32));
1969 CHECK(scalar_set_b32_seckey(&s2, b32) == 0);
1970 memset(b32, 0xFF, sizeof(b32));
1971 CHECK(scalar_set_b32_seckey(&s2, b32) == 0);
1972 */
1973}
1974
1975pub fn run_scalar_tests() {
1976
1977 todo!();
1978 /*
1979 int i;
1980 for (i = 0; i < 128 * count; i++) {
1981 scalar_test();
1982 }
1983 for (i = 0; i < count; i++) {
1984 run_scalar_set_b32_seckey_tests();
1985 }
1986
1987 {
1988 /* (-1)+1 should be zero. */
1989 scalar s, o;
1990 scalar_set_int(&s, 1);
1991 CHECK(scalar_is_one(&s));
1992 scalar_negate(&o, &s);
1993 scalar_add(&o, &o, &s);
1994 CHECK(scalar_is_zero(&o));
1995 scalar_negate(&o, &o);
1996 CHECK(scalar_is_zero(&o));
1997 }
1998
1999 {
2000 /* Does check_overflow check catch all ones? */
2001 static const scalar overflowed = SCALAR_CONST(
2002 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
2003 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
2004 );
2005 CHECK(scalar_check_overflow(&overflowed));
2006 }
2007
2008 {
2009 /* Static test vectors.
2010 * These were reduced from ~10^12 random vectors based on comparison-decision
2011 * and edge-case coverage on 32-bit and 64-bit implementations.
2012 * The responses were generated with Sage 5.9.
2013 */
2014 scalar x;
2015 scalar y;
2016 scalar z;
2017 scalar zz;
2018 scalar one;
2019 scalar r1;
2020 scalar r2;
2021 scalar zzv;
2022 int overflow;
2023 unsigned char chal[33][2][32] = {
2024 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
2025 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
2026 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
2027 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
2028 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
2029 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
2030 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2031 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
2032 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
2033 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
2034 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2035 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2036 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2037 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
2038 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
2039 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
2040 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2041 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
2042 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
2043 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
2044 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
2045 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
2046 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
2047 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
2048 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2049 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2050 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2051 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
2052 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
2053 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
2054 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
2055 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
2056 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
2057 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
2058 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
2059 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
2060 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
2061 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2062 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
2063 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
2064 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
2065 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
2066 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
2067 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2068 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2069 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
2070 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
2071 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
2072 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
2073 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2074 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
2075 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
2076 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
2077 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
2078 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
2079 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2080 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
2081 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2082 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2083 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
2084 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
2085 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
2086 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2087 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2088 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2089 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
2090 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2091 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2092 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2093 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2094 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2095 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2096 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2097 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2098 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
2099 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
2100 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
2101 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
2102 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
2103 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
2104 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
2105 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
2106 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
2107 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
2108 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
2109 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2110 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
2111 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
2112 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2113 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2114 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2115 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2116 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2117 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
2118 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
2119 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2120 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2121 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2122 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2123 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
2124 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
2125 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
2126 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
2127 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
2128 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2129 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2130 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2131 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
2132 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
2133 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2134 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
2135 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
2136 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
2137 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
2138 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2139 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2140 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
2141 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2142 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2143 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
2144 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
2145 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2146 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2147 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2148 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2149 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
2150 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
2151 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
2152 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2153 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2154 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
2155 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
2156 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2157 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2158 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
2159 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2160 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2161 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
2162 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
2163 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
2164 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2165 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
2166 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2167 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
2168 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
2169 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2170 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2171 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2172 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2173 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
2174 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
2175 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
2176 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
2177 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
2178 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2179 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
2180 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2181 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2182 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
2183 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
2184 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2185 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2186 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2187 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2188 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2189 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2190 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2191 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
2192 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2193 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2194 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2195 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
2196 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2197 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2198 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2199 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2200 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2201 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2202 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2203 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2204 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2205 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2206 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2207 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2208 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
2209 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2210 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
2211 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
2212 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
2213 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
2214 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
2215 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
2216 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2217 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2218 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2219 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2220 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2221 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2222 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2223 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
2224 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2225 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2226 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2227 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2228 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2229 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2230 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2231 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2232 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2233 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
2234 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
2235 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2236 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2237 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
2238 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
2239 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2240 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
2241 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2242 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2243 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
2244 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2245 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
2246 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2247 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
2248 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2249 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2250 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2251 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
2252 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2253 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2254 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
2255 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
2256 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2257 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
2258 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
2259 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2260 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
2261 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
2262 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
2263 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
2264 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2265 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2266 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
2267 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2268 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2269 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
2270 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
2271 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
2272 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
2273 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
2274 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2275 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
2276 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2277 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
2278 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2279 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
2280 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2281 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2282 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2283 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
2284 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2285 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2286 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2287 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
2288 };
2289 unsigned char res[33][2][32] = {
2290 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
2291 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
2292 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
2293 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
2294 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
2295 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
2296 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
2297 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
2298 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
2299 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
2300 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
2301 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
2302 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
2303 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
2304 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
2305 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
2306 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
2307 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
2308 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
2309 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
2310 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
2311 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
2312 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
2313 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
2314 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
2315 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
2316 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
2317 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
2318 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
2319 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
2320 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
2321 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
2322 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
2323 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
2324 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
2325 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
2326 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
2327 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
2328 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
2329 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
2330 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
2331 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
2332 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
2333 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
2334 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
2335 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
2336 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
2337 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
2338 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
2339 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
2340 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
2341 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
2342 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
2343 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
2344 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
2345 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
2346 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
2347 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
2348 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
2349 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
2350 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
2351 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
2352 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
2353 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
2354 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
2355 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
2356 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
2357 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
2358 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
2359 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
2360 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
2361 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
2362 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
2363 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
2364 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
2365 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
2366 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
2367 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
2368 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
2369 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
2370 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
2371 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
2372 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
2373 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
2374 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
2375 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
2376 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
2377 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
2378 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
2379 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
2380 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
2381 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
2382 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
2383 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
2384 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
2385 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
2386 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
2387 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
2388 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
2389 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
2390 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
2391 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
2392 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
2393 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
2394 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
2395 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
2396 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
2397 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
2398 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
2399 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
2400 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
2401 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
2402 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
2403 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
2404 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
2405 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
2406 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
2407 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
2408 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
2409 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
2410 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
2411 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
2412 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
2413 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
2414 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
2415 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
2416 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
2417 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
2418 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
2419 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
2420 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
2421 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
2422 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
2423 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
2424 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
2425 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
2426 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
2427 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
2428 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
2429 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
2430 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
2431 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
2432 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
2433 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
2434 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
2435 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
2436 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
2437 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
2438 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
2439 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
2440 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
2441 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
2442 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
2443 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
2444 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
2445 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
2446 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
2447 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
2448 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
2449 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
2450 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2451 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2452 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2453 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2454 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2455 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2456 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2457 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2458 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2459 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2460 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2461 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2462 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2463 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2464 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2465 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2466 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2467 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2468 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2469 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
2470 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2471 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2472 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2473 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2474 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
2475 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
2476 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
2477 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
2478 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
2479 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
2480 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
2481 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
2482 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2483 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2484 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
2485 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
2486 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2487 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2488 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2489 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2490 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2491 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2492 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2493 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2494 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2495 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2496 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2497 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2498 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
2499 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
2500 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
2501 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
2502 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
2503 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
2504 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
2505 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
2506 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
2507 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
2508 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
2509 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
2510 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
2511 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
2512 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
2513 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
2514 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
2515 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
2516 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
2517 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
2518 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
2519 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
2520 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
2521 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
2522 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
2523 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
2524 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
2525 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
2526 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
2527 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
2528 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
2529 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
2530 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
2531 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
2532 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
2533 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
2534 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
2535 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
2536 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
2537 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
2538 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
2539 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
2540 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
2541 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
2542 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
2543 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
2544 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
2545 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
2546 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2547 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2548 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2549 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
2550 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
2551 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
2552 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
2553 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
2554 };
2555 scalar_set_int(&one, 1);
2556 for (i = 0; i < 33; i++) {
2557 scalar_set_b32(&x, chal[i][0], &overflow);
2558 CHECK(!overflow);
2559 scalar_set_b32(&y, chal[i][1], &overflow);
2560 CHECK(!overflow);
2561 scalar_set_b32(&r1, res[i][0], &overflow);
2562 CHECK(!overflow);
2563 scalar_set_b32(&r2, res[i][1], &overflow);
2564 CHECK(!overflow);
2565 scalar_mul(&z, &x, &y);
2566 CHECK(!scalar_check_overflow(&z));
2567 CHECK(scalar_eq(&r1, &z));
2568 if (!scalar_is_zero(&y)) {
2569 scalar_inverse(&zz, &y);
2570 CHECK(!scalar_check_overflow(&zz));
2571 scalar_inverse_var(&zzv, &y);
2572 CHECK(scalar_eq(&zzv, &zz));
2573 scalar_mul(&z, &z, &zz);
2574 CHECK(!scalar_check_overflow(&z));
2575 CHECK(scalar_eq(&x, &z));
2576 scalar_mul(&zz, &zz, &y);
2577 CHECK(!scalar_check_overflow(&zz));
2578 CHECK(scalar_eq(&one, &zz));
2579 }
2580 }
2581 }
2582 */
2583}
2584
2585/* -------------- **** FIELD TESTS **** -------------- */
2586
2587pub fn random_fe(x: *mut Fe) {
2588
2589 todo!();
2590 /*
2591 unsigned char bin[32];
2592 do {
2593 testrand256(bin);
2594 if (fe_set_b32(x, bin)) {
2595 return;
2596 }
2597 } while(1);
2598 */
2599}
2600
2601pub fn random_fe_test(x: *mut Fe) {
2602
2603 todo!();
2604 /*
2605 unsigned char bin[32];
2606 do {
2607 testrand256_test(bin);
2608 if (fe_set_b32(x, bin)) {
2609 return;
2610 }
2611 } while(1);
2612 */
2613}
2614
2615pub fn random_fe_non_zero(nz: *mut Fe) {
2616
2617 todo!();
2618 /*
2619 int tries = 10;
2620 while (--tries >= 0) {
2621 random_fe(nz);
2622 fe_normalize(nz);
2623 if (!fe_is_zero(nz)) {
2624 break;
2625 }
2626 }
2627 /* Infinitesimal probability of spurious failure here */
2628 CHECK(tries >= 0);
2629 */
2630}
2631
2632pub fn random_fe_non_square(ns: *mut Fe) {
2633
2634 todo!();
2635 /*
2636 Fe r;
2637 random_fe_non_zero(ns);
2638 if (fe_sqrt(&r, ns)) {
2639 fe_negate(ns, ns, 1);
2640 }
2641 */
2642}
2643
2644pub fn check_fe_equal(
2645 a: *const Fe,
2646 b: *const Fe) -> i32 {
2647
2648 todo!();
2649 /*
2650 Fe an = *a;
2651 Fe bn = *b;
2652 fe_normalize_weak(&an);
2653 fe_normalize_var(&bn);
2654 return fe_equal_var(&an, &bn);
2655 */
2656}
2657
2658pub fn run_field_convert() {
2659
2660 todo!();
2661 /*
2662 static const unsigned char b32[32] = {
2663 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
2664 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
2665 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
2666 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
2667 };
2668 static const fe_storage fes = FE_STORAGE_CONST(
2669 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
2670 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
2671 );
2672 static const Fe Fe = FE_CONST(
2673 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
2674 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
2675 );
2676 Fe fe2;
2677 unsigned char b322[32];
2678 fe_storage fes2;
2679 /* Check conversions to Fe. */
2680 CHECK(fe_set_b32(&fe2, b32));
2681 CHECK(fe_equal_var(&Fe, &fe2));
2682 fe_from_storage(&fe2, &fes);
2683 CHECK(fe_equal_var(&Fe, &fe2));
2684 /* Check conversion from Fe. */
2685 fe_get_b32(b322, &Fe);
2686 CHECK(memcmp_var(b322, b32, 32) == 0);
2687 fe_to_storage(&fes2, &Fe);
2688 CHECK(memcmp_var(&fes2, &fes, sizeof(fes)) == 0);
2689 */
2690}
2691
2692pub fn fe_memcmp_var(
2693 a: *const Fe,
2694 b: *const Fe) -> i32 {
2695
2696 todo!();
2697 /*
2698 Fe t = *b;
2699 #ifdef VERIFY
2700 t.magnitude = a->magnitude;
2701 t.normalized = a->normalized;
2702 #endif
2703 return memcmp_var(a, &t, sizeof(Fe));
2704 */
2705}
2706
2707pub fn run_field_misc() {
2708
2709 todo!();
2710 /*
2711 Fe x;
2712 Fe y;
2713 Fe z;
2714 Fe q;
2715 Fe fe5 = FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
2716 int i, j;
2717 for (i = 0; i < 5*count; i++) {
2718 fe_storage xs, ys, zs;
2719 random_fe(&x);
2720 random_fe_non_zero(&y);
2721 /* Test the Fe equality and comparison operations. */
2722 CHECK(fe_cmp_var(&x, &x) == 0);
2723 CHECK(fe_equal_var(&x, &x));
2724 z = x;
2725 fe_add(&z,&y);
2726 /* Test Fe conditional move; z is not normalized here. */
2727 q = x;
2728 fe_cmov(&x, &z, 0);
2729 #ifdef VERIFY
2730 CHECK(x.normalized && x.magnitude == 1);
2731 #endif
2732 fe_cmov(&x, &x, 1);
2733 CHECK(fe_memcmp_var(&x, &z) != 0);
2734 CHECK(fe_memcmp_var(&x, &q) == 0);
2735 fe_cmov(&q, &z, 1);
2736 #ifdef VERIFY
2737 CHECK(!q.normalized && q.magnitude == z.magnitude);
2738 #endif
2739 CHECK(fe_memcmp_var(&q, &z) == 0);
2740 fe_normalize_var(&x);
2741 fe_normalize_var(&z);
2742 CHECK(!fe_equal_var(&x, &z));
2743 fe_normalize_var(&q);
2744 fe_cmov(&q, &z, (i&1));
2745 #ifdef VERIFY
2746 CHECK(q.normalized && q.magnitude == 1);
2747 #endif
2748 for (j = 0; j < 6; j++) {
2749 fe_negate(&z, &z, j+1);
2750 fe_normalize_var(&q);
2751 fe_cmov(&q, &z, (j&1));
2752 #ifdef VERIFY
2753 CHECK((q.normalized != (j&1)) && q.magnitude == ((j&1) ? z.magnitude : 1));
2754 #endif
2755 }
2756 fe_normalize_var(&z);
2757 /* Test storage conversion and conditional moves. */
2758 fe_to_storage(&xs, &x);
2759 fe_to_storage(&ys, &y);
2760 fe_to_storage(&zs, &z);
2761 fe_storage_cmov(&zs, &xs, 0);
2762 fe_storage_cmov(&zs, &zs, 1);
2763 CHECK(memcmp_var(&xs, &zs, sizeof(xs)) != 0);
2764 fe_storage_cmov(&ys, &xs, 1);
2765 CHECK(memcmp_var(&xs, &ys, sizeof(xs)) == 0);
2766 fe_from_storage(&x, &xs);
2767 fe_from_storage(&y, &ys);
2768 fe_from_storage(&z, &zs);
2769 /* Test that mul_int, mul, and add agree. */
2770 fe_add(&y, &x);
2771 fe_add(&y, &x);
2772 z = x;
2773 fe_mul_int(&z, 3);
2774 CHECK(check_fe_equal(&y, &z));
2775 fe_add(&y, &x);
2776 fe_add(&z, &x);
2777 CHECK(check_fe_equal(&z, &y));
2778 z = x;
2779 fe_mul_int(&z, 5);
2780 fe_mul(&q, &x, &fe5);
2781 CHECK(check_fe_equal(&z, &q));
2782 fe_negate(&x, &x, 1);
2783 fe_add(&z, &x);
2784 fe_add(&q, &x);
2785 CHECK(check_fe_equal(&y, &z));
2786 CHECK(check_fe_equal(&q, &y));
2787 }
2788 */
2789}
2790
2791pub fn test_fe_mul(
2792 a: *const Fe,
2793 b: *const Fe,
2794 use_sqr: i32) {
2795
2796 todo!();
2797 /*
2798 Fe c, an, bn;
2799 /* Variables in BE 32-byte format. */
2800 unsigned char a32[32], b32[32], c32[32];
2801 /* Variables in LE 16x uint16_t format. */
2802 uint16_t a16[16], b16[16], c16[16];
2803 /* Field modulus in LE 16x uint16_t format. */
2804 static const uint16_t m16[16] = {
2805 0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
2806 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
2807 };
2808 uint16_t t16[32];
2809 int i;
2810
2811 /* Compute C = A * B in Fe format. */
2812 c = *a;
2813 if (use_sqr) {
2814 fe_sqr(&c, &c);
2815 } else {
2816 fe_mul(&c, &c, b);
2817 }
2818
2819 /* Convert A, B, C into LE 16x uint16_t format. */
2820 an = *a;
2821 bn = *b;
2822 fe_normalize_var(&c);
2823 fe_normalize_var(&an);
2824 fe_normalize_var(&bn);
2825 fe_get_b32(a32, &an);
2826 fe_get_b32(b32, &bn);
2827 fe_get_b32(c32, &c);
2828 for (i = 0; i < 16; ++i) {
2829 a16[i] = a32[31 - 2*i] + ((uint16_t)a32[30 - 2*i] << 8);
2830 b16[i] = b32[31 - 2*i] + ((uint16_t)b32[30 - 2*i] << 8);
2831 c16[i] = c32[31 - 2*i] + ((uint16_t)c32[30 - 2*i] << 8);
2832 }
2833 /* Compute T = A * B in LE 16x uint16_t format. */
2834 mulmod256(t16, a16, b16, m16);
2835 /* Compare */
2836 CHECK(memcmp_var(t16, c16, 32) == 0);
2837 */
2838}
2839
2840pub fn run_fe_mul() {
2841
2842 todo!();
2843 /*
2844 int i;
2845 for (i = 0; i < 100 * count; ++i) {
2846 Fe a, b, c, d;
2847 random_fe(&a);
2848 random_field_element_magnitude(&a);
2849 random_fe(&b);
2850 random_field_element_magnitude(&b);
2851 random_fe_test(&c);
2852 random_field_element_magnitude(&c);
2853 random_fe_test(&d);
2854 random_field_element_magnitude(&d);
2855 test_fe_mul(&a, &a, 1);
2856 test_fe_mul(&c, &c, 1);
2857 test_fe_mul(&a, &b, 0);
2858 test_fe_mul(&a, &c, 0);
2859 test_fe_mul(&c, &b, 0);
2860 test_fe_mul(&c, &d, 0);
2861 }
2862 */
2863}
2864
2865pub fn run_sqr() {
2866
2867 todo!();
2868 /*
2869 Fe x, s;
2870
2871 {
2872 int i;
2873 fe_set_int(&x, 1);
2874 fe_negate(&x, &x, 1);
2875
2876 for (i = 1; i <= 512; ++i) {
2877 fe_mul_int(&x, 2);
2878 fe_normalize(&x);
2879 fe_sqr(&s, &x);
2880 }
2881 }
2882 */
2883}
2884
2885pub fn test_sqrt(
2886 a: *const Fe,
2887 k: *const Fe) {
2888
2889 todo!();
2890 /*
2891 Fe r1, r2;
2892 int v = fe_sqrt(&r1, a);
2893 CHECK((v == 0) == (k == NULL));
2894
2895 if (k != NULL) {
2896 /* Check that the returned root is +/- the given known answer */
2897 fe_negate(&r2, &r1, 1);
2898 fe_add(&r1, k); fe_add(&r2, k);
2899 fe_normalize(&r1); fe_normalize(&r2);
2900 CHECK(fe_is_zero(&r1) || fe_is_zero(&r2));
2901 }
2902 */
2903}
2904
2905pub fn run_sqrt() {
2906
2907 todo!();
2908 /*
2909 Fe ns, x, s, t;
2910 int i;
2911
2912 /* Check sqrt(0) is 0 */
2913 fe_set_int(&x, 0);
2914 fe_sqr(&s, &x);
2915 test_sqrt(&s, &x);
2916
2917 /* Check sqrt of small squares (and their negatives) */
2918 for (i = 1; i <= 100; i++) {
2919 fe_set_int(&x, i);
2920 fe_sqr(&s, &x);
2921 test_sqrt(&s, &x);
2922 fe_negate(&t, &s, 1);
2923 test_sqrt(&t, NULL);
2924 }
2925
2926 /* Consistency checks for large random values */
2927 for (i = 0; i < 10; i++) {
2928 int j;
2929 random_fe_non_square(&ns);
2930 for (j = 0; j < count; j++) {
2931 random_fe(&x);
2932 fe_sqr(&s, &x);
2933 test_sqrt(&s, &x);
2934 fe_negate(&t, &s, 1);
2935 test_sqrt(&t, NULL);
2936 fe_mul(&t, &s, &ns);
2937 test_sqrt(&t, NULL);
2938 }
2939 }
2940 */
2941}
2942
2943/* ------- **** FIELD/SCALAR INVERSE TESTS **** ------- */
2944
2945lazy_static!{
2946 /*
2947 static const scalar scalar_minus_one = SCALAR_CONST(
2948 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE,
2949 0xBAAEDCE6, 0xAF48A03B, 0xBFD25E8C, 0xD0364140
2950 );
2951 */
2952}
2953
2954lazy_static!{
2955 /*
2956 static const Fe fe_minus_one = FE_CONST(
2957 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
2958 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFC2E
2959 );
2960 */
2961}
2962
2963/**
2964 | These tests test the following identities:
2965 |
2966 | for x==0: 1/x == 0
2967 |
2968 | for x!=0: x*(1/x) == 1
2969 |
2970 | for x!=0 and x!=1: 1/(1/x - 1) + 1 == -1/(x-1)
2971 */
2972pub fn test_inverse_scalar(
2973 out: *mut Scalar,
2974 x: *const Scalar,
2975 var: i32) {
2976
2977 todo!();
2978 /*
2979 scalar l, r, t;
2980
2981 (var ? scalar_inverse_var : scalar_inverse)(&l, x); /* l = 1/x */
2982 if (out) *out = l;
2983 if (scalar_is_zero(x)) {
2984 CHECK(scalar_is_zero(&l));
2985 return;
2986 }
2987 scalar_mul(&t, x, &l); /* t = x*(1/x) */
2988 CHECK(scalar_is_one(&t)); /* x*(1/x) == 1 */
2989 scalar_add(&r, x, &scalar_minus_one); /* r = x-1 */
2990 if (scalar_is_zero(&r)) return;
2991 (var ? scalar_inverse_var : scalar_inverse)(&r, &r); /* r = 1/(x-1) */
2992 scalar_add(&l, &scalar_minus_one, &l); /* l = 1/x-1 */
2993 (var ? scalar_inverse_var : scalar_inverse)(&l, &l); /* l = 1/(1/x-1) */
2994 scalar_add(&l, &l, &scalar_one); /* l = 1/(1/x-1)+1 */
2995 scalar_add(&l, &r, &l); /* l = 1/(1/x-1)+1 + 1/(x-1) */
2996 CHECK(scalar_is_zero(&l)); /* l == 0 */
2997 */
2998}
2999
3000pub fn test_inverse_field(
3001 out: *mut Fe,
3002 x: *const Fe,
3003 var: i32) {
3004
3005 todo!();
3006 /*
3007 Fe l, r, t;
3008
3009 (var ? fe_inv_var : fe_inv)(&l, x) ; /* l = 1/x */
3010 if (out) *out = l;
3011 t = *x; /* t = x */
3012 if (fe_normalizes_to_zero_var(&t)) {
3013 CHECK(fe_normalizes_to_zero(&l));
3014 return;
3015 }
3016 fe_mul(&t, x, &l); /* t = x*(1/x) */
3017 fe_add(&t, &fe_minus_one); /* t = x*(1/x)-1 */
3018 CHECK(fe_normalizes_to_zero(&t)); /* x*(1/x)-1 == 0 */
3019 r = *x; /* r = x */
3020 fe_add(&r, &fe_minus_one); /* r = x-1 */
3021 if (fe_normalizes_to_zero_var(&r)) return;
3022 (var ? fe_inv_var : fe_inv)(&r, &r); /* r = 1/(x-1) */
3023 fe_add(&l, &fe_minus_one); /* l = 1/x-1 */
3024 (var ? fe_inv_var : fe_inv)(&l, &l); /* l = 1/(1/x-1) */
3025 fe_add(&l, &fe_one); /* l = 1/(1/x-1)+1 */
3026 fe_add(&l, &r); /* l = 1/(1/x-1)+1 + 1/(x-1) */
3027 CHECK(fe_normalizes_to_zero_var(&l)); /* l == 0 */
3028 */
3029}
3030
3031pub fn run_inverse_tests() {
3032
3033 todo!();
3034 /*
3035 /* Fixed test cases for field inverses: pairs of (x, 1/x) mod p. */
3036 static const Fe fe_cases[][2] = {
3037 /* 0 */
3038 {FE_CONST(0, 0, 0, 0, 0, 0, 0, 0),
3039 FE_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
3040 /* 1 */
3041 {FE_CONST(0, 0, 0, 0, 0, 0, 0, 1),
3042 FE_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
3043 /* -1 */
3044 {FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e),
3045 FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e)},
3046 /* 2 */
3047 {FE_CONST(0, 0, 0, 0, 0, 0, 0, 2),
3048 FE_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x7ffffe18)},
3049 /* 2**128 */
3050 {FE_CONST(0, 0, 0, 1, 0, 0, 0, 0),
3051 FE_CONST(0xbcb223fe, 0xdc24a059, 0xd838091d, 0xd2253530, 0xffffffff, 0xffffffff, 0xffffffff, 0x434dd931)},
3052 /* Input known to need 637 divsteps */
3053 {FE_CONST(0xe34e9c95, 0x6bee8a84, 0x0dcb632a, 0xdb8a1320, 0x66885408, 0x06f3f996, 0x7c11ca84, 0x19199ec3),
3054 FE_CONST(0xbd2cbd8f, 0x1c536828, 0x9bccda44, 0x2582ac0c, 0x870152b0, 0x8a3f09fb, 0x1aaadf92, 0x19b618e5)},
3055 /* Input known to need 567 divsteps starting with delta=1/2. */
3056 {FE_CONST(0xf6bc3ba3, 0x636451c4, 0x3e46357d, 0x2c21d619, 0x0988e234, 0x15985661, 0x6672982b, 0xa7549bfc),
3057 FE_CONST(0xb024fdc7, 0x5547451e, 0x426c585f, 0xbd481425, 0x73df6b75, 0xeef6d9d0, 0x389d87d4, 0xfbb440ba)},
3058 /* Input known to need 566 divsteps starting with delta=1/2. */
3059 {FE_CONST(0xb595d81b, 0x2e3c1e2f, 0x482dbc65, 0xe4865af7, 0x9a0a50aa, 0x29f9e618, 0x6f87d7a5, 0x8d1063ae),
3060 FE_CONST(0xc983337c, 0x5d5c74e1, 0x49918330, 0x0b53afb5, 0xa0428a0b, 0xce6eef86, 0x059bd8ef, 0xe5b908de)},
3061 /* Set of 10 inputs accessing all 128 entries in the modinv32 divsteps_var table */
3062 {FE_CONST(0x00000000, 0x00000000, 0xe0ff1f80, 0x1f000000, 0x00000000, 0x00000000, 0xfeff0100, 0x00000000),
3063 FE_CONST(0x9faf9316, 0x77e5049d, 0x0b5e7a1b, 0xef70b893, 0x18c9e30c, 0x045e7fd7, 0x29eddf8c, 0xd62e9e3d)},
3064 {FE_CONST(0x621a538d, 0x511b2780, 0x35688252, 0x53f889a4, 0x6317c3ac, 0x32ba0a46, 0x6277c0d1, 0xccd31192),
3065 FE_CONST(0x38513b0c, 0x5eba856f, 0xe29e882e, 0x9b394d8c, 0x34bda011, 0xeaa66943, 0x6a841a4c, 0x6ae8bcff)},
3066 {FE_CONST(0x00000200, 0xf0ffff1f, 0x00000000, 0x0000e0ff, 0xffffffff, 0xfffcffff, 0xffffffff, 0xffff0100),
3067 FE_CONST(0x5da42a52, 0x3640de9e, 0x13e64343, 0x0c7591b7, 0x6c1e3519, 0xf048c5b6, 0x0484217c, 0xedbf8b2f)},
3068 {FE_CONST(0xd1343ef9, 0x4b952621, 0x7c52a2ee, 0x4ea1281b, 0x4ab46410, 0x9f26998d, 0xa686a8ff, 0x9f2103e8),
3069 FE_CONST(0x84044385, 0x9a4619bf, 0x74e35b6d, 0xa47e0c46, 0x6b7fb47d, 0x9ffab128, 0xb0775aa3, 0xcb318bd1)},
3070 {FE_CONST(0xb27235d2, 0xc56a52be, 0x210db37a, 0xd50d23a4, 0xbe621bdd, 0x5df22c6a, 0xe926ba62, 0xd2e4e440),
3071 FE_CONST(0x67a26e54, 0x483a9d3c, 0xa568469e, 0xd258ab3d, 0xb9ec9981, 0xdca9b1bd, 0x8d2775fe, 0x53ae429b)},
3072 {FE_CONST(0x00000000, 0x00000000, 0x00e0ffff, 0xffffff83, 0xffffffff, 0x3f00f00f, 0x000000e0, 0xffffffff),
3073 FE_CONST(0x310e10f8, 0x23bbfab0, 0xac94907d, 0x076c9a45, 0x8d357d7f, 0xc763bcee, 0x00d0e615, 0x5a6acef6)},
3074 {FE_CONST(0xfeff0300, 0x001c0000, 0xf80700c0, 0x0ff0ffff, 0xffffffff, 0x0fffffff, 0xffff0100, 0x7f0000fe),
3075 FE_CONST(0x28e2fdb4, 0x0709168b, 0x86f598b0, 0x3453a370, 0x530cf21f, 0x32f978d5, 0x1d527a71, 0x59269b0c)},
3076 {FE_CONST(0xc2591afa, 0x7bb98ef7, 0x090bb273, 0x85c14f87, 0xbb0b28e0, 0x54d3c453, 0x85c66753, 0xd5574d2f),
3077 FE_CONST(0xfdca70a2, 0x70ce627c, 0x95e66fae, 0x848a6dbb, 0x07ffb15c, 0x5f63a058, 0xba4140ed, 0x6113b503)},
3078 {FE_CONST(0xf5475db3, 0xedc7b5a3, 0x411c047e, 0xeaeb452f, 0xc625828e, 0x1cf5ad27, 0x8eec1060, 0xc7d3e690),
3079 FE_CONST(0x5eb756c0, 0xf963f4b9, 0xdc6a215e, 0xec8cc2d8, 0x2e9dec01, 0xde5eb88d, 0x6aba7164, 0xaecb2c5a)},
3080 {FE_CONST(0x00000000, 0x00f8ffff, 0xffffffff, 0x01000000, 0xe0ff1f00, 0x00000000, 0xffffff7f, 0x00000000),
3081 FE_CONST(0xe0d2e3d8, 0x49b6157d, 0xe54e88c2, 0x1a7f02ca, 0x7dd28167, 0xf1125d81, 0x7bfa444e, 0xbe110037)},
3082 /* Selection of randomly generated inputs that reach high/low d/e values in various configurations. */
3083 {FE_CONST(0x13cc08a4, 0xd8c41f0f, 0x179c3e67, 0x54c46c67, 0xc4109221, 0x09ab3b13, 0xe24d9be1, 0xffffe950),
3084 FE_CONST(0xb80c8006, 0xd16abaa7, 0xcabd71e5, 0xcf6714f4, 0x966dd3d0, 0x64767a2d, 0xe92c4441, 0x51008cd1)},
3085 {FE_CONST(0xaa6db990, 0x95efbca1, 0x3cc6ff71, 0x0602e24a, 0xf49ff938, 0x99fffc16, 0x46f40993, 0xc6e72057),
3086 FE_CONST(0xd5d3dd69, 0xb0c195e5, 0x285f1d49, 0xe639e48c, 0x9223f8a9, 0xca1d731d, 0x9ca482f9, 0xa5b93e06)},
3087 {FE_CONST(0x1c680eac, 0xaeabffd8, 0x9bdc4aee, 0x1781e3de, 0xa3b08108, 0x0015f2e0, 0x94449e1b, 0x2f67a058),
3088 FE_CONST(0x7f083f8d, 0x31254f29, 0x6510f475, 0x245c373d, 0xc5622590, 0x4b323393, 0x32ed1719, 0xc127444b)},
3089 {FE_CONST(0x147d44b3, 0x012d83f8, 0xc160d386, 0x1a44a870, 0x9ba6be96, 0x8b962707, 0x267cbc1a, 0xb65b2f0a),
3090 FE_CONST(0x555554ff, 0x170aef1e, 0x50a43002, 0xe51fbd36, 0xafadb458, 0x7a8aded1, 0x0ca6cd33, 0x6ed9087c)},
3091 {FE_CONST(0x12423796, 0x22f0fe61, 0xf9ca017c, 0x5384d107, 0xa1fbf3b2, 0x3b018013, 0x916a3c37, 0x4000b98c),
3092 FE_CONST(0x20257700, 0x08668f94, 0x1177e306, 0x136c01f5, 0x8ed1fbd2, 0x95ec4589, 0xae38edb9, 0xfd19b6d7)},
3093 {FE_CONST(0xdcf2d030, 0x9ab42cb4, 0x93ffa181, 0xdcd23619, 0x39699b52, 0x08909a20, 0xb5a17695, 0x3a9dcf21),
3094 FE_CONST(0x1f701dea, 0xe211fb1f, 0x4f37180d, 0x63a0f51c, 0x29fe1e40, 0xa40b6142, 0x2e7b12eb, 0x982b06b6)},
3095 {FE_CONST(0x79a851f6, 0xa6314ed3, 0xb35a55e6, 0xca1c7d7f, 0xe32369ea, 0xf902432e, 0x375308c5, 0xdfd5b600),
3096 FE_CONST(0xcaae00c5, 0xe6b43851, 0x9dabb737, 0x38cba42c, 0xa02c8549, 0x7895dcbf, 0xbd183d71, 0xafe4476a)},
3097 {FE_CONST(0xede78fdd, 0xcfc92bf1, 0x4fec6c6c, 0xdb8d37e2, 0xfb66bc7b, 0x28701870, 0x7fa27c9a, 0x307196ec),
3098 FE_CONST(0x68193a6c, 0x9a8b87a7, 0x2a760c64, 0x13e473f6, 0x23ae7bed, 0x1de05422, 0x88865427, 0xa3418265)},
3099 {FE_CONST(0xa40b2079, 0xb8f88e89, 0xa7617997, 0x89baf5ae, 0x174df343, 0x75138eae, 0x2711595d, 0x3fc3e66c),
3100 FE_CONST(0x9f99c6a5, 0x6d685267, 0xd4b87c37, 0x9d9c4576, 0x358c692b, 0x6bbae0ed, 0x3389c93d, 0x7fdd2655)},
3101 {FE_CONST(0x7c74c6b6, 0xe98d9151, 0x72645cf1, 0x7f06e321, 0xcefee074, 0x15b2113a, 0x10a9be07, 0x08a45696),
3102 FE_CONST(0x8c919a88, 0x898bc1e0, 0x77f26f97, 0x12e655b7, 0x9ba0ac40, 0xe15bb19e, 0x8364cc3b, 0xe227a8ee)},
3103 {FE_CONST(0x109ba1ce, 0xdafa6d4a, 0xa1cec2b2, 0xeb1069f4, 0xb7a79e5b, 0xec6eb99b, 0xaec5f643, 0xee0e723e),
3104 FE_CONST(0x93d13eb8, 0x4bb0bcf9, 0xe64f5a71, 0xdbe9f359, 0x7191401c, 0x6f057a4a, 0xa407fe1b, 0x7ecb65cc)},
3105 {FE_CONST(0x3db076cd, 0xec74a5c9, 0xf61dd138, 0x90e23e06, 0xeeedd2d0, 0x74cbc4e0, 0x3dbe1e91, 0xded36a78),
3106 FE_CONST(0x3f07f966, 0x8e2a1e09, 0x706c71df, 0x02b5e9d5, 0xcb92ddbf, 0xcdd53010, 0x16545564, 0xe660b107)},
3107 {FE_CONST(0xe31c73ed, 0xb4c4b82c, 0x02ae35f7, 0x4cdec153, 0x98b522fd, 0xf7d2460c, 0x6bf7c0f8, 0x4cf67b0d),
3108 FE_CONST(0x4b8f1faf, 0x94e8b070, 0x19af0ff6, 0xa319cd31, 0xdf0a7ffb, 0xefaba629, 0x59c50666, 0x1fe5b843)},
3109 {FE_CONST(0x4c8b0e6e, 0x83392ab6, 0xc0e3e9f1, 0xbbd85497, 0x16698897, 0xf552d50d, 0x79652ddb, 0x12f99870),
3110 FE_CONST(0x56d5101f, 0xd23b7949, 0x17dc38d6, 0xf24022ef, 0xcf18e70a, 0x5cc34424, 0x438544c3, 0x62da4bca)},
3111 {FE_CONST(0xb0e040e2, 0x40cc35da, 0x7dd5c611, 0x7fccb178, 0x28888137, 0xbc930358, 0xea2cbc90, 0x775417dc),
3112 FE_CONST(0xca37f0d4, 0x016dd7c8, 0xab3ae576, 0x96e08d69, 0x68ed9155, 0xa9b44270, 0x900ae35d, 0x7c7800cd)},
3113 {FE_CONST(0x8a32ea49, 0x7fbb0bae, 0x69724a9d, 0x8e2105b2, 0xbdf69178, 0x862577ef, 0x35055590, 0x667ddaef),
3114 FE_CONST(0xd02d7ead, 0xc5e190f0, 0x559c9d72, 0xdaef1ffc, 0x64f9f425, 0xf43645ea, 0x7341e08d, 0x11768e96)},
3115 {FE_CONST(0xa3592d98, 0x9abe289d, 0x579ebea6, 0xbb0857a8, 0xe242ab73, 0x85f9a2ce, 0xb6998f0f, 0xbfffbfc6),
3116 FE_CONST(0x093c1533, 0x32032efa, 0x6aa46070, 0x0039599e, 0x589c35f4, 0xff525430, 0x7fe3777a, 0x44b43ddc)},
3117 {FE_CONST(0x647178a3, 0x229e607b, 0xcc98521a, 0xcce3fdd9, 0x1e1bc9c9, 0x97fb7c6a, 0x61b961e0, 0x99b10709),
3118 FE_CONST(0x98217c13, 0xd51ddf78, 0x96310e77, 0xdaebd908, 0x602ca683, 0xcb46d07a, 0xa1fcf17e, 0xc8e2feb3)},
3119 {FE_CONST(0x7334627c, 0x73f98968, 0x99464b4b, 0xf5964958, 0x1b95870d, 0xc658227e, 0x5e3235d8, 0xdcab5787),
3120 FE_CONST(0x000006fd, 0xc7e9dd94, 0x40ae367a, 0xe51d495c, 0x07603b9b, 0x2d088418, 0x6cc5c74c, 0x98514307)},
3121 {FE_CONST(0x82e83876, 0x96c28938, 0xa50dd1c5, 0x605c3ad1, 0xc048637d, 0x7a50825f, 0x335ed01a, 0x00005760),
3122 FE_CONST(0xb0393f9f, 0x9f2aa55e, 0xf5607e2e, 0x5287d961, 0x60b3e704, 0xf3e16e80, 0xb4f9a3ea, 0xfec7f02d)},
3123 {FE_CONST(0xc97b6cec, 0x3ee6b8dc, 0x98d24b58, 0x3c1970a1, 0xfe06297a, 0xae813529, 0xe76bb6bd, 0x771ae51d),
3124 FE_CONST(0x0507c702, 0xd407d097, 0x47ddeb06, 0xf6625419, 0x79f48f79, 0x7bf80d0b, 0xfc34b364, 0x253a5db1)},
3125 {FE_CONST(0xd559af63, 0x77ea9bc4, 0x3cf1ad14, 0x5c7a4bbb, 0x10e7d18b, 0x7ce0dfac, 0x380bb19d, 0x0bb99bd3),
3126 FE_CONST(0x00196119, 0xb9b00d92, 0x34edfdb5, 0xbbdc42fc, 0xd2daa33a, 0x163356ca, 0xaa8754c8, 0xb0ec8b0b)},
3127 {FE_CONST(0x8ddfa3dc, 0x52918da0, 0x640519dc, 0x0af8512a, 0xca2d33b2, 0xbde52514, 0xda9c0afc, 0xcb29fce4),
3128 FE_CONST(0xb3e4878d, 0x5cb69148, 0xcd54388b, 0xc23acce0, 0x62518ba8, 0xf09def92, 0x7b31e6aa, 0x6ba35b02)},
3129 {FE_CONST(0xf8207492, 0xe3049f0a, 0x65285f2b, 0x0bfff996, 0x00ca112e, 0xc05da837, 0x546d41f9, 0x5194fb91),
3130 FE_CONST(0x7b7ee50b, 0xa8ed4bbd, 0xf6469930, 0x81419a5c, 0x071441c7, 0x290d046e, 0x3b82ea41, 0x611c5f95)},
3131 {FE_CONST(0x050f7c80, 0x5bcd3c6b, 0x823cb724, 0x5ce74db7, 0xa4e39f5c, 0xbd8828d7, 0xfd4d3e07, 0x3ec2926a),
3132 FE_CONST(0x000d6730, 0xb0171314, 0x4764053d, 0xee157117, 0x48fd61da, 0xdea0b9db, 0x1d5e91c6, 0xbdc3f59e)},
3133 {FE_CONST(0x3e3ea8eb, 0x05d760cf, 0x23009263, 0xb3cb3ac9, 0x088f6f0d, 0x3fc182a3, 0xbd57087c, 0xe67c62f9),
3134 FE_CONST(0xbe988716, 0xa29c1bf6, 0x4456aed6, 0xab1e4720, 0x49929305, 0x51043bf4, 0xebd833dd, 0xdd511e8b)},
3135 {FE_CONST(0x6964d2a9, 0xa7fa6501, 0xa5959249, 0x142f4029, 0xea0c1b5f, 0x2f487ef6, 0x301ac80a, 0x768be5cd),
3136 FE_CONST(0x3918ffe4, 0x07492543, 0xed24d0b7, 0x3df95f8f, 0xaffd7cb4, 0x0de2191c, 0x9ec2f2ad, 0x2c0cb3c6)},
3137 {FE_CONST(0x37c93520, 0xf6ddca57, 0x2b42fd5e, 0xb5c7e4de, 0x11b5b81c, 0xb95e91f3, 0x95c4d156, 0x39877ccb),
3138 FE_CONST(0x9a94b9b5, 0x57eb71ee, 0x4c975b8b, 0xac5262a8, 0x077b0595, 0xe12a6b1f, 0xd728edef, 0x1a6bf956)}
3139 };
3140 /* Fixed test cases for scalar inverses: pairs of (x, 1/x) mod n. */
3141 static const scalar scalar_cases[][2] = {
3142 /* 0 */
3143 {SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
3144 SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
3145 /* 1 */
3146 {SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1),
3147 SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
3148 /* -1 */
3149 {SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140),
3150 SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140)},
3151 /* 2 */
3152 {SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 2),
3153 SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x5d576e73, 0x57a4501d, 0xdfe92f46, 0x681b20a1)},
3154 /* 2**128 */
3155 {SCALAR_CONST(0, 0, 0, 1, 0, 0, 0, 0),
3156 SCALAR_CONST(0x50a51ac8, 0x34b9ec24, 0x4b0dff66, 0x5588b13e, 0x9984d5b3, 0xcf80ef0f, 0xd6a23766, 0xa3ee9f22)},
3157 /* Input known to need 635 divsteps */
3158 {SCALAR_CONST(0xcb9f1d35, 0xdd4416c2, 0xcd71bf3f, 0x6365da66, 0x3c9b3376, 0x8feb7ae9, 0x32a5ef60, 0x19199ec3),
3159 SCALAR_CONST(0x1d7c7bba, 0xf1893d53, 0xb834bd09, 0x36b411dc, 0x42c2e42f, 0xec72c428, 0x5e189791, 0x8e9bc708)},
3160 /* Input known to need 566 divsteps starting with delta=1/2. */
3161 {SCALAR_CONST(0x7e3c993d, 0xa4272488, 0xbc015b49, 0x2db54174, 0xd382083a, 0xebe6db35, 0x80f82eff, 0xcd132c72),
3162 SCALAR_CONST(0x086f34a0, 0x3e631f76, 0x77418f28, 0xcc84ac95, 0x6304439d, 0x365db268, 0x312c6ded, 0xd0b934f8)},
3163 /* Input known to need 565 divsteps starting with delta=1/2. */
3164 {SCALAR_CONST(0xbad7e587, 0x3f307859, 0x60d93147, 0x8a18491e, 0xb38a9fd5, 0x254350d3, 0x4b1f0e4b, 0x7dd6edc4),
3165 SCALAR_CONST(0x89f2df26, 0x39e2b041, 0xf19bd876, 0xd039c8ac, 0xc2223add, 0x29c4943e, 0x6632d908, 0x515f467b)},
3166 /* Selection of randomly generated inputs that reach low/high d/e values in various configurations. */
3167 {SCALAR_CONST(0x1950d757, 0xb37a5809, 0x435059bb, 0x0bb8997e, 0x07e1e3c8, 0x5e5d7d2c, 0x6a0ed8e3, 0xdbde180e),
3168 SCALAR_CONST(0xbf72af9b, 0x750309e2, 0x8dda230b, 0xfe432b93, 0x7e25e475, 0x4388251e, 0x633d894b, 0x3bcb6f8c)},
3169 {SCALAR_CONST(0x9bccf4e7, 0xc5a515e3, 0x50637aa9, 0xbb65a13f, 0x391749a1, 0x62de7d4e, 0xf6d7eabb, 0x3cd10ce0),
3170 SCALAR_CONST(0xaf2d5623, 0xb6385a33, 0xcd0365be, 0x5e92a70d, 0x7f09179c, 0x3baaf30f, 0x8f9cc83b, 0x20092f67)},
3171 {SCALAR_CONST(0x73a57111, 0xb242952a, 0x5c5dee59, 0xf3be2ace, 0xa30a7659, 0xa46e5f47, 0xd21267b1, 0x39e642c9),
3172 SCALAR_CONST(0xa711df07, 0xcbcf13ef, 0xd61cc6be, 0xbcd058ce, 0xb02cf157, 0x272d4a18, 0x86d0feb3, 0xcd5fa004)},
3173 {SCALAR_CONST(0x04884963, 0xce0580b1, 0xba547030, 0x3c691db3, 0x9cd2c84f, 0x24c7cebd, 0x97ebfdba, 0x3e785ec2),
3174 SCALAR_CONST(0xaaaaaf14, 0xd7c99ba7, 0x517ce2c1, 0x78a28b4c, 0x3769a851, 0xe5c5a03d, 0x4cc28f33, 0x0ec4dc5d)},
3175 {SCALAR_CONST(0x1679ed49, 0x21f537b1, 0x815cb8ae, 0x9efc511c, 0x5b9fa037, 0x0b0f275e, 0x6c985281, 0x6c4a9905),
3176 SCALAR_CONST(0xb14ac3d5, 0x62b52999, 0xef34ead1, 0xffca4998, 0x0294341a, 0x1f8172aa, 0xea1624f9, 0x302eea62)},
3177 {SCALAR_CONST(0x626b37c0, 0xf0057c35, 0xee982f83, 0x452a1fd3, 0xea826506, 0x48b08a9d, 0x1d2c4799, 0x4ad5f6ec),
3178 SCALAR_CONST(0xe38643b7, 0x567bfc2f, 0x5d2f1c15, 0xe327239c, 0x07112443, 0x69509283, 0xfd98e77a, 0xdb71c1e8)},
3179 {SCALAR_CONST(0x1850a3a7, 0x759efc56, 0x54f287b2, 0x14d1234b, 0xe263bbc9, 0xcf4d8927, 0xd5f85f27, 0x965bd816),
3180 SCALAR_CONST(0x3b071831, 0xcac9619a, 0xcceb0596, 0xf614d63b, 0x95d0db2f, 0xc6a00901, 0x8eaa2621, 0xabfa0009)},
3181 {SCALAR_CONST(0x94ae5d06, 0xa27dc400, 0x487d72be, 0xaa51ebed, 0xe475b5c0, 0xea675ffc, 0xf4df627a, 0xdca4222f),
3182 SCALAR_CONST(0x01b412ed, 0xd7830956, 0x1532537e, 0xe5e3dc99, 0x8fd3930a, 0x54f8d067, 0x32ef5760, 0x594438a5)},
3183 {SCALAR_CONST(0x1f24278a, 0xb5bfe374, 0xa328dbbc, 0xebe35f48, 0x6620e009, 0xd58bb1b4, 0xb5a6bf84, 0x8815f63a),
3184 SCALAR_CONST(0xfe928416, 0xca5ba2d3, 0xfde513da, 0x903a60c7, 0x9e58ad8a, 0x8783bee4, 0x083a3843, 0xa608c914)},
3185 {SCALAR_CONST(0xdc107d58, 0x274f6330, 0x67dba8bc, 0x26093111, 0x5201dfb8, 0x968ce3f5, 0xf34d1bd4, 0xf2146504),
3186 SCALAR_CONST(0x660cfa90, 0x13c3d93e, 0x7023b1e5, 0xedd09e71, 0x6d9c9d10, 0x7a3d2cdb, 0xdd08edc3, 0xaa78fcfb)},
3187 {SCALAR_CONST(0x7cd1e905, 0xc6f02776, 0x2f551cc7, 0x5da61cff, 0x7da05389, 0x1119d5a4, 0x631c7442, 0x894fd4f7),
3188 SCALAR_CONST(0xff20862a, 0x9d3b1a37, 0x1628803b, 0x3004ccae, 0xaa23282a, 0xa89a1109, 0xd94ece5e, 0x181bdc46)},
3189 {SCALAR_CONST(0x5b9dade8, 0x23d26c58, 0xcd12d818, 0x25b8ae97, 0x3dea04af, 0xf482c96b, 0xa062f254, 0x9e453640),
3190 SCALAR_CONST(0x50c38800, 0x15fa53f4, 0xbe1e5392, 0x5c9b120a, 0x262c22c7, 0x18fa0816, 0x5f2baab4, 0x8cb5db46)},
3191 {SCALAR_CONST(0x11cdaeda, 0x969c464b, 0xef1f4ab0, 0x5b01d22e, 0x656fd098, 0x882bea84, 0x65cdbe7a, 0x0c19ff03),
3192 SCALAR_CONST(0x1968d0fa, 0xac46f103, 0xb55f1f72, 0xb3820bed, 0xec6b359a, 0x4b1ae0ad, 0x7e38e1fb, 0x295ccdfb)},
3193 {SCALAR_CONST(0x2c351aa1, 0x26e91589, 0x194f8a1e, 0x06561f66, 0x0cb97b7f, 0x10914454, 0x134d1c03, 0x157266b4),
3194 SCALAR_CONST(0xbe49ada6, 0x92bd8711, 0x41b176c4, 0xa478ba95, 0x14883434, 0x9d1cd6f3, 0xcc4b847d, 0x22af80f5)},
3195 {SCALAR_CONST(0x6ba07c6e, 0x13a60edb, 0x6247f5c3, 0x84b5fa56, 0x76fe3ec5, 0x80426395, 0xf65ec2ae, 0x623ba730),
3196 SCALAR_CONST(0x25ac23f7, 0x418cd747, 0x98376f9d, 0x4a11c7bf, 0x24c8ebfe, 0x4c8a8655, 0x345f4f52, 0x1c515595)},
3197 {SCALAR_CONST(0x9397a712, 0x8abb6951, 0x2d4a3d54, 0x703b1c2a, 0x0661dca8, 0xd75c9b31, 0xaed4d24b, 0xd2ab2948),
3198 SCALAR_CONST(0xc52e8bef, 0xd55ce3eb, 0x1c897739, 0xeb9fb606, 0x36b9cd57, 0x18c51cc2, 0x6a87489e, 0xffd0dcf3)},
3199 {SCALAR_CONST(0xe6a808cc, 0xeb437888, 0xe97798df, 0x4e224e44, 0x7e3b380a, 0x207c1653, 0x889f3212, 0xc6738b6f),
3200 SCALAR_CONST(0x31f9ae13, 0xd1e08b20, 0x757a2e5e, 0x5243a0eb, 0x8ae35f73, 0x19bb6122, 0xb910f26b, 0xda70aa55)},
3201 {SCALAR_CONST(0xd0320548, 0xab0effe7, 0xa70779e0, 0x61a347a6, 0xb8c1e010, 0x9d5281f8, 0x2ee588a6, 0x80000000),
3202 SCALAR_CONST(0x1541897e, 0x78195c90, 0x7583dd9e, 0x728b6100, 0xbce8bc6d, 0x7a53b471, 0x5dcd9e45, 0x4425fcaf)},
3203 {SCALAR_CONST(0x93d623f1, 0xd45b50b0, 0x796e9186, 0x9eac9407, 0xd30edc20, 0xef6304cf, 0x250494e7, 0xba503de9),
3204 SCALAR_CONST(0x7026d638, 0x1178b548, 0x92043952, 0x3c7fb47c, 0xcd3ea236, 0x31d82b01, 0x612fc387, 0x80b9b957)},
3205 {SCALAR_CONST(0xf860ab39, 0x55f5d412, 0xa4d73bcc, 0x3b48bd90, 0xc248ffd3, 0x13ca10be, 0x8fba84cc, 0xdd28d6a3),
3206 SCALAR_CONST(0x5c32fc70, 0xe0b15d67, 0x76694700, 0xfe62be4d, 0xeacdb229, 0x7a4433d9, 0x52155cd0, 0x7649ab59)},
3207 {SCALAR_CONST(0x4e41311c, 0x0800af58, 0x7a690a8e, 0xe175c9ba, 0x6981ab73, 0xac532ea8, 0x5c1f5e63, 0x6ac1f189),
3208 SCALAR_CONST(0xfffffff9, 0xd075982c, 0x7fbd3825, 0xc05038a2, 0x4533b91f, 0x94ec5f45, 0xb280b28f, 0x842324dc)},
3209 {SCALAR_CONST(0x48e473bf, 0x3555eade, 0xad5d7089, 0x2424c4e4, 0x0a99397c, 0x2dc796d8, 0xb7a43a69, 0xd0364141),
3210 SCALAR_CONST(0x634976b2, 0xa0e47895, 0x1ec38593, 0x266d6fd0, 0x6f602644, 0x9bb762f1, 0x7180c704, 0xe23a4daa)},
3211 {SCALAR_CONST(0xbe83878d, 0x3292fc54, 0x26e71c62, 0x556ccedc, 0x7cbb8810, 0x4032a720, 0x34ead589, 0xe4d6bd13),
3212 SCALAR_CONST(0x6cd150ad, 0x25e59d0f, 0x74cbae3d, 0x6377534a, 0x1e6562e8, 0xb71b9d18, 0xe1e5d712, 0x8480abb3)},
3213 {SCALAR_CONST(0xcdddf2e5, 0xefc15f88, 0xc9ee06de, 0x8a846ca9, 0x28561581, 0x68daa5fb, 0xd1cf3451, 0xeb1782d0),
3214 SCALAR_CONST(0xffffffd9, 0xed8d2af4, 0x993c865a, 0x23e9681a, 0x3ca3a3dc, 0xe6d5a46e, 0xbd86bd87, 0x61b55c70)},
3215 {SCALAR_CONST(0xb6a18f1f, 0x04872df9, 0x08165ec4, 0x319ca19c, 0x6c0359ab, 0x1f7118fb, 0xc2ef8082, 0xca8b7785),
3216 SCALAR_CONST(0xff55b19b, 0x0f1ac78c, 0x0f0c88c2, 0x2358d5ad, 0x5f455e4e, 0x3330b72f, 0x274dc153, 0xffbf272b)},
3217 {SCALAR_CONST(0xea4898e5, 0x30eba3e8, 0xcf0e5c3d, 0x06ec6844, 0x01e26fb6, 0x75636225, 0xc5d08f4c, 0x1decafa0),
3218 SCALAR_CONST(0xe5a014a8, 0xe3c4ec1e, 0xea4f9b32, 0xcfc7b386, 0x00630806, 0x12c08d02, 0x6407ccc2, 0xb067d90e)},
3219 {SCALAR_CONST(0x70e9aea9, 0x7e933af0, 0x8a23bfab, 0x23e4b772, 0xff951863, 0x5ffcf47d, 0x6bebc918, 0x2ca58265),
3220 SCALAR_CONST(0xf4e00006, 0x81bc6441, 0x4eb6ec02, 0xc194a859, 0x80ad7c48, 0xba4e9afb, 0x8b6bdbe0, 0x989d8f77)},
3221 {SCALAR_CONST(0x3c56c774, 0x46efe6f0, 0xe93618b8, 0xf9b5a846, 0xd247df61, 0x83b1e215, 0x06dc8bcc, 0xeefc1bf5),
3222 SCALAR_CONST(0xfff8937a, 0x2cd9586b, 0x43c25e57, 0xd1cefa7a, 0x9fb91ed3, 0x95b6533d, 0x8ad0de5b, 0xafb93f00)},
3223 {SCALAR_CONST(0xfb5c2772, 0x5cb30e83, 0xe38264df, 0xe4e3ebf3, 0x392aa92e, 0xa68756a1, 0x51279ac5, 0xb50711a8),
3224 SCALAR_CONST(0x000013af, 0x1105bfe7, 0xa6bbd7fb, 0x3d638f99, 0x3b266b02, 0x072fb8bc, 0x39251130, 0x2e0fd0ea)}
3225 };
3226 int i, var, testrand;
3227 unsigned char b32[32];
3228 Fe x_fe;
3229 scalar x_scalar;
3230 memset(b32, 0, sizeof(b32));
3231 /* Test fixed test cases through test_inverse_{scalar,field}, both ways. */
3232 for (i = 0; (size_t)i < sizeof(fe_cases)/sizeof(fe_cases[0]); ++i) {
3233 for (var = 0; var <= 1; ++var) {
3234 test_inverse_field(&x_fe, &fe_cases[i][0], var);
3235 check_fe_equal(&x_fe, &fe_cases[i][1]);
3236 test_inverse_field(&x_fe, &fe_cases[i][1], var);
3237 check_fe_equal(&x_fe, &fe_cases[i][0]);
3238 }
3239 }
3240 for (i = 0; (size_t)i < sizeof(scalar_cases)/sizeof(scalar_cases[0]); ++i) {
3241 for (var = 0; var <= 1; ++var) {
3242 test_inverse_scalar(&x_scalar, &scalar_cases[i][0], var);
3243 CHECK(scalar_eq(&x_scalar, &scalar_cases[i][1]));
3244 test_inverse_scalar(&x_scalar, &scalar_cases[i][1], var);
3245 CHECK(scalar_eq(&x_scalar, &scalar_cases[i][0]));
3246 }
3247 }
3248 /* Test inputs 0..999 and their respective negations. */
3249 for (i = 0; i < 1000; ++i) {
3250 b32[31] = i & 0xff;
3251 b32[30] = (i >> 8) & 0xff;
3252 scalar_set_b32(&x_scalar, b32, NULL);
3253 fe_set_b32(&x_fe, b32);
3254 for (var = 0; var <= 1; ++var) {
3255 test_inverse_scalar(NULL, &x_scalar, var);
3256 test_inverse_field(NULL, &x_fe, var);
3257 }
3258 scalar_negate(&x_scalar, &x_scalar);
3259 fe_negate(&x_fe, &x_fe, 1);
3260 for (var = 0; var <= 1; ++var) {
3261 test_inverse_scalar(NULL, &x_scalar, var);
3262 test_inverse_field(NULL, &x_fe, var);
3263 }
3264 }
3265 /* test 128*count random inputs; half with testrand256_test, half with testrand256 */
3266 for (testrand = 0; testrand <= 1; ++testrand) {
3267 for (i = 0; i < 64 * count; ++i) {
3268 (testrand ? testrand256_test : testrand256)(b32);
3269 scalar_set_b32(&x_scalar, b32, NULL);
3270 fe_set_b32(&x_fe, b32);
3271 for (var = 0; var <= 1; ++var) {
3272 test_inverse_scalar(NULL, &x_scalar, var);
3273 test_inverse_field(NULL, &x_fe, var);
3274 }
3275 }
3276 }
3277 */
3278}
3279
3280/* -------------- **** GROUP TESTS **** -------------- */
3281
3282pub fn ge_equals_ge(
3283 a: *const Ge,
3284 b: *const Ge) {
3285
3286 todo!();
3287 /*
3288 CHECK(a->infinity == b->infinity);
3289 if (a->infinity) {
3290 return;
3291 }
3292 CHECK(fe_equal_var(&a->x, &b->x));
3293 CHECK(fe_equal_var(&a->y, &b->y));
3294 */
3295}
3296
3297/**
3298 | This compares jacobian points including
3299 | their Z, not just their geometric meaning.
3300 |
3301 */
3302pub fn gej_xyz_equals_gej(
3303 a: *const Gej,
3304 b: *const Gej) -> i32 {
3305
3306 todo!();
3307 /*
3308 gej a2;
3309 gej b2;
3310 int ret = 1;
3311 ret &= a->infinity == b->infinity;
3312 if (ret && !a->infinity) {
3313 a2 = *a;
3314 b2 = *b;
3315 fe_normalize(&a2.x);
3316 fe_normalize(&a2.y);
3317 fe_normalize(&a2.z);
3318 fe_normalize(&b2.x);
3319 fe_normalize(&b2.y);
3320 fe_normalize(&b2.z);
3321 ret &= fe_cmp_var(&a2.x, &b2.x) == 0;
3322 ret &= fe_cmp_var(&a2.y, &b2.y) == 0;
3323 ret &= fe_cmp_var(&a2.z, &b2.z) == 0;
3324 }
3325 return ret;
3326 */
3327}
3328
3329pub fn ge_equals_gej(
3330 a: *const Ge,
3331 b: *const Gej) {
3332
3333 todo!();
3334 /*
3335 Fe z2s;
3336 Fe u1, u2, s1, s2;
3337 CHECK(a->infinity == b->infinity);
3338 if (a->infinity) {
3339 return;
3340 }
3341 /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
3342 fe_sqr(&z2s, &b->z);
3343 fe_mul(&u1, &a->x, &z2s);
3344 u2 = b->x; fe_normalize_weak(&u2);
3345 fe_mul(&s1, &a->y, &z2s); fe_mul(&s1, &s1, &b->z);
3346 s2 = b->y; fe_normalize_weak(&s2);
3347 CHECK(fe_equal_var(&u1, &u2));
3348 CHECK(fe_equal_var(&s1, &s2));
3349 */
3350}
3351
3352pub fn test_ge() {
3353
3354 todo!();
3355 /*
3356 int i, i1;
3357 int runs = 6;
3358 /* 25 points are used:
3359 * - infinity
3360 * - for each of four random points p1 p2 p3 p4, we add the point, its
3361 * negation, and then those two again but with randomized Z coordinate.
3362 * - The same is then done for lambda*p1 and lambda^2*p1.
3363 */
3364 ge *ge = (ge *)checked_malloc(&ctx->error_callback, sizeof(ge) * (1 + 4 * runs));
3365 gej *gej = (gej *)checked_malloc(&ctx->error_callback, sizeof(gej) * (1 + 4 * runs));
3366 Fe zf;
3367 Fe zfi2, zfi3;
3368
3369 gej_set_infinity(&gej[0]);
3370 ge_clear(&ge[0]);
3371 ge_set_gej_var(&ge[0], &gej[0]);
3372 for (i = 0; i < runs; i++) {
3373 int j;
3374 ge g;
3375 random_group_element_test(&g);
3376 if (i >= runs - 2) {
3377 ge_mul_lambda(&g, &ge[1]);
3378 }
3379 if (i >= runs - 1) {
3380 ge_mul_lambda(&g, &g);
3381 }
3382 ge[1 + 4 * i] = g;
3383 ge[2 + 4 * i] = g;
3384 ge_neg(&ge[3 + 4 * i], &g);
3385 ge_neg(&ge[4 + 4 * i], &g);
3386 gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
3387 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
3388 gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
3389 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
3390 for (j = 0; j < 4; j++) {
3391 random_field_element_magnitude(&ge[1 + j + 4 * i].x);
3392 random_field_element_magnitude(&ge[1 + j + 4 * i].y);
3393 random_field_element_magnitude(&gej[1 + j + 4 * i].x);
3394 random_field_element_magnitude(&gej[1 + j + 4 * i].y);
3395 random_field_element_magnitude(&gej[1 + j + 4 * i].z);
3396 }
3397 }
3398
3399 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
3400 do {
3401 random_field_element_test(&zf);
3402 } while(fe_is_zero(&zf));
3403 random_field_element_magnitude(&zf);
3404 fe_inv_var(&zfi3, &zf);
3405 fe_sqr(&zfi2, &zfi3);
3406 fe_mul(&zfi3, &zfi3, &zfi2);
3407
3408 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
3409 int i2;
3410 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
3411 /* Compute reference result using gej + gej (var). */
3412 gej refj, resj;
3413 ge ref;
3414 Fe zr;
3415 gej_add_var(&refj, &gej[i1], &gej[i2], gej_is_infinity(&gej[i1]) ? NULL : &zr);
3416 /* Check Z ratio. */
3417 if (!gej_is_infinity(&gej[i1]) && !gej_is_infinity(&refj)) {
3418 Fe zrz; fe_mul(&zrz, &zr, &gej[i1].z);
3419 CHECK(fe_equal_var(&zrz, &refj.z));
3420 }
3421 ge_set_gej_var(&ref, &refj);
3422
3423 /* Test gej + ge with Z ratio result (var). */
3424 gej_add_ge_var(&resj, &gej[i1], &ge[i2], gej_is_infinity(&gej[i1]) ? NULL : &zr);
3425 ge_equals_gej(&ref, &resj);
3426 if (!gej_is_infinity(&gej[i1]) && !gej_is_infinity(&resj)) {
3427 Fe zrz; fe_mul(&zrz, &zr, &gej[i1].z);
3428 CHECK(fe_equal_var(&zrz, &resj.z));
3429 }
3430
3431 /* Test gej + ge (var, with additional Z factor). */
3432 {
3433 ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
3434 fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
3435 fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
3436 random_field_element_magnitude(&ge2_zfi.x);
3437 random_field_element_magnitude(&ge2_zfi.y);
3438 gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
3439 ge_equals_gej(&ref, &resj);
3440 }
3441
3442 /* Test gej + ge (const). */
3443 if (i2 != 0) {
3444 /* gej_add_ge does not support its second argument being infinity. */
3445 gej_add_ge(&resj, &gej[i1], &ge[i2]);
3446 ge_equals_gej(&ref, &resj);
3447 }
3448
3449 /* Test doubling (var). */
3450 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
3451 Fe zr2;
3452 /* Normal doubling with Z ratio result. */
3453 gej_double_var(&resj, &gej[i1], &zr2);
3454 ge_equals_gej(&ref, &resj);
3455 /* Check Z ratio. */
3456 fe_mul(&zr2, &zr2, &gej[i1].z);
3457 CHECK(fe_equal_var(&zr2, &resj.z));
3458 /* Normal doubling. */
3459 gej_double_var(&resj, &gej[i2], NULL);
3460 ge_equals_gej(&ref, &resj);
3461 /* Constant-time doubling. */
3462 gej_double(&resj, &gej[i2]);
3463 ge_equals_gej(&ref, &resj);
3464 }
3465
3466 /* Test adding opposites. */
3467 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
3468 CHECK(ge_is_infinity(&ref));
3469 }
3470
3471 /* Test adding infinity. */
3472 if (i1 == 0) {
3473 CHECK(ge_is_infinity(&ge[i1]));
3474 CHECK(gej_is_infinity(&gej[i1]));
3475 ge_equals_gej(&ref, &gej[i2]);
3476 }
3477 if (i2 == 0) {
3478 CHECK(ge_is_infinity(&ge[i2]));
3479 CHECK(gej_is_infinity(&gej[i2]));
3480 ge_equals_gej(&ref, &gej[i1]);
3481 }
3482 }
3483 }
3484
3485 /* Test adding all points together in random order equals infinity. */
3486 {
3487 gej sum = GEJ_CONST_INFINITY;
3488 gej *gej_shuffled = (gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(gej));
3489 for (i = 0; i < 4 * runs + 1; i++) {
3490 gej_shuffled[i] = gej[i];
3491 }
3492 for (i = 0; i < 4 * runs + 1; i++) {
3493 int swap = i + testrand_int(4 * runs + 1 - i);
3494 if (swap != i) {
3495 gej t = gej_shuffled[i];
3496 gej_shuffled[i] = gej_shuffled[swap];
3497 gej_shuffled[swap] = t;
3498 }
3499 }
3500 for (i = 0; i < 4 * runs + 1; i++) {
3501 gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
3502 }
3503 CHECK(gej_is_infinity(&sum));
3504 free(gej_shuffled);
3505 }
3506
3507 /* Test batch gej -> ge conversion without known z ratios. */
3508 {
3509 ge *ge_set_all = (ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(ge));
3510 ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
3511 for (i = 0; i < 4 * runs + 1; i++) {
3512 Fe s;
3513 random_fe_non_zero(&s);
3514 gej_rescale(&gej[i], &s);
3515 ge_equals_gej(&ge_set_all[i], &gej[i]);
3516 }
3517 free(ge_set_all);
3518 }
3519
3520 /* Test batch gej -> ge conversion with many infinities. */
3521 for (i = 0; i < 4 * runs + 1; i++) {
3522 int odd;
3523 random_group_element_test(&ge[i]);
3524 odd = fe_is_odd(&ge[i].x);
3525 CHECK(odd == 0 || odd == 1);
3526 /* randomly set half the points to infinity */
3527 if (odd == i % 2) {
3528 ge_set_infinity(&ge[i]);
3529 }
3530 gej_set_ge(&gej[i], &ge[i]);
3531 }
3532 /* batch convert */
3533 ge_set_all_gej_var(ge, gej, 4 * runs + 1);
3534 /* check result */
3535 for (i = 0; i < 4 * runs + 1; i++) {
3536 ge_equals_gej(&ge[i], &gej[i]);
3537 }
3538
3539 /* Test batch gej -> ge conversion with all infinities. */
3540 for (i = 0; i < 4 * runs + 1; i++) {
3541 gej_set_infinity(&gej[i]);
3542 }
3543 /* batch convert */
3544 ge_set_all_gej_var(ge, gej, 4 * runs + 1);
3545 /* check result */
3546 for (i = 0; i < 4 * runs + 1; i++) {
3547 CHECK(ge_is_infinity(&ge[i]));
3548 }
3549
3550 free(ge);
3551 free(gej);
3552 */
3553}
3554
3555pub fn test_intialized_inf() {
3556
3557 todo!();
3558 /*
3559 ge p;
3560 gej pj, npj, infj1, infj2, infj3;
3561 Fe zinv;
3562
3563 /* Test that adding P+(-P) results in a fully initalized infinity*/
3564 random_group_element_test(&p);
3565 gej_set_ge(&pj, &p);
3566 gej_neg(&npj, &pj);
3567
3568 gej_add_var(&infj1, &pj, &npj, NULL);
3569 CHECK(gej_is_infinity(&infj1));
3570 CHECK(fe_is_zero(&infj1.x));
3571 CHECK(fe_is_zero(&infj1.y));
3572 CHECK(fe_is_zero(&infj1.z));
3573
3574 gej_add_ge_var(&infj2, &npj, &p, NULL);
3575 CHECK(gej_is_infinity(&infj2));
3576 CHECK(fe_is_zero(&infj2.x));
3577 CHECK(fe_is_zero(&infj2.y));
3578 CHECK(fe_is_zero(&infj2.z));
3579
3580 fe_set_int(&zinv, 1);
3581 gej_add_zinv_var(&infj3, &npj, &p, &zinv);
3582 CHECK(gej_is_infinity(&infj3));
3583 CHECK(fe_is_zero(&infj3.x));
3584 CHECK(fe_is_zero(&infj3.y));
3585 CHECK(fe_is_zero(&infj3.z));
3586 */
3587}
3588
3589pub fn test_add_neg_y_diff_x() {
3590
3591 todo!();
3592 /*
3593 /* The point of this test is to check that we can add two points
3594 * whose y-coordinates are negatives of each other but whose x
3595 * coordinates differ. If the x-coordinates were the same, these
3596 * points would be negatives of each other and their sum is
3597 * infinity. This is cool because it "covers up" any degeneracy
3598 * in the addition algorithm that would cause the xy coordinates
3599 * of the sum to be wrong (since infinity has no xy coordinates).
3600 * HOWEVER, if the x-coordinates are different, infinity is the
3601 * wrong answer, and such degeneracies are exposed. This is the
3602 * root of https://github.com/bitcoin-core/secp256k1/issues/257
3603 * which this test is a regression test for.
3604 *
3605 * These points were generated in sage as
3606 * # secp256k1 params
3607 * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
3608 * C = EllipticCurve ([F (0), F (7)])
3609 * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
3610 * N = FiniteField(G.order())
3611 *
3612 * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
3613 * x = polygen(N)
3614 * lam = (1 - x^3).roots()[1][0]
3615 *
3616 * # random "bad pair"
3617 * P = C.random_element()
3618 * Q = -int(lam) * P
3619 * print " P: %x %x" % P.xy()
3620 * print " Q: %x %x" % Q.xy()
3621 * print "P + Q: %x %x" % (P + Q).xy()
3622 */
3623 gej aj = GEJ_CONST(
3624 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
3625 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
3626 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
3627 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
3628 );
3629 gej bj = GEJ_CONST(
3630 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
3631 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
3632 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
3633 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
3634 );
3635 gej sumj = GEJ_CONST(
3636 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
3637 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
3638 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
3639 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
3640 );
3641 ge b;
3642 gej resj;
3643 ge res;
3644 ge_set_gej(&b, &bj);
3645
3646 gej_add_var(&resj, &aj, &bj, NULL);
3647 ge_set_gej(&res, &resj);
3648 ge_equals_gej(&res, &sumj);
3649
3650 gej_add_ge(&resj, &aj, &b);
3651 ge_set_gej(&res, &resj);
3652 ge_equals_gej(&res, &sumj);
3653
3654 gej_add_ge_var(&resj, &aj, &b, NULL);
3655 ge_set_gej(&res, &resj);
3656 ge_equals_gej(&res, &sumj);
3657 */
3658}
3659
3660pub fn run_ge() {
3661
3662 todo!();
3663 /*
3664 int i;
3665 for (i = 0; i < count * 32; i++) {
3666 test_ge();
3667 }
3668 test_add_neg_y_diff_x();
3669 test_intialized_inf();
3670 */
3671}
3672
3673pub fn test_ec_combine() {
3674
3675 todo!();
3676 /*
3677 scalar sum = SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3678 pubkey data[6];
3679 const pubkey* d[6];
3680 pubkey sd;
3681 pubkey sd2;
3682 gej Qj;
3683 ge Q;
3684 int i;
3685 for (i = 1; i <= 6; i++) {
3686 scalar s;
3687 random_scalar_order_test(&s);
3688 scalar_add(&sum, &sum, &s);
3689 ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s);
3690 ge_set_gej(&Q, &Qj);
3691 pubkey_save(&data[i - 1], &Q);
3692 d[i - 1] = &data[i - 1];
3693 ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum);
3694 ge_set_gej(&Q, &Qj);
3695 pubkey_save(&sd, &Q);
3696 CHECK(ec_pubkey_combine(ctx, &sd2, d, i) == 1);
3697 CHECK(memcmp_var(&sd, &sd2, sizeof(sd)) == 0);
3698 }
3699 */
3700}
3701
3702pub fn run_ec_combine() {
3703
3704 todo!();
3705 /*
3706 int i;
3707 for (i = 0; i < count * 8; i++) {
3708 test_ec_combine();
3709 }
3710 */
3711}
3712
3713pub fn test_group_decompress(x: *const Fe) {
3714
3715 todo!();
3716 /*
3717 /* The input itself, normalized. */
3718 Fe fex = *x;
3719 /* Results of set_xo_var(..., 0), set_xo_var(..., 1). */
3720 ge ge_even, ge_odd;
3721 /* Return values of the above calls. */
3722 int res_even, res_odd;
3723
3724 fe_normalize_var(&fex);
3725
3726 res_even = ge_set_xo_var(&ge_even, &fex, 0);
3727 res_odd = ge_set_xo_var(&ge_odd, &fex, 1);
3728
3729 CHECK(res_even == res_odd);
3730
3731 if (res_even) {
3732 fe_normalize_var(&ge_odd.x);
3733 fe_normalize_var(&ge_even.x);
3734 fe_normalize_var(&ge_odd.y);
3735 fe_normalize_var(&ge_even.y);
3736
3737 /* No infinity allowed. */
3738 CHECK(!ge_even.infinity);
3739 CHECK(!ge_odd.infinity);
3740
3741 /* Check that the x coordinates check out. */
3742 CHECK(fe_equal_var(&ge_even.x, x));
3743 CHECK(fe_equal_var(&ge_odd.x, x));
3744
3745 /* Check odd/even Y in ge_odd, ge_even. */
3746 CHECK(fe_is_odd(&ge_odd.y));
3747 CHECK(!fe_is_odd(&ge_even.y));
3748 }
3749 */
3750}
3751
3752pub fn run_group_decompress() {
3753
3754 todo!();
3755 /*
3756 int i;
3757 for (i = 0; i < count * 4; i++) {
3758 Fe Fe;
3759 random_fe_test(&Fe);
3760 test_group_decompress(&Fe);
3761 }
3762 */
3763}
3764
3765/* -------------- **** ECMULT TESTS **** -------------- */
3766
3767pub fn run_ecmult_chain() {
3768
3769 todo!();
3770 /*
3771 /* random starting point A (on the curve) */
3772 gej a = GEJ_CONST(
3773 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
3774 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
3775 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
3776 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
3777 );
3778 /* two random initial factors xn and gn */
3779 scalar xn = SCALAR_CONST(
3780 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
3781 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
3782 );
3783 scalar gn = SCALAR_CONST(
3784 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
3785 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
3786 );
3787 /* two small multipliers to be applied to xn and gn in every iteration: */
3788 static const scalar xf = SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
3789 static const scalar gf = SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
3790 /* accumulators with the resulting coefficients to A and G */
3791 scalar ae = SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
3792 scalar ge = SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3793 /* actual points */
3794 gej x;
3795 gej x2;
3796 int i;
3797
3798 /* the point being computed */
3799 x = a;
3800 for (i = 0; i < 200*count; i++) {
3801 /* in each iteration, compute X = xn*X + gn*G; */
3802 ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn);
3803 /* also compute ae and ge: the actual accumulated factors for A and G */
3804 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
3805 scalar_mul(&ae, &ae, &xn);
3806 scalar_mul(&ge, &ge, &xn);
3807 scalar_add(&ge, &ge, &gn);
3808 /* modify xn and gn */
3809 scalar_mul(&xn, &xn, &xf);
3810 scalar_mul(&gn, &gn, &gf);
3811
3812 /* verify */
3813 if (i == 19999) {
3814 /* expected result after 19999 iterations */
3815 gej rp = GEJ_CONST(
3816 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
3817 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
3818 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
3819 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
3820 );
3821
3822 gej_neg(&rp, &rp);
3823 gej_add_var(&rp, &rp, &x, NULL);
3824 CHECK(gej_is_infinity(&rp));
3825 }
3826 }
3827 /* redo the computation, but directly with the resulting ae and ge coefficients: */
3828 ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge);
3829 gej_neg(&x2, &x2);
3830 gej_add_var(&x2, &x2, &x, NULL);
3831 CHECK(gej_is_infinity(&x2));
3832 */
3833}
3834
3835pub fn test_point_times_order(point: *const Gej) {
3836
3837 todo!();
3838 /*
3839 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
3840 scalar x;
3841 scalar nx;
3842 scalar zero = SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3843 scalar one = SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
3844 gej res1, res2;
3845 ge res3;
3846 unsigned char pub[65];
3847 size_t psize = 65;
3848 random_scalar_order_test(&x);
3849 scalar_negate(&nx, &x);
3850 ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */
3851 ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
3852 gej_add_var(&res1, &res1, &res2, NULL);
3853 CHECK(gej_is_infinity(&res1));
3854 ge_set_gej(&res3, &res1);
3855 CHECK(ge_is_infinity(&res3));
3856 CHECK(ge_is_valid_var(&res3) == 0);
3857 CHECK(eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
3858 psize = 65;
3859 CHECK(eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
3860 /* check zero/one edge cases */
3861 ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero);
3862 ge_set_gej(&res3, &res1);
3863 CHECK(ge_is_infinity(&res3));
3864 ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero);
3865 ge_set_gej(&res3, &res1);
3866 ge_equals_gej(&res3, point);
3867 ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one);
3868 ge_set_gej(&res3, &res1);
3869 ge_equals_ge(&res3, &ge_const_g);
3870 */
3871}
3872
3873
3874/**
3875 | These scalars reach large (in absolute value)
3876 | outputs when fed to scalar_split_lambda.
3877 |
3878 | They are computed as:
3879 | - For a in [-2, -1, 0, 1, 2]:
3880 | - For b in [-3, -1, 1, 3]:
3881 | - Output (a*LAMBDA + (ORDER+b)/2) % ORDER
3882 */
3883lazy_static!{
3884 /*
3885 static const scalar scalars_near_split_bounds[20] = {
3886 SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fc),
3887 SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fd),
3888 SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fe),
3889 SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6ff),
3890 SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632d),
3891 SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632e),
3892 SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632f),
3893 SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf76330),
3894 SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b209f),
3895 SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a0),
3896 SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a1),
3897 SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a2),
3898 SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede11),
3899 SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede12),
3900 SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede13),
3901 SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede14),
3902 SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a42),
3903 SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a43),
3904 SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a44),
3905 SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a45)
3906 };
3907 */
3908}
3909
3910pub fn test_ecmult_target(
3911 target: *const Scalar,
3912 mode: i32) {
3913
3914 todo!();
3915 /*
3916 /* Mode: 0=ecmult_gen, 1=ecmult, 2=ecmult_const */
3917 scalar n1, n2;
3918 ge p;
3919 gej pj, p1j, p2j, ptj;
3920 static const scalar zero = SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
3921
3922 /* Generate random n1,n2 such that n1+n2 = -target. */
3923 random_scalar_order_test(&n1);
3924 scalar_add(&n2, &n1, target);
3925 scalar_negate(&n2, &n2);
3926
3927 /* Generate a random input point. */
3928 if (mode != 0) {
3929 random_group_element_test(&p);
3930 gej_set_ge(&pj, &p);
3931 }
3932
3933 /* EC multiplications */
3934 if (mode == 0) {
3935 ecmult_gen(&ctx->ecmult_gen_ctx, &p1j, &n1);
3936 ecmult_gen(&ctx->ecmult_gen_ctx, &p2j, &n2);
3937 ecmult_gen(&ctx->ecmult_gen_ctx, &ptj, target);
3938 } else if (mode == 1) {
3939 ecmult(&ctx->ecmult_ctx, &p1j, &pj, &n1, &zero);
3940 ecmult(&ctx->ecmult_ctx, &p2j, &pj, &n2, &zero);
3941 ecmult(&ctx->ecmult_ctx, &ptj, &pj, target, &zero);
3942 } else {
3943 ecmult_const(&p1j, &p, &n1, 256);
3944 ecmult_const(&p2j, &p, &n2, 256);
3945 ecmult_const(&ptj, &p, target, 256);
3946 }
3947
3948 /* Add them all up: n1*P + n2*P + target*P = (n1+n2+target)*P = (n1+n1-n1-n2)*P = 0. */
3949 gej_add_var(&ptj, &ptj, &p1j, NULL);
3950 gej_add_var(&ptj, &ptj, &p2j, NULL);
3951 CHECK(gej_is_infinity(&ptj));
3952 */
3953}
3954
3955pub fn run_ecmult_near_split_bound() {
3956
3957 todo!();
3958 /*
3959 int i;
3960 unsigned j;
3961 for (i = 0; i < 4*count; ++i) {
3962 for (j = 0; j < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++j) {
3963 test_ecmult_target(&scalars_near_split_bounds[j], 0);
3964 test_ecmult_target(&scalars_near_split_bounds[j], 1);
3965 test_ecmult_target(&scalars_near_split_bounds[j], 2);
3966 }
3967 }
3968 */
3969}
3970
3971pub fn run_point_times_order() {
3972
3973 todo!();
3974 /*
3975 int i;
3976 Fe x = FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
3977 static const Fe xr = FE_CONST(
3978 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
3979 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
3980 );
3981 for (i = 0; i < 500; i++) {
3982 ge p;
3983 if (ge_set_xo_var(&p, &x, 1)) {
3984 gej j;
3985 CHECK(ge_is_valid_var(&p));
3986 gej_set_ge(&j, &p);
3987 test_point_times_order(&j);
3988 }
3989 fe_sqr(&x, &x);
3990 }
3991 fe_normalize_var(&x);
3992 CHECK(fe_equal_var(&x, &xr));
3993 */
3994}
3995
3996pub fn ecmult_const_random_mult() {
3997
3998 todo!();
3999 /*
4000 /* random starting point A (on the curve) */
4001 ge a = GE_CONST(
4002 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
4003 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
4004 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
4005 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
4006 );
4007 /* random initial factor xn */
4008 scalar xn = SCALAR_CONST(
4009 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
4010 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
4011 );
4012 /* expected xn * A (from sage) */
4013 ge expected_b = GE_CONST(
4014 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
4015 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
4016 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
4017 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
4018 );
4019 gej b;
4020 ecmult_const(&b, &a, &xn, 256);
4021
4022 CHECK(ge_is_valid_var(&a));
4023 ge_equals_gej(&expected_b, &b);
4024 */
4025}
4026
4027pub fn ecmult_const_commutativity() {
4028
4029 todo!();
4030 /*
4031 scalar a;
4032 scalar b;
4033 gej res1;
4034 gej res2;
4035 ge mid1;
4036 ge mid2;
4037 random_scalar_order_test(&a);
4038 random_scalar_order_test(&b);
4039
4040 ecmult_const(&res1, &ge_const_g, &a, 256);
4041 ecmult_const(&res2, &ge_const_g, &b, 256);
4042 ge_set_gej(&mid1, &res1);
4043 ge_set_gej(&mid2, &res2);
4044 ecmult_const(&res1, &mid1, &b, 256);
4045 ecmult_const(&res2, &mid2, &a, 256);
4046 ge_set_gej(&mid1, &res1);
4047 ge_set_gej(&mid2, &res2);
4048 ge_equals_ge(&mid1, &mid2);
4049 */
4050}
4051
4052pub fn ecmult_const_mult_zero_one() {
4053
4054 todo!();
4055 /*
4056 scalar zero = SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
4057 scalar one = SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
4058 scalar negone;
4059 gej res1;
4060 ge res2;
4061 ge point;
4062 scalar_negate(&negone, &one);
4063
4064 random_group_element_test(&point);
4065 ecmult_const(&res1, &point, &zero, 3);
4066 ge_set_gej(&res2, &res1);
4067 CHECK(ge_is_infinity(&res2));
4068 ecmult_const(&res1, &point, &one, 2);
4069 ge_set_gej(&res2, &res1);
4070 ge_equals_ge(&res2, &point);
4071 ecmult_const(&res1, &point, &negone, 256);
4072 gej_neg(&res1, &res1);
4073 ge_set_gej(&res2, &res1);
4074 ge_equals_ge(&res2, &point);
4075 */
4076}
4077
4078pub fn ecmult_const_chain_multiply() {
4079
4080 todo!();
4081 /*
4082 /* Check known result (randomly generated test problem from sage) */
4083 const scalar scalar = SCALAR_CONST(
4084 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
4085 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
4086 );
4087 const gej expected_point = GEJ_CONST(
4088 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
4089 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
4090 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
4091 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
4092 );
4093 gej point;
4094 ge res;
4095 int i;
4096
4097 gej_set_ge(&point, &ge_const_g);
4098 for (i = 0; i < 100; ++i) {
4099 ge tmp;
4100 ge_set_gej(&tmp, &point);
4101 ecmult_const(&point, &tmp, &scalar, 256);
4102 }
4103 ge_set_gej(&res, &point);
4104 ge_equals_gej(&res, &expected_point);
4105 */
4106}
4107
4108pub fn run_ecmult_const_tests() {
4109
4110 todo!();
4111 /*
4112 ecmult_const_mult_zero_one();
4113 ecmult_const_random_mult();
4114 ecmult_const_commutativity();
4115 ecmult_const_chain_multiply();
4116 */
4117}
4118
4119pub struct EcMultMultiData {
4120 sc: *mut Scalar,
4121 pt: *mut Ge,
4122}
4123
4124pub fn ecmult_multi_callback(
4125 sc: *mut Scalar,
4126 pt: *mut Ge,
4127 idx: usize,
4128 cbdata: *mut c_void) -> i32 {
4129
4130 todo!();
4131 /*
4132 ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
4133 *sc = data->sc[idx];
4134 *pt = data->pt[idx];
4135 return 1;
4136 */
4137}
4138
4139pub fn ecmult_multi_false_callback(
4140 sc: *mut Scalar,
4141 pt: *mut Ge,
4142 idx: usize,
4143 cbdata: *mut c_void) -> i32 {
4144
4145 todo!();
4146 /*
4147 (c_void)sc;
4148 (c_void)pt;
4149 (c_void)idx;
4150 (c_void)cbdata;
4151 return 0;
4152 */
4153}
4154
4155pub fn test_ecmult_multi(
4156 scratch: *mut Scratch,
4157 ecmult_multi: EcMultMultiFunc) {
4158
4159 todo!();
4160 /*
4161 int ncount;
4162 scalar szero;
4163 scalar sc[32];
4164 ge pt[32];
4165 gej r;
4166 gej r2;
4167 ecmult_multi_data data;
4168
4169 data.sc = sc;
4170 data.pt = pt;
4171 scalar_set_int(&szero, 0);
4172
4173 /* No points to multiply */
4174 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
4175
4176 /* Check 1- and 2-point multiplies against ecmult */
4177 for (ncount = 0; ncount < count; ncount++) {
4178 ge ptg;
4179 gej ptgj;
4180 random_scalar_order(&sc[0]);
4181 random_scalar_order(&sc[1]);
4182
4183 random_group_element_test(&ptg);
4184 gej_set_ge(&ptgj, &ptg);
4185 pt[0] = ptg;
4186 pt[1] = ge_const_g;
4187
4188 /* only G scalar */
4189 ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &szero, &sc[0]);
4190 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
4191 gej_neg(&r2, &r2);
4192 gej_add_var(&r, &r, &r2, NULL);
4193 CHECK(gej_is_infinity(&r));
4194
4195 /* 1-point */
4196 ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &szero);
4197 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 1));
4198 gej_neg(&r2, &r2);
4199 gej_add_var(&r, &r, &r2, NULL);
4200 CHECK(gej_is_infinity(&r));
4201
4202 /* Try to multiply 1 point, but callback returns false */
4203 CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_false_callback, &data, 1));
4204
4205 /* 2-point */
4206 ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
4207 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 2));
4208 gej_neg(&r2, &r2);
4209 gej_add_var(&r, &r, &r2, NULL);
4210 CHECK(gej_is_infinity(&r));
4211
4212 /* 2-point with G scalar */
4213 ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
4214 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
4215 gej_neg(&r2, &r2);
4216 gej_add_var(&r, &r, &r2, NULL);
4217 CHECK(gej_is_infinity(&r));
4218 }
4219
4220 /* Check infinite outputs of various forms */
4221 for (ncount = 0; ncount < count; ncount++) {
4222 ge ptg;
4223 size_t i, j;
4224 size_t sizes[] = { 2, 10, 32 };
4225
4226 for (j = 0; j < 3; j++) {
4227 for (i = 0; i < 32; i++) {
4228 random_scalar_order(&sc[i]);
4229 ge_set_infinity(&pt[i]);
4230 }
4231 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
4232 CHECK(gej_is_infinity(&r));
4233 }
4234
4235 for (j = 0; j < 3; j++) {
4236 for (i = 0; i < 32; i++) {
4237 random_group_element_test(&ptg);
4238 pt[i] = ptg;
4239 scalar_set_int(&sc[i], 0);
4240 }
4241 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
4242 CHECK(gej_is_infinity(&r));
4243 }
4244
4245 for (j = 0; j < 3; j++) {
4246 random_group_element_test(&ptg);
4247 for (i = 0; i < 16; i++) {
4248 random_scalar_order(&sc[2*i]);
4249 scalar_negate(&sc[2*i + 1], &sc[2*i]);
4250 pt[2 * i] = ptg;
4251 pt[2 * i + 1] = ptg;
4252 }
4253
4254 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
4255 CHECK(gej_is_infinity(&r));
4256
4257 random_scalar_order(&sc[0]);
4258 for (i = 0; i < 16; i++) {
4259 random_group_element_test(&ptg);
4260
4261 sc[2*i] = sc[0];
4262 sc[2*i+1] = sc[0];
4263 pt[2 * i] = ptg;
4264 ge_neg(&pt[2*i+1], &pt[2*i]);
4265 }
4266
4267 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
4268 CHECK(gej_is_infinity(&r));
4269 }
4270
4271 random_group_element_test(&ptg);
4272 scalar_set_int(&sc[0], 0);
4273 pt[0] = ptg;
4274 for (i = 1; i < 32; i++) {
4275 pt[i] = ptg;
4276
4277 random_scalar_order(&sc[i]);
4278 scalar_add(&sc[0], &sc[0], &sc[i]);
4279 scalar_negate(&sc[i], &sc[i]);
4280 }
4281
4282 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 32));
4283 CHECK(gej_is_infinity(&r));
4284 }
4285
4286 /* Check random points, constant scalar */
4287 for (ncount = 0; ncount < count; ncount++) {
4288 size_t i;
4289 gej_set_infinity(&r);
4290
4291 random_scalar_order(&sc[0]);
4292 for (i = 0; i < 20; i++) {
4293 ge ptg;
4294 sc[i] = sc[0];
4295 random_group_element_test(&ptg);
4296 pt[i] = ptg;
4297 gej_add_ge_var(&r, &r, &pt[i], NULL);
4298 }
4299
4300 ecmult(&ctx->ecmult_ctx, &r2, &r, &sc[0], &szero);
4301 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
4302 gej_neg(&r2, &r2);
4303 gej_add_var(&r, &r, &r2, NULL);
4304 CHECK(gej_is_infinity(&r));
4305 }
4306
4307 /* Check random scalars, constant point */
4308 for (ncount = 0; ncount < count; ncount++) {
4309 size_t i;
4310 ge ptg;
4311 gej p0j;
4312 scalar rs;
4313 scalar_set_int(&rs, 0);
4314
4315 random_group_element_test(&ptg);
4316 for (i = 0; i < 20; i++) {
4317 random_scalar_order(&sc[i]);
4318 pt[i] = ptg;
4319 scalar_add(&rs, &rs, &sc[i]);
4320 }
4321
4322 gej_set_ge(&p0j, &pt[0]);
4323 ecmult(&ctx->ecmult_ctx, &r2, &p0j, &rs, &szero);
4324 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
4325 gej_neg(&r2, &r2);
4326 gej_add_var(&r, &r, &r2, NULL);
4327 CHECK(gej_is_infinity(&r));
4328 }
4329
4330 /* Sanity check that zero scalars don't cause problems */
4331 for (ncount = 0; ncount < 20; ncount++) {
4332 random_scalar_order(&sc[ncount]);
4333 random_group_element_test(&pt[ncount]);
4334 }
4335
4336 scalar_clear(&sc[0]);
4337 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
4338 scalar_clear(&sc[1]);
4339 scalar_clear(&sc[2]);
4340 scalar_clear(&sc[3]);
4341 scalar_clear(&sc[4]);
4342 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 6));
4343 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 5));
4344 CHECK(gej_is_infinity(&r));
4345
4346 /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
4347 {
4348 const size_t TOP = 8;
4349 size_t s0i, s1i;
4350 size_t t0i, t1i;
4351 ge ptg;
4352 gej ptgj;
4353
4354 random_group_element_test(&ptg);
4355 gej_set_ge(&ptgj, &ptg);
4356
4357 for(t0i = 0; t0i < TOP; t0i++) {
4358 for(t1i = 0; t1i < TOP; t1i++) {
4359 gej t0p, t1p;
4360 scalar t0, t1;
4361
4362 scalar_set_int(&t0, (t0i + 1) / 2);
4363 scalar_cond_negate(&t0, t0i & 1);
4364 scalar_set_int(&t1, (t1i + 1) / 2);
4365 scalar_cond_negate(&t1, t1i & 1);
4366
4367 ecmult(&ctx->ecmult_ctx, &t0p, &ptgj, &t0, &szero);
4368 ecmult(&ctx->ecmult_ctx, &t1p, &ptgj, &t1, &szero);
4369
4370 for(s0i = 0; s0i < TOP; s0i++) {
4371 for(s1i = 0; s1i < TOP; s1i++) {
4372 scalar tmp1, tmp2;
4373 gej expected, actual;
4374
4375 ge_set_gej(&pt[0], &t0p);
4376 ge_set_gej(&pt[1], &t1p);
4377
4378 scalar_set_int(&sc[0], (s0i + 1) / 2);
4379 scalar_cond_negate(&sc[0], s0i & 1);
4380 scalar_set_int(&sc[1], (s1i + 1) / 2);
4381 scalar_cond_negate(&sc[1], s1i & 1);
4382
4383 scalar_mul(&tmp1, &t0, &sc[0]);
4384 scalar_mul(&tmp2, &t1, &sc[1]);
4385 scalar_add(&tmp1, &tmp1, &tmp2);
4386
4387 ecmult(&ctx->ecmult_ctx, &expected, &ptgj, &tmp1, &szero);
4388 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &actual, &szero, ecmult_multi_callback, &data, 2));
4389 gej_neg(&expected, &expected);
4390 gej_add_var(&actual, &actual, &expected, NULL);
4391 CHECK(gej_is_infinity(&actual));
4392 }
4393 }
4394 }
4395 }
4396 }
4397 */
4398}
4399
4400pub fn test_ecmult_multi_batch_single(ecmult_multi: EcMultMultiFunc) {
4401
4402 todo!();
4403 /*
4404 scalar szero;
4405 scalar sc;
4406 ge pt;
4407 gej r;
4408 ecmult_multi_data data;
4409 scratch *scratch_empty;
4410
4411 random_group_element_test(&pt);
4412 random_scalar_order(&sc);
4413 data.sc = ≻
4414 data.pt = &pt;
4415 scalar_set_int(&szero, 0);
4416
4417 /* Try to multiply 1 point, but scratch space is empty.*/
4418 scratch_empty = scratch_create(&ctx->error_callback, 0);
4419 CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch_empty, &r, &szero, ecmult_multi_callback, &data, 1));
4420 scratch_destroy(&ctx->error_callback, scratch_empty);
4421 */
4422}
4423
4424pub fn test_pippenger_bucket_window_inv() {
4425
4426 todo!();
4427 /*
4428 int i;
4429
4430 CHECK(pippenger_bucket_window_inv(0) == 0);
4431 for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
4432 /* Bucket_window of 8 is not used with endo */
4433 if (i == 8) {
4434 continue;
4435 }
4436 CHECK(pippenger_bucket_window(pippenger_bucket_window_inv(i)) == i);
4437 if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
4438 CHECK(pippenger_bucket_window(pippenger_bucket_window_inv(i)+1) > i);
4439 }
4440 }
4441 */
4442}
4443
4444/**
4445 | Probabilistically test the function
4446 | returning the maximum number of possible
4447 | points for a given scratch space.
4448 |
4449 */
4450pub fn test_ecmult_multi_pippenger_max_points() {
4451
4452 todo!();
4453 /*
4454 size_t scratch_size = testrand_int(256);
4455 size_t max_size = pippenger_scratch_size(pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12);
4456 scratch *scratch;
4457 size_t n_points_supported;
4458 int bucket_window = 0;
4459
4460 for(; scratch_size < max_size; scratch_size+=256) {
4461 size_t i;
4462 size_t total_alloc;
4463 size_t checkpoint;
4464 scratch = scratch_create(&ctx->error_callback, scratch_size);
4465 CHECK(scratch != NULL);
4466 checkpoint = scratch_checkpoint(&ctx->error_callback, scratch);
4467 n_points_supported = pippenger_max_points(&ctx->error_callback, scratch);
4468 if (n_points_supported == 0) {
4469 scratch_destroy(&ctx->error_callback, scratch);
4470 continue;
4471 }
4472 bucket_window = pippenger_bucket_window(n_points_supported);
4473 /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */
4474 total_alloc = pippenger_scratch_size(n_points_supported, bucket_window);
4475 for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) {
4476 CHECK(scratch_alloc(&ctx->error_callback, scratch, 1));
4477 total_alloc--;
4478 }
4479 CHECK(scratch_alloc(&ctx->error_callback, scratch, total_alloc));
4480 scratch_apply_checkpoint(&ctx->error_callback, scratch, checkpoint);
4481 scratch_destroy(&ctx->error_callback, scratch);
4482 }
4483 CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
4484 */
4485}
4486
4487pub fn test_ecmult_multi_batch_size_helper() {
4488
4489 todo!();
4490 /*
4491 size_t n_batches, n_batch_points, max_n_batch_points, n;
4492
4493 max_n_batch_points = 0;
4494 n = 1;
4495 CHECK(ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
4496
4497 max_n_batch_points = 1;
4498 n = 0;
4499 CHECK(ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4500 CHECK(n_batches == 0);
4501 CHECK(n_batch_points == 0);
4502
4503 max_n_batch_points = 2;
4504 n = 5;
4505 CHECK(ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4506 CHECK(n_batches == 3);
4507 CHECK(n_batch_points == 2);
4508
4509 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
4510 n = ECMULT_MAX_POINTS_PER_BATCH;
4511 CHECK(ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4512 CHECK(n_batches == 1);
4513 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
4514
4515 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
4516 n = ECMULT_MAX_POINTS_PER_BATCH + 1;
4517 CHECK(ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4518 CHECK(n_batches == 2);
4519 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
4520
4521 max_n_batch_points = 1;
4522 n = SIZE_MAX;
4523 CHECK(ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4524 CHECK(n_batches == SIZE_MAX);
4525 CHECK(n_batch_points == 1);
4526
4527 max_n_batch_points = 2;
4528 n = SIZE_MAX;
4529 CHECK(ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
4530 CHECK(n_batches == SIZE_MAX/2 + 1);
4531 CHECK(n_batch_points == 2);
4532 */
4533}
4534
4535/**
4536 | Run ecmult_multi_var with num points
4537 | and a scratch space restricted to 1 <=
4538 | i <= num points.
4539 |
4540 */
4541pub fn test_ecmult_multi_batching() {
4542
4543 todo!();
4544 /*
4545 static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
4546 scalar scG;
4547 scalar szero;
4548 scalar *sc = (scalar *)checked_malloc(&ctx->error_callback, sizeof(scalar) * n_points);
4549 ge *pt = (ge *)checked_malloc(&ctx->error_callback, sizeof(ge) * n_points);
4550 gej r;
4551 gej r2;
4552 ecmult_multi_data data;
4553 int i;
4554 scratch *scratch;
4555
4556 gej_set_infinity(&r2);
4557 scalar_set_int(&szero, 0);
4558
4559 /* Get random scalars and group elements and compute result */
4560 random_scalar_order(&scG);
4561 ecmult(&ctx->ecmult_ctx, &r2, &r2, &szero, &scG);
4562 for(i = 0; i < n_points; i++) {
4563 ge ptg;
4564 gej ptgj;
4565 random_group_element_test(&ptg);
4566 gej_set_ge(&ptgj, &ptg);
4567 pt[i] = ptg;
4568 random_scalar_order(&sc[i]);
4569 ecmult(&ctx->ecmult_ctx, &ptgj, &ptgj, &sc[i], NULL);
4570 gej_add_var(&r2, &r2, &ptgj, NULL);
4571 }
4572 data.sc = sc;
4573 data.pt = pt;
4574 gej_neg(&r2, &r2);
4575
4576 /* Test with empty scratch space. It should compute the correct result using
4577 * ecmult_mult_simple algorithm which doesn't require a scratch space. */
4578 scratch = scratch_create(&ctx->error_callback, 0);
4579 CHECK(ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
4580 gej_add_var(&r, &r, &r2, NULL);
4581 CHECK(gej_is_infinity(&r));
4582 scratch_destroy(&ctx->error_callback, scratch);
4583
4584 /* Test with space for 1 point in pippenger. That's not enough because
4585 * ecmult_multi selects strauss which requires more memory. It should
4586 * therefore select the simple algorithm. */
4587 scratch = scratch_create(&ctx->error_callback, pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
4588 CHECK(ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
4589 gej_add_var(&r, &r, &r2, NULL);
4590 CHECK(gej_is_infinity(&r));
4591 scratch_destroy(&ctx->error_callback, scratch);
4592
4593 for(i = 1; i <= n_points; i++) {
4594 if (i > ECMULT_PIPPENGER_THRESHOLD) {
4595 int bucket_window = pippenger_bucket_window(i);
4596 size_t scratch_size = pippenger_scratch_size(i, bucket_window);
4597 scratch = scratch_create(&ctx->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
4598 } else {
4599 size_t scratch_size = strauss_scratch_size(i);
4600 scratch = scratch_create(&ctx->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
4601 }
4602 CHECK(ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
4603 gej_add_var(&r, &r, &r2, NULL);
4604 CHECK(gej_is_infinity(&r));
4605 scratch_destroy(&ctx->error_callback, scratch);
4606 }
4607 free(sc);
4608 free(pt);
4609 */
4610}
4611
4612pub fn run_ecmult_multi_tests() {
4613
4614 todo!();
4615 /*
4616 scratch *scratch;
4617
4618 test_pippenger_bucket_window_inv();
4619 test_ecmult_multi_pippenger_max_points();
4620 scratch = scratch_create(&ctx->error_callback, 819200);
4621 test_ecmult_multi(scratch, ecmult_multi_var);
4622 test_ecmult_multi(NULL, ecmult_multi_var);
4623 test_ecmult_multi(scratch, ecmult_pippenger_batch_single);
4624 test_ecmult_multi_batch_single(ecmult_pippenger_batch_single);
4625 test_ecmult_multi(scratch, ecmult_strauss_batch_single);
4626 test_ecmult_multi_batch_single(ecmult_strauss_batch_single);
4627 scratch_destroy(&ctx->error_callback, scratch);
4628
4629 /* Run test_ecmult_multi with space for exactly one point */
4630 scratch = scratch_create(&ctx->error_callback, strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
4631 test_ecmult_multi(scratch, ecmult_multi_var);
4632 scratch_destroy(&ctx->error_callback, scratch);
4633
4634 test_ecmult_multi_batch_size_helper();
4635 test_ecmult_multi_batching();
4636 */
4637}
4638
4639pub fn test_wnaf(
4640 number: *const Scalar,
4641 w: i32) {
4642
4643 todo!();
4644 /*
4645 scalar x, two, t;
4646 int wnaf[256];
4647 int zeroes = -1;
4648 int i;
4649 int bits;
4650 scalar_set_int(&x, 0);
4651 scalar_set_int(&two, 2);
4652 bits = ecmult_wnaf(wnaf, 256, number, w);
4653 CHECK(bits <= 256);
4654 for (i = bits-1; i >= 0; i--) {
4655 int v = wnaf[i];
4656 scalar_mul(&x, &x, &two);
4657 if (v) {
4658 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
4659 zeroes=0;
4660 CHECK((v & 1) == 1); /* check non-zero elements are odd */
4661 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
4662 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
4663 } else {
4664 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
4665 zeroes++;
4666 }
4667 if (v >= 0) {
4668 scalar_set_int(&t, v);
4669 } else {
4670 scalar_set_int(&t, -v);
4671 scalar_negate(&t, &t);
4672 }
4673 scalar_add(&x, &x, &t);
4674 }
4675 CHECK(scalar_eq(&x, number)); /* check that wnaf represents number */
4676 */
4677}
4678
4679pub fn test_constant_wnaf_negate(number: *const Scalar) {
4680
4681 todo!();
4682 /*
4683 scalar neg1 = *number;
4684 scalar neg2 = *number;
4685 int sign1 = 1;
4686 int sign2 = 1;
4687
4688 if (!scalar_get_bits(&neg1, 0, 1)) {
4689 scalar_negate(&neg1, &neg1);
4690 sign1 = -1;
4691 }
4692 sign2 = scalar_cond_negate(&neg2, scalar_is_even(&neg2));
4693 CHECK(sign1 == sign2);
4694 CHECK(scalar_eq(&neg1, &neg2));
4695 */
4696}
4697
4698pub fn test_constant_wnaf(
4699 number: *const Scalar,
4700 w: i32) {
4701
4702 todo!();
4703 /*
4704 scalar x, shift;
4705 int wnaf[256] = {0};
4706 int i;
4707 int skew;
4708 int bits = 256;
4709 scalar num = *number;
4710 scalar scalar_skew;
4711
4712 scalar_set_int(&x, 0);
4713 scalar_set_int(&shift, 1 << w);
4714 for (i = 0; i < 16; ++i) {
4715 scalar_shr_int(&num, 8);
4716 }
4717 bits = 128;
4718 skew = wnaf_const(wnaf, &num, w, bits);
4719
4720 for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) {
4721 scalar t;
4722 int v = wnaf[i];
4723 CHECK(v != 0); /* check nonzero */
4724 CHECK(v & 1); /* check parity */
4725 CHECK(v > -(1 << w)); /* check range above */
4726 CHECK(v < (1 << w)); /* check range below */
4727
4728 scalar_mul(&x, &x, &shift);
4729 if (v >= 0) {
4730 scalar_set_int(&t, v);
4731 } else {
4732 scalar_set_int(&t, -v);
4733 scalar_negate(&t, &t);
4734 }
4735 scalar_add(&x, &x, &t);
4736 }
4737 /* Skew num because when encoding numbers as odd we use an offset */
4738 scalar_set_int(&scalar_skew, 1 << (skew == 2));
4739 scalar_add(&num, &num, &scalar_skew);
4740 CHECK(scalar_eq(&x, &num));
4741 */
4742}
4743
4744pub fn test_fixed_wnaf(
4745 number: *const Scalar,
4746 w: i32) {
4747
4748 todo!();
4749 /*
4750 scalar x, shift;
4751 int wnaf[256] = {0};
4752 int i;
4753 int skew;
4754 scalar num = *number;
4755
4756 scalar_set_int(&x, 0);
4757 scalar_set_int(&shift, 1 << w);
4758 for (i = 0; i < 16; ++i) {
4759 scalar_shr_int(&num, 8);
4760 }
4761 skew = wnaf_fixed(wnaf, &num, w);
4762
4763 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
4764 scalar t;
4765 int v = wnaf[i];
4766 CHECK(v == 0 || v & 1); /* check parity */
4767 CHECK(v > -(1 << w)); /* check range above */
4768 CHECK(v < (1 << w)); /* check range below */
4769
4770 scalar_mul(&x, &x, &shift);
4771 if (v >= 0) {
4772 scalar_set_int(&t, v);
4773 } else {
4774 scalar_set_int(&t, -v);
4775 scalar_negate(&t, &t);
4776 }
4777 scalar_add(&x, &x, &t);
4778 }
4779 /* If skew is 1 then add 1 to num */
4780 scalar_cadd_bit(&num, 0, skew == 1);
4781 CHECK(scalar_eq(&x, &num));
4782 */
4783}
4784
4785/**
4786 | Checks that the first 8 elements of wnaf
4787 | are equal to wnaf_expected and the rest
4788 | is 0.
4789 |
4790 */
4791pub fn test_fixed_wnaf_small_helper(
4792 wnaf: *mut i32,
4793 wnaf_expected: *mut i32,
4794 w: i32) {
4795
4796 todo!();
4797 /*
4798 int i;
4799 for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
4800 CHECK(wnaf[i] == 0);
4801 }
4802 for (i = 7; i >= 0; --i) {
4803 CHECK(wnaf[i] == wnaf_expected[i]);
4804 }
4805 */
4806}
4807
4808pub fn test_fixed_wnaf_small() {
4809
4810 todo!();
4811 /*
4812 int w = 4;
4813 int wnaf[256] = {0};
4814 int i;
4815 int skew;
4816 scalar num;
4817
4818 scalar_set_int(&num, 0);
4819 skew = wnaf_fixed(wnaf, &num, w);
4820 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
4821 int v = wnaf[i];
4822 CHECK(v == 0);
4823 }
4824 CHECK(skew == 0);
4825
4826 scalar_set_int(&num, 1);
4827 skew = wnaf_fixed(wnaf, &num, w);
4828 for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
4829 int v = wnaf[i];
4830 CHECK(v == 0);
4831 }
4832 CHECK(wnaf[0] == 1);
4833 CHECK(skew == 0);
4834
4835 {
4836 int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
4837 scalar_set_int(&num, 0xffffffff);
4838 skew = wnaf_fixed(wnaf, &num, w);
4839 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
4840 CHECK(skew == 0);
4841 }
4842 {
4843 int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
4844 scalar_set_int(&num, 0xeeeeeeee);
4845 skew = wnaf_fixed(wnaf, &num, w);
4846 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
4847 CHECK(skew == 1);
4848 }
4849 {
4850 int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
4851 scalar_set_int(&num, 0x01010101);
4852 skew = wnaf_fixed(wnaf, &num, w);
4853 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
4854 CHECK(skew == 0);
4855 }
4856 {
4857 int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
4858 scalar_set_int(&num, 0x01ef1ef1);
4859 skew = wnaf_fixed(wnaf, &num, w);
4860 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
4861 CHECK(skew == 0);
4862 }
4863 */
4864}
4865
4866pub fn run_wnaf() {
4867
4868 todo!();
4869 /*
4870 int i;
4871 scalar n = {{0}};
4872
4873 test_constant_wnaf(&n, 4);
4874 /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
4875 * have easier-to-diagnose failure modes */
4876 n.d[0] = 1;
4877 test_constant_wnaf(&n, 4);
4878 n.d[0] = 2;
4879 test_constant_wnaf(&n, 4);
4880 /* Test -1, because it's a special case in wnaf_const */
4881 n = scalar_one;
4882 scalar_negate(&n, &n);
4883 test_constant_wnaf(&n, 4);
4884
4885 /* Test -2, which may not lead to overflows in wnaf_const */
4886 scalar_add(&n, &scalar_one, &scalar_one);
4887 scalar_negate(&n, &n);
4888 test_constant_wnaf(&n, 4);
4889
4890 /* Test (1/2) - 1 = 1/-2 and 1/2 = (1/-2) + 1
4891 as corner cases of negation handling in wnaf_const */
4892 scalar_inverse(&n, &n);
4893 test_constant_wnaf(&n, 4);
4894
4895 scalar_add(&n, &n, &scalar_one);
4896 test_constant_wnaf(&n, 4);
4897
4898 /* Test 0 for fixed wnaf */
4899 test_fixed_wnaf_small();
4900 /* Random tests */
4901 for (i = 0; i < count; i++) {
4902 random_scalar_order(&n);
4903 test_wnaf(&n, 4+(i%10));
4904 test_constant_wnaf_negate(&n);
4905 test_constant_wnaf(&n, 4 + (i % 10));
4906 test_fixed_wnaf(&n, 4 + (i % 10));
4907 }
4908 scalar_set_int(&n, 0);
4909 CHECK(scalar_cond_negate(&n, 1) == -1);
4910 CHECK(scalar_is_zero(&n));
4911 CHECK(scalar_cond_negate(&n, 0) == 1);
4912 CHECK(scalar_is_zero(&n));
4913 */
4914}
4915
4916pub fn test_ecmult_constants() {
4917
4918 todo!();
4919 /*
4920 /* Test ecmult_gen() for [0..36) and [order-36..0). */
4921 scalar x;
4922 gej r;
4923 ge ng;
4924 int i;
4925 int j;
4926 ge_neg(&ng, &ge_const_g);
4927 for (i = 0; i < 36; i++ ) {
4928 scalar_set_int(&x, i);
4929 ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
4930 for (j = 0; j < i; j++) {
4931 if (j == i - 1) {
4932 ge_equals_gej(&ge_const_g, &r);
4933 }
4934 gej_add_ge(&r, &r, &ng);
4935 }
4936 CHECK(gej_is_infinity(&r));
4937 }
4938 for (i = 1; i <= 36; i++ ) {
4939 scalar_set_int(&x, i);
4940 scalar_negate(&x, &x);
4941 ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
4942 for (j = 0; j < i; j++) {
4943 if (j == i - 1) {
4944 ge_equals_gej(&ng, &r);
4945 }
4946 gej_add_ge(&r, &r, &ge_const_g);
4947 }
4948 CHECK(gej_is_infinity(&r));
4949 }
4950 */
4951}
4952
4953pub fn run_ecmult_constants() {
4954
4955 todo!();
4956 /*
4957 test_ecmult_constants();
4958 */
4959}
4960
4961pub fn test_ecmult_gen_blind() {
4962
4963 todo!();
4964 /*
4965 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
4966 scalar key;
4967 scalar b;
4968 unsigned char seed32[32];
4969 gej pgej;
4970 gej pgej2;
4971 gej i;
4972 ge pge;
4973 random_scalar_order_test(&key);
4974 ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
4975 testrand256(seed32);
4976 b = ctx->ecmult_gen_ctx.blind;
4977 i = ctx->ecmult_gen_ctx.initial;
4978 ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
4979 CHECK(!scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
4980 ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
4981 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
4982 CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial));
4983 ge_set_gej(&pge, &pgej);
4984 ge_equals_gej(&pge, &pgej2);
4985 */
4986}
4987
4988pub fn test_ecmult_gen_blind_reset() {
4989
4990 todo!();
4991 /*
4992 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
4993 scalar b;
4994 gej initial;
4995 ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
4996 b = ctx->ecmult_gen_ctx.blind;
4997 initial = ctx->ecmult_gen_ctx.initial;
4998 ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
4999 CHECK(scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
5000 CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial));
5001 */
5002}
5003
5004pub fn run_ecmult_gen_blind() {
5005
5006 todo!();
5007 /*
5008 int i;
5009 test_ecmult_gen_blind_reset();
5010 for (i = 0; i < 10; i++) {
5011 test_ecmult_gen_blind();
5012 }
5013 */
5014}
5015
5016/* ----------- **** ENDOMORPHISH TESTS **** ----------- */
5017pub fn test_scalar_split(full: *const Scalar) {
5018
5019 todo!();
5020 /*
5021 scalar s, s1, slam;
5022 const unsigned char zero[32] = {0};
5023 unsigned char tmp[32];
5024
5025 scalar_split_lambda(&s1, &slam, full);
5026
5027 /* check slam*lambda + s1 == full */
5028 scalar_mul(&s, &const_lambda, &slam);
5029 scalar_add(&s, &s, &s1);
5030 CHECK(scalar_eq(&s, full));
5031
5032 /* check that both are <= 128 bits in size */
5033 if (scalar_is_high(&s1)) {
5034 scalar_negate(&s1, &s1);
5035 }
5036 if (scalar_is_high(&slam)) {
5037 scalar_negate(&slam, &slam);
5038 }
5039
5040 scalar_get_b32(tmp, &s1);
5041 CHECK(memcmp_var(zero, tmp, 16) == 0);
5042 scalar_get_b32(tmp, &slam);
5043 CHECK(memcmp_var(zero, tmp, 16) == 0);
5044 */
5045}
5046
5047pub fn run_endomorphism_tests() {
5048
5049 todo!();
5050 /*
5051 unsigned i;
5052 static scalar s;
5053 test_scalar_split(&scalar_zero);
5054 test_scalar_split(&scalar_one);
5055 scalar_negate(&s,&scalar_one);
5056 test_scalar_split(&s);
5057 test_scalar_split(&const_lambda);
5058 scalar_add(&s, &const_lambda, &scalar_one);
5059 test_scalar_split(&s);
5060
5061 for (i = 0; i < 100U * count; ++i) {
5062 scalar full;
5063 random_scalar_order_test(&full);
5064 test_scalar_split(&full);
5065 }
5066 for (i = 0; i < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++i) {
5067 test_scalar_split(&scalars_near_split_bounds[i]);
5068 }
5069 */
5070}
5071
5072pub fn ec_pubkey_parse_pointtest(
5073 input: *const u8,
5074 xvalid: i32,
5075 yvalid: i32) {
5076
5077 todo!();
5078 /*
5079 unsigned char pubkeyc[65];
5080 pubkey pubkey;
5081 ge ge;
5082 size_t pubkeyclen;
5083 int32_t ecount;
5084 ecount = 0;
5085 context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
5086 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
5087 /* Smaller sizes are tested exhaustively elsewhere. */
5088 int32_t i;
5089 memcpy(&pubkeyc[1], input, 64);
5090 VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
5091 for (i = 0; i < 256; i++) {
5092 /* Try all type bytes. */
5093 int xpass;
5094 int ypass;
5095 int ysign;
5096 pubkeyc[0] = i;
5097 /* What sign does this point have? */
5098 ysign = (input[63] & 1) + 2;
5099 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
5100 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
5101 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
5102 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
5103 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
5104 if (xpass || ypass) {
5105 /* These cases must parse. */
5106 unsigned char pubkeyo[65];
5107 size_t outl;
5108 memset(&pubkey, 0, sizeof(pubkey));
5109 VG_UNDEF(&pubkey, sizeof(pubkey));
5110 ecount = 0;
5111 CHECK(ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
5112 VG_CHECK(&pubkey, sizeof(pubkey));
5113 outl = 65;
5114 VG_UNDEF(pubkeyo, 65);
5115 CHECK(ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, EC_COMPRESSED) == 1);
5116 VG_CHECK(pubkeyo, outl);
5117 CHECK(outl == 33);
5118 CHECK(memcmp_var(&pubkeyo[1], &pubkeyc[1], 32) == 0);
5119 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
5120 if (ypass) {
5121 /* This test isn't always done because we decode with alternative signs, so the y won't match. */
5122 CHECK(pubkeyo[0] == ysign);
5123 CHECK(pubkey_load(ctx, &ge, &pubkey) == 1);
5124 memset(&pubkey, 0, sizeof(pubkey));
5125 VG_UNDEF(&pubkey, sizeof(pubkey));
5126 pubkey_save(&pubkey, &ge);
5127 VG_CHECK(&pubkey, sizeof(pubkey));
5128 outl = 65;
5129 VG_UNDEF(pubkeyo, 65);
5130 CHECK(ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, EC_UNCOMPRESSED) == 1);
5131 VG_CHECK(pubkeyo, outl);
5132 CHECK(outl == 65);
5133 CHECK(pubkeyo[0] == 4);
5134 CHECK(memcmp_var(&pubkeyo[1], input, 64) == 0);
5135 }
5136 CHECK(ecount == 0);
5137 } else {
5138 /* These cases must fail to parse. */
5139 memset(&pubkey, 0xfe, sizeof(pubkey));
5140 ecount = 0;
5141 VG_UNDEF(&pubkey, sizeof(pubkey));
5142 CHECK(ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
5143 VG_CHECK(&pubkey, sizeof(pubkey));
5144 CHECK(ecount == 0);
5145 CHECK(pubkey_load(ctx, &ge, &pubkey) == 0);
5146 CHECK(ecount == 1);
5147 }
5148 }
5149 }
5150 context_set_illegal_callback(ctx, NULL, NULL);
5151 */
5152}
5153
5154pub fn run_ec_pubkey_parse_test() {
5155
5156 todo!();
5157 /*
5158 #define EC_PARSE_TEST_NVALID (12)
5159 const unsigned char valid[EC_PARSE_TEST_NVALID][64] = {
5160 {
5161 /* Point with leading and trailing zeros in x and y serialization. */
5162 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
5163 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5164 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
5165 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
5166 },
5167 {
5168 /* Point with x equal to a 3rd root of unity.*/
5169 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
5170 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
5171 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5172 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5173 },
5174 {
5175 /* Point with largest x. (1/2) */
5176 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5177 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
5178 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
5179 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
5180 },
5181 {
5182 /* Point with largest x. (2/2) */
5183 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5184 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
5185 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
5186 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
5187 },
5188 {
5189 /* Point with smallest x. (1/2) */
5190 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5191 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5192 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5193 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5194 },
5195 {
5196 /* Point with smallest x. (2/2) */
5197 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5198 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5199 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
5200 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
5201 },
5202 {
5203 /* Point with largest y. (1/3) */
5204 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5205 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5206 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5207 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5208 },
5209 {
5210 /* Point with largest y. (2/3) */
5211 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5212 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5213 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5214 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5215 },
5216 {
5217 /* Point with largest y. (3/3) */
5218 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5219 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5220 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5221 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5222 },
5223 {
5224 /* Point with smallest y. (1/3) */
5225 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5226 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5227 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5228 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5229 },
5230 {
5231 /* Point with smallest y. (2/3) */
5232 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5233 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5234 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5235 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5236 },
5237 {
5238 /* Point with smallest y. (3/3) */
5239 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5240 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5241 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5242 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
5243 }
5244 };
5245 #define EC_PARSE_TEST_NXVALID (4)
5246 const unsigned char onlyxvalid[EC_PARSE_TEST_NXVALID][64] = {
5247 {
5248 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
5249 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
5250 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
5251 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5252 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5253 },
5254 {
5255 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
5256 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
5257 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
5258 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5259 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5260 },
5261 {
5262 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
5263 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
5264 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
5265 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5266 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5267 },
5268 {
5269 /* x on curve, y is from y^2 = x^3 + 8. */
5270 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5271 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5272 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5273 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
5274 }
5275 };
5276 #define EC_PARSE_TEST_NINVALID (7)
5277 const unsigned char invalid[EC_PARSE_TEST_NINVALID][64] = {
5278 {
5279 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
5280 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
5281 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
5282 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5283 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5284 },
5285 {
5286 /* Valid if x overflow ignored (x = 1 mod p). */
5287 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5288 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5289 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5290 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5291 },
5292 {
5293 /* Valid if x overflow ignored (x = 1 mod p). */
5294 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5295 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
5296 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
5297 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
5298 },
5299 {
5300 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
5301 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5302 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5303 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
5304 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
5305 },
5306 {
5307 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
5308 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5309 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
5310 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
5311 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
5312 },
5313 {
5314 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
5315 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5316 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5317 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
5318 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
5319 },
5320 {
5321 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
5322 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5323 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5324 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
5325 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
5326 }
5327 };
5328 const unsigned char pubkeyc[66] = {
5329 /* Serialization of G. */
5330 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
5331 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
5332 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
5333 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
5334 0xB8, 0x00
5335 };
5336 unsigned char sout[65];
5337 unsigned char shortkey[2];
5338 ge ge;
5339 pubkey pubkey;
5340 size_t len;
5341 int32_t i;
5342 int32_t ecount;
5343 int32_t ecount2;
5344 ecount = 0;
5345 /* Nothing should be reading this far into pubkeyc. */
5346 VG_UNDEF(&pubkeyc[65], 1);
5347 context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
5348 /* Zero length claimed, fail, zeroize, no illegal arg error. */
5349 memset(&pubkey, 0xfe, sizeof(pubkey));
5350 ecount = 0;
5351 VG_UNDEF(shortkey, 2);
5352 VG_UNDEF(&pubkey, sizeof(pubkey));
5353 CHECK(ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
5354 VG_CHECK(&pubkey, sizeof(pubkey));
5355 CHECK(ecount == 0);
5356 CHECK(pubkey_load(ctx, &ge, &pubkey) == 0);
5357 CHECK(ecount == 1);
5358 /* Length one claimed, fail, zeroize, no illegal arg error. */
5359 for (i = 0; i < 256 ; i++) {
5360 memset(&pubkey, 0xfe, sizeof(pubkey));
5361 ecount = 0;
5362 shortkey[0] = i;
5363 VG_UNDEF(&shortkey[1], 1);
5364 VG_UNDEF(&pubkey, sizeof(pubkey));
5365 CHECK(ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
5366 VG_CHECK(&pubkey, sizeof(pubkey));
5367 CHECK(ecount == 0);
5368 CHECK(pubkey_load(ctx, &ge, &pubkey) == 0);
5369 CHECK(ecount == 1);
5370 }
5371 /* Length two claimed, fail, zeroize, no illegal arg error. */
5372 for (i = 0; i < 65536 ; i++) {
5373 memset(&pubkey, 0xfe, sizeof(pubkey));
5374 ecount = 0;
5375 shortkey[0] = i & 255;
5376 shortkey[1] = i >> 8;
5377 VG_UNDEF(&pubkey, sizeof(pubkey));
5378 CHECK(ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
5379 VG_CHECK(&pubkey, sizeof(pubkey));
5380 CHECK(ecount == 0);
5381 CHECK(pubkey_load(ctx, &ge, &pubkey) == 0);
5382 CHECK(ecount == 1);
5383 }
5384 memset(&pubkey, 0xfe, sizeof(pubkey));
5385 ecount = 0;
5386 VG_UNDEF(&pubkey, sizeof(pubkey));
5387 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
5388 CHECK(ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
5389 VG_CHECK(&pubkey, sizeof(pubkey));
5390 CHECK(ecount == 0);
5391 CHECK(pubkey_load(ctx, &ge, &pubkey) == 0);
5392 CHECK(ecount == 1);
5393 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
5394 CHECK(ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
5395 CHECK(ecount == 2);
5396 /* NULL input string. Illegal arg and zeroize output. */
5397 memset(&pubkey, 0xfe, sizeof(pubkey));
5398 ecount = 0;
5399 VG_UNDEF(&pubkey, sizeof(pubkey));
5400 CHECK(ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
5401 VG_CHECK(&pubkey, sizeof(pubkey));
5402 CHECK(ecount == 1);
5403 CHECK(pubkey_load(ctx, &ge, &pubkey) == 0);
5404 CHECK(ecount == 2);
5405 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
5406 memset(&pubkey, 0xfe, sizeof(pubkey));
5407 ecount = 0;
5408 VG_UNDEF(&pubkey, sizeof(pubkey));
5409 CHECK(ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
5410 VG_CHECK(&pubkey, sizeof(pubkey));
5411 CHECK(ecount == 0);
5412 CHECK(pubkey_load(ctx, &ge, &pubkey) == 0);
5413 CHECK(ecount == 1);
5414 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
5415 memset(&pubkey, 0xfe, sizeof(pubkey));
5416 ecount = 0;
5417 VG_UNDEF(&pubkey, sizeof(pubkey));
5418 CHECK(ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
5419 VG_CHECK(&pubkey, sizeof(pubkey));
5420 CHECK(ecount == 0);
5421 CHECK(pubkey_load(ctx, &ge, &pubkey) == 0);
5422 CHECK(ecount == 1);
5423 /* Valid parse. */
5424 memset(&pubkey, 0, sizeof(pubkey));
5425 ecount = 0;
5426 VG_UNDEF(&pubkey, sizeof(pubkey));
5427 CHECK(ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
5428 CHECK(ec_pubkey_parse(context_no_precomp, &pubkey, pubkeyc, 65) == 1);
5429 VG_CHECK(&pubkey, sizeof(pubkey));
5430 CHECK(ecount == 0);
5431 VG_UNDEF(&ge, sizeof(ge));
5432 CHECK(pubkey_load(ctx, &ge, &pubkey) == 1);
5433 VG_CHECK(&ge.x, sizeof(ge.x));
5434 VG_CHECK(&ge.y, sizeof(ge.y));
5435 VG_CHECK(&ge.infinity, sizeof(ge.infinity));
5436 ge_equals_ge(&ge_const_g, &ge);
5437 CHECK(ecount == 0);
5438 /* ec_pubkey_serialize illegal args. */
5439 ecount = 0;
5440 len = 65;
5441 CHECK(ec_pubkey_serialize(ctx, NULL, &len, &pubkey, EC_UNCOMPRESSED) == 0);
5442 CHECK(ecount == 1);
5443 CHECK(len == 0);
5444 CHECK(ec_pubkey_serialize(ctx, sout, NULL, &pubkey, EC_UNCOMPRESSED) == 0);
5445 CHECK(ecount == 2);
5446 len = 65;
5447 VG_UNDEF(sout, 65);
5448 CHECK(ec_pubkey_serialize(ctx, sout, &len, NULL, EC_UNCOMPRESSED) == 0);
5449 VG_CHECK(sout, 65);
5450 CHECK(ecount == 3);
5451 CHECK(len == 0);
5452 len = 65;
5453 CHECK(ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
5454 CHECK(ecount == 4);
5455 CHECK(len == 0);
5456 len = 65;
5457 VG_UNDEF(sout, 65);
5458 CHECK(ec_pubkey_serialize(ctx, sout, &len, &pubkey, EC_UNCOMPRESSED) == 1);
5459 VG_CHECK(sout, 65);
5460 CHECK(ecount == 4);
5461 CHECK(len == 65);
5462 /* Multiple illegal args. Should still set arg error only once. */
5463 ecount = 0;
5464 ecount2 = 11;
5465 CHECK(ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
5466 CHECK(ecount == 1);
5467 /* Does the illegal arg callback actually change the behavior? */
5468 context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2);
5469 CHECK(ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
5470 CHECK(ecount == 1);
5471 CHECK(ecount2 == 10);
5472 context_set_illegal_callback(ctx, NULL, NULL);
5473 /* Try a bunch of prefabbed points with all possible encodings. */
5474 for (i = 0; i < EC_PARSE_TEST_NVALID; i++) {
5475 ec_pubkey_parse_pointtest(valid[i], 1, 1);
5476 }
5477 for (i = 0; i < EC_PARSE_TEST_NXVALID; i++) {
5478 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
5479 }
5480 for (i = 0; i < EC_PARSE_TEST_NINVALID; i++) {
5481 ec_pubkey_parse_pointtest(invalid[i], 0, 0);
5482 }
5483 */
5484}
5485
5486pub fn run_eckey_edge_case_test() {
5487
5488 todo!();
5489 /*
5490 const unsigned char orderc[32] = {
5491 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5492 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
5493 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
5494 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
5495 };
5496 const unsigned char zeros[sizeof(pubkey)] = {0x00};
5497 unsigned char ctmp[33];
5498 unsigned char ctmp2[33];
5499 pubkey pubkey;
5500 pubkey pubkey2;
5501 pubkey pubkey_one;
5502 pubkey pubkey_negone;
5503 const pubkey *pubkeys[3];
5504 size_t len;
5505 int32_t ecount;
5506 /* Group order is too large, reject. */
5507 CHECK(ec_seckey_verify(ctx, orderc) == 0);
5508 VG_UNDEF(&pubkey, sizeof(pubkey));
5509 CHECK(ec_pubkey_create(ctx, &pubkey, orderc) == 0);
5510 VG_CHECK(&pubkey, sizeof(pubkey));
5511 CHECK(memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5512 /* Maximum value is too large, reject. */
5513 memset(ctmp, 255, 32);
5514 CHECK(ec_seckey_verify(ctx, ctmp) == 0);
5515 memset(&pubkey, 1, sizeof(pubkey));
5516 VG_UNDEF(&pubkey, sizeof(pubkey));
5517 CHECK(ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
5518 VG_CHECK(&pubkey, sizeof(pubkey));
5519 CHECK(memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5520 /* Zero is too small, reject. */
5521 memset(ctmp, 0, 32);
5522 CHECK(ec_seckey_verify(ctx, ctmp) == 0);
5523 memset(&pubkey, 1, sizeof(pubkey));
5524 VG_UNDEF(&pubkey, sizeof(pubkey));
5525 CHECK(ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
5526 VG_CHECK(&pubkey, sizeof(pubkey));
5527 CHECK(memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5528 /* One must be accepted. */
5529 ctmp[31] = 0x01;
5530 CHECK(ec_seckey_verify(ctx, ctmp) == 1);
5531 memset(&pubkey, 0, sizeof(pubkey));
5532 VG_UNDEF(&pubkey, sizeof(pubkey));
5533 CHECK(ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
5534 VG_CHECK(&pubkey, sizeof(pubkey));
5535 CHECK(memcmp_var(&pubkey, zeros, sizeof(pubkey)) > 0);
5536 pubkey_one = pubkey;
5537 /* Group order + 1 is too large, reject. */
5538 memcpy(ctmp, orderc, 32);
5539 ctmp[31] = 0x42;
5540 CHECK(ec_seckey_verify(ctx, ctmp) == 0);
5541 memset(&pubkey, 1, sizeof(pubkey));
5542 VG_UNDEF(&pubkey, sizeof(pubkey));
5543 CHECK(ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
5544 VG_CHECK(&pubkey, sizeof(pubkey));
5545 CHECK(memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5546 /* -1 must be accepted. */
5547 ctmp[31] = 0x40;
5548 CHECK(ec_seckey_verify(ctx, ctmp) == 1);
5549 memset(&pubkey, 0, sizeof(pubkey));
5550 VG_UNDEF(&pubkey, sizeof(pubkey));
5551 CHECK(ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
5552 VG_CHECK(&pubkey, sizeof(pubkey));
5553 CHECK(memcmp_var(&pubkey, zeros, sizeof(pubkey)) > 0);
5554 pubkey_negone = pubkey;
5555 /* Tweak of zero leaves the value unchanged. */
5556 memset(ctmp2, 0, 32);
5557 CHECK(ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 1);
5558 CHECK(memcmp_var(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
5559 memcpy(&pubkey2, &pubkey, sizeof(pubkey));
5560 CHECK(ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
5561 CHECK(memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
5562 /* Multiply tweak of zero zeroizes the output. */
5563 CHECK(ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0);
5564 CHECK(memcmp_var(zeros, ctmp, 32) == 0);
5565 CHECK(ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
5566 CHECK(memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5567 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
5568 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
5569 seckey, the seckey is zeroized. */
5570 memcpy(ctmp, orderc, 32);
5571 memset(ctmp2, 0, 32);
5572 ctmp2[31] = 0x01;
5573 CHECK(ec_seckey_verify(ctx, ctmp2) == 1);
5574 CHECK(ec_seckey_verify(ctx, ctmp) == 0);
5575 CHECK(ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 0);
5576 CHECK(memcmp_var(zeros, ctmp, 32) == 0);
5577 memcpy(ctmp, orderc, 32);
5578 CHECK(ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0);
5579 CHECK(memcmp_var(zeros, ctmp, 32) == 0);
5580 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
5581 tweak, the seckey is zeroized. */
5582 memcpy(ctmp, orderc, 32);
5583 ctmp[31] = 0x40;
5584 CHECK(ec_seckey_tweak_add(ctx, ctmp, orderc) == 0);
5585 CHECK(memcmp_var(zeros, ctmp, 32) == 0);
5586 memcpy(ctmp, orderc, 32);
5587 ctmp[31] = 0x40;
5588 CHECK(ec_seckey_tweak_mul(ctx, ctmp, orderc) == 0);
5589 CHECK(memcmp_var(zeros, ctmp, 32) == 0);
5590 memcpy(ctmp, orderc, 32);
5591 ctmp[31] = 0x40;
5592 /* If pubkey_tweak_add or pubkey_tweak_mul are called with an overflowing
5593 tweak, the pubkey is zeroized. */
5594 CHECK(ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
5595 CHECK(memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5596 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
5597 CHECK(ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
5598 CHECK(memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5599 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
5600 /* If the resulting key in ec_seckey_tweak_add and
5601 * ec_pubkey_tweak_add is 0 the functions fail and in the latter
5602 * case the pubkey is zeroized. */
5603 memcpy(ctmp, orderc, 32);
5604 ctmp[31] = 0x40;
5605 memset(ctmp2, 0, 32);
5606 ctmp2[31] = 1;
5607 CHECK(ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 0);
5608 CHECK(memcmp_var(zeros, ctmp2, 32) == 0);
5609 ctmp2[31] = 1;
5610 CHECK(ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
5611 CHECK(memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5612 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
5613 /* Tweak computation wraps and results in a key of 1. */
5614 ctmp2[31] = 2;
5615 CHECK(ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 1);
5616 CHECK(memcmp_var(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
5617 ctmp2[31] = 2;
5618 CHECK(ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
5619 ctmp2[31] = 1;
5620 CHECK(ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
5621 CHECK(memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
5622 /* Tweak mul * 2 = 1+1. */
5623 CHECK(ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
5624 ctmp2[31] = 2;
5625 CHECK(ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
5626 CHECK(memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
5627 /* Test argument errors. */
5628 ecount = 0;
5629 context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
5630 CHECK(ecount == 0);
5631 /* Zeroize pubkey on parse error. */
5632 memset(&pubkey, 0, 32);
5633 CHECK(ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
5634 CHECK(ecount == 1);
5635 CHECK(memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5636 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
5637 memset(&pubkey2, 0, 32);
5638 CHECK(ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
5639 CHECK(ecount == 2);
5640 CHECK(memcmp_var(&pubkey2, zeros, sizeof(pubkey2)) == 0);
5641 /* Plain argument errors. */
5642 ecount = 0;
5643 CHECK(ec_seckey_verify(ctx, ctmp) == 1);
5644 CHECK(ecount == 0);
5645 CHECK(ec_seckey_verify(ctx, NULL) == 0);
5646 CHECK(ecount == 1);
5647 ecount = 0;
5648 memset(ctmp2, 0, 32);
5649 ctmp2[31] = 4;
5650 CHECK(ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
5651 CHECK(ecount == 1);
5652 CHECK(ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
5653 CHECK(ecount == 2);
5654 ecount = 0;
5655 memset(ctmp2, 0, 32);
5656 ctmp2[31] = 4;
5657 CHECK(ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
5658 CHECK(ecount == 1);
5659 CHECK(ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
5660 CHECK(ecount == 2);
5661 ecount = 0;
5662 memset(ctmp2, 0, 32);
5663 CHECK(ec_seckey_tweak_add(ctx, NULL, ctmp2) == 0);
5664 CHECK(ecount == 1);
5665 CHECK(ec_seckey_tweak_add(ctx, ctmp, NULL) == 0);
5666 CHECK(ecount == 2);
5667 ecount = 0;
5668 memset(ctmp2, 0, 32);
5669 ctmp2[31] = 1;
5670 CHECK(ec_seckey_tweak_mul(ctx, NULL, ctmp2) == 0);
5671 CHECK(ecount == 1);
5672 CHECK(ec_seckey_tweak_mul(ctx, ctmp, NULL) == 0);
5673 CHECK(ecount == 2);
5674 ecount = 0;
5675 CHECK(ec_pubkey_create(ctx, NULL, ctmp) == 0);
5676 CHECK(ecount == 1);
5677 memset(&pubkey, 1, sizeof(pubkey));
5678 CHECK(ec_pubkey_create(ctx, &pubkey, NULL) == 0);
5679 CHECK(ecount == 2);
5680 CHECK(memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5681 /* ec_pubkey_combine tests. */
5682 ecount = 0;
5683 pubkeys[0] = &pubkey_one;
5684 VG_UNDEF(&pubkeys[0], sizeof(pubkey *));
5685 VG_UNDEF(&pubkeys[1], sizeof(pubkey *));
5686 VG_UNDEF(&pubkeys[2], sizeof(pubkey *));
5687 memset(&pubkey, 255, sizeof(pubkey));
5688 VG_UNDEF(&pubkey, sizeof(pubkey));
5689 CHECK(ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
5690 VG_CHECK(&pubkey, sizeof(pubkey));
5691 CHECK(memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5692 CHECK(ecount == 1);
5693 CHECK(ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
5694 CHECK(memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5695 CHECK(ecount == 2);
5696 memset(&pubkey, 255, sizeof(pubkey));
5697 VG_UNDEF(&pubkey, sizeof(pubkey));
5698 CHECK(ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
5699 VG_CHECK(&pubkey, sizeof(pubkey));
5700 CHECK(memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5701 CHECK(ecount == 3);
5702 pubkeys[0] = &pubkey_negone;
5703 memset(&pubkey, 255, sizeof(pubkey));
5704 VG_UNDEF(&pubkey, sizeof(pubkey));
5705 CHECK(ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
5706 VG_CHECK(&pubkey, sizeof(pubkey));
5707 CHECK(memcmp_var(&pubkey, zeros, sizeof(pubkey)) > 0);
5708 CHECK(ecount == 3);
5709 len = 33;
5710 CHECK(ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, EC_COMPRESSED) == 1);
5711 CHECK(ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, EC_COMPRESSED) == 1);
5712 CHECK(memcmp_var(ctmp, ctmp2, 33) == 0);
5713 /* Result is infinity. */
5714 pubkeys[0] = &pubkey_one;
5715 pubkeys[1] = &pubkey_negone;
5716 memset(&pubkey, 255, sizeof(pubkey));
5717 VG_UNDEF(&pubkey, sizeof(pubkey));
5718 CHECK(ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
5719 VG_CHECK(&pubkey, sizeof(pubkey));
5720 CHECK(memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
5721 CHECK(ecount == 3);
5722 /* Passes through infinity but comes out one. */
5723 pubkeys[2] = &pubkey_one;
5724 memset(&pubkey, 255, sizeof(pubkey));
5725 VG_UNDEF(&pubkey, sizeof(pubkey));
5726 CHECK(ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
5727 VG_CHECK(&pubkey, sizeof(pubkey));
5728 CHECK(memcmp_var(&pubkey, zeros, sizeof(pubkey)) > 0);
5729 CHECK(ecount == 3);
5730 len = 33;
5731 CHECK(ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, EC_COMPRESSED) == 1);
5732 CHECK(ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, EC_COMPRESSED) == 1);
5733 CHECK(memcmp_var(ctmp, ctmp2, 33) == 0);
5734 /* Adds to two. */
5735 pubkeys[1] = &pubkey_one;
5736 memset(&pubkey, 255, sizeof(pubkey));
5737 VG_UNDEF(&pubkey, sizeof(pubkey));
5738 CHECK(ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1);
5739 VG_CHECK(&pubkey, sizeof(pubkey));
5740 CHECK(memcmp_var(&pubkey, zeros, sizeof(pubkey)) > 0);
5741 CHECK(ecount == 3);
5742 context_set_illegal_callback(ctx, NULL, NULL);
5743 */
5744}
5745
5746pub fn run_eckey_negate_test() {
5747
5748 todo!();
5749 /*
5750 unsigned char seckey[32];
5751 unsigned char seckey_tmp[32];
5752
5753 random_scalar_order_b32(seckey);
5754 memcpy(seckey_tmp, seckey, 32);
5755
5756 /* Verify negation changes the key and changes it back */
5757 CHECK(ec_seckey_negate(ctx, seckey) == 1);
5758 CHECK(memcmp_var(seckey, seckey_tmp, 32) != 0);
5759 CHECK(ec_seckey_negate(ctx, seckey) == 1);
5760 CHECK(memcmp_var(seckey, seckey_tmp, 32) == 0);
5761
5762 /* Check that privkey alias gives same result */
5763 CHECK(ec_seckey_negate(ctx, seckey) == 1);
5764 CHECK(ec_privkey_negate(ctx, seckey_tmp) == 1);
5765 CHECK(memcmp_var(seckey, seckey_tmp, 32) == 0);
5766
5767 /* Negating all 0s fails */
5768 memset(seckey, 0, 32);
5769 memset(seckey_tmp, 0, 32);
5770 CHECK(ec_seckey_negate(ctx, seckey) == 0);
5771 /* Check that seckey is not modified */
5772 CHECK(memcmp_var(seckey, seckey_tmp, 32) == 0);
5773
5774 /* Negating an overflowing seckey fails and the seckey is zeroed. In this
5775 * test, the seckey has 16 random bytes to ensure that ec_seckey_negate
5776 * doesn't just set seckey to a constant value in case of failure. */
5777 random_scalar_order_b32(seckey);
5778 memset(seckey, 0xFF, 16);
5779 memset(seckey_tmp, 0, 32);
5780 CHECK(ec_seckey_negate(ctx, seckey) == 0);
5781 CHECK(memcmp_var(seckey, seckey_tmp, 32) == 0);
5782 */
5783}
5784
5785pub fn random_sign(
5786 sigr: *mut Scalar,
5787 sigs: *mut Scalar,
5788 key: *const Scalar,
5789 msg: *const Scalar,
5790 recid: *mut i32) {
5791
5792 todo!();
5793 /*
5794 scalar nonce;
5795 do {
5796 random_scalar_order_test(&nonce);
5797 } while(!ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
5798 */
5799}
5800
5801pub fn test_ecdsa_sign_verify() {
5802
5803 todo!();
5804 /*
5805 gej pubj;
5806 ge pub;
5807 scalar one;
5808 scalar msg, key;
5809 scalar sigr, sigs;
5810 int getrec;
5811 /* Initialize recid to suppress a false positive -Wconditional-uninitialized in clang.
5812 VG_UNDEF ensures that valgrind will still treat the variable as uninitialized. */
5813 int recid = -1; VG_UNDEF(&recid, sizeof(recid));
5814 random_scalar_order_test(&msg);
5815 random_scalar_order_test(&key);
5816 ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
5817 ge_set_gej(&pub, &pubj);
5818 getrec = testrand_bits(1);
5819 random_sign(&sigr, &sigs, &key, &msg, getrec?&recid:NULL);
5820 if (getrec) {
5821 CHECK(recid >= 0 && recid < 4);
5822 }
5823 CHECK(ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
5824 scalar_set_int(&one, 1);
5825 scalar_add(&msg, &msg, &one);
5826 CHECK(!ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
5827 */
5828}
5829
5830pub fn run_ecdsa_sign_verify() {
5831
5832 todo!();
5833 /*
5834 int i;
5835 for (i = 0; i < 10*count; i++) {
5836 test_ecdsa_sign_verify();
5837 }
5838 */
5839}
5840
5841/**
5842 | Dummy nonce generation function that
5843 | just uses a precomputed nonce, and fails
5844 | if it is not accepted. Use only for testing.
5845 |
5846 */
5847pub fn precomputed_nonce_function(
5848 nonce32: *mut u8,
5849 msg32: *const u8,
5850 key32: *const u8,
5851 algo16: *const u8,
5852 data: *mut c_void,
5853 counter: u32) -> i32 {
5854
5855 todo!();
5856 /*
5857 (c_void)msg32;
5858 (c_void)key32;
5859 (c_void)algo16;
5860 memcpy(nonce32, data, 32);
5861 return (counter == 0);
5862 */
5863}
5864
5865pub fn nonce_function_test_fail(
5866 nonce32: *mut u8,
5867 msg32: *const u8,
5868 key32: *const u8,
5869 algo16: *const u8,
5870 data: *mut c_void,
5871 counter: u32) -> i32 {
5872
5873 todo!();
5874 /*
5875 /* Dummy nonce generator that has a fatal error on the first counter value. */
5876 if (counter == 0) {
5877 return 0;
5878 }
5879 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
5880 */
5881}
5882
5883pub fn nonce_function_test_retry(
5884 nonce32: *mut u8,
5885 msg32: *const u8,
5886 key32: *const u8,
5887 algo16: *const u8,
5888 data: *mut c_void,
5889 counter: u32) -> i32 {
5890
5891 todo!();
5892 /*
5893 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
5894 if (counter < 3) {
5895 memset(nonce32, counter==0 ? 0 : 255, 32);
5896 if (counter == 2) {
5897 nonce32[31]--;
5898 }
5899 return 1;
5900 }
5901 if (counter < 5) {
5902 static const unsigned char order[] = {
5903 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
5904 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
5905 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
5906 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
5907 };
5908 memcpy(nonce32, order, 32);
5909 if (counter == 4) {
5910 nonce32[31]++;
5911 }
5912 return 1;
5913 }
5914 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
5915 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
5916 if (counter > 5) {
5917 return 0;
5918 }
5919 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
5920 */
5921}
5922
5923pub fn is_empty_signature(sig: *const Secp256k1EcdsaSignature) -> i32 {
5924
5925 todo!();
5926 /*
5927 static const unsigned char res[sizeof(ecdsa_signature)] = {0};
5928 return memcmp_var(sig, res, sizeof(ecdsa_signature)) == 0;
5929 */
5930}
5931
5932pub fn test_ecdsa_end_to_end() {
5933
5934 todo!();
5935 /*
5936 unsigned char extra[32] = {0x00};
5937 unsigned char privkey[32];
5938 unsigned char message[32];
5939 unsigned char privkey2[32];
5940 ecdsa_signature signature[6];
5941 scalar r, s;
5942 unsigned char sig[74];
5943 size_t siglen = 74;
5944 unsigned char pubkeyc[65];
5945 size_t pubkeyclen = 65;
5946 pubkey pubkey;
5947 pubkey pubkey_tmp;
5948 unsigned char seckey[300];
5949 size_t seckeylen = 300;
5950
5951 /* Generate a random key and message. */
5952 {
5953 scalar msg, key;
5954 random_scalar_order_test(&msg);
5955 random_scalar_order_test(&key);
5956 scalar_get_b32(privkey, &key);
5957 scalar_get_b32(message, &msg);
5958 }
5959
5960 /* Construct and verify corresponding public key. */
5961 CHECK(ec_seckey_verify(ctx, privkey) == 1);
5962 CHECK(ec_pubkey_create(ctx, &pubkey, privkey) == 1);
5963
5964 /* Verify exporting and importing public key. */
5965 CHECK(ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, testrand_bits(1) == 1 ? EC_COMPRESSED : EC_UNCOMPRESSED));
5966 memset(&pubkey, 0, sizeof(pubkey));
5967 CHECK(ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
5968
5969 /* Verify negation changes the key and changes it back */
5970 memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
5971 CHECK(ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
5972 CHECK(memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
5973 CHECK(ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
5974 CHECK(memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
5975
5976 /* Verify private key import and export. */
5977 CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, testrand_bits(1) == 1));
5978 CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1);
5979 CHECK(memcmp_var(privkey, privkey2, 32) == 0);
5980
5981 /* Optionally tweak the keys using addition. */
5982 if (testrand_int(3) == 0) {
5983 int ret1;
5984 int ret2;
5985 int ret3;
5986 unsigned char rnd[32];
5987 unsigned char privkey_tmp[32];
5988 pubkey pubkey2;
5989 testrand256_test(rnd);
5990 memcpy(privkey_tmp, privkey, 32);
5991 ret1 = ec_seckey_tweak_add(ctx, privkey, rnd);
5992 ret2 = ec_pubkey_tweak_add(ctx, &pubkey, rnd);
5993 /* Check that privkey alias gives same result */
5994 ret3 = ec_privkey_tweak_add(ctx, privkey_tmp, rnd);
5995 CHECK(ret1 == ret2);
5996 CHECK(ret2 == ret3);
5997 if (ret1 == 0) {
5998 return;
5999 }
6000 CHECK(memcmp_var(privkey, privkey_tmp, 32) == 0);
6001 CHECK(ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
6002 CHECK(memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6003 }
6004
6005 /* Optionally tweak the keys using multiplication. */
6006 if (testrand_int(3) == 0) {
6007 int ret1;
6008 int ret2;
6009 int ret3;
6010 unsigned char rnd[32];
6011 unsigned char privkey_tmp[32];
6012 pubkey pubkey2;
6013 testrand256_test(rnd);
6014 memcpy(privkey_tmp, privkey, 32);
6015 ret1 = ec_seckey_tweak_mul(ctx, privkey, rnd);
6016 ret2 = ec_pubkey_tweak_mul(ctx, &pubkey, rnd);
6017 /* Check that privkey alias gives same result */
6018 ret3 = ec_privkey_tweak_mul(ctx, privkey_tmp, rnd);
6019 CHECK(ret1 == ret2);
6020 CHECK(ret2 == ret3);
6021 if (ret1 == 0) {
6022 return;
6023 }
6024 CHECK(memcmp_var(privkey, privkey_tmp, 32) == 0);
6025 CHECK(ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
6026 CHECK(memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6027 }
6028
6029 /* Sign. */
6030 CHECK(ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
6031 CHECK(ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1);
6032 CHECK(ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1);
6033 extra[31] = 1;
6034 CHECK(ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1);
6035 extra[31] = 0;
6036 extra[0] = 1;
6037 CHECK(ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1);
6038 CHECK(memcmp_var(&signature[0], &signature[4], sizeof(signature[0])) == 0);
6039 CHECK(memcmp_var(&signature[0], &signature[1], sizeof(signature[0])) != 0);
6040 CHECK(memcmp_var(&signature[0], &signature[2], sizeof(signature[0])) != 0);
6041 CHECK(memcmp_var(&signature[0], &signature[3], sizeof(signature[0])) != 0);
6042 CHECK(memcmp_var(&signature[1], &signature[2], sizeof(signature[0])) != 0);
6043 CHECK(memcmp_var(&signature[1], &signature[3], sizeof(signature[0])) != 0);
6044 CHECK(memcmp_var(&signature[2], &signature[3], sizeof(signature[0])) != 0);
6045 /* Verify. */
6046 CHECK(ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
6047 CHECK(ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1);
6048 CHECK(ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1);
6049 CHECK(ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1);
6050 /* Test lower-S form, malleate, verify and fail, test again, malleate again */
6051 CHECK(!ecdsa_signature_normalize(ctx, NULL, &signature[0]));
6052 ecdsa_signature_load(ctx, &r, &s, &signature[0]);
6053 scalar_negate(&s, &s);
6054 ecdsa_signature_save(&signature[5], &r, &s);
6055 CHECK(ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0);
6056 CHECK(ecdsa_signature_normalize(ctx, NULL, &signature[5]));
6057 CHECK(ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
6058 CHECK(!ecdsa_signature_normalize(ctx, NULL, &signature[5]));
6059 CHECK(!ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
6060 CHECK(ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
6061 scalar_negate(&s, &s);
6062 ecdsa_signature_save(&signature[5], &r, &s);
6063 CHECK(!ecdsa_signature_normalize(ctx, NULL, &signature[5]));
6064 CHECK(ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
6065 CHECK(memcmp_var(&signature[5], &signature[0], 64) == 0);
6066
6067 /* Serialize/parse DER and verify again */
6068 CHECK(ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
6069 memset(&signature[0], 0, sizeof(signature[0]));
6070 CHECK(ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1);
6071 CHECK(ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
6072 /* Serialize/destroy/parse DER and verify again. */
6073 siglen = 74;
6074 CHECK(ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
6075 sig[testrand_int(siglen)] += 1 + testrand_int(255);
6076 CHECK(ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 ||
6077 ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0);
6078 */
6079}
6080
6081pub fn test_random_pubkeys() {
6082
6083 todo!();
6084 /*
6085 ge elem;
6086 ge elem2;
6087 unsigned char in[65];
6088 /* Generate some randomly sized pubkeys. */
6089 size_t len = testrand_bits(2) == 0 ? 65 : 33;
6090 if (testrand_bits(2) == 0) {
6091 len = testrand_bits(6);
6092 }
6093 if (len == 65) {
6094 in[0] = testrand_bits(1) ? 4 : (testrand_bits(1) ? 6 : 7);
6095 } else {
6096 in[0] = testrand_bits(1) ? 2 : 3;
6097 }
6098 if (testrand_bits(3) == 0) {
6099 in[0] = testrand_bits(8);
6100 }
6101 if (len > 1) {
6102 testrand256(&in[1]);
6103 }
6104 if (len > 33) {
6105 testrand256(&in[33]);
6106 }
6107 if (eckey_pubkey_parse(&elem, in, len)) {
6108 unsigned char out[65];
6109 unsigned char firstb;
6110 int res;
6111 size_t size = len;
6112 firstb = in[0];
6113 /* If the pubkey can be parsed, it should round-trip... */
6114 CHECK(eckey_pubkey_serialize(&elem, out, &size, len == 33));
6115 CHECK(size == len);
6116 CHECK(memcmp_var(&in[1], &out[1], len-1) == 0);
6117 /* ... except for the type of hybrid inputs. */
6118 if ((in[0] != 6) && (in[0] != 7)) {
6119 CHECK(in[0] == out[0]);
6120 }
6121 size = 65;
6122 CHECK(eckey_pubkey_serialize(&elem, in, &size, 0));
6123 CHECK(size == 65);
6124 CHECK(eckey_pubkey_parse(&elem2, in, size));
6125 ge_equals_ge(&elem,&elem2);
6126 /* Check that the X9.62 hybrid type is checked. */
6127 in[0] = testrand_bits(1) ? 6 : 7;
6128 res = eckey_pubkey_parse(&elem2, in, size);
6129 if (firstb == 2 || firstb == 3) {
6130 if (in[0] == firstb + 4) {
6131 CHECK(res);
6132 } else {
6133 CHECK(!res);
6134 }
6135 }
6136 if (res) {
6137 ge_equals_ge(&elem,&elem2);
6138 CHECK(eckey_pubkey_serialize(&elem, out, &size, 0));
6139 CHECK(memcmp_var(&in[1], &out[1], 64) == 0);
6140 }
6141 }
6142 */
6143}
6144
6145pub fn run_pubkey_comparison() {
6146
6147 todo!();
6148 /*
6149 unsigned char pk1_ser[33] = {
6150 0x02,
6151 0x58, 0x84, 0xb3, 0xa2, 0x4b, 0x97, 0x37, 0x88, 0x92, 0x38, 0xa6, 0x26, 0x62, 0x52, 0x35, 0x11,
6152 0xd0, 0x9a, 0xa1, 0x1b, 0x80, 0x0b, 0x5e, 0x93, 0x80, 0x26, 0x11, 0xef, 0x67, 0x4b, 0xd9, 0x23
6153 };
6154 const unsigned char pk2_ser[33] = {
6155 0x02,
6156 0xde, 0x36, 0x0e, 0x87, 0x59, 0x8f, 0x3c, 0x01, 0x36, 0x2a, 0x2a, 0xb8, 0xc6, 0xf4, 0x5e, 0x4d,
6157 0xb2, 0xc2, 0xd5, 0x03, 0xa7, 0xf9, 0xf1, 0x4f, 0xa8, 0xfa, 0x95, 0xa8, 0xe9, 0x69, 0x76, 0x1c
6158 };
6159 pubkey pk1;
6160 pubkey pk2;
6161 int32_t ecount = 0;
6162
6163 CHECK(ec_pubkey_parse(ctx, &pk1, pk1_ser, sizeof(pk1_ser)) == 1);
6164 CHECK(ec_pubkey_parse(ctx, &pk2, pk2_ser, sizeof(pk2_ser)) == 1);
6165
6166 context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
6167 CHECK(ec_pubkey_cmp(ctx, NULL, &pk2) < 0);
6168 CHECK(ecount == 1);
6169 CHECK(ec_pubkey_cmp(ctx, &pk1, NULL) > 0);
6170 CHECK(ecount == 2);
6171 CHECK(ec_pubkey_cmp(ctx, &pk1, &pk2) < 0);
6172 CHECK(ec_pubkey_cmp(ctx, &pk2, &pk1) > 0);
6173 CHECK(ec_pubkey_cmp(ctx, &pk1, &pk1) == 0);
6174 CHECK(ec_pubkey_cmp(ctx, &pk2, &pk2) == 0);
6175 CHECK(ecount == 2);
6176 {
6177 pubkey pk_tmp;
6178 memset(&pk_tmp, 0, sizeof(pk_tmp)); /* illegal pubkey */
6179 CHECK(ec_pubkey_cmp(ctx, &pk_tmp, &pk2) < 0);
6180 CHECK(ecount == 3);
6181 CHECK(ec_pubkey_cmp(ctx, &pk_tmp, &pk_tmp) == 0);
6182 CHECK(ecount == 5);
6183 CHECK(ec_pubkey_cmp(ctx, &pk2, &pk_tmp) > 0);
6184 CHECK(ecount == 6);
6185 }
6186
6187 context_set_illegal_callback(ctx, NULL, NULL);
6188
6189 /* Make pk2 the same as pk1 but with 3 rather than 2. Note that in
6190 * an uncompressed encoding, these would have the opposite ordering */
6191 pk1_ser[0] = 3;
6192 CHECK(ec_pubkey_parse(ctx, &pk2, pk1_ser, sizeof(pk1_ser)) == 1);
6193 CHECK(ec_pubkey_cmp(ctx, &pk1, &pk2) < 0);
6194 CHECK(ec_pubkey_cmp(ctx, &pk2, &pk1) > 0);
6195 */
6196}
6197
6198pub fn run_random_pubkeys() {
6199
6200 todo!();
6201 /*
6202 int i;
6203 for (i = 0; i < 10*count; i++) {
6204 test_random_pubkeys();
6205 }
6206 */
6207}
6208
6209pub fn run_ecdsa_end_to_end() {
6210
6211 todo!();
6212 /*
6213 int i;
6214 for (i = 0; i < 64*count; i++) {
6215 test_ecdsa_end_to_end();
6216 }
6217 */
6218}
6219
6220pub fn test_ecdsa_der_parse(
6221 sig: *const u8,
6222 siglen: usize,
6223 certainly_der: i32,
6224 certainly_not_der: i32) -> i32 {
6225
6226 todo!();
6227 /*
6228 static const unsigned char zeroes[32] = {0};
6229 #ifdef ENABLE_OPENSSL_TESTS
6230 static const unsigned char max_scalar[32] = {
6231 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6232 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
6233 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
6234 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40
6235 };
6236 #endif
6237
6238 int ret = 0;
6239
6240 ecdsa_signature sig_der;
6241 unsigned char roundtrip_der[2048];
6242 unsigned char compact_der[64];
6243 size_t len_der = 2048;
6244 int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
6245
6246 ecdsa_signature sig_der_lax;
6247 unsigned char roundtrip_der_lax[2048];
6248 unsigned char compact_der_lax[64];
6249 size_t len_der_lax = 2048;
6250 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
6251
6252 #ifdef ENABLE_OPENSSL_TESTS
6253 ECDSA_SIG *sig_openssl;
6254 const BIGNUM *r = NULL, *s = NULL;
6255 const unsigned char *sigptr;
6256 unsigned char roundtrip_openssl[2048];
6257 int len_openssl = 2048;
6258 int parsed_openssl, valid_openssl = 0, roundtrips_openssl = 0;
6259 #endif
6260
6261 parsed_der = ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen);
6262 if (parsed_der) {
6263 ret |= (!ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0;
6264 valid_der = (memcmp_var(compact_der, zeroes, 32) != 0) && (memcmp_var(compact_der + 32, zeroes, 32) != 0);
6265 }
6266 if (valid_der) {
6267 ret |= (!ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1;
6268 roundtrips_der = (len_der == siglen) && memcmp_var(roundtrip_der, sig, siglen) == 0;
6269 }
6270
6271 parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen);
6272 if (parsed_der_lax) {
6273 ret |= (!ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10;
6274 valid_der_lax = (memcmp_var(compact_der_lax, zeroes, 32) != 0) && (memcmp_var(compact_der_lax + 32, zeroes, 32) != 0);
6275 }
6276 if (valid_der_lax) {
6277 ret |= (!ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
6278 roundtrips_der_lax = (len_der_lax == siglen) && memcmp_var(roundtrip_der_lax, sig, siglen) == 0;
6279 }
6280
6281 if (certainly_der) {
6282 ret |= (!parsed_der) << 2;
6283 }
6284 if (certainly_not_der) {
6285 ret |= (parsed_der) << 17;
6286 }
6287 if (valid_der) {
6288 ret |= (!roundtrips_der) << 3;
6289 }
6290
6291 if (valid_der) {
6292 ret |= (!roundtrips_der_lax) << 12;
6293 ret |= (len_der != len_der_lax) << 13;
6294 ret |= ((len_der != len_der_lax) || (memcmp_var(roundtrip_der_lax, roundtrip_der, len_der) != 0)) << 14;
6295 }
6296 ret |= (roundtrips_der != roundtrips_der_lax) << 15;
6297 if (parsed_der) {
6298 ret |= (!parsed_der_lax) << 16;
6299 }
6300
6301 #ifdef ENABLE_OPENSSL_TESTS
6302 sig_openssl = ECDSA_SIG_new();
6303 sigptr = sig;
6304 parsed_openssl = (d2i_ECDSA_SIG(&sig_openssl, &sigptr, siglen) != NULL);
6305 if (parsed_openssl) {
6306 ECDSA_SIG_get0(sig_openssl, &r, &s);
6307 valid_openssl = !BN_is_negative(r) && !BN_is_negative(s) && BN_num_bits(r) > 0 && BN_num_bits(r) <= 256 && BN_num_bits(s) > 0 && BN_num_bits(s) <= 256;
6308 if (valid_openssl) {
6309 unsigned char tmp[32] = {0};
6310 BN_bn2bin(r, tmp + 32 - BN_num_bytes(r));
6311 valid_openssl = memcmp_var(tmp, max_scalar, 32) < 0;
6312 }
6313 if (valid_openssl) {
6314 unsigned char tmp[32] = {0};
6315 BN_bn2bin(s, tmp + 32 - BN_num_bytes(s));
6316 valid_openssl = memcmp_var(tmp, max_scalar, 32) < 0;
6317 }
6318 }
6319 len_openssl = i2d_ECDSA_SIG(sig_openssl, NULL);
6320 if (len_openssl <= 2048) {
6321 unsigned char *ptr = roundtrip_openssl;
6322 CHECK(i2d_ECDSA_SIG(sig_openssl, &ptr) == len_openssl);
6323 roundtrips_openssl = valid_openssl && ((size_t)len_openssl == siglen) && (memcmp_var(roundtrip_openssl, sig, siglen) == 0);
6324 } else {
6325 len_openssl = 0;
6326 }
6327 ECDSA_SIG_free(sig_openssl);
6328
6329 ret |= (parsed_der && !parsed_openssl) << 4;
6330 ret |= (valid_der && !valid_openssl) << 5;
6331 ret |= (roundtrips_openssl && !parsed_der) << 6;
6332 ret |= (roundtrips_der != roundtrips_openssl) << 7;
6333 if (roundtrips_openssl) {
6334 ret |= (len_der != (size_t)len_openssl) << 8;
6335 ret |= ((len_der != (size_t)len_openssl) || (memcmp_var(roundtrip_der, roundtrip_openssl, len_der) != 0)) << 9;
6336 }
6337 #endif
6338 return ret;
6339 */
6340}
6341
6342pub fn assign_big_endian(
6343 ptr: *mut u8,
6344 ptrlen: usize,
6345 val: u32) {
6346
6347 todo!();
6348 /*
6349 size_t i;
6350 for (i = 0; i < ptrlen; i++) {
6351 int shift = ptrlen - 1 - i;
6352 if (shift >= 4) {
6353 ptr[i] = 0;
6354 } else {
6355 ptr[i] = (val >> shift) & 0xFF;
6356 }
6357 }
6358 */
6359}
6360
6361pub fn damage_array(
6362 sig: *mut u8,
6363 len: *mut usize) {
6364
6365 todo!();
6366 /*
6367 int pos;
6368 int action = testrand_bits(3);
6369 if (action < 1 && *len > 3) {
6370 /* Delete a byte. */
6371 pos = testrand_int(*len);
6372 memmove(sig + pos, sig + pos + 1, *len - pos - 1);
6373 (*len)--;
6374 return;
6375 } else if (action < 2 && *len < 2048) {
6376 /* Insert a byte. */
6377 pos = testrand_int(1 + *len);
6378 memmove(sig + pos + 1, sig + pos, *len - pos);
6379 sig[pos] = testrand_bits(8);
6380 (*len)++;
6381 return;
6382 } else if (action < 4) {
6383 /* Modify a byte. */
6384 sig[testrand_int(*len)] += 1 + testrand_int(255);
6385 return;
6386 } else { /* action < 8 */
6387 /* Modify a bit. */
6388 sig[testrand_int(*len)] ^= 1 << testrand_bits(3);
6389 return;
6390 }
6391 */
6392}
6393
6394pub fn random_ber_signature(
6395 sig: *mut u8,
6396 len: *mut usize,
6397 certainly_der: *mut i32,
6398 certainly_not_der: *mut i32) {
6399
6400 todo!();
6401 /*
6402 int der;
6403 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
6404 size_t tlen, elen, glen;
6405 int indet;
6406 int n;
6407
6408 *len = 0;
6409 der = testrand_bits(2) == 0;
6410 *certainly_der = der;
6411 *certainly_not_der = 0;
6412 indet = der ? 0 : testrand_int(10) == 0;
6413
6414 for (n = 0; n < 2; n++) {
6415 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
6416 nlow[n] = der ? 1 : (testrand_bits(3) != 0);
6417 /* The length of the number in bytes (the first byte of which will always be nonzero) */
6418 nlen[n] = nlow[n] ? testrand_int(33) : 32 + testrand_int(200) * testrand_int(8) / 8;
6419 CHECK(nlen[n] <= 232);
6420 /* The top bit of the number. */
6421 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : testrand_bits(1));
6422 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
6423 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + testrand_bits(7) : 1 + testrand_int(127));
6424 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
6425 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? testrand_int(3) : testrand_int(300 - nlen[n]) * testrand_int(8) / 8);
6426 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
6427 *certainly_not_der = 1;
6428 }
6429 CHECK(nlen[n] + nzlen[n] <= 300);
6430 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
6431 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
6432 if (!der) {
6433 /* nlenlen[n] max 127 bytes */
6434 int add = testrand_int(127 - nlenlen[n]) * testrand_int(16) * testrand_int(16) / 256;
6435 nlenlen[n] += add;
6436 if (add != 0) {
6437 *certainly_not_der = 1;
6438 }
6439 }
6440 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
6441 }
6442
6443 /* The total length of the data to go, so far */
6444 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
6445 CHECK(tlen <= 856);
6446
6447 /* The length of the garbage inside the tuple. */
6448 elen = (der || indet) ? 0 : testrand_int(980 - tlen) * testrand_int(8) / 8;
6449 if (elen != 0) {
6450 *certainly_not_der = 1;
6451 }
6452 tlen += elen;
6453 CHECK(tlen <= 980);
6454
6455 /* The length of the garbage after the end of the tuple. */
6456 glen = der ? 0 : testrand_int(990 - tlen) * testrand_int(8) / 8;
6457 if (glen != 0) {
6458 *certainly_not_der = 1;
6459 }
6460 CHECK(tlen + glen <= 990);
6461
6462 /* Write the tuple header. */
6463 sig[(*len)++] = 0x30;
6464 if (indet) {
6465 /* Indeterminate length */
6466 sig[(*len)++] = 0x80;
6467 *certainly_not_der = 1;
6468 } else {
6469 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
6470 if (!der) {
6471 int add = testrand_int(127 - tlenlen) * testrand_int(16) * testrand_int(16) / 256;
6472 tlenlen += add;
6473 if (add != 0) {
6474 *certainly_not_der = 1;
6475 }
6476 }
6477 if (tlenlen == 0) {
6478 /* Short length notation */
6479 sig[(*len)++] = tlen;
6480 } else {
6481 /* Long length notation */
6482 sig[(*len)++] = 128 + tlenlen;
6483 assign_big_endian(sig + *len, tlenlen, tlen);
6484 *len += tlenlen;
6485 }
6486 tlen += tlenlen;
6487 }
6488 tlen += 2;
6489 CHECK(tlen + glen <= 1119);
6490
6491 for (n = 0; n < 2; n++) {
6492 /* Write the integer header. */
6493 sig[(*len)++] = 0x02;
6494 if (nlenlen[n] == 0) {
6495 /* Short length notation */
6496 sig[(*len)++] = nlen[n] + nzlen[n];
6497 } else {
6498 /* Long length notation. */
6499 sig[(*len)++] = 128 + nlenlen[n];
6500 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
6501 *len += nlenlen[n];
6502 }
6503 /* Write zero padding */
6504 while (nzlen[n] > 0) {
6505 sig[(*len)++] = 0x00;
6506 nzlen[n]--;
6507 }
6508 if (nlen[n] == 32 && !nlow[n]) {
6509 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
6510 int i;
6511 for (i = 0; i < 16; i++) {
6512 sig[(*len)++] = 0xFF;
6513 }
6514 nlen[n] -= 16;
6515 }
6516 /* Write first byte of number */
6517 if (nlen[n] > 0) {
6518 sig[(*len)++] = nhbyte[n];
6519 nlen[n]--;
6520 }
6521 /* Generate remaining random bytes of number */
6522 testrand_bytes_test(sig + *len, nlen[n]);
6523 *len += nlen[n];
6524 nlen[n] = 0;
6525 }
6526
6527 /* Generate random garbage inside tuple. */
6528 testrand_bytes_test(sig + *len, elen);
6529 *len += elen;
6530
6531 /* Generate end-of-contents bytes. */
6532 if (indet) {
6533 sig[(*len)++] = 0;
6534 sig[(*len)++] = 0;
6535 tlen += 2;
6536 }
6537 CHECK(tlen + glen <= 1121);
6538
6539 /* Generate random garbage outside tuple. */
6540 testrand_bytes_test(sig + *len, glen);
6541 *len += glen;
6542 tlen += glen;
6543 CHECK(tlen <= 1121);
6544 CHECK(tlen == *len);
6545 */
6546}
6547
6548pub fn run_ecdsa_der_parse() {
6549
6550 todo!();
6551 /*
6552 int i,j;
6553 for (i = 0; i < 200 * count; i++) {
6554 unsigned char buffer[2048];
6555 size_t buflen = 0;
6556 int certainly_der = 0;
6557 int certainly_not_der = 0;
6558 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
6559 CHECK(buflen <= 2048);
6560 for (j = 0; j < 16; j++) {
6561 int ret = 0;
6562 if (j > 0) {
6563 damage_array(buffer, &buflen);
6564 /* We don't know anything anymore about the DERness of the result */
6565 certainly_der = 0;
6566 certainly_not_der = 0;
6567 }
6568 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
6569 if (ret != 0) {
6570 size_t k;
6571 fprintf(stderr, "Failure %x on ", ret);
6572 for (k = 0; k < buflen; k++) {
6573 fprintf(stderr, "%02x ", buffer[k]);
6574 }
6575 fprintf(stderr, "\n");
6576 }
6577 CHECK(ret == 0);
6578 }
6579 }
6580 */
6581}
6582
6583/**
6584 | Tests several edge cases.
6585 |
6586 */
6587pub fn test_ecdsa_edge_cases() {
6588
6589 todo!();
6590 /*
6591 int t;
6592 ecdsa_signature sig;
6593
6594 /* Test the case where ECDSA recomputes a point that is infinity. */
6595 {
6596 gej keyj;
6597 ge key;
6598 scalar msg;
6599 scalar sr, ss;
6600 scalar_set_int(&ss, 1);
6601 scalar_negate(&ss, &ss);
6602 scalar_inverse(&ss, &ss);
6603 scalar_set_int(&sr, 1);
6604 ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr);
6605 ge_set_gej(&key, &keyj);
6606 msg = ss;
6607 CHECK(ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
6608 }
6609
6610 /* Verify signature with r of zero fails. */
6611 {
6612 const unsigned char pubkey_mods_zero[33] = {
6613 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6614 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6615 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
6616 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
6617 0x41
6618 };
6619 ge key;
6620 scalar msg;
6621 scalar sr, ss;
6622 scalar_set_int(&ss, 1);
6623 scalar_set_int(&msg, 0);
6624 scalar_set_int(&sr, 0);
6625 CHECK(eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
6626 CHECK(ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
6627 }
6628
6629 /* Verify signature with s of zero fails. */
6630 {
6631 const unsigned char pubkey[33] = {
6632 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6633 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6634 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6635 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6636 0x01
6637 };
6638 ge key;
6639 scalar msg;
6640 scalar sr, ss;
6641 scalar_set_int(&ss, 0);
6642 scalar_set_int(&msg, 0);
6643 scalar_set_int(&sr, 1);
6644 CHECK(eckey_pubkey_parse(&key, pubkey, 33));
6645 CHECK(ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
6646 }
6647
6648 /* Verify signature with message 0 passes. */
6649 {
6650 const unsigned char pubkey[33] = {
6651 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6652 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6653 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6654 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6655 0x02
6656 };
6657 const unsigned char pubkey2[33] = {
6658 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6659 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6660 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
6661 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
6662 0x43
6663 };
6664 ge key;
6665 ge key2;
6666 scalar msg;
6667 scalar sr, ss;
6668 scalar_set_int(&ss, 2);
6669 scalar_set_int(&msg, 0);
6670 scalar_set_int(&sr, 2);
6671 CHECK(eckey_pubkey_parse(&key, pubkey, 33));
6672 CHECK(eckey_pubkey_parse(&key2, pubkey2, 33));
6673 CHECK(ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
6674 CHECK(ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
6675 scalar_negate(&ss, &ss);
6676 CHECK(ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
6677 CHECK(ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
6678 scalar_set_int(&ss, 1);
6679 CHECK(ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
6680 CHECK(ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
6681 }
6682
6683 /* Verify signature with message 1 passes. */
6684 {
6685 const unsigned char pubkey[33] = {
6686 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
6687 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
6688 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
6689 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
6690 0x25
6691 };
6692 const unsigned char pubkey2[33] = {
6693 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
6694 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
6695 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
6696 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
6697 0x62
6698 };
6699 const unsigned char csr[32] = {
6700 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6701 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
6702 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
6703 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
6704 };
6705 ge key;
6706 ge key2;
6707 scalar msg;
6708 scalar sr, ss;
6709 scalar_set_int(&ss, 1);
6710 scalar_set_int(&msg, 1);
6711 scalar_set_b32(&sr, csr, NULL);
6712 CHECK(eckey_pubkey_parse(&key, pubkey, 33));
6713 CHECK(eckey_pubkey_parse(&key2, pubkey2, 33));
6714 CHECK(ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
6715 CHECK(ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
6716 scalar_negate(&ss, &ss);
6717 CHECK(ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
6718 CHECK(ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
6719 scalar_set_int(&ss, 2);
6720 scalar_inverse_var(&ss, &ss);
6721 CHECK(ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
6722 CHECK(ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
6723 }
6724
6725 /* Verify signature with message -1 passes. */
6726 {
6727 const unsigned char pubkey[33] = {
6728 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
6729 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
6730 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
6731 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
6732 0xf1
6733 };
6734 const unsigned char csr[32] = {
6735 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6736 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
6737 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
6738 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
6739 };
6740 ge key;
6741 scalar msg;
6742 scalar sr, ss;
6743 scalar_set_int(&ss, 1);
6744 scalar_set_int(&msg, 1);
6745 scalar_negate(&msg, &msg);
6746 scalar_set_b32(&sr, csr, NULL);
6747 CHECK(eckey_pubkey_parse(&key, pubkey, 33));
6748 CHECK(ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
6749 scalar_negate(&ss, &ss);
6750 CHECK(ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
6751 scalar_set_int(&ss, 3);
6752 scalar_inverse_var(&ss, &ss);
6753 CHECK(ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
6754 }
6755
6756 /* Signature where s would be zero. */
6757 {
6758 pubkey pubkey;
6759 size_t siglen;
6760 int32_t ecount;
6761 unsigned char signature[72];
6762 static const unsigned char nonce[32] = {
6763 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6764 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6765 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6766 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
6767 };
6768 static const unsigned char nonce2[32] = {
6769 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
6770 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
6771 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
6772 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
6773 };
6774 const unsigned char key[32] = {
6775 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6776 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6777 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6778 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
6779 };
6780 unsigned char msg[32] = {
6781 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
6782 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
6783 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
6784 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
6785 };
6786 ecount = 0;
6787 context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
6788 CHECK(ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
6789 CHECK(ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
6790 msg[31] = 0xaa;
6791 CHECK(ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
6792 CHECK(ecount == 0);
6793 CHECK(ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
6794 CHECK(ecount == 1);
6795 CHECK(ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
6796 CHECK(ecount == 2);
6797 CHECK(ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0);
6798 CHECK(ecount == 3);
6799 CHECK(ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
6800 CHECK(ec_pubkey_create(ctx, &pubkey, key) == 1);
6801 CHECK(ecdsa_verify(ctx, NULL, msg, &pubkey) == 0);
6802 CHECK(ecount == 4);
6803 CHECK(ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0);
6804 CHECK(ecount == 5);
6805 CHECK(ecdsa_verify(ctx, &sig, msg, NULL) == 0);
6806 CHECK(ecount == 6);
6807 CHECK(ecdsa_verify(ctx, &sig, msg, &pubkey) == 1);
6808 CHECK(ecount == 6);
6809 CHECK(ec_pubkey_create(ctx, &pubkey, NULL) == 0);
6810 CHECK(ecount == 7);
6811 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
6812 CHECK(ecdsa_verify(ctx, &sig, msg, &pubkey) == 0);
6813 CHECK(ecount == 8);
6814 siglen = 72;
6815 CHECK(ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0);
6816 CHECK(ecount == 9);
6817 CHECK(ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0);
6818 CHECK(ecount == 10);
6819 CHECK(ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0);
6820 CHECK(ecount == 11);
6821 CHECK(ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1);
6822 CHECK(ecount == 11);
6823 CHECK(ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0);
6824 CHECK(ecount == 12);
6825 CHECK(ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0);
6826 CHECK(ecount == 13);
6827 CHECK(ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1);
6828 CHECK(ecount == 13);
6829 siglen = 10;
6830 /* Too little room for a signature does not fail via ARGCHECK. */
6831 CHECK(ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0);
6832 CHECK(ecount == 13);
6833 ecount = 0;
6834 CHECK(ecdsa_signature_normalize(ctx, NULL, NULL) == 0);
6835 CHECK(ecount == 1);
6836 CHECK(ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0);
6837 CHECK(ecount == 2);
6838 CHECK(ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0);
6839 CHECK(ecount == 3);
6840 CHECK(ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1);
6841 CHECK(ecount == 3);
6842 CHECK(ecdsa_signature_parse_compact(ctx, NULL, signature) == 0);
6843 CHECK(ecount == 4);
6844 CHECK(ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0);
6845 CHECK(ecount == 5);
6846 CHECK(ecdsa_signature_parse_compact(ctx, &sig, signature) == 1);
6847 CHECK(ecount == 5);
6848 memset(signature, 255, 64);
6849 CHECK(ecdsa_signature_parse_compact(ctx, &sig, signature) == 0);
6850 CHECK(ecount == 5);
6851 context_set_illegal_callback(ctx, NULL, NULL);
6852 }
6853
6854 /* Nonce function corner cases. */
6855 for (t = 0; t < 2; t++) {
6856 static const unsigned char zero[32] = {0x00};
6857 int i;
6858 unsigned char key[32];
6859 unsigned char msg[32];
6860 ecdsa_signature sig2;
6861 scalar sr[512], ss;
6862 const unsigned char *extra;
6863 extra = t == 0 ? NULL : zero;
6864 memset(msg, 0, 32);
6865 msg[31] = 1;
6866 /* High key results in signature failure. */
6867 memset(key, 0xFF, 32);
6868 CHECK(ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
6869 CHECK(is_empty_signature(&sig));
6870 /* Zero key results in signature failure. */
6871 memset(key, 0, 32);
6872 CHECK(ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
6873 CHECK(is_empty_signature(&sig));
6874 /* Nonce function failure results in signature failure. */
6875 key[31] = 1;
6876 CHECK(ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0);
6877 CHECK(is_empty_signature(&sig));
6878 /* The retry loop successfully makes its way to the first good value. */
6879 CHECK(ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1);
6880 CHECK(!is_empty_signature(&sig));
6881 CHECK(ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
6882 CHECK(!is_empty_signature(&sig2));
6883 CHECK(memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
6884 /* The default nonce function is deterministic. */
6885 CHECK(ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
6886 CHECK(!is_empty_signature(&sig2));
6887 CHECK(memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
6888 /* The default nonce function changes output with different messages. */
6889 for(i = 0; i < 256; i++) {
6890 int j;
6891 msg[0] = i;
6892 CHECK(ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
6893 CHECK(!is_empty_signature(&sig2));
6894 ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
6895 for (j = 0; j < i; j++) {
6896 CHECK(!scalar_eq(&sr[i], &sr[j]));
6897 }
6898 }
6899 msg[0] = 0;
6900 msg[31] = 2;
6901 /* The default nonce function changes output with different keys. */
6902 for(i = 256; i < 512; i++) {
6903 int j;
6904 key[0] = i - 256;
6905 CHECK(ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
6906 CHECK(!is_empty_signature(&sig2));
6907 ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
6908 for (j = 0; j < i; j++) {
6909 CHECK(!scalar_eq(&sr[i], &sr[j]));
6910 }
6911 }
6912 key[0] = 0;
6913 }
6914
6915 {
6916 /* Check that optional nonce arguments do not have equivalent effect. */
6917 const unsigned char zeros[32] = {0};
6918 unsigned char nonce[32];
6919 unsigned char nonce2[32];
6920 unsigned char nonce3[32];
6921 unsigned char nonce4[32];
6922 VG_UNDEF(nonce,32);
6923 VG_UNDEF(nonce2,32);
6924 VG_UNDEF(nonce3,32);
6925 VG_UNDEF(nonce4,32);
6926 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
6927 VG_CHECK(nonce,32);
6928 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
6929 VG_CHECK(nonce2,32);
6930 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (c_void *)zeros, 0) == 1);
6931 VG_CHECK(nonce3,32);
6932 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (c_void *)zeros, 0) == 1);
6933 VG_CHECK(nonce4,32);
6934 CHECK(memcmp_var(nonce, nonce2, 32) != 0);
6935 CHECK(memcmp_var(nonce, nonce3, 32) != 0);
6936 CHECK(memcmp_var(nonce, nonce4, 32) != 0);
6937 CHECK(memcmp_var(nonce2, nonce3, 32) != 0);
6938 CHECK(memcmp_var(nonce2, nonce4, 32) != 0);
6939 CHECK(memcmp_var(nonce3, nonce4, 32) != 0);
6940 }
6941
6942 /* Privkey export where pubkey is the point at infinity. */
6943 {
6944 unsigned char privkey[300];
6945 unsigned char seckey[32] = {
6946 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6947 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
6948 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
6949 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
6950 };
6951 size_t outlen = 300;
6952 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 0));
6953 outlen = 300;
6954 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 1));
6955 }
6956 */
6957}
6958
6959pub fn run_ecdsa_edge_cases() {
6960
6961 todo!();
6962 /*
6963 test_ecdsa_edge_cases();
6964 */
6965}
6966
6967#[cfg(ENABLE_OPENSSL_TESTS)]
6968pub fn get_openssl_key(key32: *const u8) -> *mut EC_KEY {
6969
6970 todo!();
6971 /*
6972 unsigned char privkey[300];
6973 size_t privkeylen;
6974 const unsigned char* pbegin = privkey;
6975 int compr = testrand_bits(1);
6976 EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1);
6977 CHECK(ec_privkey_export_der(ctx, privkey, &privkeylen, key32, compr));
6978 CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen));
6979 CHECK(EC_KEY_check_key(ec_key));
6980 return ec_key;
6981 */
6982}
6983
6984#[cfg(ENABLE_OPENSSL_TESTS)]
6985pub fn test_ecdsa_openssl() {
6986
6987 todo!();
6988 /*
6989 gej qj;
6990 ge q;
6991 scalar sigr, sigs;
6992 scalar one;
6993 scalar msg2;
6994 scalar key, msg;
6995 EC_KEY *ec_key;
6996 unsigned int sigsize = 80;
6997 size_t secp_sigsize = 80;
6998 unsigned char message[32];
6999 unsigned char signature[80];
7000 unsigned char key32[32];
7001 testrand256_test(message);
7002 scalar_set_b32(&msg, message, NULL);
7003 random_scalar_order_test(&key);
7004 scalar_get_b32(key32, &key);
7005 ecmult_gen(&ctx->ecmult_gen_ctx, &qj, &key);
7006 ge_set_gej(&q, &qj);
7007 ec_key = get_openssl_key(key32);
7008 CHECK(ec_key != NULL);
7009 CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
7010 CHECK(ecdsa_sig_parse(&sigr, &sigs, signature, sigsize));
7011 CHECK(ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg));
7012 scalar_set_int(&one, 1);
7013 scalar_add(&msg2, &msg, &one);
7014 CHECK(!ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg2));
7015
7016 random_sign(&sigr, &sigs, &key, &msg, NULL);
7017 CHECK(ecdsa_sig_serialize(signature, &secp_sigsize, &sigr, &sigs));
7018 CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1);
7019
7020 EC_KEY_free(ec_key);
7021 */
7022}
7023
7024#[cfg(ENABLE_OPENSSL_TESTS)]
7025pub fn run_ecdsa_openssl() {
7026
7027 todo!();
7028 /*
7029 int i;
7030 for (i = 0; i < 10*count; i++) {
7031 test_ecdsa_openssl();
7032 }
7033 */
7034}
7035
7036lazy_static!{
7037 /*
7038 #ifdef ENABLE_MODULE_ECDH
7039 # include "modules/ecdh/tests_impl.h"
7040 #endif
7041
7042 #ifdef ENABLE_MODULE_RECOVERY
7043 # include "modules/recovery/tests_impl.h"
7044 #endif
7045
7046 #ifdef ENABLE_MODULE_EXTRAKEYS
7047 # include "modules/extrakeys/tests_impl.h"
7048 #endif
7049
7050 #ifdef ENABLE_MODULE_SCHNORRSIG
7051 # include "modules/schnorrsig/tests_impl.h"
7052 #endif
7053 */
7054}
7055
7056pub fn run_memczero_test() {
7057
7058 todo!();
7059 /*
7060 unsigned char buf1[6] = {1, 2, 3, 4, 5, 6};
7061 unsigned char buf2[sizeof(buf1)];
7062
7063 /* memczero(..., ..., 0) is a noop. */
7064 memcpy(buf2, buf1, sizeof(buf1));
7065 memczero(buf1, sizeof(buf1), 0);
7066 CHECK(memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
7067
7068 /* memczero(..., ..., 1) zeros the buffer. */
7069 memset(buf2, 0, sizeof(buf2));
7070 memczero(buf1, sizeof(buf1) , 1);
7071 CHECK(memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
7072 */
7073}
7074
7075pub fn int_cmov_test() {
7076
7077 todo!();
7078 /*
7079 int r = INT_MAX;
7080 int a = 0;
7081
7082 int_cmov(&r, &a, 0);
7083 CHECK(r == INT_MAX);
7084
7085 r = 0; a = INT_MAX;
7086 int_cmov(&r, &a, 1);
7087 CHECK(r == INT_MAX);
7088
7089 a = 0;
7090 int_cmov(&r, &a, 1);
7091 CHECK(r == 0);
7092
7093 a = 1;
7094 int_cmov(&r, &a, 1);
7095 CHECK(r == 1);
7096
7097 r = 1; a = 0;
7098 int_cmov(&r, &a, 0);
7099 CHECK(r == 1);
7100 */
7101}
7102
7103pub fn fe_cmov_test() {
7104
7105 todo!();
7106 /*
7107 static const Fe zero = FE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
7108 static const Fe one = FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
7109 static const Fe max = FE_CONST(
7110 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7111 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7112 );
7113 Fe r = max;
7114 Fe a = zero;
7115
7116 fe_cmov(&r, &a, 0);
7117 CHECK(memcmp_var(&r, &max, sizeof(r)) == 0);
7118
7119 r = zero; a = max;
7120 fe_cmov(&r, &a, 1);
7121 CHECK(memcmp_var(&r, &max, sizeof(r)) == 0);
7122
7123 a = zero;
7124 fe_cmov(&r, &a, 1);
7125 CHECK(memcmp_var(&r, &zero, sizeof(r)) == 0);
7126
7127 a = one;
7128 fe_cmov(&r, &a, 1);
7129 CHECK(memcmp_var(&r, &one, sizeof(r)) == 0);
7130
7131 r = one; a = zero;
7132 fe_cmov(&r, &a, 0);
7133 CHECK(memcmp_var(&r, &one, sizeof(r)) == 0);
7134 */
7135}
7136
7137pub fn fe_storage_cmov_test() {
7138
7139 todo!();
7140 /*
7141 static const fe_storage zero = FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
7142 static const fe_storage one = FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
7143 static const fe_storage max = FE_STORAGE_CONST(
7144 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7145 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7146 );
7147 fe_storage r = max;
7148 fe_storage a = zero;
7149
7150 fe_storage_cmov(&r, &a, 0);
7151 CHECK(memcmp_var(&r, &max, sizeof(r)) == 0);
7152
7153 r = zero; a = max;
7154 fe_storage_cmov(&r, &a, 1);
7155 CHECK(memcmp_var(&r, &max, sizeof(r)) == 0);
7156
7157 a = zero;
7158 fe_storage_cmov(&r, &a, 1);
7159 CHECK(memcmp_var(&r, &zero, sizeof(r)) == 0);
7160
7161 a = one;
7162 fe_storage_cmov(&r, &a, 1);
7163 CHECK(memcmp_var(&r, &one, sizeof(r)) == 0);
7164
7165 r = one; a = zero;
7166 fe_storage_cmov(&r, &a, 0);
7167 CHECK(memcmp_var(&r, &one, sizeof(r)) == 0);
7168 */
7169}
7170
7171pub fn scalar_cmov_test() {
7172
7173 todo!();
7174 /*
7175 static const scalar zero = SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
7176 static const scalar one = SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
7177 static const scalar max = SCALAR_CONST(
7178 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7179 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7180 );
7181 scalar r = max;
7182 scalar a = zero;
7183
7184 scalar_cmov(&r, &a, 0);
7185 CHECK(memcmp_var(&r, &max, sizeof(r)) == 0);
7186
7187 r = zero; a = max;
7188 scalar_cmov(&r, &a, 1);
7189 CHECK(memcmp_var(&r, &max, sizeof(r)) == 0);
7190
7191 a = zero;
7192 scalar_cmov(&r, &a, 1);
7193 CHECK(memcmp_var(&r, &zero, sizeof(r)) == 0);
7194
7195 a = one;
7196 scalar_cmov(&r, &a, 1);
7197 CHECK(memcmp_var(&r, &one, sizeof(r)) == 0);
7198
7199 r = one; a = zero;
7200 scalar_cmov(&r, &a, 0);
7201 CHECK(memcmp_var(&r, &one, sizeof(r)) == 0);
7202 */
7203}
7204
7205pub fn ge_storage_cmov_test() {
7206
7207 todo!();
7208 /*
7209 static const ge_storage zero = GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
7210 static const ge_storage one = GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1);
7211 static const ge_storage max = GE_STORAGE_CONST(
7212 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7213 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7214 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7215 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7216 );
7217 ge_storage r = max;
7218 ge_storage a = zero;
7219
7220 ge_storage_cmov(&r, &a, 0);
7221 CHECK(memcmp_var(&r, &max, sizeof(r)) == 0);
7222
7223 r = zero; a = max;
7224 ge_storage_cmov(&r, &a, 1);
7225 CHECK(memcmp_var(&r, &max, sizeof(r)) == 0);
7226
7227 a = zero;
7228 ge_storage_cmov(&r, &a, 1);
7229 CHECK(memcmp_var(&r, &zero, sizeof(r)) == 0);
7230
7231 a = one;
7232 ge_storage_cmov(&r, &a, 1);
7233 CHECK(memcmp_var(&r, &one, sizeof(r)) == 0);
7234
7235 r = one; a = zero;
7236 ge_storage_cmov(&r, &a, 0);
7237 CHECK(memcmp_var(&r, &one, sizeof(r)) == 0);
7238 */
7239}
7240
7241pub fn run_cmov_tests() {
7242
7243 todo!();
7244 /*
7245 int_cmov_test();
7246 fe_cmov_test();
7247 fe_storage_cmov_test();
7248 scalar_cmov_test();
7249 ge_storage_cmov_test();
7250 */
7251}
7252
7253pub fn secp256k1_tests_main(
7254 argc: i32,
7255 argv: *mut *mut u8) -> i32 {
7256
7257 todo!();
7258 /*
7259 /* Disable buffering for stdout to improve reliability of getting
7260 * diagnostic information. Happens right at the start of main because
7261 * setbuf must be used before any other operation on the stream. */
7262 setbuf(stdout, NULL);
7263 /* Also disable buffering for stderr because it's not guaranteed that it's
7264 * unbuffered on all systems. */
7265 setbuf(stderr, NULL);
7266
7267 /* find iteration count */
7268 if (argc > 1) {
7269 count = strtol(argv[1], NULL, 0);
7270 } else {
7271 const char* env = getenv("TEST_ITERS");
7272 if (env && strlen(env) > 0) {
7273 count = strtol(env, NULL, 0);
7274 }
7275 }
7276 if (count <= 0) {
7277 fputs("An iteration count of 0 or less is not allowed.\n", stderr);
7278 return EXIT_FAILURE;
7279 }
7280 printf("test count = %i\n", count);
7281
7282 /* find random seed */
7283 testrand_init(argc > 2 ? argv[2] : NULL);
7284
7285 /* initialize */
7286 run_context_tests(0);
7287 run_context_tests(1);
7288 run_scratch_tests();
7289 ctx = context_create(CONTEXT_SIGN | CONTEXT_VERIFY);
7290 if (testrand_bits(1)) {
7291 unsigned char rand32[32];
7292 testrand256(rand32);
7293 CHECK(context_randomize(ctx, testrand_bits(1) ? rand32 : NULL));
7294 }
7295
7296 run_rand_bits();
7297 run_rand_int();
7298
7299 run_ctz_tests();
7300 run_modinv_tests();
7301 run_inverse_tests();
7302
7303 run_sha256_tests();
7304 run_hmac_sha256_tests();
7305 run_rfc6979_hmac_sha256_tests();
7306 run_tagged_sha256_tests();
7307
7308 /* scalar tests */
7309 run_scalar_tests();
7310
7311 /* field tests */
7312 run_field_misc();
7313 run_field_convert();
7314 run_fe_mul();
7315 run_sqr();
7316 run_sqrt();
7317
7318 /* group tests */
7319 run_ge();
7320 run_group_decompress();
7321
7322 /* ecmult tests */
7323 run_wnaf();
7324 run_point_times_order();
7325 run_ecmult_near_split_bound();
7326 run_ecmult_chain();
7327 run_ecmult_constants();
7328 run_ecmult_gen_blind();
7329 run_ecmult_const_tests();
7330 run_ecmult_multi_tests();
7331 run_ec_combine();
7332
7333 /* endomorphism tests */
7334 run_endomorphism_tests();
7335
7336 /* EC point parser test */
7337 run_ec_pubkey_parse_test();
7338
7339 /* EC key edge cases */
7340 run_eckey_edge_case_test();
7341
7342 /* EC key arithmetic test */
7343 run_eckey_negate_test();
7344
7345 #ifdef ENABLE_MODULE_ECDH
7346 /* ecdh tests */
7347 run_ecdh_tests();
7348 #endif
7349
7350 /* ecdsa tests */
7351 run_pubkey_comparison();
7352 run_random_pubkeys();
7353 run_ecdsa_der_parse();
7354 run_ecdsa_sign_verify();
7355 run_ecdsa_end_to_end();
7356 run_ecdsa_edge_cases();
7357 #ifdef ENABLE_OPENSSL_TESTS
7358 run_ecdsa_openssl();
7359 #endif
7360
7361 #ifdef ENABLE_MODULE_RECOVERY
7362 /* ECDSA pubkey recovery tests */
7363 run_recovery_tests();
7364 #endif
7365
7366 #ifdef ENABLE_MODULE_EXTRAKEYS
7367 run_extrakeys_tests();
7368 #endif
7369
7370 #ifdef ENABLE_MODULE_SCHNORRSIG
7371 run_schnorrsig_tests();
7372 #endif
7373
7374 /* util tests */
7375 run_memczero_test();
7376
7377 run_cmov_tests();
7378
7379 testrand_finish();
7380
7381 /* shutdown */
7382 context_destroy(ctx);
7383
7384 printf("no problems found\n");
7385 return 0;
7386 */
7387}