Merge pull request #246 from jonasnick/temp-merge-1187
Upstream PRs 1174, 1154, 1178, 1177, 1171, 1158, 1183, 1185, 1186, 1188, 1187
This commit is contained in:
		
						commit
						7aa9887128
					
				| @ -1,6 +1,7 @@ | ||||
| env: | ||||
|   ### compiler options | ||||
|   HOST: | ||||
|   WRAPPER_CMD: | ||||
|   # Specific warnings can be disabled with -Wno-error=foo. | ||||
|   # -pedantic-errors is not equivalent to -Werror=pedantic and thus not implied by -Werror according to the GCC manual. | ||||
|   WERROR_CFLAGS: -Werror -pedantic-errors | ||||
| @ -41,6 +42,8 @@ cat_logs_snippet: &CAT_LOGS | ||||
|   always: | ||||
|     cat_tests_log_script: | ||||
|       - cat tests.log || true | ||||
|     cat_noverify_tests_log_script: | ||||
|       - cat noverify_tests.log || true | ||||
|     cat_exhaustive_tests_log_script: | ||||
|       - cat exhaustive_tests.log || true | ||||
|     cat_valgrind_ctime_test_log_script: | ||||
|  | ||||
							
								
								
									
										3
									
								
								.gitignore
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										3
									
								
								.gitignore
									
									
									
									
										vendored
									
									
								
							| @ -47,8 +47,6 @@ coverage.*.html | ||||
| *.gcno | ||||
| *.gcov | ||||
| 
 | ||||
| src/libsecp256k1-config.h | ||||
| src/libsecp256k1-config.h.in | ||||
| build-aux/ar-lib | ||||
| build-aux/config.guess | ||||
| build-aux/config.sub | ||||
| @ -63,7 +61,6 @@ build-aux/m4/ltversion.m4 | ||||
| build-aux/missing | ||||
| build-aux/compile | ||||
| build-aux/test-driver | ||||
| src/stamp-h1 | ||||
| libsecp256k1.pc | ||||
| contrib/gh-pr-create.sh | ||||
| 
 | ||||
|  | ||||
							
								
								
									
										25
									
								
								CHANGELOG.md
									
									
									
									
									
								
							
							
						
						
									
										25
									
								
								CHANGELOG.md
									
									
									
									
									
								
							| @ -3,29 +3,40 @@ Instead, it is the changelog of the upstream library [libsecp256k1](https://gith | ||||
| 
 | ||||
| # Changelog | ||||
| 
 | ||||
| The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). | ||||
| All notable changes to this project will be documented in this file. | ||||
| 
 | ||||
| The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), | ||||
| and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). | ||||
| 
 | ||||
| ## [Unreleased] | ||||
| 
 | ||||
| ## [0.2.0] - 2022-12-12 | ||||
| 
 | ||||
| ### Added | ||||
| #### Added | ||||
|  - Added usage examples for common use cases in a new `examples/` directory. | ||||
|  - Added `secp256k1_selftest`, to be used in conjunction with `secp256k1_context_static`. | ||||
|  - Added support for 128-bit wide multiplication on MSVC for x86_64 and arm64, giving roughly a 20% speedup on those platforms. | ||||
| 
 | ||||
| ### Changed | ||||
|  - Enabled modules schnorrsig, extrakeys and ECDH by default in `./configure`. | ||||
| #### Changed | ||||
|  - Enabled modules `schnorrsig`, `extrakeys` and `ecdh` by default in `./configure`. | ||||
|  - The `secp256k1_nonce_function_rfc6979` nonce function, used by default by `secp256k1_ecdsa_sign`, now reduces the message hash modulo the group order to match the specification. This only affects improper use of ECDSA signing API. | ||||
| 
 | ||||
| ### Deprecated | ||||
| #### Deprecated | ||||
|  - Deprecated context flags `SECP256K1_CONTEXT_VERIFY` and `SECP256K1_CONTEXT_SIGN`. Use `SECP256K1_CONTEXT_NONE` instead. | ||||
|  - Renamed `secp256k1_context_no_precomp` to `secp256k1_context_static`. | ||||
|  - Module `schnorrsig`: renamed `secp256k1_schnorrsig_sign` to `secp256k1_schnorrsig_sign32`. | ||||
| 
 | ||||
| ### ABI Compatibility | ||||
| #### ABI Compatibility | ||||
| 
 | ||||
| Since this is the first release, we do not compare application binary interfaces. | ||||
| However, there are unreleased versions of libsecp256k1 that are *not* ABI compatible with this version. | ||||
| However, there are earlier unreleased versions of libsecp256k1 that are *not* ABI compatible with this version. | ||||
| 
 | ||||
| ## [0.1.0] - 2013-03-05 to 2021-12-25 | ||||
| 
 | ||||
| This version was in fact never released. | ||||
| The number was given by the build system since the introduction of autotools in Jan 2014 (ea0fe5a5bf0c04f9cc955b2966b614f5f378c6f6). | ||||
| Therefore, this version number does not uniquely identify a set of source files. | ||||
| 
 | ||||
| [unreleased]: https://github.com/bitcoin-core/secp256k1/compare/v0.2.0...HEAD | ||||
| [0.2.0]: https://github.com/bitcoin-core/secp256k1/compare/423b6d19d373f1224fd671a982584d7e7900bc93..v0.2.0 | ||||
| [0.1.0]: https://github.com/bitcoin-core/secp256k1/commit/423b6d19d373f1224fd671a982584d7e7900bc93 | ||||
|  | ||||
							
								
								
									
										36
									
								
								Makefile.am
									
									
									
									
									
								
							
							
						
						
									
										36
									
								
								Makefile.am
									
									
									
									
									
								
							| @ -75,7 +75,7 @@ noinst_HEADERS += examples/random.h | ||||
| PRECOMPUTED_LIB = libsecp256k1_precomputed.la | ||||
| noinst_LTLIBRARIES = $(PRECOMPUTED_LIB) | ||||
| libsecp256k1_precomputed_la_SOURCES =  src/precomputed_ecmult.c src/precomputed_ecmult_gen.c | ||||
| libsecp256k1_precomputed_la_CPPFLAGS = $(SECP_INCLUDES) | ||||
| libsecp256k1_precomputed_la_CPPFLAGS = $(SECP_INCLUDES) $(SECP_CONFIG_DEFINES) | ||||
| 
 | ||||
| if USE_EXTERNAL_ASM | ||||
| COMMON_LIB = libsecp256k1_common.la | ||||
| @ -94,7 +94,7 @@ endif | ||||
| endif | ||||
| 
 | ||||
| libsecp256k1_la_SOURCES = src/secp256k1.c | ||||
| libsecp256k1_la_CPPFLAGS = $(SECP_INCLUDES) | ||||
| libsecp256k1_la_CPPFLAGS = $(SECP_INCLUDES) $(SECP_CONFIG_DEFINES) | ||||
| libsecp256k1_la_LIBADD = $(SECP_LIBS) $(COMMON_LIB) $(PRECOMPUTED_LIB) | ||||
| libsecp256k1_la_LDFLAGS = -no-undefined -version-info $(LIB_VERSION_CURRENT):$(LIB_VERSION_REVISION):$(LIB_VERSION_AGE) | ||||
| 
 | ||||
| @ -107,37 +107,43 @@ if USE_BENCHMARK | ||||
| noinst_PROGRAMS += bench bench_internal bench_ecmult | ||||
| bench_SOURCES = src/bench.c | ||||
| bench_LDADD = libsecp256k1.la $(SECP_LIBS) $(SECP_TEST_LIBS) $(COMMON_LIB) | ||||
| bench_CPPFLAGS = $(SECP_CONFIG_DEFINES) | ||||
| bench_internal_SOURCES = src/bench_internal.c | ||||
| bench_internal_LDADD = $(SECP_LIBS) $(COMMON_LIB) $(PRECOMPUTED_LIB) | ||||
| bench_internal_CPPFLAGS = $(SECP_INCLUDES) | ||||
| bench_internal_CPPFLAGS = $(SECP_INCLUDES) $(SECP_CONFIG_DEFINES) | ||||
| bench_ecmult_SOURCES = src/bench_ecmult.c | ||||
| bench_ecmult_LDADD = $(SECP_LIBS) $(COMMON_LIB) $(PRECOMPUTED_LIB) | ||||
| bench_ecmult_CPPFLAGS = $(SECP_INCLUDES) | ||||
| bench_ecmult_CPPFLAGS = $(SECP_INCLUDES) $(SECP_CONFIG_DEFINES) | ||||
| endif | ||||
| 
 | ||||
| TESTS = | ||||
| if USE_TESTS | ||||
| noinst_PROGRAMS += tests | ||||
| tests_SOURCES = src/tests.c | ||||
| tests_CPPFLAGS = $(SECP_INCLUDES) $(SECP_TEST_INCLUDES) | ||||
| TESTS += noverify_tests | ||||
| noinst_PROGRAMS += noverify_tests | ||||
| noverify_tests_SOURCES = src/tests.c | ||||
| noverify_tests_CPPFLAGS = $(SECP_INCLUDES) $(SECP_TEST_INCLUDES) $(SECP_CONFIG_DEFINES) | ||||
| noverify_tests_LDADD = $(SECP_LIBS) $(SECP_TEST_LIBS) $(COMMON_LIB) $(PRECOMPUTED_LIB) | ||||
| noverify_tests_LDFLAGS = -static | ||||
| if VALGRIND_ENABLED | ||||
| tests_CPPFLAGS += -DVALGRIND | ||||
| noverify_tests_CPPFLAGS += -DVALGRIND | ||||
| noinst_PROGRAMS += valgrind_ctime_test | ||||
| valgrind_ctime_test_SOURCES = src/valgrind_ctime_test.c | ||||
| valgrind_ctime_test_LDADD = libsecp256k1.la $(SECP_LIBS) $(COMMON_LIB) | ||||
| endif | ||||
| if !ENABLE_COVERAGE | ||||
| tests_CPPFLAGS += -DVERIFY | ||||
| endif | ||||
| tests_LDADD = $(SECP_LIBS) $(SECP_TEST_LIBS) $(COMMON_LIB) $(PRECOMPUTED_LIB) | ||||
| tests_LDFLAGS = -static | ||||
| TESTS += tests | ||||
| noinst_PROGRAMS += tests | ||||
| tests_SOURCES  = $(noverify_tests_SOURCES) | ||||
| tests_CPPFLAGS = $(noverify_tests_CPPFLAGS) -DVERIFY | ||||
| tests_LDADD    = $(noverify_tests_LDADD) | ||||
| tests_LDFLAGS  = $(noverify_tests_LDFLAGS) | ||||
| endif | ||||
| endif | ||||
| 
 | ||||
| if USE_EXHAUSTIVE_TESTS | ||||
| noinst_PROGRAMS += exhaustive_tests | ||||
| exhaustive_tests_SOURCES = src/tests_exhaustive.c | ||||
| exhaustive_tests_CPPFLAGS = $(SECP_INCLUDES) | ||||
| exhaustive_tests_CPPFLAGS = $(SECP_INCLUDES) $(SECP_CONFIG_DEFINES) | ||||
| if !ENABLE_COVERAGE | ||||
| exhaustive_tests_CPPFLAGS += -DVERIFY | ||||
| endif | ||||
| @ -197,11 +203,11 @@ EXTRA_PROGRAMS = precompute_ecmult precompute_ecmult_gen | ||||
| CLEANFILES = $(EXTRA_PROGRAMS) | ||||
| 
 | ||||
| precompute_ecmult_SOURCES = src/precompute_ecmult.c | ||||
| precompute_ecmult_CPPFLAGS = $(SECP_INCLUDES) | ||||
| precompute_ecmult_CPPFLAGS = $(SECP_INCLUDES) $(SECP_CONFIG_DEFINES) | ||||
| precompute_ecmult_LDADD = $(SECP_LIBS) $(COMMON_LIB) | ||||
| 
 | ||||
| precompute_ecmult_gen_SOURCES = src/precompute_ecmult_gen.c | ||||
| precompute_ecmult_gen_CPPFLAGS = $(SECP_INCLUDES) | ||||
| precompute_ecmult_gen_CPPFLAGS = $(SECP_INCLUDES) $(SECP_CONFIG_DEFINES) | ||||
| precompute_ecmult_gen_LDADD = $(SECP_LIBS) $(COMMON_LIB) | ||||
| 
 | ||||
| # See Automake manual, Section "Errors with distclean".
 | ||||
|  | ||||
| @ -20,7 +20,7 @@ if test x"$has_valgrind" != x"yes"; then | ||||
|     #if defined(NVALGRIND) | ||||
|     #  error "Valgrind does not support this platform." | ||||
|     #endif | ||||
|   ]])], [has_valgrind=yes; AC_DEFINE(HAVE_VALGRIND,1,[Define this symbol if valgrind is installed, and it supports the host platform])]) | ||||
|   ]])], [has_valgrind=yes]) | ||||
| fi | ||||
| AC_MSG_RESULT($has_valgrind) | ||||
| ]) | ||||
|  | ||||
							
								
								
									
										17
									
								
								ci/cirrus.sh
									
									
									
									
									
								
							
							
						
						
									
										17
									
								
								ci/cirrus.sh
									
									
									
									
									
								
							| @ -1,7 +1,6 @@ | ||||
| #!/bin/sh | ||||
| 
 | ||||
| set -e | ||||
| set -x | ||||
| set -eux | ||||
| 
 | ||||
| export LC_ALL=C | ||||
| 
 | ||||
| @ -11,15 +10,21 @@ print_environment() { | ||||
|     set +x | ||||
|     # There are many ways to print variable names and their content. This one | ||||
|     # does not rely on bash. | ||||
|     for i in WERROR_CFLAGS MAKEFLAGS BUILD \ | ||||
|     for var in WERROR_CFLAGS MAKEFLAGS BUILD \ | ||||
|             ECMULTWINDOW ECMULTGENPRECISION ASM WIDEMUL WITH_VALGRIND EXTRAFLAGS \ | ||||
|             EXPERIMENTAL ECDH RECOVERY SCHNORRSIG \ | ||||
|             ECDSA_S2C GENERATOR RANGEPROOF WHITELIST MUSIG ECDSAADAPTOR BPPP \ | ||||
|             SECP256K1_TEST_ITERS BENCH SECP256K1_BENCH_ITERS CTIMETEST\ | ||||
|             EXAMPLES \ | ||||
|             WRAPPER_CMD CC AR NM HOST | ||||
|             HOST WRAPPER_CMD \ | ||||
|             CC CFLAGS CPPFLAGS AR NM | ||||
|     do | ||||
|         eval 'printf "%s %s " "$i=\"${'"$i"'}\""' | ||||
|         eval "isset=\${$var+x}" | ||||
|         if [ -n "$isset" ]; then | ||||
|             eval "val=\${$var}" | ||||
|             # shellcheck disable=SC2154 | ||||
|             printf '%s="%s" ' "$var" "$val" | ||||
|         fi | ||||
|     done | ||||
|     echo "$0" | ||||
|     set -x | ||||
| @ -37,7 +42,7 @@ esac | ||||
| 
 | ||||
| env >> test_env.log | ||||
| 
 | ||||
| if [ -n "$CC" ]; then | ||||
| if [ -n "${CC+x}" ]; then | ||||
|     # The MSVC compiler "cl" doesn't understand "-v" | ||||
|     $CC -v || true | ||||
| fi | ||||
|  | ||||
							
								
								
									
										50
									
								
								configure.ac
									
									
									
									
									
								
							
							
						
						
									
										50
									
								
								configure.ac
									
									
									
									
									
								
							| @ -273,7 +273,7 @@ fi | ||||
| AM_CONDITIONAL([VALGRIND_ENABLED],[test "$enable_valgrind" = "yes"]) | ||||
| 
 | ||||
| if test x"$enable_coverage" = x"yes"; then | ||||
|     AC_DEFINE(COVERAGE, 1, [Define this symbol to compile out all VERIFY code]) | ||||
|     SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DCOVERAGE=1" | ||||
|     SECP_CFLAGS="-O0 --coverage $SECP_CFLAGS" | ||||
|     LDFLAGS="--coverage $LDFLAGS" | ||||
| else | ||||
| @ -285,13 +285,13 @@ fi | ||||
| 
 | ||||
| AC_MSG_CHECKING([for __builtin_popcount]) | ||||
| AC_LINK_IFELSE([AC_LANG_SOURCE([[void myfunc() {__builtin_popcount(0);}]])], | ||||
|     [ AC_MSG_RESULT([yes]);AC_DEFINE(HAVE_BUILTIN_POPCOUNT,1,[Define this symbol if __builtin_popcount is available]) ], | ||||
|     [ AC_MSG_RESULT([yes]); SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DHAVE_BUILTIN_POPCOUNT=1"], | ||||
|     [ AC_MSG_RESULT([no]) | ||||
|     ]) | ||||
| 
 | ||||
| AC_MSG_CHECKING([for  __builtin_clzll]) | ||||
| AC_LINK_IFELSE([AC_LANG_SOURCE([[void myfunc() { __builtin_clzll(1);}]])], | ||||
|     [ AC_MSG_RESULT([yes]);AC_DEFINE(HAVE_BUILTIN_CLZLL,1,[Define this symbol if  __builtin_clzll is available]) ], | ||||
|     [ AC_MSG_RESULT([yes]); SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DHAVE_BUILTIN_CLZLL=1"], | ||||
|     [ AC_MSG_RESULT([no]) | ||||
|     ]) | ||||
| 
 | ||||
| @ -327,7 +327,7 @@ enable_external_asm=no | ||||
| 
 | ||||
| case $set_asm in | ||||
| x86_64) | ||||
|   AC_DEFINE(USE_ASM_X86_64, 1, [Define this symbol to enable x86_64 assembly optimizations]) | ||||
|   SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DUSE_ASM_X86_64=1" | ||||
|   ;; | ||||
| arm) | ||||
|   enable_external_asm=yes | ||||
| @ -340,20 +340,20 @@ no) | ||||
| esac | ||||
| 
 | ||||
| if test x"$enable_external_asm" = x"yes"; then | ||||
|   AC_DEFINE(USE_EXTERNAL_ASM, 1, [Define this symbol if an external (non-inline) assembly implementation is used]) | ||||
|   SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DUSE_EXTERNAL_ASM=1" | ||||
| fi | ||||
| 
 | ||||
| 
 | ||||
| # Select wide multiplication implementation | ||||
| case $set_widemul in | ||||
| int128_struct) | ||||
|   AC_DEFINE(USE_FORCE_WIDEMUL_INT128_STRUCT, 1, [Define this symbol to force the use of the structure for simulating (unsigned) int128 based wide multiplication]) | ||||
|   SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DUSE_FORCE_WIDEMUL_INT128_STRUCT=1" | ||||
|   ;; | ||||
| int128) | ||||
|   AC_DEFINE(USE_FORCE_WIDEMUL_INT128, 1, [Define this symbol to force the use of the (unsigned) __int128 based wide multiplication implementation]) | ||||
|   SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DUSE_FORCE_WIDEMUL_INT128=1" | ||||
|   ;; | ||||
| int64) | ||||
|   AC_DEFINE(USE_FORCE_WIDEMUL_INT64, 1, [Define this symbol to force the use of the (u)int64_t based wide multiplication implementation]) | ||||
|   SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DUSE_FORCE_WIDEMUL_INT64=1" | ||||
|   ;; | ||||
| auto) | ||||
|   ;; | ||||
| @ -380,7 +380,7 @@ case $set_ecmult_window in | ||||
|     # not in range | ||||
|     AC_MSG_ERROR($error_window_size) | ||||
|   fi | ||||
|   AC_DEFINE_UNQUOTED(ECMULT_WINDOW_SIZE, $set_ecmult_window, [Set window size for ecmult precomputation]) | ||||
|   SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DECMULT_WINDOW_SIZE=$set_ecmult_window" | ||||
|   ;; | ||||
| esac | ||||
| 
 | ||||
| @ -393,7 +393,7 @@ fi | ||||
| 
 | ||||
| case $set_ecmult_gen_precision in | ||||
| 2|4|8) | ||||
|   AC_DEFINE_UNQUOTED(ECMULT_GEN_PREC_BITS, $set_ecmult_gen_precision, [Set ecmult gen precision bits]) | ||||
|   SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DECMULT_GEN_PREC_BITS=$set_ecmult_gen_precision" | ||||
|   ;; | ||||
| *) | ||||
|   AC_MSG_ERROR(['ecmult gen precision not 2, 4, 8 or "auto"']) | ||||
| @ -418,65 +418,65 @@ SECP_CFLAGS="$SECP_CFLAGS $WERROR_CFLAGS" | ||||
| # tested first. | ||||
| 
 | ||||
| if test x"$enable_module_ecdh" = x"yes"; then | ||||
|   AC_DEFINE(ENABLE_MODULE_ECDH, 1, [Define this symbol to enable the ECDH module]) | ||||
|   SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DENABLE_MODULE_ECDH=1" | ||||
| fi | ||||
| 
 | ||||
| if test x"$enable_module_musig" = x"yes"; then | ||||
|   AC_DEFINE(ENABLE_MODULE_MUSIG, 1, [Define this symbol to enable the MuSig module]) | ||||
|   SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DENABLE_MODULE_MUSIG=1" | ||||
|   enable_module_schnorrsig=yes | ||||
| fi | ||||
| 
 | ||||
| if test x"$enable_module_recovery" = x"yes"; then | ||||
|   AC_DEFINE(ENABLE_MODULE_RECOVERY, 1, [Define this symbol to enable the ECDSA pubkey recovery module]) | ||||
|   SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DENABLE_MODULE_RECOVERY=1" | ||||
| fi | ||||
| 
 | ||||
| if test x"$enable_module_whitelist" = x"yes"; then | ||||
|   SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DENABLE_MODULE_WHITELIST=1" | ||||
|   enable_module_rangeproof=yes | ||||
|   AC_DEFINE(ENABLE_MODULE_WHITELIST, 1, [Define this symbol to enable the key whitelisting module]) | ||||
| fi | ||||
| 
 | ||||
| if test x"$enable_module_surjectionproof" = x"yes"; then | ||||
|   SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DENABLE_MODULE_SURJECTIONPROOF=1" | ||||
|   enable_module_rangeproof=yes | ||||
|   AC_DEFINE(ENABLE_MODULE_SURJECTIONPROOF, 1, [Define this symbol to enable the surjection proof module]) | ||||
| fi | ||||
| 
 | ||||
| if test x"$enable_module_rangeproof" = x"yes"; then | ||||
|   SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DENABLE_MODULE_RANGEPROOF=1" | ||||
|   enable_module_generator=yes | ||||
|   AC_DEFINE(ENABLE_MODULE_RANGEPROOF, 1, [Define this symbol to enable the Pedersen / zero knowledge range proof module]) | ||||
| fi | ||||
| 
 | ||||
| if test x"$enable_module_bppp" = x"yes"; then | ||||
|   SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DENABLE_MODULE_BPPP=1" | ||||
|   enable_module_generator=yes | ||||
|   AC_DEFINE(ENABLE_MODULE_BPPP, 1, [Define this symbol to enable the Bulletproofs++ module]) | ||||
| fi | ||||
| 
 | ||||
| if test x"$enable_module_generator" = x"yes"; then | ||||
|   AC_DEFINE(ENABLE_MODULE_GENERATOR, 1, [Define this symbol to enable the NUMS generator module]) | ||||
|   SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DENABLE_MODULE_GENERATOR=1" | ||||
| fi | ||||
| 
 | ||||
| if test x"$enable_module_schnorrsig" = x"yes"; then | ||||
|   AC_DEFINE(ENABLE_MODULE_SCHNORRSIG, 1, [Define this symbol to enable the schnorrsig module]) | ||||
|   SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DENABLE_MODULE_SCHNORRSIG=1" | ||||
|   enable_module_extrakeys=yes | ||||
| fi | ||||
| 
 | ||||
| if test x"$enable_module_extrakeys" = x"yes"; then | ||||
|   AC_DEFINE(ENABLE_MODULE_EXTRAKEYS, 1, [Define this symbol to enable the extrakeys module]) | ||||
|   SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DENABLE_MODULE_EXTRAKEYS=1" | ||||
| fi | ||||
| 
 | ||||
| if test x"$enable_module_ecdsa_s2c" = x"yes"; then | ||||
|   AC_DEFINE(ENABLE_MODULE_ECDSA_S2C, 1, [Define this symbol to enable the ECDSA sign-to-contract module]) | ||||
|   SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DENABLE_MODULE_ECDSA_S2C=1" | ||||
| fi | ||||
| 
 | ||||
| if test x"$enable_external_default_callbacks" = x"yes"; then | ||||
|   AC_DEFINE(USE_EXTERNAL_DEFAULT_CALLBACKS, 1, [Define this symbol if an external implementation of the default callbacks is used]) | ||||
|   SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DUSE_EXTERNAL_DEFAULT_CALLBACKS=1" | ||||
| fi | ||||
| 
 | ||||
| if test x"$use_reduced_surjection_proof_size" = x"yes"; then | ||||
|   AC_DEFINE(USE_REDUCED_SURJECTION_PROOF_SIZE, 1, [Define this symbol to reduce SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS to 16, disabling parsing and verification]) | ||||
|   SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DUSE_REDUCED_SURJECTION_PROOF_SIZE=1" | ||||
| fi | ||||
| 
 | ||||
| if test x"$enable_module_ecdsa_adaptor" = x"yes"; then | ||||
|   AC_DEFINE(ENABLE_MODULE_ECDSA_ADAPTOR, 1, [Define this symbol to enable the ECDSA adaptor module]) | ||||
|   SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DENABLE_MODULE_ECDSA_ADAPTOR=1" | ||||
| fi | ||||
| 
 | ||||
| ### | ||||
| @ -526,13 +526,13 @@ fi | ||||
| ### Generate output | ||||
| ### | ||||
| 
 | ||||
| AC_CONFIG_HEADERS([src/libsecp256k1-config.h]) | ||||
| AC_CONFIG_FILES([Makefile libsecp256k1.pc]) | ||||
| AC_SUBST(SECP_INCLUDES) | ||||
| AC_SUBST(SECP_LIBS) | ||||
| AC_SUBST(SECP_TEST_LIBS) | ||||
| AC_SUBST(SECP_TEST_INCLUDES) | ||||
| AC_SUBST(SECP_CFLAGS) | ||||
| AC_SUBST(SECP_CONFIG_DEFINES) | ||||
| AM_CONDITIONAL([ENABLE_COVERAGE], [test x"$enable_coverage" = x"yes"]) | ||||
| AM_CONDITIONAL([USE_TESTS], [test x"$enable_tests" != x"no"]) | ||||
| AM_CONDITIONAL([USE_EXHAUSTIVE_TESTS], [test x"$enable_exhaustive_tests" != x"no"]) | ||||
|  | ||||
| @ -23,7 +23,7 @@ This process also assumes that there will be no minor releases for old major rel | ||||
|    git tag -s v$MAJOR.$MINOR.$PATCH -m "libsecp256k1 $MAJOR.$MINOR.$PATCH" $RELEASE_COMMIT | ||||
|    git push git@github.com:bitcoin-core/secp256k1.git v$MAJOR.$MINOR.$PATCH | ||||
|    ``` | ||||
| 3. Open a PR to the master branch with a commit (using message `"release: bump version after $MAJOR.$MINOR.$PATCH"`, for example) that sets `_PKG_VERSION_IS_RELEASE` to `false` and `_PKG_VERSION_PATCH` to `$PATCH + 1` and increases `_LIB_VERSION_REVISION`. If other maintainers are not present to approve the PR, it can be merged without ACKs. | ||||
| 3. Open a PR to the master branch with a commit (using message `"release cleanup: bump version after $MAJOR.$MINOR.$PATCH"`, for example) that sets `_PKG_VERSION_IS_RELEASE` to `false` and `_PKG_VERSION_PATCH` to `$PATCH + 1` and increases `_LIB_VERSION_REVISION`. If other maintainers are not present to approve the PR, it can be merged without ACKs. | ||||
| 4. Create a new GitHub release with a link to the corresponding entry in [CHANGELOG.md](../CHANGELOG.md). | ||||
| 
 | ||||
| ## Maintenance release | ||||
|  | ||||
| @ -849,7 +849,7 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_mul( | ||||
|  * kind of elliptic curve point multiplication and thus does not benefit from | ||||
|  * enhanced protection against side-channel leakage currently. | ||||
|  * | ||||
|  * It is safe call this function on a copy of secp256k1_context_static in writable | ||||
|  * It is safe to call this function on a copy of secp256k1_context_static in writable | ||||
|  * memory (e.g., obtained via secp256k1_context_clone). In that case, this | ||||
|  * function is guaranteed to return 1, but the call will have no effect because | ||||
|  * the static context (or a copy thereof) is not meant to be randomized. | ||||
|  | ||||
| @ -18,10 +18,6 @@ | ||||
|  *    imply normality. | ||||
|  */ | ||||
| 
 | ||||
| #if defined HAVE_CONFIG_H | ||||
| #include "libsecp256k1-config.h" | ||||
| #endif | ||||
| 
 | ||||
| #include "util.h" | ||||
| 
 | ||||
| #if defined(SECP256K1_WIDEMUL_INT128) | ||||
|  | ||||
| @ -7,10 +7,6 @@ | ||||
| #ifndef SECP256K1_FIELD_REPR_IMPL_H | ||||
| #define SECP256K1_FIELD_REPR_IMPL_H | ||||
| 
 | ||||
| #if defined HAVE_CONFIG_H | ||||
| #include "libsecp256k1-config.h" | ||||
| #endif | ||||
| 
 | ||||
| #include "util.h" | ||||
| #include "field.h" | ||||
| #include "modinv64_impl.h" | ||||
|  | ||||
| @ -7,10 +7,6 @@ | ||||
| #ifndef SECP256K1_FIELD_IMPL_H | ||||
| #define SECP256K1_FIELD_IMPL_H | ||||
| 
 | ||||
| #if defined HAVE_CONFIG_H | ||||
| #include "libsecp256k1-config.h" | ||||
| #endif | ||||
| 
 | ||||
| #include "util.h" | ||||
| 
 | ||||
| #if defined(SECP256K1_WIDEMUL_INT128) | ||||
|  | ||||
| @ -66,7 +66,12 @@ static SECP256K1_INLINE void secp256k1_i128_det(secp256k1_int128 *r, int64_t a, | ||||
|  */ | ||||
| static SECP256K1_INLINE void secp256k1_i128_rshift(secp256k1_int128 *r, unsigned int b); | ||||
| 
 | ||||
| /* Return the low 64-bits of a 128-bit value interpreted as an signed 64-bit value. */ | ||||
| /* Return the input value modulo 2^64. */ | ||||
| static SECP256K1_INLINE uint64_t secp256k1_i128_to_u64(const secp256k1_int128 *a); | ||||
| 
 | ||||
| /* Return the value as a signed 64-bit value.
 | ||||
|  * Requires the input to be between INT64_MIN and INT64_MAX. | ||||
|  */ | ||||
| static SECP256K1_INLINE int64_t secp256k1_i128_to_i64(const secp256k1_int128 *a); | ||||
| 
 | ||||
| /* Write a signed 64-bit value to r. */ | ||||
|  | ||||
| @ -67,7 +67,12 @@ static SECP256K1_INLINE void secp256k1_i128_rshift(secp256k1_int128 *r, unsigned | ||||
|    *r >>= n; | ||||
| } | ||||
| 
 | ||||
| static SECP256K1_INLINE uint64_t secp256k1_i128_to_u64(const secp256k1_int128 *a) { | ||||
|    return (uint64_t)*a; | ||||
| } | ||||
| 
 | ||||
| static SECP256K1_INLINE int64_t secp256k1_i128_to_i64(const secp256k1_int128 *a) { | ||||
|    VERIFY_CHECK(INT64_MIN <= *a && *a <= INT64_MAX); | ||||
|    return *a; | ||||
| } | ||||
| 
 | ||||
|  | ||||
| @ -170,8 +170,14 @@ static SECP256K1_INLINE void secp256k1_i128_rshift(secp256k1_int128 *r, unsigned | ||||
|    } | ||||
| } | ||||
| 
 | ||||
| static SECP256K1_INLINE uint64_t secp256k1_i128_to_u64(const secp256k1_int128 *a) { | ||||
|    return a->lo; | ||||
| } | ||||
| 
 | ||||
| static SECP256K1_INLINE int64_t secp256k1_i128_to_i64(const secp256k1_int128 *a) { | ||||
|    return (int64_t)a->lo; | ||||
|    /* Verify that a represents a 64 bit signed value by checking that the high bits are a sign extension of the low bits. */ | ||||
|    VERIFY_CHECK(a->hi == -(a->lo >> 63)); | ||||
|    return (int64_t)secp256k1_i128_to_u64(a); | ||||
| } | ||||
| 
 | ||||
| static SECP256K1_INLINE void secp256k1_i128_from_i64(secp256k1_int128 *r, int64_t a) { | ||||
|  | ||||
| @ -7,10 +7,6 @@ | ||||
| #ifndef SECP256K1_MODINV32_H | ||||
| #define SECP256K1_MODINV32_H | ||||
| 
 | ||||
| #if defined HAVE_CONFIG_H | ||||
| #include "libsecp256k1-config.h" | ||||
| #endif | ||||
| 
 | ||||
| #include "util.h" | ||||
| 
 | ||||
| /* A signed 30-bit limb representation of integers.
 | ||||
|  | ||||
| @ -7,10 +7,6 @@ | ||||
| #ifndef SECP256K1_MODINV64_H | ||||
| #define SECP256K1_MODINV64_H | ||||
| 
 | ||||
| #if defined HAVE_CONFIG_H | ||||
| #include "libsecp256k1-config.h" | ||||
| #endif | ||||
| 
 | ||||
| #include "util.h" | ||||
| 
 | ||||
| #ifndef SECP256K1_WIDEMUL_INT128 | ||||
|  | ||||
| @ -39,13 +39,13 @@ static const secp256k1_modinv64_signed62 SECP256K1_SIGNED62_ONE = {{1}}; | ||||
| 
 | ||||
| /* Compute a*factor and put it in r. All but the top limb in r will be in range [0,2^62). */ | ||||
| static void secp256k1_modinv64_mul_62(secp256k1_modinv64_signed62 *r, const secp256k1_modinv64_signed62 *a, int alen, int64_t factor) { | ||||
|     const int64_t M62 = (int64_t)(UINT64_MAX >> 2); | ||||
|     const uint64_t M62 = UINT64_MAX >> 2; | ||||
|     secp256k1_int128 c, d; | ||||
|     int i; | ||||
|     secp256k1_i128_from_i64(&c, 0); | ||||
|     for (i = 0; i < 4; ++i) { | ||||
|         if (i < alen) secp256k1_i128_accum_mul(&c, a->v[i], factor); | ||||
|         r->v[i] = secp256k1_i128_to_i64(&c) & M62; secp256k1_i128_rshift(&c, 62); | ||||
|         r->v[i] = secp256k1_i128_to_u64(&c) & M62; secp256k1_i128_rshift(&c, 62); | ||||
|     } | ||||
|     if (4 < alen) secp256k1_i128_accum_mul(&c, a->v[4], factor); | ||||
|     secp256k1_i128_from_i64(&d, secp256k1_i128_to_i64(&c)); | ||||
| @ -317,7 +317,7 @@ static int64_t secp256k1_modinv64_divsteps_62_var(int64_t eta, uint64_t f0, uint | ||||
|  * This implements the update_de function from the explanation. | ||||
|  */ | ||||
| static void secp256k1_modinv64_update_de_62(secp256k1_modinv64_signed62 *d, secp256k1_modinv64_signed62 *e, const secp256k1_modinv64_trans2x2 *t, const secp256k1_modinv64_modinfo* modinfo) { | ||||
|     const int64_t M62 = (int64_t)(UINT64_MAX >> 2); | ||||
|     const uint64_t M62 = UINT64_MAX >> 2; | ||||
|     const int64_t d0 = d->v[0], d1 = d->v[1], d2 = d->v[2], d3 = d->v[3], d4 = d->v[4]; | ||||
|     const int64_t e0 = e->v[0], e1 = e->v[1], e2 = e->v[2], e3 = e->v[3], e4 = e->v[4]; | ||||
|     const int64_t u = t->u, v = t->v, q = t->q, r = t->r; | ||||
| @ -330,8 +330,8 @@ static void secp256k1_modinv64_update_de_62(secp256k1_modinv64_signed62 *d, secp | ||||
|     VERIFY_CHECK(secp256k1_modinv64_mul_cmp_62(e, 5, &modinfo->modulus, 1) < 0);  /* e <    modulus */ | ||||
|     VERIFY_CHECK((secp256k1_modinv64_abs(u) + secp256k1_modinv64_abs(v)) >= 0); /* |u|+|v| doesn't overflow */ | ||||
|     VERIFY_CHECK((secp256k1_modinv64_abs(q) + secp256k1_modinv64_abs(r)) >= 0); /* |q|+|r| doesn't overflow */ | ||||
|     VERIFY_CHECK((secp256k1_modinv64_abs(u) + secp256k1_modinv64_abs(v)) <= M62 + 1); /* |u|+|v| <= 2^62 */ | ||||
|     VERIFY_CHECK((secp256k1_modinv64_abs(q) + secp256k1_modinv64_abs(r)) <= M62 + 1); /* |q|+|r| <= 2^62 */ | ||||
|     VERIFY_CHECK((secp256k1_modinv64_abs(u) + secp256k1_modinv64_abs(v)) <= (int64_t)1 << 62); /* |u|+|v| <= 2^62 */ | ||||
|     VERIFY_CHECK((secp256k1_modinv64_abs(q) + secp256k1_modinv64_abs(r)) <= (int64_t)1 << 62); /* |q|+|r| <= 2^62 */ | ||||
| #endif | ||||
|     /* [md,me] start as zero; plus [u,q] if d is negative; plus [v,r] if e is negative. */ | ||||
|     sd = d4 >> 63; | ||||
| @ -344,14 +344,14 @@ static void secp256k1_modinv64_update_de_62(secp256k1_modinv64_signed62 *d, secp | ||||
|     secp256k1_i128_mul(&ce, q, d0); | ||||
|     secp256k1_i128_accum_mul(&ce, r, e0); | ||||
|     /* Correct md,me so that t*[d,e]+modulus*[md,me] has 62 zero bottom bits. */ | ||||
|     md -= (modinfo->modulus_inv62 * (uint64_t)secp256k1_i128_to_i64(&cd) + md) & M62; | ||||
|     me -= (modinfo->modulus_inv62 * (uint64_t)secp256k1_i128_to_i64(&ce) + me) & M62; | ||||
|     md -= (modinfo->modulus_inv62 * secp256k1_i128_to_u64(&cd) + md) & M62; | ||||
|     me -= (modinfo->modulus_inv62 * secp256k1_i128_to_u64(&ce) + me) & M62; | ||||
|     /* Update the beginning of computation for t*[d,e]+modulus*[md,me] now md,me are known. */ | ||||
|     secp256k1_i128_accum_mul(&cd, modinfo->modulus.v[0], md); | ||||
|     secp256k1_i128_accum_mul(&ce, modinfo->modulus.v[0], me); | ||||
|     /* Verify that the low 62 bits of the computation are indeed zero, and then throw them away. */ | ||||
|     VERIFY_CHECK((secp256k1_i128_to_i64(&cd) & M62) == 0); secp256k1_i128_rshift(&cd, 62); | ||||
|     VERIFY_CHECK((secp256k1_i128_to_i64(&ce) & M62) == 0); secp256k1_i128_rshift(&ce, 62); | ||||
|     VERIFY_CHECK((secp256k1_i128_to_u64(&cd) & M62) == 0); secp256k1_i128_rshift(&cd, 62); | ||||
|     VERIFY_CHECK((secp256k1_i128_to_u64(&ce) & M62) == 0); secp256k1_i128_rshift(&ce, 62); | ||||
|     /* Compute limb 1 of t*[d,e]+modulus*[md,me], and store it as output limb 0 (= down shift). */ | ||||
|     secp256k1_i128_accum_mul(&cd, u, d1); | ||||
|     secp256k1_i128_accum_mul(&cd, v, e1); | ||||
| @ -361,8 +361,8 @@ static void secp256k1_modinv64_update_de_62(secp256k1_modinv64_signed62 *d, secp | ||||
|         secp256k1_i128_accum_mul(&cd, modinfo->modulus.v[1], md); | ||||
|         secp256k1_i128_accum_mul(&ce, modinfo->modulus.v[1], me); | ||||
|     } | ||||
|     d->v[0] = secp256k1_i128_to_i64(&cd) & M62; secp256k1_i128_rshift(&cd, 62); | ||||
|     e->v[0] = secp256k1_i128_to_i64(&ce) & M62; secp256k1_i128_rshift(&ce, 62); | ||||
|     d->v[0] = secp256k1_i128_to_u64(&cd) & M62; secp256k1_i128_rshift(&cd, 62); | ||||
|     e->v[0] = secp256k1_i128_to_u64(&ce) & M62; secp256k1_i128_rshift(&ce, 62); | ||||
|     /* Compute limb 2 of t*[d,e]+modulus*[md,me], and store it as output limb 1. */ | ||||
|     secp256k1_i128_accum_mul(&cd, u, d2); | ||||
|     secp256k1_i128_accum_mul(&cd, v, e2); | ||||
| @ -372,8 +372,8 @@ static void secp256k1_modinv64_update_de_62(secp256k1_modinv64_signed62 *d, secp | ||||
|         secp256k1_i128_accum_mul(&cd, modinfo->modulus.v[2], md); | ||||
|         secp256k1_i128_accum_mul(&ce, modinfo->modulus.v[2], me); | ||||
|     } | ||||
|     d->v[1] = secp256k1_i128_to_i64(&cd) & M62; secp256k1_i128_rshift(&cd, 62); | ||||
|     e->v[1] = secp256k1_i128_to_i64(&ce) & M62; secp256k1_i128_rshift(&ce, 62); | ||||
|     d->v[1] = secp256k1_i128_to_u64(&cd) & M62; secp256k1_i128_rshift(&cd, 62); | ||||
|     e->v[1] = secp256k1_i128_to_u64(&ce) & M62; secp256k1_i128_rshift(&ce, 62); | ||||
|     /* Compute limb 3 of t*[d,e]+modulus*[md,me], and store it as output limb 2. */ | ||||
|     secp256k1_i128_accum_mul(&cd, u, d3); | ||||
|     secp256k1_i128_accum_mul(&cd, v, e3); | ||||
| @ -383,8 +383,8 @@ static void secp256k1_modinv64_update_de_62(secp256k1_modinv64_signed62 *d, secp | ||||
|         secp256k1_i128_accum_mul(&cd, modinfo->modulus.v[3], md); | ||||
|         secp256k1_i128_accum_mul(&ce, modinfo->modulus.v[3], me); | ||||
|     } | ||||
|     d->v[2] = secp256k1_i128_to_i64(&cd) & M62; secp256k1_i128_rshift(&cd, 62); | ||||
|     e->v[2] = secp256k1_i128_to_i64(&ce) & M62; secp256k1_i128_rshift(&ce, 62); | ||||
|     d->v[2] = secp256k1_i128_to_u64(&cd) & M62; secp256k1_i128_rshift(&cd, 62); | ||||
|     e->v[2] = secp256k1_i128_to_u64(&ce) & M62; secp256k1_i128_rshift(&ce, 62); | ||||
|     /* Compute limb 4 of t*[d,e]+modulus*[md,me], and store it as output limb 3. */ | ||||
|     secp256k1_i128_accum_mul(&cd, u, d4); | ||||
|     secp256k1_i128_accum_mul(&cd, v, e4); | ||||
| @ -392,8 +392,8 @@ static void secp256k1_modinv64_update_de_62(secp256k1_modinv64_signed62 *d, secp | ||||
|     secp256k1_i128_accum_mul(&ce, r, e4); | ||||
|     secp256k1_i128_accum_mul(&cd, modinfo->modulus.v[4], md); | ||||
|     secp256k1_i128_accum_mul(&ce, modinfo->modulus.v[4], me); | ||||
|     d->v[3] = secp256k1_i128_to_i64(&cd) & M62; secp256k1_i128_rshift(&cd, 62); | ||||
|     e->v[3] = secp256k1_i128_to_i64(&ce) & M62; secp256k1_i128_rshift(&ce, 62); | ||||
|     d->v[3] = secp256k1_i128_to_u64(&cd) & M62; secp256k1_i128_rshift(&cd, 62); | ||||
|     e->v[3] = secp256k1_i128_to_u64(&ce) & M62; secp256k1_i128_rshift(&ce, 62); | ||||
|     /* What remains is limb 5 of t*[d,e]+modulus*[md,me]; store it as output limb 4. */ | ||||
|     d->v[4] = secp256k1_i128_to_i64(&cd); | ||||
|     e->v[4] = secp256k1_i128_to_i64(&ce); | ||||
| @ -410,7 +410,7 @@ static void secp256k1_modinv64_update_de_62(secp256k1_modinv64_signed62 *d, secp | ||||
|  * This implements the update_fg function from the explanation. | ||||
|  */ | ||||
| static void secp256k1_modinv64_update_fg_62(secp256k1_modinv64_signed62 *f, secp256k1_modinv64_signed62 *g, const secp256k1_modinv64_trans2x2 *t) { | ||||
|     const int64_t M62 = (int64_t)(UINT64_MAX >> 2); | ||||
|     const uint64_t M62 = UINT64_MAX >> 2; | ||||
|     const int64_t f0 = f->v[0], f1 = f->v[1], f2 = f->v[2], f3 = f->v[3], f4 = f->v[4]; | ||||
|     const int64_t g0 = g->v[0], g1 = g->v[1], g2 = g->v[2], g3 = g->v[3], g4 = g->v[4]; | ||||
|     const int64_t u = t->u, v = t->v, q = t->q, r = t->r; | ||||
| @ -421,36 +421,36 @@ static void secp256k1_modinv64_update_fg_62(secp256k1_modinv64_signed62 *f, secp | ||||
|     secp256k1_i128_mul(&cg, q, f0); | ||||
|     secp256k1_i128_accum_mul(&cg, r, g0); | ||||
|     /* Verify that the bottom 62 bits of the result are zero, and then throw them away. */ | ||||
|     VERIFY_CHECK((secp256k1_i128_to_i64(&cf) & M62) == 0); secp256k1_i128_rshift(&cf, 62); | ||||
|     VERIFY_CHECK((secp256k1_i128_to_i64(&cg) & M62) == 0); secp256k1_i128_rshift(&cg, 62); | ||||
|     VERIFY_CHECK((secp256k1_i128_to_u64(&cf) & M62) == 0); secp256k1_i128_rshift(&cf, 62); | ||||
|     VERIFY_CHECK((secp256k1_i128_to_u64(&cg) & M62) == 0); secp256k1_i128_rshift(&cg, 62); | ||||
|     /* Compute limb 1 of t*[f,g], and store it as output limb 0 (= down shift). */ | ||||
|     secp256k1_i128_accum_mul(&cf, u, f1); | ||||
|     secp256k1_i128_accum_mul(&cf, v, g1); | ||||
|     secp256k1_i128_accum_mul(&cg, q, f1); | ||||
|     secp256k1_i128_accum_mul(&cg, r, g1); | ||||
|     f->v[0] = secp256k1_i128_to_i64(&cf) & M62; secp256k1_i128_rshift(&cf, 62); | ||||
|     g->v[0] = secp256k1_i128_to_i64(&cg) & M62; secp256k1_i128_rshift(&cg, 62); | ||||
|     f->v[0] = secp256k1_i128_to_u64(&cf) & M62; secp256k1_i128_rshift(&cf, 62); | ||||
|     g->v[0] = secp256k1_i128_to_u64(&cg) & M62; secp256k1_i128_rshift(&cg, 62); | ||||
|     /* Compute limb 2 of t*[f,g], and store it as output limb 1. */ | ||||
|     secp256k1_i128_accum_mul(&cf, u, f2); | ||||
|     secp256k1_i128_accum_mul(&cf, v, g2); | ||||
|     secp256k1_i128_accum_mul(&cg, q, f2); | ||||
|     secp256k1_i128_accum_mul(&cg, r, g2); | ||||
|     f->v[1] = secp256k1_i128_to_i64(&cf) & M62; secp256k1_i128_rshift(&cf, 62); | ||||
|     g->v[1] = secp256k1_i128_to_i64(&cg) & M62; secp256k1_i128_rshift(&cg, 62); | ||||
|     f->v[1] = secp256k1_i128_to_u64(&cf) & M62; secp256k1_i128_rshift(&cf, 62); | ||||
|     g->v[1] = secp256k1_i128_to_u64(&cg) & M62; secp256k1_i128_rshift(&cg, 62); | ||||
|     /* Compute limb 3 of t*[f,g], and store it as output limb 2. */ | ||||
|     secp256k1_i128_accum_mul(&cf, u, f3); | ||||
|     secp256k1_i128_accum_mul(&cf, v, g3); | ||||
|     secp256k1_i128_accum_mul(&cg, q, f3); | ||||
|     secp256k1_i128_accum_mul(&cg, r, g3); | ||||
|     f->v[2] = secp256k1_i128_to_i64(&cf) & M62; secp256k1_i128_rshift(&cf, 62); | ||||
|     g->v[2] = secp256k1_i128_to_i64(&cg) & M62; secp256k1_i128_rshift(&cg, 62); | ||||
|     f->v[2] = secp256k1_i128_to_u64(&cf) & M62; secp256k1_i128_rshift(&cf, 62); | ||||
|     g->v[2] = secp256k1_i128_to_u64(&cg) & M62; secp256k1_i128_rshift(&cg, 62); | ||||
|     /* Compute limb 4 of t*[f,g], and store it as output limb 3. */ | ||||
|     secp256k1_i128_accum_mul(&cf, u, f4); | ||||
|     secp256k1_i128_accum_mul(&cf, v, g4); | ||||
|     secp256k1_i128_accum_mul(&cg, q, f4); | ||||
|     secp256k1_i128_accum_mul(&cg, r, g4); | ||||
|     f->v[3] = secp256k1_i128_to_i64(&cf) & M62; secp256k1_i128_rshift(&cf, 62); | ||||
|     g->v[3] = secp256k1_i128_to_i64(&cg) & M62; secp256k1_i128_rshift(&cg, 62); | ||||
|     f->v[3] = secp256k1_i128_to_u64(&cf) & M62; secp256k1_i128_rshift(&cf, 62); | ||||
|     g->v[3] = secp256k1_i128_to_u64(&cg) & M62; secp256k1_i128_rshift(&cg, 62); | ||||
|     /* What remains is limb 5 of t*[f,g]; store it as output limb 4. */ | ||||
|     f->v[4] = secp256k1_i128_to_i64(&cf); | ||||
|     g->v[4] = secp256k1_i128_to_i64(&cg); | ||||
| @ -463,7 +463,7 @@ static void secp256k1_modinv64_update_fg_62(secp256k1_modinv64_signed62 *f, secp | ||||
|  * This implements the update_fg function from the explanation. | ||||
|  */ | ||||
| static void secp256k1_modinv64_update_fg_62_var(int len, secp256k1_modinv64_signed62 *f, secp256k1_modinv64_signed62 *g, const secp256k1_modinv64_trans2x2 *t) { | ||||
|     const int64_t M62 = (int64_t)(UINT64_MAX >> 2); | ||||
|     const uint64_t M62 = UINT64_MAX >> 2; | ||||
|     const int64_t u = t->u, v = t->v, q = t->q, r = t->r; | ||||
|     int64_t fi, gi; | ||||
|     secp256k1_int128 cf, cg; | ||||
| @ -477,8 +477,8 @@ static void secp256k1_modinv64_update_fg_62_var(int len, secp256k1_modinv64_sign | ||||
|     secp256k1_i128_mul(&cg, q, fi); | ||||
|     secp256k1_i128_accum_mul(&cg, r, gi); | ||||
|     /* Verify that the bottom 62 bits of the result are zero, and then throw them away. */ | ||||
|     VERIFY_CHECK((secp256k1_i128_to_i64(&cf) & M62) == 0); secp256k1_i128_rshift(&cf, 62); | ||||
|     VERIFY_CHECK((secp256k1_i128_to_i64(&cg) & M62) == 0); secp256k1_i128_rshift(&cg, 62); | ||||
|     VERIFY_CHECK((secp256k1_i128_to_u64(&cf) & M62) == 0); secp256k1_i128_rshift(&cf, 62); | ||||
|     VERIFY_CHECK((secp256k1_i128_to_u64(&cg) & M62) == 0); secp256k1_i128_rshift(&cg, 62); | ||||
|     /* Now iteratively compute limb i=1..len of t*[f,g], and store them in output limb i-1 (shifting
 | ||||
|      * down by 62 bits). */ | ||||
|     for (i = 1; i < len; ++i) { | ||||
| @ -488,8 +488,8 @@ static void secp256k1_modinv64_update_fg_62_var(int len, secp256k1_modinv64_sign | ||||
|         secp256k1_i128_accum_mul(&cf, v, gi); | ||||
|         secp256k1_i128_accum_mul(&cg, q, fi); | ||||
|         secp256k1_i128_accum_mul(&cg, r, gi); | ||||
|         f->v[i - 1] = secp256k1_i128_to_i64(&cf) & M62; secp256k1_i128_rshift(&cf, 62); | ||||
|         g->v[i - 1] = secp256k1_i128_to_i64(&cg) & M62; secp256k1_i128_rshift(&cg, 62); | ||||
|         f->v[i - 1] = secp256k1_i128_to_u64(&cf) & M62; secp256k1_i128_rshift(&cf, 62); | ||||
|         g->v[i - 1] = secp256k1_i128_to_u64(&cg) & M62; secp256k1_i128_rshift(&cg, 62); | ||||
|     } | ||||
|     /* What remains is limb (len) of t*[f,g]; store it as output limb (len-1). */ | ||||
|     f->v[len - 1] = secp256k1_i128_to_i64(&cf); | ||||
|  | ||||
| @ -25,51 +25,51 @@ static void test_bppp_generators_api(void) { | ||||
|     int32_t ecount = 0; | ||||
| 
 | ||||
|     /* The BP generator API requires no precomp */ | ||||
|     secp256k1_context_set_error_callback(ctx, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_error_callback(CTX, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount); | ||||
| 
 | ||||
|     /* Create */ | ||||
|     gens = secp256k1_bppp_generators_create(ctx, 10); | ||||
|     gens = secp256k1_bppp_generators_create(CTX, 10); | ||||
|     CHECK(gens != NULL && ecount == 0); | ||||
|     gens_orig = gens; /* Preserve for round-trip test */ | ||||
| 
 | ||||
|     /* Serialize */ | ||||
|     ecount = 0; | ||||
|     CHECK(!secp256k1_bppp_generators_serialize(ctx, NULL, gens_ser, &len)); | ||||
|     CHECK(!secp256k1_bppp_generators_serialize(CTX, NULL, gens_ser, &len)); | ||||
|     CHECK(ecount == 1); | ||||
|     CHECK(!secp256k1_bppp_generators_serialize(ctx, gens, NULL, &len)); | ||||
|     CHECK(!secp256k1_bppp_generators_serialize(CTX, gens, NULL, &len)); | ||||
|     CHECK(ecount == 2); | ||||
|     CHECK(!secp256k1_bppp_generators_serialize(ctx, gens, gens_ser, NULL)); | ||||
|     CHECK(!secp256k1_bppp_generators_serialize(CTX, gens, gens_ser, NULL)); | ||||
|     CHECK(ecount == 3); | ||||
|     len = 0; | ||||
|     CHECK(!secp256k1_bppp_generators_serialize(ctx, gens, gens_ser, &len)); | ||||
|     CHECK(!secp256k1_bppp_generators_serialize(CTX, gens, gens_ser, &len)); | ||||
|     CHECK(ecount == 4); | ||||
|     len = sizeof(gens_ser) - 1; | ||||
|     CHECK(!secp256k1_bppp_generators_serialize(ctx, gens, gens_ser, &len)); | ||||
|     CHECK(!secp256k1_bppp_generators_serialize(CTX, gens, gens_ser, &len)); | ||||
|     CHECK(ecount == 5); | ||||
|     len = sizeof(gens_ser); | ||||
|     { | ||||
|         /* Output buffer can be greater than minimum needed */ | ||||
|         unsigned char gens_ser_tmp[331]; | ||||
|         size_t len_tmp = sizeof(gens_ser_tmp); | ||||
|         CHECK(secp256k1_bppp_generators_serialize(ctx, gens, gens_ser_tmp, &len_tmp)); | ||||
|         CHECK(secp256k1_bppp_generators_serialize(CTX, gens, gens_ser_tmp, &len_tmp)); | ||||
|         CHECK(len_tmp == sizeof(gens_ser_tmp) - 1); | ||||
|         CHECK(ecount == 5); | ||||
|     } | ||||
| 
 | ||||
|     /* Parse */ | ||||
|     CHECK(secp256k1_bppp_generators_serialize(ctx, gens, gens_ser, &len)); | ||||
|     CHECK(secp256k1_bppp_generators_serialize(CTX, gens, gens_ser, &len)); | ||||
|     ecount = 0; | ||||
|     gens = secp256k1_bppp_generators_parse(ctx, NULL, sizeof(gens_ser)); | ||||
|     gens = secp256k1_bppp_generators_parse(CTX, NULL, sizeof(gens_ser)); | ||||
|     CHECK(gens == NULL && ecount == 1); | ||||
|     /* Not a multiple of 33 */ | ||||
|     gens = secp256k1_bppp_generators_parse(ctx, gens_ser, sizeof(gens_ser) - 1); | ||||
|     gens = secp256k1_bppp_generators_parse(CTX, gens_ser, sizeof(gens_ser) - 1); | ||||
|     CHECK(gens == NULL && ecount == 1); | ||||
|     gens = secp256k1_bppp_generators_parse(ctx, gens_ser, sizeof(gens_ser)); | ||||
|     gens = secp256k1_bppp_generators_parse(CTX, gens_ser, sizeof(gens_ser)); | ||||
|     CHECK(gens != NULL && ecount == 1); | ||||
|     /* Not valid generators */ | ||||
|     memset(gens_ser, 1, sizeof(gens_ser)); | ||||
|     CHECK(secp256k1_bppp_generators_parse(ctx, gens_ser, sizeof(gens_ser)) == NULL); | ||||
|     CHECK(secp256k1_bppp_generators_parse(CTX, gens_ser, sizeof(gens_ser)) == NULL); | ||||
|     CHECK(ecount == 1); | ||||
| 
 | ||||
|     /* Check that round-trip succeeded */ | ||||
| @ -80,14 +80,17 @@ static void test_bppp_generators_api(void) { | ||||
| 
 | ||||
|     /* Destroy (we allow destroying a NULL context, it's just a noop. like free().) */ | ||||
|     ecount = 0; | ||||
|     secp256k1_bppp_generators_destroy(ctx, NULL); | ||||
|     secp256k1_bppp_generators_destroy(ctx, gens); | ||||
|     secp256k1_bppp_generators_destroy(ctx, gens_orig); | ||||
|     secp256k1_bppp_generators_destroy(CTX, NULL); | ||||
|     secp256k1_bppp_generators_destroy(CTX, gens); | ||||
|     secp256k1_bppp_generators_destroy(CTX, gens_orig); | ||||
|     CHECK(ecount == 0); | ||||
| 
 | ||||
|     secp256k1_context_set_error_callback(CTX, NULL, NULL); | ||||
|     secp256k1_context_set_illegal_callback(CTX, NULL, NULL); | ||||
| } | ||||
| 
 | ||||
| static void test_bppp_generators_fixed(void) { | ||||
|     secp256k1_bppp_generators *gens = secp256k1_bppp_generators_create(ctx, 3); | ||||
|     secp256k1_bppp_generators *gens = secp256k1_bppp_generators_create(CTX, 3); | ||||
|     unsigned char gens_ser[330]; | ||||
|     const unsigned char fixed_first_3[99] = { | ||||
|         0x0b, | ||||
| @ -109,14 +112,14 @@ static void test_bppp_generators_fixed(void) { | ||||
|     size_t len; | ||||
| 
 | ||||
|     len = 99; | ||||
|     CHECK(secp256k1_bppp_generators_serialize(ctx, gens, gens_ser, &len)); | ||||
|     CHECK(secp256k1_bppp_generators_serialize(CTX, gens, gens_ser, &len)); | ||||
|     CHECK(memcmp(gens_ser, fixed_first_3, sizeof(fixed_first_3)) == 0); | ||||
| 
 | ||||
|     len = sizeof(gens_ser); | ||||
|     CHECK(secp256k1_bppp_generators_serialize(ctx, gens, gens_ser, &len)); | ||||
|     CHECK(secp256k1_bppp_generators_serialize(CTX, gens, gens_ser, &len)); | ||||
|     CHECK(memcmp(gens_ser, fixed_first_3, sizeof(fixed_first_3)) == 0); | ||||
| 
 | ||||
|     secp256k1_bppp_generators_destroy(ctx, gens); | ||||
|     secp256k1_bppp_generators_destroy(CTX, gens); | ||||
| } | ||||
| 
 | ||||
| static void test_bppp_tagged_hash(void) { | ||||
| @ -224,19 +227,19 @@ void test_serialize_two_points(void) { | ||||
|     secp256k1_ge X, R; | ||||
|     int i; | ||||
| 
 | ||||
|     for (i = 0; i < count; i++) { | ||||
|     for (i = 0; i < COUNT; i++) { | ||||
|         random_group_element_test(&X); | ||||
|         random_group_element_test(&R); | ||||
|         test_serialize_two_points_roundtrip(&X, &R); | ||||
|     } | ||||
| 
 | ||||
|     for (i = 0; i < count; i++) { | ||||
|     for (i = 0; i < COUNT; i++) { | ||||
|         random_group_element_test(&X); | ||||
|         secp256k1_ge_set_infinity(&R); | ||||
|         test_serialize_two_points_roundtrip(&X, &R); | ||||
|     } | ||||
| 
 | ||||
|     for (i = 0; i < count; i++) { | ||||
|     for (i = 0; i < COUNT; i++) { | ||||
|         secp256k1_ge_set_infinity(&X); | ||||
|         random_group_element_test(&R); | ||||
|         test_serialize_two_points_roundtrip(&X, &R); | ||||
| @ -258,7 +261,7 @@ void test_serialize_two_points(void) { | ||||
|         CHECK(!secp256k1_bppp_parse_one_of_points(&R_tmp, buf, 0)); | ||||
|     } | ||||
|     /* Check that sign bit is 0 for point at infinity */ | ||||
|     for (i = 0; i < count; i++) { | ||||
|     for (i = 0; i < COUNT; i++) { | ||||
|         secp256k1_ge X_tmp, R_tmp; | ||||
|         unsigned char buf[65]; | ||||
|         int expect; | ||||
| @ -333,10 +336,10 @@ static void copy_vectors_into_scratch(secp256k1_scratch_space* scratch, | ||||
|                                       const secp256k1_ge *gens_vec, | ||||
|                                       size_t g_len, | ||||
|                                       size_t h_len) { | ||||
|     *ns = (secp256k1_scalar*)secp256k1_scratch_alloc(&ctx->error_callback, scratch, g_len * sizeof(secp256k1_scalar)); | ||||
|     *ls = (secp256k1_scalar*)secp256k1_scratch_alloc(&ctx->error_callback, scratch, h_len * sizeof(secp256k1_scalar)); | ||||
|     *cs = (secp256k1_scalar*)secp256k1_scratch_alloc(&ctx->error_callback, scratch, h_len * sizeof(secp256k1_scalar)); | ||||
|     *gs = (secp256k1_ge*)secp256k1_scratch_alloc(&ctx->error_callback, scratch, (g_len + h_len) * sizeof(secp256k1_ge)); | ||||
|     *ns = (secp256k1_scalar*)secp256k1_scratch_alloc(&CTX->error_callback, scratch, g_len * sizeof(secp256k1_scalar)); | ||||
|     *ls = (secp256k1_scalar*)secp256k1_scratch_alloc(&CTX->error_callback, scratch, h_len * sizeof(secp256k1_scalar)); | ||||
|     *cs = (secp256k1_scalar*)secp256k1_scratch_alloc(&CTX->error_callback, scratch, h_len * sizeof(secp256k1_scalar)); | ||||
|     *gs = (secp256k1_ge*)secp256k1_scratch_alloc(&CTX->error_callback, scratch, (g_len + h_len) * sizeof(secp256k1_ge)); | ||||
|     CHECK(ns != NULL && ls != NULL && cs != NULL && gs != NULL); | ||||
|     memcpy(*ns, n_vec, g_len * sizeof(secp256k1_scalar)); | ||||
|     memcpy(*ls, l_vec, h_len * sizeof(secp256k1_scalar)); | ||||
| @ -366,10 +369,10 @@ static int secp256k1_bppp_rangeproof_norm_product_prove_const( | ||||
|     size_t g_len = n_vec_len, h_len = l_vec_len; | ||||
|     int res; | ||||
| 
 | ||||
|     scratch_checkpoint = secp256k1_scratch_checkpoint(&ctx->error_callback, scratch); | ||||
|     scratch_checkpoint = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch); | ||||
|     copy_vectors_into_scratch(scratch, &ns, &ls, &cs, &gs, n_vec, l_vec, c_vec, g_vec, g_len, h_len); | ||||
|     res = secp256k1_bppp_rangeproof_norm_product_prove( | ||||
|         ctx, | ||||
|         CTX, | ||||
|         scratch, | ||||
|         proof, | ||||
|         proof_len, | ||||
| @ -384,7 +387,7 @@ static int secp256k1_bppp_rangeproof_norm_product_prove_const( | ||||
|         cs, | ||||
|         c_vec_len | ||||
|     ); | ||||
|     secp256k1_scratch_apply_checkpoint(&ctx->error_callback, scratch, scratch_checkpoint); | ||||
|     secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, scratch_checkpoint); | ||||
|     return res; | ||||
| } | ||||
| 
 | ||||
| @ -434,7 +437,7 @@ static int secp256k1_norm_arg_verify( | ||||
|     secp256k1_norm_arg_commit_initial_data(&transcript, rho, gens_vec, g_len, c_vec, c_vec_len, &comm); | ||||
| 
 | ||||
|     res = secp256k1_bppp_rangeproof_norm_product_verify( | ||||
|         ctx, | ||||
|         CTX, | ||||
|         scratch, | ||||
|         proof, | ||||
|         proof_len, | ||||
| @ -454,11 +457,11 @@ void norm_arg_verify_zero_len(void) { | ||||
|     secp256k1_scalar n_vec[64], l_vec[64], c_vec[64]; | ||||
|     secp256k1_scalar rho, mu; | ||||
|     secp256k1_ge commit; | ||||
|     secp256k1_scratch *scratch = secp256k1_scratch_space_create(ctx, 1000*10); /* shouldn't need much */ | ||||
|     secp256k1_scratch *scratch = secp256k1_scratch_space_create(CTX, 1000*10); /* shouldn't need much */ | ||||
|     unsigned char proof[1000]; | ||||
|     unsigned int n_vec_len = 1; | ||||
|     unsigned int c_vec_len = 1; | ||||
|     secp256k1_bppp_generators *gs = secp256k1_bppp_generators_create(ctx, n_vec_len + c_vec_len); | ||||
|     secp256k1_bppp_generators *gs = secp256k1_bppp_generators_create(CTX, n_vec_len + c_vec_len); | ||||
|     size_t plen = sizeof(proof); | ||||
| 
 | ||||
|     random_scalar_order(&rho); | ||||
| @ -467,14 +470,14 @@ void norm_arg_verify_zero_len(void) { | ||||
|     random_scalar_order(&n_vec[0]); | ||||
|     random_scalar_order(&c_vec[0]); | ||||
|     random_scalar_order(&l_vec[0]); | ||||
|     CHECK(secp256k1_bppp_commit(ctx, scratch, &commit, gs, n_vec, n_vec_len, l_vec, c_vec_len, c_vec, c_vec_len, &mu)); | ||||
|     CHECK(secp256k1_bppp_commit(CTX, scratch, &commit, gs, n_vec, n_vec_len, l_vec, c_vec_len, c_vec, c_vec_len, &mu)); | ||||
|     CHECK(secp256k1_norm_arg_prove(scratch, proof, &plen, &rho, gs, n_vec, n_vec_len, l_vec, c_vec_len, c_vec, c_vec_len, &commit)); | ||||
|     CHECK(secp256k1_norm_arg_verify(scratch, proof, plen, &rho, gs, n_vec_len, c_vec, c_vec_len, &commit)); | ||||
|     CHECK(!secp256k1_norm_arg_verify(scratch, proof, plen, &rho, gs, n_vec_len, c_vec, 0, &commit)); | ||||
| 
 | ||||
|     secp256k1_bppp_generators_destroy(ctx, gs); | ||||
|     secp256k1_bppp_generators_destroy(CTX, gs); | ||||
| 
 | ||||
|     secp256k1_scratch_space_destroy(ctx, scratch); | ||||
|     secp256k1_scratch_space_destroy(CTX, scratch); | ||||
| } | ||||
| 
 | ||||
| void norm_arg_test(unsigned int n, unsigned int m) { | ||||
| @ -483,8 +486,8 @@ void norm_arg_test(unsigned int n, unsigned int m) { | ||||
|     secp256k1_ge commit; | ||||
|     size_t i, plen; | ||||
|     int res; | ||||
|     secp256k1_bppp_generators *gs = secp256k1_bppp_generators_create(ctx, n + m); | ||||
|     secp256k1_scratch *scratch = secp256k1_scratch_space_create(ctx, 1000*1000); /* shouldn't need much */ | ||||
|     secp256k1_bppp_generators *gs = secp256k1_bppp_generators_create(CTX, n + m); | ||||
|     secp256k1_scratch *scratch = secp256k1_scratch_space_create(CTX, 1000*1000); /* shouldn't need much */ | ||||
|     unsigned char proof[1000]; | ||||
|     plen = 1000; | ||||
|     random_scalar_order(&rho); | ||||
| @ -499,7 +502,7 @@ void norm_arg_test(unsigned int n, unsigned int m) { | ||||
|         random_scalar_order(&c_vec[i]); | ||||
|     } | ||||
| 
 | ||||
|     res = secp256k1_bppp_commit(ctx, scratch, &commit, gs, n_vec, n, l_vec, m, c_vec, m, &mu); | ||||
|     res = secp256k1_bppp_commit(CTX, scratch, &commit, gs, n_vec, n, l_vec, m, c_vec, m, &mu); | ||||
|     CHECK(res == 1); | ||||
|     res = secp256k1_norm_arg_prove(scratch, proof, &plen, &rho, gs, n_vec, n, l_vec, m, c_vec, m, &commit); | ||||
|     CHECK(res == 1); | ||||
| @ -515,8 +518,8 @@ void norm_arg_test(unsigned int n, unsigned int m) { | ||||
|     res = secp256k1_norm_arg_verify(scratch, proof, plen, &rho, gs, n, c_vec, m, &commit); | ||||
|     CHECK(res == 0); | ||||
| 
 | ||||
|     secp256k1_scratch_space_destroy(ctx, scratch); | ||||
|     secp256k1_bppp_generators_destroy(ctx, gs); | ||||
|     secp256k1_scratch_space_destroy(CTX, scratch); | ||||
|     secp256k1_bppp_generators_destroy(CTX, gs); | ||||
| } | ||||
| 
 | ||||
| /* Parses generators from points compressed as pubkeys */ | ||||
| @ -524,19 +527,16 @@ secp256k1_bppp_generators* bppp_generators_parse_regular(const unsigned char* da | ||||
|     size_t n = data_len / 33; | ||||
|     secp256k1_bppp_generators* ret; | ||||
| 
 | ||||
|     VERIFY_CHECK(ctx != NULL); | ||||
|     ARG_CHECK(data != NULL); | ||||
| 
 | ||||
|     if (data_len % 33 != 0) { | ||||
|         return NULL; | ||||
|     } | ||||
| 
 | ||||
|     ret = (secp256k1_bppp_generators *)checked_malloc(&ctx->error_callback, sizeof(*ret)); | ||||
|     ret = (secp256k1_bppp_generators *)checked_malloc(&CTX->error_callback, sizeof(*ret)); | ||||
|     if (ret == NULL) { | ||||
|         return NULL; | ||||
|     } | ||||
|     ret->n = n; | ||||
|     ret->gens = (secp256k1_ge*)checked_malloc(&ctx->error_callback, n * sizeof(*ret->gens)); | ||||
|     ret->gens = (secp256k1_ge*)checked_malloc(&CTX->error_callback, n * sizeof(*ret->gens)); | ||||
|     if (ret->gens == NULL) { | ||||
|         free(ret); | ||||
|         return NULL; | ||||
| @ -572,16 +572,16 @@ int norm_arg_verify_vectors_helper(secp256k1_scratch *scratch, const unsigned ch | ||||
|         CHECK(!overflow); | ||||
|     } | ||||
|     CHECK(secp256k1_ge_parse_ext(&commit, commit33)); | ||||
|     ret = secp256k1_bppp_rangeproof_norm_product_verify(ctx, scratch, proof, plen, &transcript, &rho, gs, n_vec_len, c_vec, c_vec_len, &commit); | ||||
|     ret = secp256k1_bppp_rangeproof_norm_product_verify(CTX, scratch, proof, plen, &transcript, &rho, gs, n_vec_len, c_vec, c_vec_len, &commit); | ||||
| 
 | ||||
|     secp256k1_bppp_generators_destroy(ctx, gs); | ||||
|     secp256k1_bppp_generators_destroy(CTX, gs); | ||||
|     return ret; | ||||
| } | ||||
| 
 | ||||
| #define IDX_TO_TEST(i) (norm_arg_verify_vectors_helper(scratch, verify_vector_gens, verify_vector_##i##_proof, sizeof(verify_vector_##i##_proof), verify_vector_##i##_r32, verify_vector_##i##_n_vec_len, verify_vector_##i##_c_vec32, verify_vector_##i##_c_vec, sizeof(verify_vector_##i##_c_vec)/sizeof(secp256k1_scalar), verify_vector_##i##_commit33) == verify_vector_##i##_result) | ||||
| 
 | ||||
| void norm_arg_verify_vectors(void) { | ||||
|     secp256k1_scratch *scratch = secp256k1_scratch_space_create(ctx, 1000*1000); /* shouldn't need much */ | ||||
|     secp256k1_scratch *scratch = secp256k1_scratch_space_create(CTX, 1000*1000); /* shouldn't need much */ | ||||
|     size_t alloc = scratch->alloc_size; | ||||
| 
 | ||||
|     CHECK(IDX_TO_TEST(0)); | ||||
| @ -599,7 +599,7 @@ void norm_arg_verify_vectors(void) { | ||||
|     CHECK(IDX_TO_TEST(12)); | ||||
| 
 | ||||
|     CHECK(alloc == scratch->alloc_size); | ||||
|     secp256k1_scratch_space_destroy(ctx, scratch); | ||||
|     secp256k1_scratch_space_destroy(CTX, scratch); | ||||
| } | ||||
| #undef IDX_TO_TEST | ||||
| 
 | ||||
| @ -632,16 +632,16 @@ void norm_arg_prove_vectors_helper(secp256k1_scratch *scratch, const unsigned ch | ||||
| 
 | ||||
|     CHECK(secp256k1_bppp_rangeproof_norm_product_prove_const(scratch, myproof, &myplen, &transcript, &rho, gs->gens, gs->n, n_vec, n_vec_len, l_vec, c_vec_len, c_vec, c_vec_len) == result); | ||||
|     if (!result) { | ||||
|         secp256k1_bppp_generators_destroy(ctx, gs); | ||||
|         secp256k1_bppp_generators_destroy(CTX, gs); | ||||
|         return; | ||||
|     } | ||||
|     CHECK(plen == myplen); | ||||
|     CHECK(secp256k1_memcmp_var(proof, myproof, plen) == 0); | ||||
| 
 | ||||
|     CHECK(secp256k1_bppp_commit(ctx, scratch, &commit, gs, n_vec, n_vec_len, l_vec, c_vec_len, c_vec, c_vec_len, &mu)); | ||||
|     CHECK(secp256k1_bppp_commit(CTX, scratch, &commit, gs, n_vec, n_vec_len, l_vec, c_vec_len, c_vec, c_vec_len, &mu)); | ||||
|     secp256k1_sha256_initialize(&transcript); | ||||
|     CHECK(secp256k1_bppp_rangeproof_norm_product_verify(ctx, scratch, proof, plen, &transcript, &rho, gs, n_vec_len, c_vec, c_vec_len, &commit)); | ||||
|     secp256k1_bppp_generators_destroy(ctx, gs); | ||||
|     CHECK(secp256k1_bppp_rangeproof_norm_product_verify(CTX, scratch, proof, plen, &transcript, &rho, gs, n_vec_len, c_vec, c_vec_len, &commit)); | ||||
|     secp256k1_bppp_generators_destroy(CTX, gs); | ||||
| } | ||||
| 
 | ||||
| 
 | ||||
| @ -652,7 +652,7 @@ void norm_arg_prove_vectors_helper(secp256k1_scratch *scratch, const unsigned ch | ||||
|     prove_vector_##i##_result)) | ||||
| 
 | ||||
| void norm_arg_prove_vectors(void) { | ||||
|     secp256k1_scratch *scratch = secp256k1_scratch_space_create(ctx, 1000*1000); /* shouldn't need much */ | ||||
|     secp256k1_scratch *scratch = secp256k1_scratch_space_create(CTX, 1000*1000); /* shouldn't need much */ | ||||
|     size_t alloc = scratch->alloc_size; | ||||
| 
 | ||||
|     IDX_TO_TEST(0); | ||||
| @ -662,7 +662,7 @@ void norm_arg_prove_vectors(void) { | ||||
|     IDX_TO_TEST(4); | ||||
| 
 | ||||
|     CHECK(alloc == scratch->alloc_size); | ||||
|     secp256k1_scratch_space_destroy(ctx, scratch); | ||||
|     secp256k1_scratch_space_destroy(CTX, scratch); | ||||
| } | ||||
| 
 | ||||
| #undef IDX_TO_TEST | ||||
|  | ||||
| @ -60,7 +60,7 @@ void test_ecdh_generator_basepoint(void) { | ||||
| 
 | ||||
|     s_one[31] = 1; | ||||
|     /* Check against pubkey creation when the basepoint is the generator */ | ||||
|     for (i = 0; i < 2 * count; ++i) { | ||||
|     for (i = 0; i < 2 * COUNT; ++i) { | ||||
|         secp256k1_sha256 sha; | ||||
|         unsigned char s_b32[32]; | ||||
|         unsigned char output_ecdh[65]; | ||||
| @ -72,20 +72,20 @@ void test_ecdh_generator_basepoint(void) { | ||||
|         random_scalar_order(&s); | ||||
|         secp256k1_scalar_get_b32(s_b32, &s); | ||||
| 
 | ||||
|         CHECK(secp256k1_ec_pubkey_create(ctx, &point[0], s_one) == 1); | ||||
|         CHECK(secp256k1_ec_pubkey_create(ctx, &point[1], s_b32) == 1); | ||||
|         CHECK(secp256k1_ec_pubkey_create(CTX, &point[0], s_one) == 1); | ||||
|         CHECK(secp256k1_ec_pubkey_create(CTX, &point[1], s_b32) == 1); | ||||
| 
 | ||||
|         /* compute using ECDH function with custom hash function */ | ||||
|         CHECK(secp256k1_ecdh(ctx, output_ecdh, &point[0], s_b32, ecdh_hash_function_custom, NULL) == 1); | ||||
|         CHECK(secp256k1_ecdh(CTX, output_ecdh, &point[0], s_b32, ecdh_hash_function_custom, NULL) == 1); | ||||
|         /* compute "explicitly" */ | ||||
|         CHECK(secp256k1_ec_pubkey_serialize(ctx, point_ser, &point_ser_len, &point[1], SECP256K1_EC_UNCOMPRESSED) == 1); | ||||
|         CHECK(secp256k1_ec_pubkey_serialize(CTX, point_ser, &point_ser_len, &point[1], SECP256K1_EC_UNCOMPRESSED) == 1); | ||||
|         /* compare */ | ||||
|         CHECK(secp256k1_memcmp_var(output_ecdh, point_ser, 65) == 0); | ||||
| 
 | ||||
|         /* compute using ECDH function with default hash function */ | ||||
|         CHECK(secp256k1_ecdh(ctx, output_ecdh, &point[0], s_b32, NULL, NULL) == 1); | ||||
|         CHECK(secp256k1_ecdh(CTX, output_ecdh, &point[0], s_b32, NULL, NULL) == 1); | ||||
|         /* compute "explicitly" */ | ||||
|         CHECK(secp256k1_ec_pubkey_serialize(ctx, point_ser, &point_ser_len, &point[1], SECP256K1_EC_COMPRESSED) == 1); | ||||
|         CHECK(secp256k1_ec_pubkey_serialize(CTX, point_ser, &point_ser_len, &point[1], SECP256K1_EC_COMPRESSED) == 1); | ||||
|         secp256k1_sha256_initialize(&sha); | ||||
|         secp256k1_sha256_write(&sha, point_ser, point_ser_len); | ||||
|         secp256k1_sha256_finalize(&sha, output_ser); | ||||
| @ -110,17 +110,17 @@ void test_bad_scalar(void) { | ||||
|     /* Create random point */ | ||||
|     random_scalar_order(&rand); | ||||
|     secp256k1_scalar_get_b32(s_rand, &rand); | ||||
|     CHECK(secp256k1_ec_pubkey_create(ctx, &point, s_rand) == 1); | ||||
|     CHECK(secp256k1_ec_pubkey_create(CTX, &point, s_rand) == 1); | ||||
| 
 | ||||
|     /* Try to multiply it by bad values */ | ||||
|     CHECK(secp256k1_ecdh(ctx, output, &point, s_zero, NULL, NULL) == 0); | ||||
|     CHECK(secp256k1_ecdh(ctx, output, &point, s_overflow, NULL, NULL) == 0); | ||||
|     CHECK(secp256k1_ecdh(CTX, output, &point, s_zero, NULL, NULL) == 0); | ||||
|     CHECK(secp256k1_ecdh(CTX, output, &point, s_overflow, NULL, NULL) == 0); | ||||
|     /* ...and a good one */ | ||||
|     s_overflow[31] -= 1; | ||||
|     CHECK(secp256k1_ecdh(ctx, output, &point, s_overflow, NULL, NULL) == 1); | ||||
|     CHECK(secp256k1_ecdh(CTX, output, &point, s_overflow, NULL, NULL) == 1); | ||||
| 
 | ||||
|     /* Hash function failure results in ecdh failure */ | ||||
|     CHECK(secp256k1_ecdh(ctx, output, &point, s_overflow, ecdh_hash_function_test_fail, NULL) == 0); | ||||
|     CHECK(secp256k1_ecdh(CTX, output, &point, s_overflow, ecdh_hash_function_test_fail, NULL) == 0); | ||||
| } | ||||
| 
 | ||||
| /** Test that ECDH(sG, 1/s) == ECDH((1/s)G, s) == ECDH(G, 1) for a few random s. */ | ||||
| @ -136,21 +136,21 @@ void test_result_basepoint(void) { | ||||
| 
 | ||||
|     unsigned char s_one[32] = { 0 }; | ||||
|     s_one[31] = 1; | ||||
|     CHECK(secp256k1_ec_pubkey_create(ctx, &point, s_one) == 1); | ||||
|     CHECK(secp256k1_ecdh(ctx, out_base, &point, s_one, NULL, NULL) == 1); | ||||
|     CHECK(secp256k1_ec_pubkey_create(CTX, &point, s_one) == 1); | ||||
|     CHECK(secp256k1_ecdh(CTX, out_base, &point, s_one, NULL, NULL) == 1); | ||||
| 
 | ||||
|     for (i = 0; i < 2 * count; i++) { | ||||
|     for (i = 0; i < 2 * COUNT; i++) { | ||||
|         random_scalar_order(&rand); | ||||
|         secp256k1_scalar_get_b32(s, &rand); | ||||
|         secp256k1_scalar_inverse(&rand, &rand); | ||||
|         secp256k1_scalar_get_b32(s_inv, &rand); | ||||
| 
 | ||||
|         CHECK(secp256k1_ec_pubkey_create(ctx, &point, s) == 1); | ||||
|         CHECK(secp256k1_ecdh(ctx, out, &point, s_inv, NULL, NULL) == 1); | ||||
|         CHECK(secp256k1_ec_pubkey_create(CTX, &point, s) == 1); | ||||
|         CHECK(secp256k1_ecdh(CTX, out, &point, s_inv, NULL, NULL) == 1); | ||||
|         CHECK(secp256k1_memcmp_var(out, out_base, 32) == 0); | ||||
| 
 | ||||
|         CHECK(secp256k1_ec_pubkey_create(ctx, &point, s_inv) == 1); | ||||
|         CHECK(secp256k1_ecdh(ctx, out_inv, &point, s, NULL, NULL) == 1); | ||||
|         CHECK(secp256k1_ec_pubkey_create(CTX, &point, s_inv) == 1); | ||||
|         CHECK(secp256k1_ecdh(CTX, out_inv, &point, s, NULL, NULL) == 1); | ||||
|         CHECK(secp256k1_memcmp_var(out_inv, out_base, 32) == 0); | ||||
|     } | ||||
| } | ||||
|  | ||||
| @ -14,7 +14,7 @@ void rand_point(secp256k1_ge *point) { | ||||
|     secp256k1_gej pointj; | ||||
|     rand_scalar(&x); | ||||
| 
 | ||||
|     secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pointj, &x); | ||||
|     secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &pointj, &x); | ||||
|     secp256k1_ge_set_gej(point, &pointj); | ||||
| } | ||||
| 
 | ||||
| @ -41,8 +41,8 @@ void dleq_tests(void) { | ||||
| 
 | ||||
|     rand_point(&gen2); | ||||
|     rand_scalar(&sk); | ||||
|     secp256k1_dleq_pair(&ctx->ecmult_gen_ctx, &p1, &p2, &sk, &gen2); | ||||
|     CHECK(secp256k1_dleq_prove(ctx, &s, &e, &sk, &gen2, &p1, &p2, NULL, NULL) == 1); | ||||
|     secp256k1_dleq_pair(&CTX->ecmult_gen_ctx, &p1, &p2, &sk, &gen2); | ||||
|     CHECK(secp256k1_dleq_prove(CTX, &s, &e, &sk, &gen2, &p1, &p2, NULL, NULL) == 1); | ||||
|     CHECK(secp256k1_dleq_verify(&s, &e, &p1, &gen2, &p2) == 1); | ||||
| 
 | ||||
|     { | ||||
| @ -61,9 +61,9 @@ void dleq_tests(void) { | ||||
|     { | ||||
|         secp256k1_ge p_inf; | ||||
|         secp256k1_ge_set_infinity(&p_inf); | ||||
|         CHECK(secp256k1_dleq_prove(ctx, &s, &e, &sk, &p_inf, &p1, &p2, NULL, NULL) == 0); | ||||
|         CHECK(secp256k1_dleq_prove(ctx, &s, &e, &sk, &gen2, &p_inf, &p2, NULL, NULL) == 0); | ||||
|         CHECK(secp256k1_dleq_prove(ctx, &s, &e, &sk, &gen2, &p1, &p_inf, NULL, NULL) == 0); | ||||
|         CHECK(secp256k1_dleq_prove(CTX, &s, &e, &sk, &p_inf, &p1, &p2, NULL, NULL) == 0); | ||||
|         CHECK(secp256k1_dleq_prove(CTX, &s, &e, &sk, &gen2, &p_inf, &p2, NULL, NULL) == 0); | ||||
|         CHECK(secp256k1_dleq_prove(CTX, &s, &e, &sk, &gen2, &p1, &p_inf, NULL, NULL) == 0); | ||||
|     } | ||||
| 
 | ||||
|     /* Nonce tests */ | ||||
| @ -85,7 +85,7 @@ void dleq_tests(void) { | ||||
|     args[2] = p1_33; | ||||
|     args[3] = p2_33; | ||||
|     args[4] = aux_rand; | ||||
|     for (i = 0; i < count; i++) { | ||||
|     for (i = 0; i < COUNT; i++) { | ||||
|         dleq_nonce_bitflip(args, 0, sizeof(sk32)); | ||||
|         dleq_nonce_bitflip(args, 1, sizeof(gen2_33)); | ||||
|         dleq_nonce_bitflip(args, 2, sizeof(p1_33)); | ||||
| @ -117,7 +117,7 @@ void test_ecdsa_adaptor_spec_vectors_check_verify(const unsigned char *adaptor_s | ||||
|     CHECK(secp256k1_eckey_pubkey_parse(&pubkey_ge, pubkey33, 33) == 1); | ||||
|     secp256k1_pubkey_save(&pubkey, &pubkey_ge); | ||||
| 
 | ||||
|     CHECK(expected == secp256k1_ecdsa_adaptor_verify(ctx, adaptor_sig162, &pubkey, msg32, &encryption_key)); | ||||
|     CHECK(expected == secp256k1_ecdsa_adaptor_verify(CTX, adaptor_sig162, &pubkey, msg32, &encryption_key)); | ||||
| } | ||||
| 
 | ||||
| /* Helper function for test_ecdsa_adaptor_spec_vectors
 | ||||
| @ -126,8 +126,8 @@ void test_ecdsa_adaptor_spec_vectors_check_decrypt(const unsigned char *adaptor_ | ||||
|     unsigned char signature[64]; | ||||
|     secp256k1_ecdsa_signature s; | ||||
| 
 | ||||
|     CHECK(secp256k1_ecdsa_adaptor_decrypt(ctx, &s, decryption_key32, adaptor_sig162) == 1); | ||||
|     CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, &s) == 1); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_decrypt(CTX, &s, decryption_key32, adaptor_sig162) == 1); | ||||
|     CHECK(secp256k1_ecdsa_signature_serialize_compact(CTX, signature, &s) == 1); | ||||
| 
 | ||||
|     CHECK(expected == !(secp256k1_memcmp_var(signature, signature64, 64))); | ||||
| } | ||||
| @ -143,8 +143,8 @@ void test_ecdsa_adaptor_spec_vectors_check_recover(const unsigned char *adaptor_ | ||||
|     CHECK(secp256k1_eckey_pubkey_parse(&encryption_key_ge, encryption_key33, 33) == 1); | ||||
|     secp256k1_pubkey_save(&encryption_key, &encryption_key_ge); | ||||
| 
 | ||||
|     CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature64) == 1); | ||||
|     CHECK(expected == secp256k1_ecdsa_adaptor_recover(ctx, deckey32, &sig, adaptor_sig162, &encryption_key)); | ||||
|     CHECK(secp256k1_ecdsa_signature_parse_compact(CTX, &sig, signature64) == 1); | ||||
|     CHECK(expected == secp256k1_ecdsa_adaptor_recover(CTX, deckey32, &sig, adaptor_sig162, &encryption_key)); | ||||
|     if (decryption_key32 != NULL) { | ||||
|         CHECK(expected == !(secp256k1_memcmp_var(deckey32, decryption_key32, 32))); | ||||
|     } | ||||
| @ -777,7 +777,7 @@ void run_nonce_function_ecdsa_adaptor_tests(void) { | ||||
|     args[2] = pk; | ||||
|     args[3] = algo; | ||||
|     args[4] = aux_rand; | ||||
|     for (i = 0; i < count; i++) { | ||||
|     for (i = 0; i < COUNT; i++) { | ||||
|         nonce_function_ecdsa_adaptor_bitflip(args, 0, sizeof(msg), algolen); | ||||
|         nonce_function_ecdsa_adaptor_bitflip(args, 1, sizeof(key), algolen); | ||||
|         nonce_function_ecdsa_adaptor_bitflip(args, 2, sizeof(pk), algolen); | ||||
| @ -800,7 +800,7 @@ void run_nonce_function_ecdsa_adaptor_tests(void) { | ||||
|     CHECK(nonce_function_ecdsa_adaptor(nonce, msg, key, pk, dleq_algo, sizeof(dleq_algo), NULL) == 1); | ||||
| 
 | ||||
|     /* Different algolen gives different nonce */ | ||||
|     for (i = 0; i < count; i++) { | ||||
|     for (i = 0; i < COUNT; i++) { | ||||
|         unsigned char nonce2[32]; | ||||
|         uint32_t offset = secp256k1_testrand_int(algolen - 1); | ||||
|         size_t algolen_tmp = (algolen + offset) % algolen; | ||||
| @ -824,83 +824,85 @@ void test_ecdsa_adaptor_api(void) { | ||||
|     unsigned char deckey[32]; | ||||
| 
 | ||||
|     /** setup **/ | ||||
|     secp256k1_context *sttc = secp256k1_context_clone(secp256k1_context_static); | ||||
|     int ecount; | ||||
| 
 | ||||
|     secp256k1_context_set_error_callback(ctx, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_error_callback(sttc, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_illegal_callback(sttc, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_error_callback(CTX, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_error_callback(STATIC_CTX, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_illegal_callback(STATIC_CTX, counting_illegal_callback_fn, &ecount); | ||||
| 
 | ||||
|     secp256k1_testrand256(sk); | ||||
|     secp256k1_testrand256(msg); | ||||
|     secp256k1_testrand256(deckey); | ||||
|     CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, sk) == 1); | ||||
|     CHECK(secp256k1_ec_pubkey_create(ctx, &enckey, deckey) == 1); | ||||
|     CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, sk) == 1); | ||||
|     CHECK(secp256k1_ec_pubkey_create(CTX, &enckey, deckey) == 1); | ||||
|     memset(&zero_pk, 0, sizeof(zero_pk)); | ||||
| 
 | ||||
|     /** main test body **/ | ||||
|     ecount = 0; | ||||
|     CHECK(secp256k1_ecdsa_adaptor_encrypt(ctx, asig, sk, &enckey, msg, NULL, NULL) == 1); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_encrypt(CTX, asig, sk, &enckey, msg, NULL, NULL) == 1); | ||||
|     CHECK(ecount == 0); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_encrypt(sttc, asig, sk, &enckey, msg, NULL, NULL) == 0); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_encrypt(STATIC_CTX, asig, sk, &enckey, msg, NULL, NULL) == 0); | ||||
|     CHECK(ecount == 1); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_encrypt(ctx, NULL, sk, &enckey, msg, NULL, NULL) == 0); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_encrypt(CTX, NULL, sk, &enckey, msg, NULL, NULL) == 0); | ||||
|     CHECK(ecount == 2); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_encrypt(ctx, asig, sk, &enckey, NULL, NULL, NULL) == 0); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_encrypt(CTX, asig, sk, &enckey, NULL, NULL, NULL) == 0); | ||||
|     CHECK(ecount == 3); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_encrypt(ctx, asig, NULL, &enckey, msg, NULL, NULL) == 0); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_encrypt(CTX, asig, NULL, &enckey, msg, NULL, NULL) == 0); | ||||
|     CHECK(ecount == 4); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_encrypt(ctx, asig, sk, NULL, msg, NULL, NULL) == 0); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_encrypt(CTX, asig, sk, NULL, msg, NULL, NULL) == 0); | ||||
|     CHECK(ecount == 5); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_encrypt(ctx, asig, sk, &zero_pk, msg, NULL, NULL) == 0); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_encrypt(CTX, asig, sk, &zero_pk, msg, NULL, NULL) == 0); | ||||
|     CHECK(ecount == 6); | ||||
| 
 | ||||
|     ecount = 0; | ||||
|     CHECK(secp256k1_ecdsa_adaptor_encrypt(ctx, asig, sk, &enckey, msg, NULL, NULL) == 1); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_verify(ctx, asig, &pubkey, msg, &enckey) == 1); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_encrypt(CTX, asig, sk, &enckey, msg, NULL, NULL) == 1); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_verify(CTX, asig, &pubkey, msg, &enckey) == 1); | ||||
|     CHECK(ecount == 0); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_verify(ctx, NULL, &pubkey, msg, &enckey) == 0); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_verify(CTX, NULL, &pubkey, msg, &enckey) == 0); | ||||
|     CHECK(ecount == 1); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_verify(ctx, asig, &pubkey, NULL, &enckey) == 0); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_verify(CTX, asig, &pubkey, NULL, &enckey) == 0); | ||||
|     CHECK(ecount == 2); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_verify(ctx, asig, &pubkey, msg, NULL) == 0); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_verify(CTX, asig, &pubkey, msg, NULL) == 0); | ||||
|     CHECK(ecount == 3); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_verify(ctx, asig, NULL, msg, &enckey) == 0); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_verify(CTX, asig, NULL, msg, &enckey) == 0); | ||||
|     CHECK(ecount == 4); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_verify(ctx, asig, &zero_pk, msg, &enckey) == 0); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_verify(CTX, asig, &zero_pk, msg, &enckey) == 0); | ||||
|     CHECK(ecount == 5); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_verify(ctx, asig, &pubkey, msg, &zero_pk) == 0); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_verify(CTX, asig, &pubkey, msg, &zero_pk) == 0); | ||||
|     CHECK(ecount == 6); | ||||
| 
 | ||||
|     ecount = 0; | ||||
|     CHECK(secp256k1_ecdsa_adaptor_decrypt(ctx, &sig, deckey, asig) == 1); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_decrypt(ctx, &sig, deckey, asig) == 1); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_decrypt(ctx, NULL, deckey, asig) == 0); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_decrypt(CTX, &sig, deckey, asig) == 1); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_decrypt(CTX, &sig, deckey, asig) == 1); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_decrypt(CTX, NULL, deckey, asig) == 0); | ||||
|     CHECK(ecount == 1); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_decrypt(ctx, &sig, NULL, asig) == 0); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_decrypt(CTX, &sig, NULL, asig) == 0); | ||||
|     CHECK(ecount == 2); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_decrypt(ctx, &sig, deckey, NULL) == 0); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_decrypt(CTX, &sig, deckey, NULL) == 0); | ||||
|     CHECK(ecount == 3); | ||||
| 
 | ||||
|     ecount = 0; | ||||
|     CHECK(secp256k1_ecdsa_adaptor_decrypt(ctx, &sig, deckey, asig) == 1); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_recover(ctx, deckey, &sig, asig, &enckey) == 1); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_decrypt(CTX, &sig, deckey, asig) == 1); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_recover(CTX, deckey, &sig, asig, &enckey) == 1); | ||||
|     CHECK(ecount == 0); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_recover(sttc, deckey, &sig, asig, &enckey) == 0); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_recover(STATIC_CTX, deckey, &sig, asig, &enckey) == 0); | ||||
|     CHECK(ecount == 1); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_recover(ctx, NULL, &sig, asig, &enckey) == 0); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_recover(CTX, NULL, &sig, asig, &enckey) == 0); | ||||
|     CHECK(ecount == 2); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_recover(ctx, deckey, NULL, asig, &enckey) == 0); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_recover(CTX, deckey, NULL, asig, &enckey) == 0); | ||||
|     CHECK(ecount == 3); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_recover(ctx, deckey, &sig, NULL, &enckey) == 0); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_recover(CTX, deckey, &sig, NULL, &enckey) == 0); | ||||
|     CHECK(ecount == 4); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_recover(ctx, deckey, &sig, asig, NULL) == 0); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_recover(CTX, deckey, &sig, asig, NULL) == 0); | ||||
|     CHECK(ecount == 5); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_recover(ctx, deckey, &sig, asig, &zero_pk) == 0); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_recover(CTX, deckey, &sig, asig, &zero_pk) == 0); | ||||
|     CHECK(ecount == 6); | ||||
| 
 | ||||
|     secp256k1_context_destroy(sttc); | ||||
|     secp256k1_context_set_error_callback(CTX, NULL, NULL); | ||||
|     secp256k1_context_set_error_callback(STATIC_CTX, NULL, NULL); | ||||
|     secp256k1_context_set_illegal_callback(CTX, NULL, NULL); | ||||
|     secp256k1_context_set_illegal_callback(STATIC_CTX, NULL, NULL); | ||||
| } | ||||
| 
 | ||||
| void adaptor_tests(void) { | ||||
| @ -919,24 +921,24 @@ void adaptor_tests(void) { | ||||
|     secp256k1_testrand256(msg); | ||||
|     secp256k1_testrand256(deckey); | ||||
| 
 | ||||
|     CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, seckey) == 1); | ||||
|     CHECK(secp256k1_ec_pubkey_create(ctx, &enckey, deckey) == 1); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_encrypt(ctx, adaptor_sig, seckey, &enckey, msg, NULL, NULL) == 1); | ||||
|     CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, seckey) == 1); | ||||
|     CHECK(secp256k1_ec_pubkey_create(CTX, &enckey, deckey) == 1); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_encrypt(CTX, adaptor_sig, seckey, &enckey, msg, NULL, NULL) == 1); | ||||
| 
 | ||||
|     { | ||||
|         /* Test overflowing seckey */ | ||||
|         memset(big, 0xFF, 32); | ||||
|         CHECK(secp256k1_ecdsa_adaptor_encrypt(ctx, adaptor_sig, big, &enckey, msg, NULL, NULL) == 0); | ||||
|         CHECK(secp256k1_ecdsa_adaptor_encrypt(CTX, adaptor_sig, big, &enckey, msg, NULL, NULL) == 0); | ||||
|         CHECK(secp256k1_memcmp_var(adaptor_sig, zeros162, sizeof(adaptor_sig)) == 0); | ||||
| 
 | ||||
|         /* Test different nonce functions */ | ||||
|         memset(adaptor_sig, 1, sizeof(adaptor_sig)); | ||||
|         CHECK(secp256k1_ecdsa_adaptor_encrypt(ctx, adaptor_sig, seckey, &enckey, msg, ecdsa_adaptor_nonce_function_failing, NULL) == 0); | ||||
|         CHECK(secp256k1_ecdsa_adaptor_encrypt(CTX, adaptor_sig, seckey, &enckey, msg, ecdsa_adaptor_nonce_function_failing, NULL) == 0); | ||||
|         CHECK(secp256k1_memcmp_var(adaptor_sig, zeros162, sizeof(adaptor_sig)) == 0); | ||||
|         memset(&adaptor_sig, 1, sizeof(adaptor_sig)); | ||||
|         CHECK(secp256k1_ecdsa_adaptor_encrypt(ctx, adaptor_sig, seckey, &enckey, msg, ecdsa_adaptor_nonce_function_0, NULL) == 0); | ||||
|         CHECK(secp256k1_ecdsa_adaptor_encrypt(CTX, adaptor_sig, seckey, &enckey, msg, ecdsa_adaptor_nonce_function_0, NULL) == 0); | ||||
|         CHECK(secp256k1_memcmp_var(adaptor_sig, zeros162, sizeof(adaptor_sig)) == 0); | ||||
|         CHECK(secp256k1_ecdsa_adaptor_encrypt(ctx, adaptor_sig, seckey, &enckey, msg, ecdsa_adaptor_nonce_function_overflowing, NULL) == 1); | ||||
|         CHECK(secp256k1_ecdsa_adaptor_encrypt(CTX, adaptor_sig, seckey, &enckey, msg, ecdsa_adaptor_nonce_function_overflowing, NULL) == 1); | ||||
|         CHECK(secp256k1_memcmp_var(adaptor_sig, zeros162, sizeof(adaptor_sig)) != 0); | ||||
|     } | ||||
|     { | ||||
| @ -1008,14 +1010,14 @@ void adaptor_tests(void) { | ||||
|     } | ||||
| 
 | ||||
|     /* Test adaptor_sig_verify */ | ||||
|     CHECK(secp256k1_ecdsa_adaptor_verify(ctx, adaptor_sig, &pubkey, msg, &enckey) == 1); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_verify(ctx, adaptor_sig, &enckey, msg, &enckey) == 0); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_verify(ctx, adaptor_sig, &pubkey, msg, &pubkey) == 0); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_verify(CTX, adaptor_sig, &pubkey, msg, &enckey) == 1); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_verify(CTX, adaptor_sig, &enckey, msg, &enckey) == 0); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_verify(CTX, adaptor_sig, &pubkey, msg, &pubkey) == 0); | ||||
|     { | ||||
|         /* Test failed adaptor sig deserialization */ | ||||
|         unsigned char adaptor_sig_tmp[162]; | ||||
|         memset(&adaptor_sig_tmp, 0xFF, 162); | ||||
|         CHECK(secp256k1_ecdsa_adaptor_verify(ctx, adaptor_sig_tmp, &pubkey, msg, &enckey) == 0); | ||||
|         CHECK(secp256k1_ecdsa_adaptor_verify(CTX, adaptor_sig_tmp, &pubkey, msg, &enckey) == 0); | ||||
|     } | ||||
|     { | ||||
|         /* Test that any flipped bit in the adaptor signature will make
 | ||||
| @ -1023,13 +1025,13 @@ void adaptor_tests(void) { | ||||
|         unsigned char adaptor_sig_tmp[162]; | ||||
|         memcpy(adaptor_sig_tmp, adaptor_sig, sizeof(adaptor_sig_tmp)); | ||||
|         rand_flip_bit(&adaptor_sig_tmp[1], sizeof(adaptor_sig_tmp) - 1); | ||||
|         CHECK(secp256k1_ecdsa_adaptor_verify(ctx, adaptor_sig_tmp, &pubkey, msg, &enckey) == 0); | ||||
|         CHECK(secp256k1_ecdsa_adaptor_verify(CTX, adaptor_sig_tmp, &pubkey, msg, &enckey) == 0); | ||||
|     } | ||||
|     { | ||||
|         unsigned char msg_tmp[32]; | ||||
|         memcpy(msg_tmp, msg, sizeof(msg_tmp)); | ||||
|         rand_flip_bit(msg_tmp, sizeof(msg_tmp)); | ||||
|         CHECK(secp256k1_ecdsa_adaptor_verify(ctx, adaptor_sig, &pubkey, msg_tmp, &enckey) == 0); | ||||
|         CHECK(secp256k1_ecdsa_adaptor_verify(CTX, adaptor_sig, &pubkey, msg_tmp, &enckey) == 0); | ||||
|     } | ||||
|     { | ||||
|         /* Verification must check that the derived R' is not equal to the point at
 | ||||
| @ -1068,24 +1070,24 @@ void adaptor_tests(void) { | ||||
| 
 | ||||
|         /* X := G */ | ||||
|         seckey_tmp[31] = 1; | ||||
|         CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey_tmp, seckey_tmp) == 1); | ||||
|         CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey_tmp, seckey_tmp) == 1); | ||||
| 
 | ||||
|         /* sp := sigr */ | ||||
|         memcpy(adaptor_sig_tmp, adaptor_sig, sizeof(adaptor_sig_tmp)); | ||||
|         memcpy(&adaptor_sig_tmp[66], &adaptor_sig_tmp[1], 32); | ||||
| 
 | ||||
|         CHECK(secp256k1_ecdsa_adaptor_verify(ctx, adaptor_sig_tmp, &pubkey_tmp, msg_tmp, &enckey) == 0); | ||||
|         CHECK(secp256k1_ecdsa_adaptor_verify(CTX, adaptor_sig_tmp, &pubkey_tmp, msg_tmp, &enckey) == 0); | ||||
|     } | ||||
| 
 | ||||
|     /* Test decryption */ | ||||
|     CHECK(secp256k1_ecdsa_adaptor_decrypt(ctx, &sig, deckey, adaptor_sig) == 1); | ||||
|     CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_decrypt(CTX, &sig, deckey, adaptor_sig) == 1); | ||||
|     CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg, &pubkey) == 1); | ||||
| 
 | ||||
|     { | ||||
|         /* Test overflowing decryption key */ | ||||
|         secp256k1_ecdsa_signature s; | ||||
|         memset(big, 0xFF, 32); | ||||
|         CHECK(secp256k1_ecdsa_adaptor_decrypt(ctx, &s, big, adaptor_sig) == 0); | ||||
|         CHECK(secp256k1_ecdsa_adaptor_decrypt(CTX, &s, big, adaptor_sig) == 0); | ||||
|         CHECK(secp256k1_memcmp_var(&s.data[0], zeros64, sizeof(&s.data[0])) == 0); | ||||
|     } | ||||
|     { | ||||
| @ -1093,13 +1095,13 @@ void adaptor_tests(void) { | ||||
|         unsigned char decryption_key_tmp[32]; | ||||
|         unsigned char adaptor_sig_tmp[162]; | ||||
| 
 | ||||
|         CHECK(secp256k1_ecdsa_adaptor_recover(ctx, decryption_key_tmp, &sig, adaptor_sig, &enckey) == 1); | ||||
|         CHECK(secp256k1_ecdsa_adaptor_recover(CTX, decryption_key_tmp, &sig, adaptor_sig, &enckey) == 1); | ||||
|         CHECK(secp256k1_memcmp_var(deckey, decryption_key_tmp, sizeof(deckey)) == 0); | ||||
| 
 | ||||
|         /* Test failed sp deserialization */ | ||||
|         memcpy(adaptor_sig_tmp, adaptor_sig, sizeof(adaptor_sig_tmp)); | ||||
|         memset(&adaptor_sig_tmp[66], 0xFF, 32); | ||||
|         CHECK(secp256k1_ecdsa_adaptor_recover(ctx, decryption_key_tmp, &sig, adaptor_sig_tmp, &enckey) == 0); | ||||
|         CHECK(secp256k1_ecdsa_adaptor_recover(CTX, decryption_key_tmp, &sig, adaptor_sig_tmp, &enckey) == 0); | ||||
|     } | ||||
| } | ||||
| 
 | ||||
| @ -1123,13 +1125,13 @@ void multi_hop_lock_tests(void) { | ||||
|     secp256k1_testrand256(seckey_a); | ||||
|     secp256k1_testrand256(seckey_b); | ||||
| 
 | ||||
|     CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey_a, seckey_a)); | ||||
|     CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey_b, seckey_b)); | ||||
|     CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey_a, seckey_a)); | ||||
|     CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey_b, seckey_b)); | ||||
| 
 | ||||
|     /* Carol setup */ | ||||
|     /* Proof of payment */ | ||||
|     secp256k1_testrand256(pop); | ||||
|     CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey_pop, pop)); | ||||
|     CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey_pop, pop)); | ||||
| 
 | ||||
|     /* Alice setup */ | ||||
|     secp256k1_testrand256(tx_ab); | ||||
| @ -1137,39 +1139,39 @@ void multi_hop_lock_tests(void) { | ||||
|     rand_scalar(&t2); | ||||
|     secp256k1_scalar_add(&tp, &t1, &t2); | ||||
|     /* Left lock */ | ||||
|     secp256k1_pubkey_load(ctx, &l_ge, &pubkey_pop); | ||||
|     secp256k1_pubkey_load(CTX, &l_ge, &pubkey_pop); | ||||
|     CHECK(secp256k1_eckey_pubkey_tweak_add(&l_ge, &t1)); | ||||
|     secp256k1_pubkey_save(&l, &l_ge); | ||||
|     /* Right lock */ | ||||
|     secp256k1_pubkey_load(ctx, &r_ge, &pubkey_pop); | ||||
|     secp256k1_pubkey_load(CTX, &r_ge, &pubkey_pop); | ||||
|     CHECK(secp256k1_eckey_pubkey_tweak_add(&r_ge, &tp)); | ||||
|     secp256k1_pubkey_save(&r, &r_ge); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_encrypt(ctx, asig_ab, seckey_a, &l, tx_ab, NULL, NULL)); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_encrypt(CTX, asig_ab, seckey_a, &l, tx_ab, NULL, NULL)); | ||||
| 
 | ||||
|     /* Bob setup */ | ||||
|     CHECK(secp256k1_ecdsa_adaptor_verify(ctx, asig_ab, &pubkey_a, tx_ab, &l)); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_verify(CTX, asig_ab, &pubkey_a, tx_ab, &l)); | ||||
|     secp256k1_testrand256(tx_bc); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_encrypt(ctx, asig_bc, seckey_b, &r, tx_bc, NULL, NULL)); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_encrypt(CTX, asig_bc, seckey_b, &r, tx_bc, NULL, NULL)); | ||||
| 
 | ||||
|     /* Carol decrypt */ | ||||
|     CHECK(secp256k1_ecdsa_adaptor_verify(ctx, asig_bc, &pubkey_b, tx_bc, &r)); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_verify(CTX, asig_bc, &pubkey_b, tx_bc, &r)); | ||||
|     secp256k1_scalar_set_b32(&deckey, pop, NULL); | ||||
|     secp256k1_scalar_add(&deckey, &deckey, &tp); | ||||
|     secp256k1_scalar_get_b32(buf, &deckey); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_decrypt(ctx, &sig_bc, buf, asig_bc)); | ||||
|     CHECK(secp256k1_ecdsa_verify(ctx, &sig_bc, tx_bc, &pubkey_b)); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_decrypt(CTX, &sig_bc, buf, asig_bc)); | ||||
|     CHECK(secp256k1_ecdsa_verify(CTX, &sig_bc, tx_bc, &pubkey_b)); | ||||
| 
 | ||||
|     /* Bob recover and decrypt */ | ||||
|     CHECK(secp256k1_ecdsa_adaptor_recover(ctx, buf, &sig_bc, asig_bc, &r)); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_recover(CTX, buf, &sig_bc, asig_bc, &r)); | ||||
|     secp256k1_scalar_set_b32(&deckey, buf, NULL); | ||||
|     secp256k1_scalar_negate(&t2, &t2); | ||||
|     secp256k1_scalar_add(&deckey, &deckey, &t2); | ||||
|     secp256k1_scalar_get_b32(buf, &deckey); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_decrypt(ctx, &sig_ab, buf, asig_ab)); | ||||
|     CHECK(secp256k1_ecdsa_verify(ctx, &sig_ab, tx_ab, &pubkey_a)); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_decrypt(CTX, &sig_ab, buf, asig_ab)); | ||||
|     CHECK(secp256k1_ecdsa_verify(CTX, &sig_ab, tx_ab, &pubkey_a)); | ||||
| 
 | ||||
|     /* Alice recover and derive proof of payment */ | ||||
|     CHECK(secp256k1_ecdsa_adaptor_recover(ctx, buf, &sig_ab, asig_ab, &l)); | ||||
|     CHECK(secp256k1_ecdsa_adaptor_recover(CTX, buf, &sig_ab, asig_ab, &l)); | ||||
|     secp256k1_scalar_set_b32(&deckey, buf, NULL); | ||||
|     secp256k1_scalar_negate(&t1, &t1); | ||||
|     secp256k1_scalar_add(&deckey, &deckey, &t1); | ||||
| @ -1183,13 +1185,13 @@ void run_ecdsa_adaptor_tests(void) { | ||||
| 
 | ||||
|     test_ecdsa_adaptor_api(); | ||||
|     test_ecdsa_adaptor_spec_vectors(); | ||||
|     for (i = 0; i < count; i++) { | ||||
|     for (i = 0; i < COUNT; i++) { | ||||
|         dleq_tests(); | ||||
|     } | ||||
|     for (i = 0; i < count; i++) { | ||||
|     for (i = 0; i < COUNT; i++) { | ||||
|         adaptor_tests(); | ||||
|     } | ||||
|     for (i = 0; i < count; i++) { | ||||
|     for (i = 0; i < COUNT; i++) { | ||||
|         multi_hop_lock_tests(); | ||||
|     } | ||||
| } | ||||
|  | ||||
| @ -43,39 +43,39 @@ void run_s2c_opening_test(void) { | ||||
|     secp256k1_ecdsa_s2c_opening opening; | ||||
|     int32_t ecount = 0; | ||||
| 
 | ||||
|     secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount); | ||||
| 
 | ||||
|     /* First parsing, then serializing works */ | ||||
|     CHECK(secp256k1_ecdsa_s2c_opening_parse(ctx, &opening, input) == 1); | ||||
|     CHECK(secp256k1_ecdsa_s2c_opening_serialize(ctx, output, &opening) == 1); | ||||
|     CHECK(secp256k1_ecdsa_s2c_opening_parse(ctx, &opening, input) == 1); | ||||
|     CHECK(secp256k1_ecdsa_s2c_opening_parse(CTX, &opening, input) == 1); | ||||
|     CHECK(secp256k1_ecdsa_s2c_opening_serialize(CTX, output, &opening) == 1); | ||||
|     CHECK(secp256k1_ecdsa_s2c_opening_parse(CTX, &opening, input) == 1); | ||||
|     CHECK(ecount == 0); | ||||
| 
 | ||||
|     CHECK(secp256k1_ecdsa_s2c_opening_parse(ctx, NULL, input) == 0); | ||||
|     CHECK(secp256k1_ecdsa_s2c_opening_parse(CTX, NULL, input) == 0); | ||||
|     CHECK(ecount == 1); | ||||
|     CHECK(secp256k1_ecdsa_s2c_opening_parse(ctx, &opening, NULL) == 0); | ||||
|     CHECK(secp256k1_ecdsa_s2c_opening_parse(CTX, &opening, NULL) == 0); | ||||
|     CHECK(ecount == 2); | ||||
|     CHECK(secp256k1_ecdsa_s2c_opening_parse(ctx, &opening, input) == 1); | ||||
|     CHECK(secp256k1_ecdsa_s2c_opening_parse(CTX, &opening, input) == 1); | ||||
| 
 | ||||
|     CHECK(secp256k1_ecdsa_s2c_opening_serialize(ctx, NULL, &opening) == 0); | ||||
|     CHECK(secp256k1_ecdsa_s2c_opening_serialize(CTX, NULL, &opening) == 0); | ||||
|     CHECK(ecount == 3); | ||||
|     CHECK(secp256k1_ecdsa_s2c_opening_serialize(ctx, output, NULL) == 0); | ||||
|     CHECK(secp256k1_ecdsa_s2c_opening_serialize(CTX, output, NULL) == 0); | ||||
| 
 | ||||
|     CHECK(ecount == 4); | ||||
|     /* Invalid pubkey makes parsing fail */ | ||||
|     input[0] = 0;  /* bad oddness bit */ | ||||
|     CHECK(secp256k1_ecdsa_s2c_opening_parse(ctx, &opening, input) == 0); | ||||
|     CHECK(secp256k1_ecdsa_s2c_opening_parse(CTX, &opening, input) == 0); | ||||
|     input[0] = 2; | ||||
|     input[31] = 1; /* point not on the curve */ | ||||
|     CHECK(secp256k1_ecdsa_s2c_opening_parse(ctx, &opening, input) == 0); | ||||
|     CHECK(secp256k1_ecdsa_s2c_opening_parse(CTX, &opening, input) == 0); | ||||
|     CHECK(ecount == 4); /* neither of the above are API errors */ | ||||
| 
 | ||||
|     /* Try parsing and serializing a bunch of openings */ | ||||
|     for (i = 0; i < count; i++) { | ||||
|     for (i = 0; i < COUNT; i++) { | ||||
|         /* This is expected to fail in about 50% of iterations because the
 | ||||
|          * points' x-coordinates are uniformly random */ | ||||
|         if (secp256k1_ecdsa_s2c_opening_parse(ctx, &opening, input) == 1) { | ||||
|             CHECK(secp256k1_ecdsa_s2c_opening_serialize(ctx, output, &opening) == 1); | ||||
|         if (secp256k1_ecdsa_s2c_opening_parse(CTX, &opening, input) == 1) { | ||||
|             CHECK(secp256k1_ecdsa_s2c_opening_serialize(CTX, output, &opening) == 1); | ||||
|             CHECK(secp256k1_memcmp_var(output, input, sizeof(output)) == 0); | ||||
|         } | ||||
|         secp256k1_testrand256(&input[1]); | ||||
| @ -83,11 +83,10 @@ void run_s2c_opening_test(void) { | ||||
|         input[0] = (input[1] & 1) + 2; | ||||
|     } | ||||
| 
 | ||||
|     secp256k1_context_set_illegal_callback(CTX, NULL, NULL); | ||||
| } | ||||
| 
 | ||||
| static void test_ecdsa_s2c_api(void) { | ||||
|     secp256k1_context *sttc = secp256k1_context_clone(secp256k1_context_static); | ||||
| 
 | ||||
|     secp256k1_ecdsa_s2c_opening s2c_opening; | ||||
|     secp256k1_ecdsa_signature sig; | ||||
|     const unsigned char msg[32] = "mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm"; | ||||
| @ -98,96 +97,97 @@ static void test_ecdsa_s2c_api(void) { | ||||
|     secp256k1_pubkey pk; | ||||
| 
 | ||||
|     int32_t ecount; | ||||
|     secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_illegal_callback(sttc, counting_illegal_callback_fn, &ecount); | ||||
|     CHECK(secp256k1_ec_pubkey_create(ctx, &pk, sec)); | ||||
|     secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_illegal_callback(STATIC_CTX, counting_illegal_callback_fn, &ecount); | ||||
|     CHECK(secp256k1_ec_pubkey_create(CTX, &pk, sec)); | ||||
| 
 | ||||
|     ecount = 0; | ||||
|     CHECK(secp256k1_ecdsa_s2c_sign(ctx, NULL, &s2c_opening, msg, sec, s2c_data) == 0); | ||||
|     CHECK(secp256k1_ecdsa_s2c_sign(CTX, NULL, &s2c_opening, msg, sec, s2c_data) == 0); | ||||
|     CHECK(ecount == 1); | ||||
|     CHECK(secp256k1_ecdsa_s2c_sign(ctx, &sig, NULL, msg, sec, s2c_data) == 1); | ||||
|     CHECK(secp256k1_ecdsa_s2c_sign(CTX, &sig, NULL, msg, sec, s2c_data) == 1); | ||||
|     CHECK(ecount == 1); /* NULL opening is not an API error */ | ||||
|     CHECK(secp256k1_ecdsa_s2c_sign(ctx, &sig, &s2c_opening, NULL, sec, s2c_data) == 0); | ||||
|     CHECK(secp256k1_ecdsa_s2c_sign(CTX, &sig, &s2c_opening, NULL, sec, s2c_data) == 0); | ||||
|     CHECK(ecount == 2); | ||||
|     CHECK(secp256k1_ecdsa_s2c_sign(ctx, &sig, &s2c_opening, msg, NULL, s2c_data) == 0); | ||||
|     CHECK(secp256k1_ecdsa_s2c_sign(CTX, &sig, &s2c_opening, msg, NULL, s2c_data) == 0); | ||||
|     CHECK(ecount == 3); | ||||
|     CHECK(secp256k1_ecdsa_s2c_sign(ctx, &sig, &s2c_opening, msg, sec, NULL) == 0); | ||||
|     CHECK(secp256k1_ecdsa_s2c_sign(CTX, &sig, &s2c_opening, msg, sec, NULL) == 0); | ||||
|     CHECK(ecount == 4); | ||||
|     CHECK(secp256k1_ecdsa_s2c_sign(ctx, &sig, &s2c_opening, msg, sec, s2c_data) == 1); | ||||
|     CHECK(secp256k1_ecdsa_s2c_sign(CTX, &sig, &s2c_opening, msg, sec, s2c_data) == 1); | ||||
|     CHECK(ecount == 4); | ||||
|     CHECK(secp256k1_ecdsa_s2c_sign(sttc, &sig, &s2c_opening, msg, sec, s2c_data) == 0); | ||||
|     CHECK(secp256k1_ecdsa_s2c_sign(STATIC_CTX, &sig, &s2c_opening, msg, sec, s2c_data) == 0); | ||||
|     CHECK(ecount == 5); | ||||
| 
 | ||||
|     CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pk) == 1); | ||||
|     CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg, &pk) == 1); | ||||
| 
 | ||||
|     ecount = 0; | ||||
|     CHECK(secp256k1_ecdsa_s2c_verify_commit(ctx, NULL, s2c_data, &s2c_opening) == 0); | ||||
|     CHECK(secp256k1_ecdsa_s2c_verify_commit(CTX, NULL, s2c_data, &s2c_opening) == 0); | ||||
|     CHECK(ecount == 1); | ||||
|     CHECK(secp256k1_ecdsa_s2c_verify_commit(ctx, &sig, NULL, &s2c_opening) == 0); | ||||
|     CHECK(secp256k1_ecdsa_s2c_verify_commit(CTX, &sig, NULL, &s2c_opening) == 0); | ||||
|     CHECK(ecount == 2); | ||||
|     CHECK(secp256k1_ecdsa_s2c_verify_commit(ctx, &sig, s2c_data, NULL) == 0); | ||||
|     CHECK(secp256k1_ecdsa_s2c_verify_commit(CTX, &sig, s2c_data, NULL) == 0); | ||||
|     CHECK(ecount == 3); | ||||
|     CHECK(secp256k1_ecdsa_s2c_verify_commit(ctx, &sig, s2c_data, &s2c_opening) == 1); | ||||
|     CHECK(secp256k1_ecdsa_s2c_verify_commit(CTX, &sig, s2c_data, &s2c_opening) == 1); | ||||
|     CHECK(ecount == 3); | ||||
|     CHECK(secp256k1_ecdsa_s2c_verify_commit(ctx, &sig, sec, &s2c_opening) == 0); | ||||
|     CHECK(secp256k1_ecdsa_s2c_verify_commit(CTX, &sig, sec, &s2c_opening) == 0); | ||||
|     CHECK(ecount == 3); /* wrong data is not an API error */ | ||||
| 
 | ||||
|     /* Signing with NULL s2c_opening gives the same result */ | ||||
|     CHECK(secp256k1_ecdsa_s2c_sign(ctx, &sig, NULL, msg, sec, s2c_data) == 1); | ||||
|     CHECK(secp256k1_ecdsa_s2c_verify_commit(ctx, &sig, s2c_data, &s2c_opening) == 1); | ||||
|     CHECK(secp256k1_ecdsa_s2c_sign(CTX, &sig, NULL, msg, sec, s2c_data) == 1); | ||||
|     CHECK(secp256k1_ecdsa_s2c_verify_commit(CTX, &sig, s2c_data, &s2c_opening) == 1); | ||||
| 
 | ||||
|     /* anti-exfil */ | ||||
|     ecount = 0; | ||||
|     CHECK(secp256k1_ecdsa_anti_exfil_host_commit(ctx, NULL, hostrand) == 0); | ||||
|     CHECK(secp256k1_ecdsa_anti_exfil_host_commit(CTX, NULL, hostrand) == 0); | ||||
|     CHECK(ecount == 1); | ||||
|     CHECK(secp256k1_ecdsa_anti_exfil_host_commit(ctx, hostrand_commitment, NULL) == 0); | ||||
|     CHECK(secp256k1_ecdsa_anti_exfil_host_commit(CTX, hostrand_commitment, NULL) == 0); | ||||
|     CHECK(ecount == 2); | ||||
|     CHECK(secp256k1_ecdsa_anti_exfil_host_commit(ctx, hostrand_commitment, hostrand) == 1); | ||||
|     CHECK(secp256k1_ecdsa_anti_exfil_host_commit(CTX, hostrand_commitment, hostrand) == 1); | ||||
|     CHECK(ecount == 2); | ||||
| 
 | ||||
|     ecount = 0; | ||||
|     CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(ctx, NULL, msg, sec, hostrand_commitment) == 0); | ||||
|     CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(CTX, NULL, msg, sec, hostrand_commitment) == 0); | ||||
|     CHECK(ecount == 1); | ||||
|     CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(ctx, &s2c_opening, NULL, sec, hostrand_commitment) == 0); | ||||
|     CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(CTX, &s2c_opening, NULL, sec, hostrand_commitment) == 0); | ||||
|     CHECK(ecount == 2); | ||||
|     CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(ctx, &s2c_opening, msg, NULL, hostrand_commitment) == 0); | ||||
|     CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(CTX, &s2c_opening, msg, NULL, hostrand_commitment) == 0); | ||||
|     CHECK(ecount == 3); | ||||
|     CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(ctx, &s2c_opening, msg, sec, NULL) == 0); | ||||
|     CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(CTX, &s2c_opening, msg, sec, NULL) == 0); | ||||
|     CHECK(ecount == 4); | ||||
|     CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(ctx, &s2c_opening, msg, sec, hostrand_commitment) == 1); | ||||
|     CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(CTX, &s2c_opening, msg, sec, hostrand_commitment) == 1); | ||||
|     CHECK(ecount == 4); | ||||
|     CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(sttc, &s2c_opening, msg, sec, hostrand_commitment) == 0); | ||||
|     CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(STATIC_CTX, &s2c_opening, msg, sec, hostrand_commitment) == 0); | ||||
|     CHECK(ecount == 5); | ||||
| 
 | ||||
|     ecount = 0; | ||||
|     CHECK(secp256k1_anti_exfil_sign(ctx, NULL, msg, sec, hostrand) == 0); | ||||
|     CHECK(secp256k1_anti_exfil_sign(CTX, NULL, msg, sec, hostrand) == 0); | ||||
|     CHECK(ecount == 1); | ||||
|     CHECK(secp256k1_anti_exfil_sign(ctx, &sig, NULL, sec, hostrand) == 0); | ||||
|     CHECK(secp256k1_anti_exfil_sign(CTX, &sig, NULL, sec, hostrand) == 0); | ||||
|     CHECK(ecount == 2); | ||||
|     CHECK(secp256k1_anti_exfil_sign(ctx, &sig, msg, NULL, hostrand) == 0); | ||||
|     CHECK(secp256k1_anti_exfil_sign(CTX, &sig, msg, NULL, hostrand) == 0); | ||||
|     CHECK(ecount == 3); | ||||
|     CHECK(secp256k1_anti_exfil_sign(ctx, &sig, msg, sec, NULL) == 0); | ||||
|     CHECK(secp256k1_anti_exfil_sign(CTX, &sig, msg, sec, NULL) == 0); | ||||
|     CHECK(ecount == 4); | ||||
|     CHECK(secp256k1_anti_exfil_sign(ctx, &sig, msg, sec, hostrand) == 1); | ||||
|     CHECK(secp256k1_anti_exfil_sign(CTX, &sig, msg, sec, hostrand) == 1); | ||||
|     CHECK(ecount == 4); | ||||
|     CHECK(secp256k1_anti_exfil_sign(sttc, &sig, msg, sec, hostrand) == 0); | ||||
|     CHECK(secp256k1_anti_exfil_sign(STATIC_CTX, &sig, msg, sec, hostrand) == 0); | ||||
|     CHECK(ecount == 5); | ||||
| 
 | ||||
|     ecount = 0; | ||||
|     CHECK(secp256k1_anti_exfil_host_verify(ctx, NULL, msg, &pk, hostrand, &s2c_opening) == 0); | ||||
|     CHECK(secp256k1_anti_exfil_host_verify(CTX, NULL, msg, &pk, hostrand, &s2c_opening) == 0); | ||||
|     CHECK(ecount == 1); | ||||
|     CHECK(secp256k1_anti_exfil_host_verify(ctx, &sig, NULL, &pk, hostrand, &s2c_opening) == 0); | ||||
|     CHECK(secp256k1_anti_exfil_host_verify(CTX, &sig, NULL, &pk, hostrand, &s2c_opening) == 0); | ||||
|     CHECK(ecount == 2); | ||||
|     CHECK(secp256k1_anti_exfil_host_verify(ctx, &sig, msg, NULL, hostrand, &s2c_opening) == 0); | ||||
|     CHECK(secp256k1_anti_exfil_host_verify(CTX, &sig, msg, NULL, hostrand, &s2c_opening) == 0); | ||||
|     CHECK(ecount == 3); | ||||
|     CHECK(secp256k1_anti_exfil_host_verify(ctx, &sig, msg, &pk, NULL, &s2c_opening) == 0); | ||||
|     CHECK(secp256k1_anti_exfil_host_verify(CTX, &sig, msg, &pk, NULL, &s2c_opening) == 0); | ||||
|     CHECK(ecount == 4); | ||||
|     CHECK(secp256k1_anti_exfil_host_verify(ctx, &sig, msg, &pk, hostrand, NULL) == 0); | ||||
|     CHECK(secp256k1_anti_exfil_host_verify(CTX, &sig, msg, &pk, hostrand, NULL) == 0); | ||||
|     CHECK(ecount == 5); | ||||
|     CHECK(secp256k1_anti_exfil_host_verify(ctx, &sig, msg, &pk, hostrand, &s2c_opening) == 1); | ||||
|     CHECK(secp256k1_anti_exfil_host_verify(CTX, &sig, msg, &pk, hostrand, &s2c_opening) == 1); | ||||
|     CHECK(ecount == 5); | ||||
| 
 | ||||
|     secp256k1_context_destroy(sttc); | ||||
|     secp256k1_context_set_illegal_callback(CTX, NULL, NULL); | ||||
|     secp256k1_context_set_illegal_callback(STATIC_CTX, NULL, NULL); | ||||
| } | ||||
| 
 | ||||
| /* When using sign-to-contract commitments, the nonce function is fixed, so we can use fixtures to test. */ | ||||
| @ -229,10 +229,10 @@ static void test_ecdsa_s2c_fixed_vectors(void) { | ||||
|         unsigned char opening_ser[33]; | ||||
|         const ecdsa_s2c_test *test = &ecdsa_s2c_tests[i]; | ||||
|         secp256k1_ecdsa_signature signature; | ||||
|         CHECK(secp256k1_ecdsa_s2c_sign(ctx, &signature, &s2c_opening, message, privkey, test->s2c_data) == 1); | ||||
|         CHECK(secp256k1_ecdsa_s2c_opening_serialize(ctx, opening_ser, &s2c_opening) == 1); | ||||
|         CHECK(secp256k1_ecdsa_s2c_sign(CTX, &signature, &s2c_opening, message, privkey, test->s2c_data) == 1); | ||||
|         CHECK(secp256k1_ecdsa_s2c_opening_serialize(CTX, opening_ser, &s2c_opening) == 1); | ||||
|         CHECK(secp256k1_memcmp_var(test->expected_s2c_opening, opening_ser, sizeof(opening_ser)) == 0); | ||||
|         CHECK(secp256k1_ecdsa_s2c_verify_commit(ctx, &signature, test->s2c_data, &s2c_opening) == 1); | ||||
|         CHECK(secp256k1_ecdsa_s2c_verify_commit(CTX, &signature, test->s2c_data, &s2c_opening) == 1); | ||||
|     } | ||||
| } | ||||
| 
 | ||||
| @ -251,7 +251,7 @@ static void test_ecdsa_s2c_sign_verify(void) { | ||||
|         secp256k1_scalar key; | ||||
|         random_scalar_order_test(&key); | ||||
|         secp256k1_scalar_get_b32(privkey, &key); | ||||
|         CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1); | ||||
|         CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, privkey) == 1); | ||||
| 
 | ||||
|         secp256k1_testrand256_test(message); | ||||
|         secp256k1_testrand256_test(noncedata); | ||||
| @ -262,28 +262,28 @@ static void test_ecdsa_s2c_sign_verify(void) { | ||||
|     { /* invalid privkeys */ | ||||
|         unsigned char zero_privkey[32] = {0}; | ||||
|         unsigned char overflow_privkey[32] = "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"; | ||||
|         CHECK(secp256k1_ecdsa_s2c_sign(ctx, &signature, NULL, message, zero_privkey, s2c_data) == 0); | ||||
|         CHECK(secp256k1_ecdsa_s2c_sign(ctx, &signature, NULL, message, overflow_privkey, s2c_data) == 0); | ||||
|         CHECK(secp256k1_ecdsa_s2c_sign(CTX, &signature, NULL, message, zero_privkey, s2c_data) == 0); | ||||
|         CHECK(secp256k1_ecdsa_s2c_sign(CTX, &signature, NULL, message, overflow_privkey, s2c_data) == 0); | ||||
|     } | ||||
|     /* Check that the sign-to-contract signature is valid, with s2c_data. Also check the commitment. */ | ||||
|     { | ||||
|         CHECK(secp256k1_ecdsa_s2c_sign(ctx, &signature, &s2c_opening, message, privkey, s2c_data) == 1); | ||||
|         CHECK(secp256k1_ecdsa_verify(ctx, &signature, message, &pubkey) == 1); | ||||
|         CHECK(secp256k1_ecdsa_s2c_verify_commit(ctx, &signature, s2c_data, &s2c_opening) == 1); | ||||
|         CHECK(secp256k1_ecdsa_s2c_sign(CTX, &signature, &s2c_opening, message, privkey, s2c_data) == 1); | ||||
|         CHECK(secp256k1_ecdsa_verify(CTX, &signature, message, &pubkey) == 1); | ||||
|         CHECK(secp256k1_ecdsa_s2c_verify_commit(CTX, &signature, s2c_data, &s2c_opening) == 1); | ||||
|     } | ||||
|     /* Check that an invalid commitment does not verify */ | ||||
|     { | ||||
|         unsigned char sigbytes[64]; | ||||
|         size_t i; | ||||
|         CHECK(secp256k1_ecdsa_s2c_sign(ctx, &signature, &s2c_opening, message, privkey, s2c_data) == 1); | ||||
|         CHECK(secp256k1_ecdsa_verify(ctx, &signature, message, &pubkey) == 1); | ||||
|         CHECK(secp256k1_ecdsa_s2c_sign(CTX, &signature, &s2c_opening, message, privkey, s2c_data) == 1); | ||||
|         CHECK(secp256k1_ecdsa_verify(CTX, &signature, message, &pubkey) == 1); | ||||
| 
 | ||||
|         CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, sigbytes, &signature) == 1); | ||||
|         CHECK(secp256k1_ecdsa_signature_serialize_compact(CTX, sigbytes, &signature) == 1); | ||||
|         for(i = 0; i < 32; i++) { | ||||
|             /* change one byte */ | ||||
|             sigbytes[i] = (((int)sigbytes[i]) + 1) % 256; | ||||
|             CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &signature, sigbytes) == 1); | ||||
|             CHECK(secp256k1_ecdsa_s2c_verify_commit(ctx, &signature, s2c_data, &s2c_opening) == 0); | ||||
|             CHECK(secp256k1_ecdsa_signature_parse_compact(CTX, &signature, sigbytes) == 1); | ||||
|             CHECK(secp256k1_ecdsa_s2c_verify_commit(CTX, &signature, s2c_data, &s2c_opening) == 0); | ||||
|             /* revert */ | ||||
|             sigbytes[i] = (((int)sigbytes[i]) + 255) % 256; | ||||
|         } | ||||
| @ -305,8 +305,8 @@ static void test_ecdsa_anti_exfil_signer_commit(void) { | ||||
|         secp256k1_ecdsa_s2c_opening s2c_opening; | ||||
|         unsigned char buf[33]; | ||||
|         const ecdsa_s2c_test *test = &ecdsa_s2c_tests[i]; | ||||
|         CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(ctx, &s2c_opening, message, privkey, test->s2c_data) == 1); | ||||
|         CHECK(secp256k1_ecdsa_s2c_opening_serialize(ctx, buf, &s2c_opening) == 1); | ||||
|         CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(CTX, &s2c_opening, message, privkey, test->s2c_data) == 1); | ||||
|         CHECK(secp256k1_ecdsa_s2c_opening_serialize(CTX, buf, &s2c_opening) == 1); | ||||
|         CHECK(secp256k1_memcmp_var(test->expected_s2c_exfil_opening, buf, sizeof(buf)) == 0); | ||||
|     } | ||||
| } | ||||
| @ -326,53 +326,53 @@ static void test_ecdsa_anti_exfil(void) { | ||||
|         secp256k1_scalar key; | ||||
|         random_scalar_order_test(&key); | ||||
|         secp256k1_scalar_get_b32(signer_privkey, &key); | ||||
|         CHECK(secp256k1_ec_pubkey_create(ctx, &signer_pubkey, signer_privkey) == 1); | ||||
|         CHECK(secp256k1_ec_pubkey_create(CTX, &signer_pubkey, signer_privkey) == 1); | ||||
|         secp256k1_testrand256_test(host_msg); | ||||
|         secp256k1_testrand256_test(host_nonce_contribution); | ||||
|     } | ||||
| 
 | ||||
|     /* Protocol step 1. */ | ||||
|     CHECK(secp256k1_ecdsa_anti_exfil_host_commit(ctx, host_commitment, host_nonce_contribution) == 1); | ||||
|     CHECK(secp256k1_ecdsa_anti_exfil_host_commit(CTX, host_commitment, host_nonce_contribution) == 1); | ||||
|     /* Protocol step 2. */ | ||||
|     CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(ctx, &s2c_opening, host_msg, signer_privkey, host_commitment) == 1); | ||||
|     CHECK(secp256k1_ecdsa_anti_exfil_signer_commit(CTX, &s2c_opening, host_msg, signer_privkey, host_commitment) == 1); | ||||
|     /* Protocol step 3: host_nonce_contribution send to signer to be used in step 4. */ | ||||
|     /* Protocol step 4. */ | ||||
|     CHECK(secp256k1_anti_exfil_sign(ctx, &signature, host_msg, signer_privkey, host_nonce_contribution) == 1); | ||||
|     CHECK(secp256k1_anti_exfil_sign(CTX, &signature, host_msg, signer_privkey, host_nonce_contribution) == 1); | ||||
|     /* Protocol step 5. */ | ||||
|     CHECK(secp256k1_anti_exfil_host_verify(ctx, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 1); | ||||
|     CHECK(secp256k1_anti_exfil_host_verify(CTX, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 1); | ||||
|     /* Protocol step 5 (explicitly) */ | ||||
|     CHECK(secp256k1_ecdsa_s2c_verify_commit(ctx, &signature, host_nonce_contribution, &s2c_opening) == 1); | ||||
|     CHECK(secp256k1_ecdsa_verify(ctx, &signature, host_msg, &signer_pubkey) == 1); | ||||
|     CHECK(secp256k1_ecdsa_s2c_verify_commit(CTX, &signature, host_nonce_contribution, &s2c_opening) == 1); | ||||
|     CHECK(secp256k1_ecdsa_verify(CTX, &signature, host_msg, &signer_pubkey) == 1); | ||||
| 
 | ||||
|     { /* host_verify: commitment does not match */ | ||||
|         unsigned char sigbytes[64]; | ||||
|         size_t i; | ||||
|         CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, sigbytes, &signature) == 1); | ||||
|         CHECK(secp256k1_ecdsa_signature_serialize_compact(CTX, sigbytes, &signature) == 1); | ||||
|         for(i = 0; i < 32; i++) { | ||||
|             /* change one byte */ | ||||
|             sigbytes[i] += 1; | ||||
|             CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &signature, sigbytes) == 1); | ||||
|             CHECK(secp256k1_ecdsa_s2c_verify_commit(ctx, &signature, host_nonce_contribution, &s2c_opening) == 0); | ||||
|             CHECK(secp256k1_anti_exfil_host_verify(ctx, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 0); | ||||
|             CHECK(secp256k1_ecdsa_signature_parse_compact(CTX, &signature, sigbytes) == 1); | ||||
|             CHECK(secp256k1_ecdsa_s2c_verify_commit(CTX, &signature, host_nonce_contribution, &s2c_opening) == 0); | ||||
|             CHECK(secp256k1_anti_exfil_host_verify(CTX, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 0); | ||||
|             /* revert */ | ||||
|             sigbytes[i] -= 1; | ||||
|         } | ||||
|         CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &signature, sigbytes) == 1); | ||||
|         CHECK(secp256k1_ecdsa_signature_parse_compact(CTX, &signature, sigbytes) == 1); | ||||
|     } | ||||
|     { /* host_verify: message does not match */ | ||||
|         unsigned char bad_msg[32]; | ||||
|         secp256k1_testrand256_test(bad_msg); | ||||
|         CHECK(secp256k1_anti_exfil_host_verify(ctx, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 1); | ||||
|         CHECK(secp256k1_anti_exfil_host_verify(ctx, &signature, bad_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 0); | ||||
|         CHECK(secp256k1_anti_exfil_host_verify(CTX, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 1); | ||||
|         CHECK(secp256k1_anti_exfil_host_verify(CTX, &signature, bad_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 0); | ||||
|     } | ||||
|     { /* s2c_sign: host provided data that didn't match commitment */ | ||||
|         secp256k1_ecdsa_s2c_opening orig_opening = s2c_opening; | ||||
|         unsigned char bad_nonce_contribution[32] = { 1, 2, 3, 4 }; | ||||
|         CHECK(secp256k1_ecdsa_s2c_sign(ctx, &signature, &s2c_opening, host_msg, signer_privkey, bad_nonce_contribution) == 1); | ||||
|         CHECK(secp256k1_ecdsa_s2c_sign(CTX, &signature, &s2c_opening, host_msg, signer_privkey, bad_nonce_contribution) == 1); | ||||
|         /* good signature but the opening (original public nonce does not match the original */ | ||||
|         CHECK(secp256k1_ecdsa_verify(ctx, &signature, host_msg, &signer_pubkey) == 1); | ||||
|         CHECK(secp256k1_anti_exfil_host_verify(ctx, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 0); | ||||
|         CHECK(secp256k1_anti_exfil_host_verify(ctx, &signature, host_msg, &signer_pubkey, bad_nonce_contribution, &s2c_opening) == 1); | ||||
|         CHECK(secp256k1_ecdsa_verify(CTX, &signature, host_msg, &signer_pubkey) == 1); | ||||
|         CHECK(secp256k1_anti_exfil_host_verify(CTX, &signature, host_msg, &signer_pubkey, host_nonce_contribution, &s2c_opening) == 0); | ||||
|         CHECK(secp256k1_anti_exfil_host_verify(CTX, &signature, host_msg, &signer_pubkey, bad_nonce_contribution, &s2c_opening) == 1); | ||||
|         CHECK(secp256k1_memcmp_var(&s2c_opening, &orig_opening, sizeof(s2c_opening)) != 0); | ||||
|     } | ||||
| } | ||||
|  | ||||
| @ -30,52 +30,52 @@ void test_xonly_pubkey(void) { | ||||
| 
 | ||||
|     int ecount; | ||||
| 
 | ||||
|     set_counting_callbacks(ctx, &ecount); | ||||
|     set_counting_callbacks(CTX, &ecount); | ||||
| 
 | ||||
|     secp256k1_testrand256(sk); | ||||
|     memset(ones32, 0xFF, 32); | ||||
|     secp256k1_testrand256(xy_sk); | ||||
|     CHECK(secp256k1_ec_pubkey_create(ctx, &pk, sk) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &xonly_pk, &pk_parity, &pk) == 1); | ||||
|     CHECK(secp256k1_ec_pubkey_create(CTX, &pk, sk) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_from_pubkey(CTX, &xonly_pk, &pk_parity, &pk) == 1); | ||||
| 
 | ||||
|     /* Test xonly_pubkey_from_pubkey */ | ||||
|     ecount = 0; | ||||
|     CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &xonly_pk, &pk_parity, &pk) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, NULL, &pk_parity, &pk) == 0); | ||||
|     CHECK(secp256k1_xonly_pubkey_from_pubkey(CTX, &xonly_pk, &pk_parity, &pk) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_from_pubkey(CTX, NULL, &pk_parity, &pk) == 0); | ||||
|     CHECK(ecount == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &xonly_pk, NULL, &pk) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &xonly_pk, &pk_parity, NULL) == 0); | ||||
|     CHECK(secp256k1_xonly_pubkey_from_pubkey(CTX, &xonly_pk, NULL, &pk) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_from_pubkey(CTX, &xonly_pk, &pk_parity, NULL) == 0); | ||||
|     CHECK(ecount == 2); | ||||
|     memset(&pk, 0, sizeof(pk)); | ||||
|     CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &xonly_pk, &pk_parity, &pk) == 0); | ||||
|     CHECK(secp256k1_xonly_pubkey_from_pubkey(CTX, &xonly_pk, &pk_parity, &pk) == 0); | ||||
|     CHECK(ecount == 3); | ||||
| 
 | ||||
|     /* Choose a secret key such that the resulting pubkey and xonly_pubkey match. */ | ||||
|     memset(sk, 0, sizeof(sk)); | ||||
|     sk[0] = 1; | ||||
|     CHECK(secp256k1_ec_pubkey_create(ctx, &pk, sk) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &xonly_pk, &pk_parity, &pk) == 1); | ||||
|     CHECK(secp256k1_ec_pubkey_create(CTX, &pk, sk) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_from_pubkey(CTX, &xonly_pk, &pk_parity, &pk) == 1); | ||||
|     CHECK(secp256k1_memcmp_var(&pk, &xonly_pk, sizeof(pk)) == 0); | ||||
|     CHECK(pk_parity == 0); | ||||
| 
 | ||||
|     /* Choose a secret key such that pubkey and xonly_pubkey are each others
 | ||||
|      * negation. */ | ||||
|     sk[0] = 2; | ||||
|     CHECK(secp256k1_ec_pubkey_create(ctx, &pk, sk) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &xonly_pk, &pk_parity, &pk) == 1); | ||||
|     CHECK(secp256k1_ec_pubkey_create(CTX, &pk, sk) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_from_pubkey(CTX, &xonly_pk, &pk_parity, &pk) == 1); | ||||
|     CHECK(secp256k1_memcmp_var(&xonly_pk, &pk, sizeof(xonly_pk)) != 0); | ||||
|     CHECK(pk_parity == 1); | ||||
|     secp256k1_pubkey_load(ctx, &pk1, &pk); | ||||
|     secp256k1_pubkey_load(ctx, &pk2, (secp256k1_pubkey *) &xonly_pk); | ||||
|     secp256k1_pubkey_load(CTX, &pk1, &pk); | ||||
|     secp256k1_pubkey_load(CTX, &pk2, (secp256k1_pubkey *) &xonly_pk); | ||||
|     CHECK(secp256k1_fe_equal(&pk1.x, &pk2.x) == 1); | ||||
|     secp256k1_fe_negate(&y, &pk2.y, 1); | ||||
|     CHECK(secp256k1_fe_equal(&pk1.y, &y) == 1); | ||||
| 
 | ||||
|     /* Test xonly_pubkey_serialize and xonly_pubkey_parse */ | ||||
|     ecount = 0; | ||||
|     CHECK(secp256k1_xonly_pubkey_serialize(ctx, NULL, &xonly_pk) == 0); | ||||
|     CHECK(secp256k1_xonly_pubkey_serialize(CTX, NULL, &xonly_pk) == 0); | ||||
|     CHECK(ecount == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_serialize(ctx, buf32, NULL) == 0); | ||||
|     CHECK(secp256k1_xonly_pubkey_serialize(CTX, buf32, NULL) == 0); | ||||
|     CHECK(secp256k1_memcmp_var(buf32, zeros64, 32) == 0); | ||||
|     CHECK(ecount == 2); | ||||
|     { | ||||
| @ -83,46 +83,46 @@ void test_xonly_pubkey(void) { | ||||
|          * special casing. */ | ||||
|         secp256k1_xonly_pubkey pk_tmp; | ||||
|         memset(&pk_tmp, 0, sizeof(pk_tmp)); | ||||
|         CHECK(secp256k1_xonly_pubkey_serialize(ctx, buf32, &pk_tmp) == 0); | ||||
|         CHECK(secp256k1_xonly_pubkey_serialize(CTX, buf32, &pk_tmp) == 0); | ||||
|     } | ||||
|     /* pubkey_load called illegal callback */ | ||||
|     CHECK(ecount == 3); | ||||
| 
 | ||||
|     CHECK(secp256k1_xonly_pubkey_serialize(ctx, buf32, &xonly_pk) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_serialize(CTX, buf32, &xonly_pk) == 1); | ||||
|     ecount = 0; | ||||
|     CHECK(secp256k1_xonly_pubkey_parse(ctx, NULL, buf32) == 0); | ||||
|     CHECK(secp256k1_xonly_pubkey_parse(CTX, NULL, buf32) == 0); | ||||
|     CHECK(ecount == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_parse(ctx, &xonly_pk, NULL) == 0); | ||||
|     CHECK(secp256k1_xonly_pubkey_parse(CTX, &xonly_pk, NULL) == 0); | ||||
|     CHECK(ecount == 2); | ||||
| 
 | ||||
|     /* Serialization and parse roundtrip */ | ||||
|     CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &xonly_pk, NULL, &pk) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_serialize(ctx, buf32, &xonly_pk) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_parse(ctx, &xonly_pk_tmp, buf32) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_from_pubkey(CTX, &xonly_pk, NULL, &pk) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_serialize(CTX, buf32, &xonly_pk) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_parse(CTX, &xonly_pk_tmp, buf32) == 1); | ||||
|     CHECK(secp256k1_memcmp_var(&xonly_pk, &xonly_pk_tmp, sizeof(xonly_pk)) == 0); | ||||
| 
 | ||||
|     /* Test parsing invalid field elements */ | ||||
|     memset(&xonly_pk, 1, sizeof(xonly_pk)); | ||||
|     /* Overflowing field element */ | ||||
|     CHECK(secp256k1_xonly_pubkey_parse(ctx, &xonly_pk, ones32) == 0); | ||||
|     CHECK(secp256k1_xonly_pubkey_parse(CTX, &xonly_pk, ones32) == 0); | ||||
|     CHECK(secp256k1_memcmp_var(&xonly_pk, zeros64, sizeof(xonly_pk)) == 0); | ||||
|     memset(&xonly_pk, 1, sizeof(xonly_pk)); | ||||
|     /* There's no point with x-coordinate 0 on secp256k1 */ | ||||
|     CHECK(secp256k1_xonly_pubkey_parse(ctx, &xonly_pk, zeros64) == 0); | ||||
|     CHECK(secp256k1_xonly_pubkey_parse(CTX, &xonly_pk, zeros64) == 0); | ||||
|     CHECK(secp256k1_memcmp_var(&xonly_pk, zeros64, sizeof(xonly_pk)) == 0); | ||||
|     /* If a random 32-byte string can not be parsed with ec_pubkey_parse
 | ||||
|      * (because interpreted as X coordinate it does not correspond to a point on | ||||
|      * the curve) then xonly_pubkey_parse should fail as well. */ | ||||
|     for (i = 0; i < count; i++) { | ||||
|     for (i = 0; i < COUNT; i++) { | ||||
|         unsigned char rand33[33]; | ||||
|         secp256k1_testrand256(&rand33[1]); | ||||
|         rand33[0] = SECP256K1_TAG_PUBKEY_EVEN; | ||||
|         if (!secp256k1_ec_pubkey_parse(ctx, &pk, rand33, 33)) { | ||||
|         if (!secp256k1_ec_pubkey_parse(CTX, &pk, rand33, 33)) { | ||||
|             memset(&xonly_pk, 1, sizeof(xonly_pk)); | ||||
|             CHECK(secp256k1_xonly_pubkey_parse(ctx, &xonly_pk, &rand33[1]) == 0); | ||||
|             CHECK(secp256k1_xonly_pubkey_parse(CTX, &xonly_pk, &rand33[1]) == 0); | ||||
|             CHECK(secp256k1_memcmp_var(&xonly_pk, zeros64, sizeof(xonly_pk)) == 0); | ||||
|         } else { | ||||
|             CHECK(secp256k1_xonly_pubkey_parse(ctx, &xonly_pk, &rand33[1]) == 1); | ||||
|             CHECK(secp256k1_xonly_pubkey_parse(CTX, &xonly_pk, &rand33[1]) == 1); | ||||
|         } | ||||
|     } | ||||
|     CHECK(ecount == 2); | ||||
| @ -141,26 +141,26 @@ void test_xonly_pubkey_comparison(void) { | ||||
|     secp256k1_xonly_pubkey pk2; | ||||
|     int ecount = 0; | ||||
| 
 | ||||
|     set_counting_callbacks(ctx, &ecount); | ||||
|     set_counting_callbacks(CTX, &ecount); | ||||
| 
 | ||||
|     CHECK(secp256k1_xonly_pubkey_parse(ctx, &pk1, pk1_ser) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_parse(ctx, &pk2, pk2_ser) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_parse(CTX, &pk1, pk1_ser) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_parse(CTX, &pk2, pk2_ser) == 1); | ||||
| 
 | ||||
|     CHECK(secp256k1_xonly_pubkey_cmp(ctx, NULL, &pk2) < 0); | ||||
|     CHECK(secp256k1_xonly_pubkey_cmp(CTX, NULL, &pk2) < 0); | ||||
|     CHECK(ecount == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_cmp(ctx, &pk1, NULL) > 0); | ||||
|     CHECK(secp256k1_xonly_pubkey_cmp(CTX, &pk1, NULL) > 0); | ||||
|     CHECK(ecount == 2); | ||||
|     CHECK(secp256k1_xonly_pubkey_cmp(ctx, &pk1, &pk2) < 0); | ||||
|     CHECK(secp256k1_xonly_pubkey_cmp(ctx, &pk2, &pk1) > 0); | ||||
|     CHECK(secp256k1_xonly_pubkey_cmp(ctx, &pk1, &pk1) == 0); | ||||
|     CHECK(secp256k1_xonly_pubkey_cmp(ctx, &pk2, &pk2) == 0); | ||||
|     CHECK(secp256k1_xonly_pubkey_cmp(CTX, &pk1, &pk2) < 0); | ||||
|     CHECK(secp256k1_xonly_pubkey_cmp(CTX, &pk2, &pk1) > 0); | ||||
|     CHECK(secp256k1_xonly_pubkey_cmp(CTX, &pk1, &pk1) == 0); | ||||
|     CHECK(secp256k1_xonly_pubkey_cmp(CTX, &pk2, &pk2) == 0); | ||||
|     CHECK(ecount == 2); | ||||
|     memset(&pk1, 0, sizeof(pk1)); /* illegal pubkey */ | ||||
|     CHECK(secp256k1_xonly_pubkey_cmp(ctx, &pk1, &pk2) < 0); | ||||
|     CHECK(secp256k1_xonly_pubkey_cmp(CTX, &pk1, &pk2) < 0); | ||||
|     CHECK(ecount == 3); | ||||
|     CHECK(secp256k1_xonly_pubkey_cmp(ctx, &pk1, &pk1) == 0); | ||||
|     CHECK(secp256k1_xonly_pubkey_cmp(CTX, &pk1, &pk1) == 0); | ||||
|     CHECK(ecount == 5); | ||||
|     CHECK(secp256k1_xonly_pubkey_cmp(ctx, &pk2, &pk1) > 0); | ||||
|     CHECK(secp256k1_xonly_pubkey_cmp(CTX, &pk2, &pk1) > 0); | ||||
|     CHECK(ecount == 6); | ||||
| } | ||||
| 
 | ||||
| @ -177,48 +177,48 @@ void test_xonly_pubkey_tweak(void) { | ||||
| 
 | ||||
|     int ecount; | ||||
| 
 | ||||
|     set_counting_callbacks(ctx, &ecount); | ||||
|     set_counting_callbacks(CTX, &ecount); | ||||
| 
 | ||||
|     memset(overflows, 0xff, sizeof(overflows)); | ||||
|     secp256k1_testrand256(tweak); | ||||
|     secp256k1_testrand256(sk); | ||||
|     CHECK(secp256k1_ec_pubkey_create(ctx, &internal_pk, sk) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &internal_xonly_pk, &pk_parity, &internal_pk) == 1); | ||||
|     CHECK(secp256k1_ec_pubkey_create(CTX, &internal_pk, sk) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_from_pubkey(CTX, &internal_xonly_pk, &pk_parity, &internal_pk) == 1); | ||||
| 
 | ||||
|     ecount = 0; | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add(ctx, &output_pk, &internal_xonly_pk, tweak) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add(CTX, &output_pk, &internal_xonly_pk, tweak) == 1); | ||||
|     CHECK(ecount == 0); | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add(ctx, &output_pk, &internal_xonly_pk, tweak) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add(CTX, &output_pk, &internal_xonly_pk, tweak) == 1); | ||||
|     CHECK(ecount == 0); | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add(ctx, &output_pk, &internal_xonly_pk, tweak) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add(ctx, NULL, &internal_xonly_pk, tweak) == 0); | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add(CTX, &output_pk, &internal_xonly_pk, tweak) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add(CTX, NULL, &internal_xonly_pk, tweak) == 0); | ||||
|     CHECK(ecount == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add(ctx, &output_pk, NULL, tweak) == 0); | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add(CTX, &output_pk, NULL, tweak) == 0); | ||||
|     CHECK(ecount == 2); | ||||
|     /* NULL internal_xonly_pk zeroes the output_pk */ | ||||
|     CHECK(secp256k1_memcmp_var(&output_pk, zeros64, sizeof(output_pk)) == 0); | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add(ctx, &output_pk, &internal_xonly_pk, NULL) == 0); | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add(CTX, &output_pk, &internal_xonly_pk, NULL) == 0); | ||||
|     CHECK(ecount == 3); | ||||
|     /* NULL tweak zeroes the output_pk */ | ||||
|     CHECK(secp256k1_memcmp_var(&output_pk, zeros64, sizeof(output_pk)) == 0); | ||||
| 
 | ||||
|     /* Invalid tweak zeroes the output_pk */ | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add(ctx, &output_pk, &internal_xonly_pk, overflows) == 0); | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add(CTX, &output_pk, &internal_xonly_pk, overflows) == 0); | ||||
|     CHECK(secp256k1_memcmp_var(&output_pk, zeros64, sizeof(output_pk))  == 0); | ||||
| 
 | ||||
|     /* A zero tweak is fine */ | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add(ctx, &output_pk, &internal_xonly_pk, zeros64) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add(CTX, &output_pk, &internal_xonly_pk, zeros64) == 1); | ||||
| 
 | ||||
|     /* Fails if the resulting key was infinity */ | ||||
|     for (i = 0; i < count; i++) { | ||||
|     for (i = 0; i < COUNT; i++) { | ||||
|         secp256k1_scalar scalar_tweak; | ||||
|         /* Because sk may be negated before adding, we need to try with tweak =
 | ||||
|          * sk as well as tweak = -sk. */ | ||||
|         secp256k1_scalar_set_b32(&scalar_tweak, sk, NULL); | ||||
|         secp256k1_scalar_negate(&scalar_tweak, &scalar_tweak); | ||||
|         secp256k1_scalar_get_b32(tweak, &scalar_tweak); | ||||
|         CHECK((secp256k1_xonly_pubkey_tweak_add(ctx, &output_pk, &internal_xonly_pk, sk) == 0) | ||||
|               || (secp256k1_xonly_pubkey_tweak_add(ctx, &output_pk, &internal_xonly_pk, tweak) == 0)); | ||||
|         CHECK((secp256k1_xonly_pubkey_tweak_add(CTX, &output_pk, &internal_xonly_pk, sk) == 0) | ||||
|               || (secp256k1_xonly_pubkey_tweak_add(CTX, &output_pk, &internal_xonly_pk, tweak) == 0)); | ||||
|         CHECK(secp256k1_memcmp_var(&output_pk, zeros64, sizeof(output_pk)) == 0); | ||||
|     } | ||||
| 
 | ||||
| @ -226,7 +226,7 @@ void test_xonly_pubkey_tweak(void) { | ||||
|     memset(&internal_xonly_pk, 0, sizeof(internal_xonly_pk)); | ||||
|     secp256k1_testrand256(tweak); | ||||
|     ecount = 0; | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add(ctx, &output_pk, &internal_xonly_pk, tweak) == 0); | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add(CTX, &output_pk, &internal_xonly_pk, tweak) == 0); | ||||
|     CHECK(ecount == 1); | ||||
|     CHECK(secp256k1_memcmp_var(&output_pk, zeros64, sizeof(output_pk))  == 0); | ||||
| } | ||||
| @ -246,49 +246,49 @@ void test_xonly_pubkey_tweak_check(void) { | ||||
| 
 | ||||
|     int ecount; | ||||
| 
 | ||||
|     set_counting_callbacks(ctx, &ecount); | ||||
|     set_counting_callbacks(CTX, &ecount); | ||||
| 
 | ||||
|     memset(overflows, 0xff, sizeof(overflows)); | ||||
|     secp256k1_testrand256(tweak); | ||||
|     secp256k1_testrand256(sk); | ||||
|     CHECK(secp256k1_ec_pubkey_create(ctx, &internal_pk, sk) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &internal_xonly_pk, &pk_parity, &internal_pk) == 1); | ||||
|     CHECK(secp256k1_ec_pubkey_create(CTX, &internal_pk, sk) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_from_pubkey(CTX, &internal_xonly_pk, &pk_parity, &internal_pk) == 1); | ||||
| 
 | ||||
|     ecount = 0; | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add(ctx, &output_pk, &internal_xonly_pk, tweak) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &output_xonly_pk, &pk_parity, &output_pk) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_serialize(ctx, buf32, &output_xonly_pk) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, buf32, pk_parity, &internal_xonly_pk, tweak) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add(CTX, &output_pk, &internal_xonly_pk, tweak) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_from_pubkey(CTX, &output_xonly_pk, &pk_parity, &output_pk) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_serialize(CTX, buf32, &output_xonly_pk) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, buf32, pk_parity, &internal_xonly_pk, tweak) == 1); | ||||
|     CHECK(ecount == 0); | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, buf32, pk_parity, &internal_xonly_pk, tweak) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, buf32, pk_parity, &internal_xonly_pk, tweak) == 1); | ||||
|     CHECK(ecount == 0); | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, buf32, pk_parity, &internal_xonly_pk, tweak) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, NULL, pk_parity, &internal_xonly_pk, tweak) == 0); | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, buf32, pk_parity, &internal_xonly_pk, tweak) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, NULL, pk_parity, &internal_xonly_pk, tweak) == 0); | ||||
|     CHECK(ecount == 1); | ||||
|     /* invalid pk_parity value */ | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, buf32, 2, &internal_xonly_pk, tweak) == 0); | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, buf32, 2, &internal_xonly_pk, tweak) == 0); | ||||
|     CHECK(ecount == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, buf32, pk_parity, NULL, tweak) == 0); | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, buf32, pk_parity, NULL, tweak) == 0); | ||||
|     CHECK(ecount == 2); | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, buf32, pk_parity, &internal_xonly_pk, NULL) == 0); | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, buf32, pk_parity, &internal_xonly_pk, NULL) == 0); | ||||
|     CHECK(ecount == 3); | ||||
| 
 | ||||
|     memset(tweak, 1, sizeof(tweak)); | ||||
|     CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &internal_xonly_pk, NULL, &internal_pk) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add(ctx, &output_pk, &internal_xonly_pk, tweak) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &output_xonly_pk, &pk_parity, &output_pk) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_serialize(ctx, output_pk32, &output_xonly_pk) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, output_pk32, pk_parity, &internal_xonly_pk, tweak) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_from_pubkey(CTX, &internal_xonly_pk, NULL, &internal_pk) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add(CTX, &output_pk, &internal_xonly_pk, tweak) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_from_pubkey(CTX, &output_xonly_pk, &pk_parity, &output_pk) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_serialize(CTX, output_pk32, &output_xonly_pk) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, output_pk32, pk_parity, &internal_xonly_pk, tweak) == 1); | ||||
| 
 | ||||
|     /* Wrong pk_parity */ | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, output_pk32, !pk_parity, &internal_xonly_pk, tweak) == 0); | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, output_pk32, !pk_parity, &internal_xonly_pk, tweak) == 0); | ||||
|     /* Wrong public key */ | ||||
|     CHECK(secp256k1_xonly_pubkey_serialize(ctx, buf32, &internal_xonly_pk) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, buf32, pk_parity, &internal_xonly_pk, tweak) == 0); | ||||
|     CHECK(secp256k1_xonly_pubkey_serialize(CTX, buf32, &internal_xonly_pk) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, buf32, pk_parity, &internal_xonly_pk, tweak) == 0); | ||||
| 
 | ||||
|     /* Overflowing tweak not allowed */ | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, output_pk32, pk_parity, &internal_xonly_pk, overflows) == 0); | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add(ctx, &output_pk, &internal_xonly_pk, overflows) == 0); | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, output_pk32, pk_parity, &internal_xonly_pk, overflows) == 0); | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add(CTX, &output_pk, &internal_xonly_pk, overflows) == 0); | ||||
|     CHECK(secp256k1_memcmp_var(&output_pk, zeros64, sizeof(output_pk)) == 0); | ||||
|     CHECK(ecount == 3); | ||||
| } | ||||
| @ -305,23 +305,23 @@ void test_xonly_pubkey_tweak_recursive(void) { | ||||
|     int i; | ||||
| 
 | ||||
|     secp256k1_testrand256(sk); | ||||
|     CHECK(secp256k1_ec_pubkey_create(ctx, &pk[0], sk) == 1); | ||||
|     CHECK(secp256k1_ec_pubkey_create(CTX, &pk[0], sk) == 1); | ||||
|     /* Add tweaks */ | ||||
|     for (i = 0; i < N_PUBKEYS - 1; i++) { | ||||
|         secp256k1_xonly_pubkey xonly_pk; | ||||
|         memset(tweak[i], i + 1, sizeof(tweak[i])); | ||||
|         CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &xonly_pk, NULL, &pk[i]) == 1); | ||||
|         CHECK(secp256k1_xonly_pubkey_tweak_add(ctx, &pk[i + 1], &xonly_pk, tweak[i]) == 1); | ||||
|         CHECK(secp256k1_xonly_pubkey_from_pubkey(CTX, &xonly_pk, NULL, &pk[i]) == 1); | ||||
|         CHECK(secp256k1_xonly_pubkey_tweak_add(CTX, &pk[i + 1], &xonly_pk, tweak[i]) == 1); | ||||
|     } | ||||
| 
 | ||||
|     /* Verify tweaks */ | ||||
|     for (i = N_PUBKEYS - 1; i > 0; i--) { | ||||
|         secp256k1_xonly_pubkey xonly_pk; | ||||
|         int pk_parity; | ||||
|         CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &xonly_pk, &pk_parity, &pk[i]) == 1); | ||||
|         CHECK(secp256k1_xonly_pubkey_serialize(ctx, pk_serialized, &xonly_pk) == 1); | ||||
|         CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &xonly_pk, NULL, &pk[i - 1]) == 1); | ||||
|         CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, pk_serialized, pk_parity, &xonly_pk, tweak[i - 1]) == 1); | ||||
|         CHECK(secp256k1_xonly_pubkey_from_pubkey(CTX, &xonly_pk, &pk_parity, &pk[i]) == 1); | ||||
|         CHECK(secp256k1_xonly_pubkey_serialize(CTX, pk_serialized, &xonly_pk) == 1); | ||||
|         CHECK(secp256k1_xonly_pubkey_from_pubkey(CTX, &xonly_pk, NULL, &pk[i - 1]) == 1); | ||||
|         CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, pk_serialized, pk_parity, &xonly_pk, tweak[i - 1]) == 1); | ||||
|     } | ||||
| } | ||||
| #undef N_PUBKEYS | ||||
| @ -336,10 +336,9 @@ void test_keypair(void) { | ||||
|     secp256k1_xonly_pubkey xonly_pk, xonly_pk_tmp; | ||||
|     int pk_parity, pk_parity_tmp; | ||||
|     int ecount; | ||||
|     secp256k1_context *sttc = secp256k1_context_clone(secp256k1_context_static); | ||||
| 
 | ||||
|     set_counting_callbacks(ctx, &ecount); | ||||
|     set_counting_callbacks(sttc, &ecount); | ||||
|     set_counting_callbacks(CTX, &ecount); | ||||
|     set_counting_callbacks(STATIC_CTX, &ecount); | ||||
| 
 | ||||
|     CHECK(sizeof(zeros96) == sizeof(keypair)); | ||||
|     memset(overflows, 0xFF, sizeof(overflows)); | ||||
| @ -347,100 +346,102 @@ void test_keypair(void) { | ||||
|     /* Test keypair_create */ | ||||
|     ecount = 0; | ||||
|     secp256k1_testrand256(sk); | ||||
|     CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1); | ||||
|     CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1); | ||||
|     CHECK(secp256k1_memcmp_var(zeros96, &keypair, sizeof(keypair)) != 0); | ||||
|     CHECK(ecount == 0); | ||||
|     CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1); | ||||
|     CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1); | ||||
|     CHECK(secp256k1_memcmp_var(zeros96, &keypair, sizeof(keypair)) != 0); | ||||
|     CHECK(ecount == 0); | ||||
|     CHECK(secp256k1_keypair_create(ctx, NULL, sk) == 0); | ||||
|     CHECK(secp256k1_keypair_create(CTX, NULL, sk) == 0); | ||||
|     CHECK(ecount == 1); | ||||
|     CHECK(secp256k1_keypair_create(ctx, &keypair, NULL) == 0); | ||||
|     CHECK(secp256k1_keypair_create(CTX, &keypair, NULL) == 0); | ||||
|     CHECK(secp256k1_memcmp_var(zeros96, &keypair, sizeof(keypair)) == 0); | ||||
|     CHECK(ecount == 2); | ||||
|     CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1); | ||||
|     CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1); | ||||
|     CHECK(ecount == 2); | ||||
|     CHECK(secp256k1_keypair_create(sttc, &keypair, sk) == 0); | ||||
|     CHECK(secp256k1_keypair_create(STATIC_CTX, &keypair, sk) == 0); | ||||
|     CHECK(secp256k1_memcmp_var(zeros96, &keypair, sizeof(keypair)) == 0); | ||||
|     CHECK(ecount == 3); | ||||
| 
 | ||||
|     /* Invalid secret key */ | ||||
|     CHECK(secp256k1_keypair_create(ctx, &keypair, zeros96) == 0); | ||||
|     CHECK(secp256k1_keypair_create(CTX, &keypair, zeros96) == 0); | ||||
|     CHECK(secp256k1_memcmp_var(zeros96, &keypair, sizeof(keypair)) == 0); | ||||
|     CHECK(secp256k1_keypair_create(ctx, &keypair, overflows) == 0); | ||||
|     CHECK(secp256k1_keypair_create(CTX, &keypair, overflows) == 0); | ||||
|     CHECK(secp256k1_memcmp_var(zeros96, &keypair, sizeof(keypair)) == 0); | ||||
| 
 | ||||
|     /* Test keypair_pub */ | ||||
|     ecount = 0; | ||||
|     secp256k1_testrand256(sk); | ||||
|     CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1); | ||||
|     CHECK(secp256k1_keypair_pub(ctx, &pk, &keypair) == 1); | ||||
|     CHECK(secp256k1_keypair_pub(ctx, NULL, &keypair) == 0); | ||||
|     CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1); | ||||
|     CHECK(secp256k1_keypair_pub(CTX, &pk, &keypair) == 1); | ||||
|     CHECK(secp256k1_keypair_pub(CTX, NULL, &keypair) == 0); | ||||
|     CHECK(ecount == 1); | ||||
|     CHECK(secp256k1_keypair_pub(ctx, &pk, NULL) == 0); | ||||
|     CHECK(secp256k1_keypair_pub(CTX, &pk, NULL) == 0); | ||||
|     CHECK(ecount == 2); | ||||
|     CHECK(secp256k1_memcmp_var(zeros96, &pk, sizeof(pk)) == 0); | ||||
| 
 | ||||
|     /* Using an invalid keypair is fine for keypair_pub */ | ||||
|     memset(&keypair, 0, sizeof(keypair)); | ||||
|     CHECK(secp256k1_keypair_pub(ctx, &pk, &keypair) == 1); | ||||
|     CHECK(secp256k1_keypair_pub(CTX, &pk, &keypair) == 1); | ||||
|     CHECK(secp256k1_memcmp_var(zeros96, &pk, sizeof(pk)) == 0); | ||||
| 
 | ||||
|     /* keypair holds the same pubkey as pubkey_create */ | ||||
|     CHECK(secp256k1_ec_pubkey_create(ctx, &pk, sk) == 1); | ||||
|     CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1); | ||||
|     CHECK(secp256k1_keypair_pub(ctx, &pk_tmp, &keypair) == 1); | ||||
|     CHECK(secp256k1_ec_pubkey_create(CTX, &pk, sk) == 1); | ||||
|     CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1); | ||||
|     CHECK(secp256k1_keypair_pub(CTX, &pk_tmp, &keypair) == 1); | ||||
|     CHECK(secp256k1_memcmp_var(&pk, &pk_tmp, sizeof(pk)) == 0); | ||||
| 
 | ||||
|     /** Test keypair_xonly_pub **/ | ||||
|     ecount = 0; | ||||
|     secp256k1_testrand256(sk); | ||||
|     CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1); | ||||
|     CHECK(secp256k1_keypair_xonly_pub(ctx, &xonly_pk, &pk_parity, &keypair) == 1); | ||||
|     CHECK(secp256k1_keypair_xonly_pub(ctx, NULL, &pk_parity, &keypair) == 0); | ||||
|     CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1); | ||||
|     CHECK(secp256k1_keypair_xonly_pub(CTX, &xonly_pk, &pk_parity, &keypair) == 1); | ||||
|     CHECK(secp256k1_keypair_xonly_pub(CTX, NULL, &pk_parity, &keypair) == 0); | ||||
|     CHECK(ecount == 1); | ||||
|     CHECK(secp256k1_keypair_xonly_pub(ctx, &xonly_pk, NULL, &keypair) == 1); | ||||
|     CHECK(secp256k1_keypair_xonly_pub(ctx, &xonly_pk, &pk_parity, NULL) == 0); | ||||
|     CHECK(secp256k1_keypair_xonly_pub(CTX, &xonly_pk, NULL, &keypair) == 1); | ||||
|     CHECK(secp256k1_keypair_xonly_pub(CTX, &xonly_pk, &pk_parity, NULL) == 0); | ||||
|     CHECK(ecount == 2); | ||||
|     CHECK(secp256k1_memcmp_var(zeros96, &xonly_pk, sizeof(xonly_pk)) == 0); | ||||
|     /* Using an invalid keypair will set the xonly_pk to 0 (first reset
 | ||||
|      * xonly_pk). */ | ||||
|     CHECK(secp256k1_keypair_xonly_pub(ctx, &xonly_pk, &pk_parity, &keypair) == 1); | ||||
|     CHECK(secp256k1_keypair_xonly_pub(CTX, &xonly_pk, &pk_parity, &keypair) == 1); | ||||
|     memset(&keypair, 0, sizeof(keypair)); | ||||
|     CHECK(secp256k1_keypair_xonly_pub(ctx, &xonly_pk, &pk_parity, &keypair) == 0); | ||||
|     CHECK(secp256k1_keypair_xonly_pub(CTX, &xonly_pk, &pk_parity, &keypair) == 0); | ||||
|     CHECK(secp256k1_memcmp_var(zeros96, &xonly_pk, sizeof(xonly_pk)) == 0); | ||||
|     CHECK(ecount == 3); | ||||
| 
 | ||||
|     /** keypair holds the same xonly pubkey as pubkey_create **/ | ||||
|     CHECK(secp256k1_ec_pubkey_create(ctx, &pk, sk) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_from_pubkey(ctx, &xonly_pk, &pk_parity, &pk) == 1); | ||||
|     CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1); | ||||
|     CHECK(secp256k1_keypair_xonly_pub(ctx, &xonly_pk_tmp, &pk_parity_tmp, &keypair) == 1); | ||||
|     CHECK(secp256k1_ec_pubkey_create(CTX, &pk, sk) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_from_pubkey(CTX, &xonly_pk, &pk_parity, &pk) == 1); | ||||
|     CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1); | ||||
|     CHECK(secp256k1_keypair_xonly_pub(CTX, &xonly_pk_tmp, &pk_parity_tmp, &keypair) == 1); | ||||
|     CHECK(secp256k1_memcmp_var(&xonly_pk, &xonly_pk_tmp, sizeof(pk)) == 0); | ||||
|     CHECK(pk_parity == pk_parity_tmp); | ||||
| 
 | ||||
|     /* Test keypair_seckey */ | ||||
|     ecount = 0; | ||||
|     secp256k1_testrand256(sk); | ||||
|     CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1); | ||||
|     CHECK(secp256k1_keypair_sec(ctx, sk_tmp, &keypair) == 1); | ||||
|     CHECK(secp256k1_keypair_sec(ctx, NULL, &keypair) == 0); | ||||
|     CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1); | ||||
|     CHECK(secp256k1_keypair_sec(CTX, sk_tmp, &keypair) == 1); | ||||
|     CHECK(secp256k1_keypair_sec(CTX, NULL, &keypair) == 0); | ||||
|     CHECK(ecount == 1); | ||||
|     CHECK(secp256k1_keypair_sec(ctx, sk_tmp, NULL) == 0); | ||||
|     CHECK(secp256k1_keypair_sec(CTX, sk_tmp, NULL) == 0); | ||||
|     CHECK(ecount == 2); | ||||
|     CHECK(secp256k1_memcmp_var(zeros96, sk_tmp, sizeof(sk_tmp)) == 0); | ||||
| 
 | ||||
|     /* keypair returns the same seckey it got */ | ||||
|     CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1); | ||||
|     CHECK(secp256k1_keypair_sec(ctx, sk_tmp, &keypair) == 1); | ||||
|     CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1); | ||||
|     CHECK(secp256k1_keypair_sec(CTX, sk_tmp, &keypair) == 1); | ||||
|     CHECK(secp256k1_memcmp_var(sk, sk_tmp, sizeof(sk_tmp)) == 0); | ||||
| 
 | ||||
| 
 | ||||
|     /* Using an invalid keypair is fine for keypair_seckey */ | ||||
|     memset(&keypair, 0, sizeof(keypair)); | ||||
|     CHECK(secp256k1_keypair_sec(ctx, sk_tmp, &keypair) == 1); | ||||
|     CHECK(secp256k1_keypair_sec(CTX, sk_tmp, &keypair) == 1); | ||||
|     CHECK(secp256k1_memcmp_var(zeros96, sk_tmp, sizeof(sk_tmp)) == 0); | ||||
|     secp256k1_context_destroy(sttc); | ||||
| 
 | ||||
|     secp256k1_context_set_error_callback(STATIC_CTX, NULL, NULL); | ||||
|     secp256k1_context_set_illegal_callback(STATIC_CTX, NULL, NULL); | ||||
| } | ||||
| 
 | ||||
| void test_keypair_add(void) { | ||||
| @ -452,49 +453,49 @@ void test_keypair_add(void) { | ||||
|     int i; | ||||
|     int ecount = 0; | ||||
| 
 | ||||
|     set_counting_callbacks(ctx, &ecount); | ||||
|     set_counting_callbacks(CTX, &ecount); | ||||
| 
 | ||||
|     CHECK(sizeof(zeros96) == sizeof(keypair)); | ||||
|     secp256k1_testrand256(sk); | ||||
|     secp256k1_testrand256(tweak); | ||||
|     memset(overflows, 0xFF, 32); | ||||
|     CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1); | ||||
|     CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1); | ||||
| 
 | ||||
|     CHECK(secp256k1_keypair_xonly_tweak_add(ctx, &keypair, tweak) == 1); | ||||
|     CHECK(secp256k1_keypair_xonly_tweak_add(CTX, &keypair, tweak) == 1); | ||||
|     CHECK(ecount == 0); | ||||
|     CHECK(secp256k1_keypair_xonly_tweak_add(ctx, &keypair, tweak) == 1); | ||||
|     CHECK(secp256k1_keypair_xonly_tweak_add(CTX, &keypair, tweak) == 1); | ||||
|     CHECK(ecount == 0); | ||||
|     CHECK(secp256k1_keypair_xonly_tweak_add(ctx, &keypair, tweak) == 1); | ||||
|     CHECK(secp256k1_keypair_xonly_tweak_add(ctx, NULL, tweak) == 0); | ||||
|     CHECK(secp256k1_keypair_xonly_tweak_add(CTX, &keypair, tweak) == 1); | ||||
|     CHECK(secp256k1_keypair_xonly_tweak_add(CTX, NULL, tweak) == 0); | ||||
|     CHECK(ecount == 1); | ||||
|     CHECK(secp256k1_keypair_xonly_tweak_add(ctx, &keypair, NULL) == 0); | ||||
|     CHECK(secp256k1_keypair_xonly_tweak_add(CTX, &keypair, NULL) == 0); | ||||
|     CHECK(ecount == 2); | ||||
|     /* This does not set the keypair to zeroes */ | ||||
|     CHECK(secp256k1_memcmp_var(&keypair, zeros96, sizeof(keypair)) != 0); | ||||
| 
 | ||||
|     /* Invalid tweak zeroes the keypair */ | ||||
|     CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1); | ||||
|     CHECK(secp256k1_keypair_xonly_tweak_add(ctx, &keypair, overflows) == 0); | ||||
|     CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1); | ||||
|     CHECK(secp256k1_keypair_xonly_tweak_add(CTX, &keypair, overflows) == 0); | ||||
|     CHECK(secp256k1_memcmp_var(&keypair, zeros96, sizeof(keypair))  == 0); | ||||
| 
 | ||||
|     /* A zero tweak is fine */ | ||||
|     CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1); | ||||
|     CHECK(secp256k1_keypair_xonly_tweak_add(ctx, &keypair, zeros96) == 1); | ||||
|     CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1); | ||||
|     CHECK(secp256k1_keypair_xonly_tweak_add(CTX, &keypair, zeros96) == 1); | ||||
| 
 | ||||
|     /* Fails if the resulting keypair was (sk=0, pk=infinity) */ | ||||
|     for (i = 0; i < count; i++) { | ||||
|     for (i = 0; i < COUNT; i++) { | ||||
|         secp256k1_scalar scalar_tweak; | ||||
|         secp256k1_keypair keypair_tmp; | ||||
|         secp256k1_testrand256(sk); | ||||
|         CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1); | ||||
|         CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1); | ||||
|         memcpy(&keypair_tmp, &keypair, sizeof(keypair)); | ||||
|         /* Because sk may be negated before adding, we need to try with tweak =
 | ||||
|          * sk as well as tweak = -sk. */ | ||||
|         secp256k1_scalar_set_b32(&scalar_tweak, sk, NULL); | ||||
|         secp256k1_scalar_negate(&scalar_tweak, &scalar_tweak); | ||||
|         secp256k1_scalar_get_b32(tweak, &scalar_tweak); | ||||
|         CHECK((secp256k1_keypair_xonly_tweak_add(ctx, &keypair, sk) == 0) | ||||
|               || (secp256k1_keypair_xonly_tweak_add(ctx, &keypair_tmp, tweak) == 0)); | ||||
|         CHECK((secp256k1_keypair_xonly_tweak_add(CTX, &keypair, sk) == 0) | ||||
|               || (secp256k1_keypair_xonly_tweak_add(CTX, &keypair_tmp, tweak) == 0)); | ||||
|         CHECK(secp256k1_memcmp_var(&keypair, zeros96, sizeof(keypair)) == 0 | ||||
|               || secp256k1_memcmp_var(&keypair_tmp, zeros96, sizeof(keypair_tmp)) == 0); | ||||
|     } | ||||
| @ -503,23 +504,23 @@ void test_keypair_add(void) { | ||||
|     memset(&keypair, 0, sizeof(keypair)); | ||||
|     secp256k1_testrand256(tweak); | ||||
|     ecount = 0; | ||||
|     CHECK(secp256k1_keypair_xonly_tweak_add(ctx, &keypair, tweak) == 0); | ||||
|     CHECK(secp256k1_keypair_xonly_tweak_add(CTX, &keypair, tweak) == 0); | ||||
|     CHECK(ecount == 1); | ||||
|     CHECK(secp256k1_memcmp_var(&keypair, zeros96, sizeof(keypair))  == 0); | ||||
|     /* Only seckey part of keypair invalid */ | ||||
|     CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1); | ||||
|     CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1); | ||||
|     memset(&keypair, 0, 32); | ||||
|     CHECK(secp256k1_keypair_xonly_tweak_add(ctx, &keypair, tweak) == 0); | ||||
|     CHECK(secp256k1_keypair_xonly_tweak_add(CTX, &keypair, tweak) == 0); | ||||
|     CHECK(ecount == 2); | ||||
|     /* Only pubkey part of keypair invalid */ | ||||
|     CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1); | ||||
|     CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1); | ||||
|     memset(&keypair.data[32], 0, 64); | ||||
|     CHECK(secp256k1_keypair_xonly_tweak_add(ctx, &keypair, tweak) == 0); | ||||
|     CHECK(secp256k1_keypair_xonly_tweak_add(CTX, &keypair, tweak) == 0); | ||||
|     CHECK(ecount == 3); | ||||
| 
 | ||||
|     /* Check that the keypair_tweak_add implementation is correct */ | ||||
|     CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1); | ||||
|     for (i = 0; i < count; i++) { | ||||
|     CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1); | ||||
|     for (i = 0; i < COUNT; i++) { | ||||
|         secp256k1_xonly_pubkey internal_pk; | ||||
|         secp256k1_xonly_pubkey output_pk; | ||||
|         secp256k1_pubkey output_pk_xy; | ||||
| @ -529,22 +530,22 @@ void test_keypair_add(void) { | ||||
|         int pk_parity; | ||||
| 
 | ||||
|         secp256k1_testrand256(tweak); | ||||
|         CHECK(secp256k1_keypair_xonly_pub(ctx, &internal_pk, NULL, &keypair) == 1); | ||||
|         CHECK(secp256k1_keypair_xonly_tweak_add(ctx, &keypair, tweak) == 1); | ||||
|         CHECK(secp256k1_keypair_xonly_pub(ctx, &output_pk, &pk_parity, &keypair) == 1); | ||||
|         CHECK(secp256k1_keypair_xonly_pub(CTX, &internal_pk, NULL, &keypair) == 1); | ||||
|         CHECK(secp256k1_keypair_xonly_tweak_add(CTX, &keypair, tweak) == 1); | ||||
|         CHECK(secp256k1_keypair_xonly_pub(CTX, &output_pk, &pk_parity, &keypair) == 1); | ||||
| 
 | ||||
|         /* Check that it passes xonly_pubkey_tweak_add_check */ | ||||
|         CHECK(secp256k1_xonly_pubkey_serialize(ctx, pk32, &output_pk) == 1); | ||||
|         CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, pk32, pk_parity, &internal_pk, tweak) == 1); | ||||
|         CHECK(secp256k1_xonly_pubkey_serialize(CTX, pk32, &output_pk) == 1); | ||||
|         CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, pk32, pk_parity, &internal_pk, tweak) == 1); | ||||
| 
 | ||||
|         /* Check that the resulting pubkey matches xonly_pubkey_tweak_add */ | ||||
|         CHECK(secp256k1_keypair_pub(ctx, &output_pk_xy, &keypair) == 1); | ||||
|         CHECK(secp256k1_xonly_pubkey_tweak_add(ctx, &output_pk_expected, &internal_pk, tweak) == 1); | ||||
|         CHECK(secp256k1_keypair_pub(CTX, &output_pk_xy, &keypair) == 1); | ||||
|         CHECK(secp256k1_xonly_pubkey_tweak_add(CTX, &output_pk_expected, &internal_pk, tweak) == 1); | ||||
|         CHECK(secp256k1_memcmp_var(&output_pk_xy, &output_pk_expected, sizeof(output_pk_xy)) == 0); | ||||
| 
 | ||||
|         /* Check that the secret key in the keypair is tweaked correctly */ | ||||
|         CHECK(secp256k1_keypair_sec(ctx, sk32, &keypair) == 1); | ||||
|         CHECK(secp256k1_ec_pubkey_create(ctx, &output_pk_expected, sk32) == 1); | ||||
|         CHECK(secp256k1_keypair_sec(CTX, sk32, &keypair) == 1); | ||||
|         CHECK(secp256k1_ec_pubkey_create(CTX, &output_pk_expected, sk32) == 1); | ||||
|         CHECK(secp256k1_memcmp_var(&output_pk_xy, &output_pk_expected, sizeof(output_pk_xy)) == 0); | ||||
|     } | ||||
| } | ||||
| @ -577,7 +578,7 @@ void test_hsort(void) { | ||||
| 
 | ||||
|     /* Test hsort with length n array and random elements in
 | ||||
|      * [-interval/2, interval/2] */ | ||||
|     for (i = 0; i < count; i++) { | ||||
|     for (i = 0; i < COUNT; i++) { | ||||
|         int n = secp256k1_testrand_int(NUM); | ||||
|         int interval = secp256k1_testrand_int(64); | ||||
|         for (j = 0; j < n; j++) { | ||||
| @ -604,26 +605,26 @@ void test_pubkey_comparison(void) { | ||||
|     secp256k1_pubkey pk2; | ||||
|     int ecount = 0; | ||||
| 
 | ||||
|     set_counting_callbacks(ctx, &ecount); | ||||
|     set_counting_callbacks(CTX, &ecount); | ||||
| 
 | ||||
|     CHECK(secp256k1_ec_pubkey_parse(ctx, &pk1, pk1_ser, sizeof(pk1_ser)) == 1); | ||||
|     CHECK(secp256k1_ec_pubkey_parse(ctx, &pk2, pk2_ser, sizeof(pk2_ser)) == 1); | ||||
|     CHECK(secp256k1_ec_pubkey_parse(CTX, &pk1, pk1_ser, sizeof(pk1_ser)) == 1); | ||||
|     CHECK(secp256k1_ec_pubkey_parse(CTX, &pk2, pk2_ser, sizeof(pk2_ser)) == 1); | ||||
| 
 | ||||
|     CHECK(secp256k1_pubkey_cmp(ctx, NULL, &pk2) < 0); | ||||
|     CHECK(secp256k1_pubkey_cmp(CTX, NULL, &pk2) < 0); | ||||
|     CHECK(ecount == 1); | ||||
|     CHECK(secp256k1_pubkey_cmp(ctx, &pk1, NULL) > 0); | ||||
|     CHECK(secp256k1_pubkey_cmp(CTX, &pk1, NULL) > 0); | ||||
|     CHECK(ecount == 2); | ||||
|     CHECK(secp256k1_pubkey_cmp(ctx, &pk1, &pk2) < 0); | ||||
|     CHECK(secp256k1_pubkey_cmp(ctx, &pk2, &pk1) > 0); | ||||
|     CHECK(secp256k1_pubkey_cmp(ctx, &pk1, &pk1) == 0); | ||||
|     CHECK(secp256k1_pubkey_cmp(ctx, &pk2, &pk2) == 0); | ||||
|     CHECK(secp256k1_pubkey_cmp(CTX, &pk1, &pk2) < 0); | ||||
|     CHECK(secp256k1_pubkey_cmp(CTX, &pk2, &pk1) > 0); | ||||
|     CHECK(secp256k1_pubkey_cmp(CTX, &pk1, &pk1) == 0); | ||||
|     CHECK(secp256k1_pubkey_cmp(CTX, &pk2, &pk2) == 0); | ||||
|     CHECK(ecount == 2); | ||||
|     memset(&pk1, 0, sizeof(pk1)); /* illegal pubkey */ | ||||
|     CHECK(secp256k1_pubkey_cmp(ctx, &pk1, &pk2) < 0); | ||||
|     CHECK(secp256k1_pubkey_cmp(CTX, &pk1, &pk2) < 0); | ||||
|     CHECK(ecount == 3); | ||||
|     CHECK(secp256k1_pubkey_cmp(ctx, &pk1, &pk1) == 0); | ||||
|     CHECK(secp256k1_pubkey_cmp(CTX, &pk1, &pk1) == 0); | ||||
|     CHECK(ecount == 5); | ||||
|     CHECK(secp256k1_pubkey_cmp(ctx, &pk2, &pk1) > 0); | ||||
|     CHECK(secp256k1_pubkey_cmp(CTX, &pk2, &pk1) > 0); | ||||
|     CHECK(ecount == 6); | ||||
| 
 | ||||
| } | ||||
| @ -635,7 +636,7 @@ void test_sort_helper(secp256k1_pubkey *pk, size_t *pk_order, size_t n_pk) { | ||||
|     for (i = 0; i < n_pk; i++) { | ||||
|         pk_test[i] = &pk[pk_order[i]]; | ||||
|     } | ||||
|     secp256k1_pubkey_sort(ctx, pk_test, n_pk); | ||||
|     secp256k1_pubkey_sort(CTX, pk_test, n_pk); | ||||
|     for (i = 0; i < n_pk; i++) { | ||||
|         CHECK(secp256k1_memcmp_var(pk_test[i], &pk[i], sizeof(*pk_test[i])) == 0); | ||||
|     } | ||||
| @ -656,8 +657,8 @@ void rand_pk(secp256k1_pubkey *pk) { | ||||
|     unsigned char seckey[32]; | ||||
|     secp256k1_keypair keypair; | ||||
|     secp256k1_testrand256(seckey); | ||||
|     CHECK(secp256k1_keypair_create(ctx, &keypair, seckey) == 1); | ||||
|     CHECK(secp256k1_keypair_pub(ctx, pk, &keypair) == 1); | ||||
|     CHECK(secp256k1_keypair_create(CTX, &keypair, seckey) == 1); | ||||
|     CHECK(secp256k1_keypair_pub(CTX, pk, &keypair) == 1); | ||||
| } | ||||
| 
 | ||||
| void test_sort_api(void) { | ||||
| @ -665,7 +666,7 @@ void test_sort_api(void) { | ||||
|     secp256k1_pubkey pks[2]; | ||||
|     const secp256k1_pubkey *pks_ptr[2]; | ||||
| 
 | ||||
|     set_counting_callbacks(ctx, &ecount); | ||||
|     set_counting_callbacks(CTX, &ecount); | ||||
| 
 | ||||
|     pks_ptr[0] = &pks[0]; | ||||
|     pks_ptr[1] = &pks[1]; | ||||
| @ -673,16 +674,16 @@ void test_sort_api(void) { | ||||
|     rand_pk(&pks[0]); | ||||
|     rand_pk(&pks[1]); | ||||
| 
 | ||||
|     CHECK(secp256k1_pubkey_sort(ctx, pks_ptr, 2) == 1); | ||||
|     CHECK(secp256k1_pubkey_sort(ctx, NULL, 2) == 0); | ||||
|     CHECK(secp256k1_pubkey_sort(CTX, pks_ptr, 2) == 1); | ||||
|     CHECK(secp256k1_pubkey_sort(CTX, NULL, 2) == 0); | ||||
|     CHECK(ecount == 1); | ||||
|     CHECK(secp256k1_pubkey_sort(ctx, pks_ptr, 0) == 1); | ||||
|     CHECK(secp256k1_pubkey_sort(CTX, pks_ptr, 0) == 1); | ||||
|     /* Test illegal public keys */ | ||||
|     memset(&pks[0], 0, sizeof(pks[0])); | ||||
|     CHECK(secp256k1_pubkey_sort(ctx, pks_ptr, 2) == 1); | ||||
|     CHECK(secp256k1_pubkey_sort(CTX, pks_ptr, 2) == 1); | ||||
|     CHECK(ecount == 2); | ||||
|     memset(&pks[1], 0, sizeof(pks[1])); | ||||
|     CHECK(secp256k1_pubkey_sort(ctx, pks_ptr, 2) == 1); | ||||
|     CHECK(secp256k1_pubkey_sort(CTX, pks_ptr, 2) == 1); | ||||
|     CHECK(ecount > 2); | ||||
| 
 | ||||
| } | ||||
| @ -700,7 +701,7 @@ void test_sort(void) { | ||||
|     size_t pk_order[5] = { 0, 1, 2, 3, 4 }; | ||||
| 
 | ||||
|     for (i = 0; i < 5; i++) { | ||||
|         CHECK(secp256k1_ec_pubkey_parse(ctx, &pk[i], pk_ser[i], sizeof(pk_ser[i]))); | ||||
|         CHECK(secp256k1_ec_pubkey_parse(CTX, &pk[i], pk_ser[i], sizeof(pk_ser[i]))); | ||||
|     } | ||||
| 
 | ||||
|     permute(pk_order, 1); | ||||
| @ -709,25 +710,25 @@ void test_sort(void) { | ||||
|     test_sort_helper(pk, pk_order, 2); | ||||
|     permute(pk_order, 3); | ||||
|     test_sort_helper(pk, pk_order, 3); | ||||
|     for (i = 0; i < count; i++) { | ||||
|     for (i = 0; i < COUNT; i++) { | ||||
|         permute(pk_order, 4); | ||||
|         test_sort_helper(pk, pk_order, 4); | ||||
|     } | ||||
|     for (i = 0; i < count; i++) { | ||||
|     for (i = 0; i < COUNT; i++) { | ||||
|         permute(pk_order, 5); | ||||
|         test_sort_helper(pk, pk_order, 5); | ||||
|     } | ||||
|     /* Check that sorting also works for random pubkeys */ | ||||
|     for (i = 0; i < count; i++) { | ||||
|     for (i = 0; i < COUNT; i++) { | ||||
|         int j; | ||||
|         const secp256k1_pubkey *pk_ptr[5]; | ||||
|         for (j = 0; j < 5; j++) { | ||||
|             rand_pk(&pk[j]); | ||||
|             pk_ptr[j] = &pk[j]; | ||||
|         } | ||||
|         secp256k1_pubkey_sort(ctx, pk_ptr, 5); | ||||
|         secp256k1_pubkey_sort(CTX, pk_ptr, 5); | ||||
|         for (j = 1; j < 5; j++) { | ||||
|             CHECK(secp256k1_pubkey_sort_cmp(&pk_ptr[j - 1], &pk_ptr[j], ctx) <= 0); | ||||
|             CHECK(secp256k1_pubkey_sort_cmp(&pk_ptr[j - 1], &pk_ptr[j], CTX) <= 0); | ||||
|         } | ||||
|     } | ||||
| } | ||||
| @ -768,10 +769,10 @@ void test_sort_vectors(void) { | ||||
|     sorted[5] = &pubkeys[2]; | ||||
| 
 | ||||
|     for (i = 0; i < N_PUBKEYS; i++) { | ||||
|         CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkeys[i], pk_ser[i], sizeof(pk_ser[i]))); | ||||
|         CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkeys[i], pk_ser[i], sizeof(pk_ser[i]))); | ||||
|         pks_ptr[i] = &pubkeys[i]; | ||||
|     } | ||||
|     CHECK(secp256k1_pubkey_sort(ctx, pks_ptr, N_PUBKEYS) == 1); | ||||
|     CHECK(secp256k1_pubkey_sort(CTX, pks_ptr, N_PUBKEYS) == 1); | ||||
|     for (i = 0; i < N_PUBKEYS; i++) { | ||||
|         CHECK(secp256k1_memcmp_var(pks_ptr[i], sorted[i], sizeof(secp256k1_pubkey)) == 0); | ||||
|     } | ||||
|  | ||||
| @ -21,51 +21,53 @@ void test_generator_api(void) { | ||||
|     unsigned char key[32]; | ||||
|     unsigned char blind[32]; | ||||
|     unsigned char sergen[33]; | ||||
|     secp256k1_context *sttc = secp256k1_context_clone(secp256k1_context_static); | ||||
|     secp256k1_generator gen; | ||||
|     int32_t ecount = 0; | ||||
| 
 | ||||
|     secp256k1_context_set_error_callback(ctx, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_error_callback(sttc, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_illegal_callback(sttc, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_error_callback(CTX, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_error_callback(STATIC_CTX, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_illegal_callback(STATIC_CTX, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_testrand256(key); | ||||
|     secp256k1_testrand256(blind); | ||||
| 
 | ||||
|     CHECK(secp256k1_generator_generate(ctx, &gen, key) == 1); | ||||
|     CHECK(secp256k1_generator_generate(CTX, &gen, key) == 1); | ||||
|     CHECK(ecount == 0); | ||||
|     CHECK(secp256k1_generator_generate(ctx, NULL, key) == 0); | ||||
|     CHECK(secp256k1_generator_generate(CTX, NULL, key) == 0); | ||||
|     CHECK(ecount == 1); | ||||
|     CHECK(secp256k1_generator_generate(ctx, &gen, NULL) == 0); | ||||
|     CHECK(secp256k1_generator_generate(CTX, &gen, NULL) == 0); | ||||
|     CHECK(ecount == 2); | ||||
| 
 | ||||
|     CHECK(secp256k1_generator_generate_blinded(ctx, &gen, key, blind) == 1); | ||||
|     CHECK(secp256k1_generator_generate_blinded(CTX, &gen, key, blind) == 1); | ||||
|     CHECK(ecount == 2); | ||||
|     CHECK(secp256k1_generator_generate_blinded(sttc, &gen, key, blind) == 0); | ||||
|     CHECK(secp256k1_generator_generate_blinded(STATIC_CTX, &gen, key, blind) == 0); | ||||
|     CHECK(ecount == 3); | ||||
|     CHECK(secp256k1_generator_generate_blinded(ctx, NULL, key, blind) == 0); | ||||
|     CHECK(secp256k1_generator_generate_blinded(CTX, NULL, key, blind) == 0); | ||||
|     CHECK(ecount == 4); | ||||
|     CHECK(secp256k1_generator_generate_blinded(ctx, &gen, NULL, blind) == 0); | ||||
|     CHECK(secp256k1_generator_generate_blinded(CTX, &gen, NULL, blind) == 0); | ||||
|     CHECK(ecount == 5); | ||||
|     CHECK(secp256k1_generator_generate_blinded(ctx, &gen, key, NULL) == 0); | ||||
|     CHECK(secp256k1_generator_generate_blinded(CTX, &gen, key, NULL) == 0); | ||||
|     CHECK(ecount == 6); | ||||
| 
 | ||||
|     CHECK(secp256k1_generator_serialize(ctx, sergen, &gen) == 1); | ||||
|     CHECK(secp256k1_generator_serialize(CTX, sergen, &gen) == 1); | ||||
|     CHECK(ecount == 6); | ||||
|     CHECK(secp256k1_generator_serialize(ctx, NULL, &gen) == 0); | ||||
|     CHECK(secp256k1_generator_serialize(CTX, NULL, &gen) == 0); | ||||
|     CHECK(ecount == 7); | ||||
|     CHECK(secp256k1_generator_serialize(ctx, sergen, NULL) == 0); | ||||
|     CHECK(secp256k1_generator_serialize(CTX, sergen, NULL) == 0); | ||||
|     CHECK(ecount == 8); | ||||
| 
 | ||||
|     CHECK(secp256k1_generator_serialize(ctx, sergen, &gen) == 1); | ||||
|     CHECK(secp256k1_generator_parse(ctx, &gen, sergen) == 1); | ||||
|     CHECK(secp256k1_generator_serialize(CTX, sergen, &gen) == 1); | ||||
|     CHECK(secp256k1_generator_parse(CTX, &gen, sergen) == 1); | ||||
|     CHECK(ecount == 8); | ||||
|     CHECK(secp256k1_generator_parse(ctx, NULL, sergen) == 0); | ||||
|     CHECK(secp256k1_generator_parse(CTX, NULL, sergen) == 0); | ||||
|     CHECK(ecount == 9); | ||||
|     CHECK(secp256k1_generator_parse(ctx, &gen, NULL) == 0); | ||||
|     CHECK(secp256k1_generator_parse(CTX, &gen, NULL) == 0); | ||||
|     CHECK(ecount == 10); | ||||
| 
 | ||||
|     secp256k1_context_destroy(sttc); | ||||
|     secp256k1_context_set_error_callback(CTX, NULL, NULL); | ||||
|     secp256k1_context_set_error_callback(STATIC_CTX, NULL, NULL); | ||||
|     secp256k1_context_set_illegal_callback(CTX, NULL, NULL); | ||||
|     secp256k1_context_set_illegal_callback(STATIC_CTX, NULL, NULL); | ||||
| } | ||||
| 
 | ||||
| void test_shallue_van_de_woestijne(void) { | ||||
| @ -171,11 +173,11 @@ void test_generator_generate(void) { | ||||
|     for (i = 1; i <= 32; i++) { | ||||
|         memset(v, 0, 31); | ||||
|         v[31] = i; | ||||
|         CHECK(secp256k1_generator_generate_blinded(ctx, &gen, v, s)); | ||||
|         CHECK(secp256k1_generator_generate_blinded(CTX, &gen, v, s)); | ||||
|         secp256k1_generator_load(&ge, &gen); | ||||
|         secp256k1_ge_to_storage(&ges, &ge); | ||||
|         CHECK(secp256k1_memcmp_var(&ges, &results[i - 1], sizeof(secp256k1_ge_storage)) == 0); | ||||
|         CHECK(secp256k1_generator_generate(ctx, &gen, v)); | ||||
|         CHECK(secp256k1_generator_generate(CTX, &gen, v)); | ||||
|         secp256k1_generator_load(&ge, &gen); | ||||
|         secp256k1_ge_to_storage(&ges, &ge); | ||||
|         CHECK(secp256k1_memcmp_var(&ges, &results[i - 1], sizeof(secp256k1_ge_storage)) == 0); | ||||
| @ -185,9 +187,9 @@ void test_generator_generate(void) { | ||||
|      * valid scalar. Check that an invalid blinder causes the call to fail | ||||
|      * but not crash. */ | ||||
|     memset(v, 0xff, 32); | ||||
|     CHECK(secp256k1_generator_generate(ctx, &gen, v)); | ||||
|     CHECK(secp256k1_generator_generate(CTX, &gen, v)); | ||||
|     memset(s, 0xff, 32); | ||||
|     CHECK(!secp256k1_generator_generate_blinded(ctx, &gen, v, s)); | ||||
|     CHECK(!secp256k1_generator_generate_blinded(CTX, &gen, v, s)); | ||||
| } | ||||
| 
 | ||||
| void test_generator_fixed_vector(void) { | ||||
| @ -199,18 +201,17 @@ void test_generator_fixed_vector(void) { | ||||
|     unsigned char result[33]; | ||||
|     secp256k1_generator parse; | ||||
| 
 | ||||
|     CHECK(secp256k1_generator_parse(ctx, &parse, two_g)); | ||||
|     CHECK(secp256k1_generator_serialize(ctx, result, &parse)); | ||||
|     CHECK(secp256k1_generator_parse(CTX, &parse, two_g)); | ||||
|     CHECK(secp256k1_generator_serialize(CTX, result, &parse)); | ||||
|     CHECK(secp256k1_memcmp_var(two_g, result, 33) == 0); | ||||
| 
 | ||||
|     result[0] = 0x0a; | ||||
|     CHECK(secp256k1_generator_parse(ctx, &parse, result)); | ||||
|     CHECK(secp256k1_generator_parse(CTX, &parse, result)); | ||||
|     result[0] = 0x08; | ||||
|     CHECK(!secp256k1_generator_parse(ctx, &parse, result)); | ||||
|     CHECK(!secp256k1_generator_parse(CTX, &parse, result)); | ||||
| } | ||||
| 
 | ||||
| static void test_pedersen_api(void) { | ||||
|     secp256k1_context *sttc = secp256k1_context_clone(secp256k1_context_static); | ||||
|     secp256k1_pedersen_commitment commit; | ||||
|     const secp256k1_pedersen_commitment *commit_ptr = &commit; | ||||
|     unsigned char blind[32]; | ||||
| @ -220,60 +221,63 @@ static void test_pedersen_api(void) { | ||||
|     uint64_t val = secp256k1_testrand32(); | ||||
|     int32_t ecount = 0; | ||||
| 
 | ||||
|     secp256k1_context_set_error_callback(ctx, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_error_callback(sttc, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_illegal_callback(sttc, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_error_callback(CTX, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_error_callback(STATIC_CTX, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_illegal_callback(STATIC_CTX, counting_illegal_callback_fn, &ecount); | ||||
| 
 | ||||
|     secp256k1_testrand256(blind); | ||||
|     CHECK(secp256k1_pedersen_commit(ctx, &commit, blind, val, secp256k1_generator_h) != 0); | ||||
|     CHECK(secp256k1_pedersen_commit(CTX, &commit, blind, val, secp256k1_generator_h) != 0); | ||||
|     CHECK(ecount == 0); | ||||
|     CHECK(secp256k1_pedersen_commit(sttc, &commit, blind, val, secp256k1_generator_h) == 0); | ||||
|     CHECK(secp256k1_pedersen_commit(STATIC_CTX, &commit, blind, val, secp256k1_generator_h) == 0); | ||||
|     CHECK(ecount == 1); | ||||
| 
 | ||||
|     CHECK(secp256k1_pedersen_commit(ctx, NULL, blind, val, secp256k1_generator_h) == 0); | ||||
|     CHECK(secp256k1_pedersen_commit(CTX, NULL, blind, val, secp256k1_generator_h) == 0); | ||||
|     CHECK(ecount == 2); | ||||
|     CHECK(secp256k1_pedersen_commit(ctx, &commit, NULL, val, secp256k1_generator_h) == 0); | ||||
|     CHECK(secp256k1_pedersen_commit(CTX, &commit, NULL, val, secp256k1_generator_h) == 0); | ||||
|     CHECK(ecount == 3); | ||||
|     CHECK(secp256k1_pedersen_commit(ctx, &commit, blind, val, NULL) == 0); | ||||
|     CHECK(secp256k1_pedersen_commit(CTX, &commit, blind, val, NULL) == 0); | ||||
|     CHECK(ecount == 4); | ||||
| 
 | ||||
|     CHECK(secp256k1_pedersen_blind_sum(ctx, blind_out, &blind_ptr, 1, 1) != 0); | ||||
|     CHECK(secp256k1_pedersen_blind_sum(CTX, blind_out, &blind_ptr, 1, 1) != 0); | ||||
|     CHECK(ecount == 4); | ||||
|     CHECK(secp256k1_pedersen_blind_sum(ctx, NULL, &blind_ptr, 1, 1) == 0); | ||||
|     CHECK(secp256k1_pedersen_blind_sum(CTX, NULL, &blind_ptr, 1, 1) == 0); | ||||
|     CHECK(ecount == 5); | ||||
|     CHECK(secp256k1_pedersen_blind_sum(ctx, blind_out, NULL, 1, 1) == 0); | ||||
|     CHECK(secp256k1_pedersen_blind_sum(CTX, blind_out, NULL, 1, 1) == 0); | ||||
|     CHECK(ecount == 6); | ||||
|     CHECK(secp256k1_pedersen_blind_sum(ctx, blind_out, &blind_ptr, 0, 1) == 0); | ||||
|     CHECK(secp256k1_pedersen_blind_sum(CTX, blind_out, &blind_ptr, 0, 1) == 0); | ||||
|     CHECK(ecount == 7); | ||||
|     CHECK(secp256k1_pedersen_blind_sum(ctx, blind_out, &blind_ptr, 0, 0) != 0); | ||||
|     CHECK(secp256k1_pedersen_blind_sum(CTX, blind_out, &blind_ptr, 0, 0) != 0); | ||||
|     CHECK(ecount == 7); | ||||
| 
 | ||||
|     CHECK(secp256k1_pedersen_commit(ctx, &commit, blind, val, secp256k1_generator_h) != 0); | ||||
|     CHECK(secp256k1_pedersen_verify_tally(ctx, &commit_ptr, 1, &commit_ptr, 1) != 0); | ||||
|     CHECK(secp256k1_pedersen_verify_tally(ctx, NULL, 0, &commit_ptr, 1) == 0); | ||||
|     CHECK(secp256k1_pedersen_verify_tally(ctx, &commit_ptr, 1, NULL, 0) == 0); | ||||
|     CHECK(secp256k1_pedersen_verify_tally(ctx, NULL, 0, NULL, 0) != 0); | ||||
|     CHECK(secp256k1_pedersen_commit(CTX, &commit, blind, val, secp256k1_generator_h) != 0); | ||||
|     CHECK(secp256k1_pedersen_verify_tally(CTX, &commit_ptr, 1, &commit_ptr, 1) != 0); | ||||
|     CHECK(secp256k1_pedersen_verify_tally(CTX, NULL, 0, &commit_ptr, 1) == 0); | ||||
|     CHECK(secp256k1_pedersen_verify_tally(CTX, &commit_ptr, 1, NULL, 0) == 0); | ||||
|     CHECK(secp256k1_pedersen_verify_tally(CTX, NULL, 0, NULL, 0) != 0); | ||||
|     CHECK(ecount == 7); | ||||
|     CHECK(secp256k1_pedersen_verify_tally(ctx, NULL, 1, &commit_ptr, 1) == 0); | ||||
|     CHECK(secp256k1_pedersen_verify_tally(CTX, NULL, 1, &commit_ptr, 1) == 0); | ||||
|     CHECK(ecount == 8); | ||||
|     CHECK(secp256k1_pedersen_verify_tally(ctx, &commit_ptr, 1, NULL, 1) == 0); | ||||
|     CHECK(secp256k1_pedersen_verify_tally(CTX, &commit_ptr, 1, NULL, 1) == 0); | ||||
|     CHECK(ecount == 9); | ||||
| 
 | ||||
|     CHECK(secp256k1_pedersen_blind_generator_blind_sum(ctx, &val, &blind_ptr, &blind_out_ptr, 1, 0) != 0); | ||||
|     CHECK(secp256k1_pedersen_blind_generator_blind_sum(CTX, &val, &blind_ptr, &blind_out_ptr, 1, 0) != 0); | ||||
|     CHECK(ecount == 9); | ||||
|     CHECK(secp256k1_pedersen_blind_generator_blind_sum(ctx, &val, &blind_ptr, &blind_out_ptr, 1, 1) == 0); | ||||
|     CHECK(secp256k1_pedersen_blind_generator_blind_sum(CTX, &val, &blind_ptr, &blind_out_ptr, 1, 1) == 0); | ||||
|     CHECK(ecount == 10); | ||||
|     CHECK(secp256k1_pedersen_blind_generator_blind_sum(ctx, &val, &blind_ptr, &blind_out_ptr, 0, 0) == 0); | ||||
|     CHECK(secp256k1_pedersen_blind_generator_blind_sum(CTX, &val, &blind_ptr, &blind_out_ptr, 0, 0) == 0); | ||||
|     CHECK(ecount == 11); | ||||
|     CHECK(secp256k1_pedersen_blind_generator_blind_sum(ctx, NULL, &blind_ptr, &blind_out_ptr, 1, 0) == 0); | ||||
|     CHECK(secp256k1_pedersen_blind_generator_blind_sum(CTX, NULL, &blind_ptr, &blind_out_ptr, 1, 0) == 0); | ||||
|     CHECK(ecount == 12); | ||||
|     CHECK(secp256k1_pedersen_blind_generator_blind_sum(ctx, &val, NULL, &blind_out_ptr, 1, 0) == 0); | ||||
|     CHECK(secp256k1_pedersen_blind_generator_blind_sum(CTX, &val, NULL, &blind_out_ptr, 1, 0) == 0); | ||||
|     CHECK(ecount == 13); | ||||
|     CHECK(secp256k1_pedersen_blind_generator_blind_sum(ctx, &val, &blind_ptr, NULL, 1, 0) == 0); | ||||
|     CHECK(secp256k1_pedersen_blind_generator_blind_sum(CTX, &val, &blind_ptr, NULL, 1, 0) == 0); | ||||
|     CHECK(ecount == 14); | ||||
| 
 | ||||
|     secp256k1_context_destroy(sttc); | ||||
|     secp256k1_context_set_error_callback(CTX, NULL, NULL); | ||||
|     secp256k1_context_set_error_callback(STATIC_CTX, NULL, NULL); | ||||
|     secp256k1_context_set_illegal_callback(CTX, NULL, NULL); | ||||
|     secp256k1_context_set_illegal_callback(STATIC_CTX, NULL, NULL); | ||||
| } | ||||
| 
 | ||||
| static void test_pedersen(void) { | ||||
| @ -310,14 +314,14 @@ static void test_pedersen(void) { | ||||
|         random_scalar_order(&s); | ||||
|         secp256k1_scalar_get_b32(&blinds[i * 32], &s); | ||||
|     } | ||||
|     CHECK(secp256k1_pedersen_blind_sum(ctx, &blinds[(total - 1) * 32], bptr, total - 1, inputs)); | ||||
|     CHECK(secp256k1_pedersen_blind_sum(CTX, &blinds[(total - 1) * 32], bptr, total - 1, inputs)); | ||||
|     for (i = 0; i < total; i++) { | ||||
|         CHECK(secp256k1_pedersen_commit(ctx, &commits[i], &blinds[i * 32], values[i], secp256k1_generator_h)); | ||||
|         CHECK(secp256k1_pedersen_commit(CTX, &commits[i], &blinds[i * 32], values[i], secp256k1_generator_h)); | ||||
|     } | ||||
|     CHECK(secp256k1_pedersen_verify_tally(ctx, cptr, inputs, &cptr[inputs], outputs)); | ||||
|     CHECK(secp256k1_pedersen_verify_tally(ctx, &cptr[inputs], outputs, cptr, inputs)); | ||||
|     CHECK(secp256k1_pedersen_verify_tally(CTX, cptr, inputs, &cptr[inputs], outputs)); | ||||
|     CHECK(secp256k1_pedersen_verify_tally(CTX, &cptr[inputs], outputs, cptr, inputs)); | ||||
|     if (inputs > 0 && values[0] > 0) { | ||||
|         CHECK(!secp256k1_pedersen_verify_tally(ctx, cptr, inputs - 1, &cptr[inputs], outputs)); | ||||
|         CHECK(!secp256k1_pedersen_verify_tally(CTX, cptr, inputs - 1, &cptr[inputs], outputs)); | ||||
|     } | ||||
|     random_scalar_order(&s); | ||||
|     for (i = 0; i < 4; i++) { | ||||
| @ -327,10 +331,10 @@ static void test_pedersen(void) { | ||||
|     values[1] = 0; | ||||
|     values[2] = 1; | ||||
|     for (i = 0; i < 3; i++) { | ||||
|         CHECK(secp256k1_pedersen_commit(ctx, &commits[i], &blinds[i * 32], values[i], secp256k1_generator_h)); | ||||
|         CHECK(secp256k1_pedersen_commit(CTX, &commits[i], &blinds[i * 32], values[i], secp256k1_generator_h)); | ||||
|     } | ||||
|     CHECK(secp256k1_pedersen_verify_tally(ctx, &cptr[0], 1, &cptr[0], 1)); | ||||
|     CHECK(secp256k1_pedersen_verify_tally(ctx, &cptr[1], 1, &cptr[1], 1)); | ||||
|     CHECK(secp256k1_pedersen_verify_tally(CTX, &cptr[0], 1, &cptr[0], 1)); | ||||
|     CHECK(secp256k1_pedersen_verify_tally(CTX, &cptr[1], 1, &cptr[1], 1)); | ||||
| } | ||||
| 
 | ||||
| void test_pedersen_commitment_fixed_vector(void) { | ||||
| @ -342,14 +346,14 @@ void test_pedersen_commitment_fixed_vector(void) { | ||||
|     unsigned char result[33]; | ||||
|     secp256k1_pedersen_commitment parse; | ||||
| 
 | ||||
|     CHECK(secp256k1_pedersen_commitment_parse(ctx, &parse, two_g)); | ||||
|     CHECK(secp256k1_pedersen_commitment_serialize(ctx, result, &parse)); | ||||
|     CHECK(secp256k1_pedersen_commitment_parse(CTX, &parse, two_g)); | ||||
|     CHECK(secp256k1_pedersen_commitment_serialize(CTX, result, &parse)); | ||||
|     CHECK(secp256k1_memcmp_var(two_g, result, 33) == 0); | ||||
| 
 | ||||
|     result[0] = 0x08; | ||||
|     CHECK(secp256k1_pedersen_commitment_parse(ctx, &parse, result)); | ||||
|     CHECK(secp256k1_pedersen_commitment_parse(CTX, &parse, result)); | ||||
|     result[0] = 0x0c; | ||||
|     CHECK(!secp256k1_pedersen_commitment_parse(ctx, &parse, result)); | ||||
|     CHECK(!secp256k1_pedersen_commitment_parse(CTX, &parse, result)); | ||||
| } | ||||
| 
 | ||||
| 
 | ||||
| @ -362,7 +366,7 @@ void run_generator_tests(void) { | ||||
|     test_generator_generate(); | ||||
|     test_pedersen_api(); | ||||
|     test_pedersen_commitment_fixed_vector(); | ||||
|     for (i = 0; i < count / 2 + 1; i++) { | ||||
|     for (i = 0; i < COUNT / 2 + 1; i++) { | ||||
|         test_pedersen(); | ||||
|     } | ||||
| } | ||||
|  | ||||
										
											
												File diff suppressed because it is too large
												Load Diff
											
										
									
								
							| @ -16,7 +16,7 @@ | ||||
| 
 | ||||
| #include "../../../include/secp256k1_rangeproof.h" | ||||
| 
 | ||||
| static void test_rangeproof_api(const secp256k1_context *sttc, const int32_t *ecount) { | ||||
| static void test_rangeproof_api(const int32_t *ecount) { | ||||
|     unsigned char proof[5134]; | ||||
|     unsigned char blind[32]; | ||||
|     secp256k1_pedersen_commitment commit; | ||||
| @ -30,83 +30,83 @@ static void test_rangeproof_api(const secp256k1_context *sttc, const int32_t *ec | ||||
|     size_t ext_commit_len = sizeof(ext_commit); | ||||
| 
 | ||||
|     secp256k1_testrand256(blind); | ||||
|     CHECK(secp256k1_pedersen_commit(ctx, &commit, blind, val, secp256k1_generator_h)); | ||||
|     CHECK(secp256k1_pedersen_commit(CTX, &commit, blind, val, secp256k1_generator_h)); | ||||
| 
 | ||||
|     CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, secp256k1_generator_h) == 1); | ||||
|     CHECK(secp256k1_rangeproof_sign(CTX, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, secp256k1_generator_h) == 1); | ||||
|     CHECK(*ecount == 0); | ||||
|     CHECK(secp256k1_rangeproof_sign(sttc, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|     CHECK(secp256k1_rangeproof_sign(STATIC_CTX, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|     CHECK(*ecount == 1); | ||||
| 
 | ||||
|     CHECK(secp256k1_rangeproof_sign(ctx, NULL, &len, vmin, &commit, blind, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|     CHECK(secp256k1_rangeproof_sign(CTX, NULL, &len, vmin, &commit, blind, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|     CHECK(*ecount == 2); | ||||
|     CHECK(secp256k1_rangeproof_sign(ctx, proof, NULL, vmin, &commit, blind, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|     CHECK(secp256k1_rangeproof_sign(CTX, proof, NULL, vmin, &commit, blind, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|     CHECK(*ecount == 3); | ||||
|     CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, vmin, NULL, blind, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|     CHECK(secp256k1_rangeproof_sign(CTX, proof, &len, vmin, NULL, blind, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|     CHECK(*ecount == 4); | ||||
|     CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, vmin, &commit, NULL, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|     CHECK(secp256k1_rangeproof_sign(CTX, proof, &len, vmin, &commit, NULL, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|     CHECK(*ecount == 5); | ||||
|     CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, vmin, &commit, blind, NULL, 0, 0, val, message, mlen, ext_commit, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|     CHECK(secp256k1_rangeproof_sign(CTX, proof, &len, vmin, &commit, blind, NULL, 0, 0, val, message, mlen, ext_commit, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|     CHECK(*ecount == 6); | ||||
|     CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, vmin, &commit, blind, commit.data, 0, 0, vmin - 1, message, mlen, ext_commit, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|     CHECK(secp256k1_rangeproof_sign(CTX, proof, &len, vmin, &commit, blind, commit.data, 0, 0, vmin - 1, message, mlen, ext_commit, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|     CHECK(*ecount == 6); | ||||
|     CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, NULL, mlen, ext_commit, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|     CHECK(secp256k1_rangeproof_sign(CTX, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, NULL, mlen, ext_commit, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|     CHECK(*ecount == 7); | ||||
|     CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, NULL, 0, ext_commit, ext_commit_len, secp256k1_generator_h) != 0); | ||||
|     CHECK(secp256k1_rangeproof_sign(CTX, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, NULL, 0, ext_commit, ext_commit_len, secp256k1_generator_h) != 0); | ||||
|     CHECK(*ecount == 7); | ||||
|     CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, NULL, 0, NULL, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|     CHECK(secp256k1_rangeproof_sign(CTX, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, NULL, 0, NULL, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|     CHECK(*ecount == 8); | ||||
|     CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, NULL, 0, NULL, 0, secp256k1_generator_h) != 0); | ||||
|     CHECK(secp256k1_rangeproof_sign(CTX, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, NULL, 0, NULL, 0, secp256k1_generator_h) != 0); | ||||
|     CHECK(*ecount == 8); | ||||
|     CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, NULL, 0, NULL, 0, NULL) == 0); | ||||
|     CHECK(secp256k1_rangeproof_sign(CTX, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, NULL, 0, NULL, 0, NULL) == 0); | ||||
|     CHECK(*ecount == 9); | ||||
| 
 | ||||
|     CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, secp256k1_generator_h) != 0); | ||||
|     CHECK(secp256k1_rangeproof_sign(CTX, proof, &len, vmin, &commit, blind, commit.data, 0, 0, val, message, mlen, ext_commit, ext_commit_len, secp256k1_generator_h) != 0); | ||||
|     { | ||||
|         int exp; | ||||
|         int mantissa; | ||||
|         uint64_t min_value; | ||||
|         uint64_t max_value; | ||||
|         CHECK(secp256k1_rangeproof_info(ctx, &exp, &mantissa, &min_value, &max_value, proof, len) != 0); | ||||
|         CHECK(secp256k1_rangeproof_info(CTX, &exp, &mantissa, &min_value, &max_value, proof, len) != 0); | ||||
|         CHECK(exp == 0); | ||||
|         CHECK(((uint64_t) 1 << mantissa) > val - vmin); | ||||
|         CHECK(((uint64_t) 1 << (mantissa - 1)) <= val - vmin); | ||||
|         CHECK(min_value == vmin); | ||||
|         CHECK(max_value >= val); | ||||
| 
 | ||||
|         CHECK(secp256k1_rangeproof_info(ctx, NULL, &mantissa, &min_value, &max_value, proof, len) == 0); | ||||
|         CHECK(secp256k1_rangeproof_info(CTX, NULL, &mantissa, &min_value, &max_value, proof, len) == 0); | ||||
|         CHECK(*ecount == 10); | ||||
|         CHECK(secp256k1_rangeproof_info(ctx, &exp, NULL, &min_value, &max_value, proof, len) == 0); | ||||
|         CHECK(secp256k1_rangeproof_info(CTX, &exp, NULL, &min_value, &max_value, proof, len) == 0); | ||||
|         CHECK(*ecount == 11); | ||||
|         CHECK(secp256k1_rangeproof_info(ctx, &exp, &mantissa, NULL, &max_value, proof, len) == 0); | ||||
|         CHECK(secp256k1_rangeproof_info(CTX, &exp, &mantissa, NULL, &max_value, proof, len) == 0); | ||||
|         CHECK(*ecount == 12); | ||||
|         CHECK(secp256k1_rangeproof_info(ctx, &exp, &mantissa, &min_value, NULL, proof, len) == 0); | ||||
|         CHECK(secp256k1_rangeproof_info(CTX, &exp, &mantissa, &min_value, NULL, proof, len) == 0); | ||||
|         CHECK(*ecount == 13); | ||||
|         CHECK(secp256k1_rangeproof_info(ctx, &exp, &mantissa, &min_value, &max_value, NULL, len) == 0); | ||||
|         CHECK(secp256k1_rangeproof_info(CTX, &exp, &mantissa, &min_value, &max_value, NULL, len) == 0); | ||||
|         CHECK(*ecount == 14); | ||||
|         CHECK(secp256k1_rangeproof_info(ctx, &exp, &mantissa, &min_value, &max_value, proof, 0) == 0); | ||||
|         CHECK(secp256k1_rangeproof_info(CTX, &exp, &mantissa, &min_value, &max_value, proof, 0) == 0); | ||||
|         CHECK(*ecount == 14); | ||||
|     } | ||||
|     { | ||||
|         uint64_t min_value; | ||||
|         uint64_t max_value; | ||||
|         CHECK(secp256k1_rangeproof_verify(ctx, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 1); | ||||
|         CHECK(secp256k1_rangeproof_verify(CTX, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 1); | ||||
|         CHECK(*ecount == 14); | ||||
| 
 | ||||
|         CHECK(secp256k1_rangeproof_verify(ctx, NULL, &max_value, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|         CHECK(secp256k1_rangeproof_verify(CTX, NULL, &max_value, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|         CHECK(*ecount == 15); | ||||
|         CHECK(secp256k1_rangeproof_verify(ctx, &min_value, NULL, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|         CHECK(secp256k1_rangeproof_verify(CTX, &min_value, NULL, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|         CHECK(*ecount == 16); | ||||
|         CHECK(secp256k1_rangeproof_verify(ctx, &min_value, &max_value, NULL, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|         CHECK(secp256k1_rangeproof_verify(CTX, &min_value, &max_value, NULL, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|         CHECK(*ecount == 17); | ||||
|         CHECK(secp256k1_rangeproof_verify(ctx, &min_value, &max_value, &commit, NULL, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|         CHECK(secp256k1_rangeproof_verify(CTX, &min_value, &max_value, &commit, NULL, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|         CHECK(*ecount == 18); | ||||
|         CHECK(secp256k1_rangeproof_verify(ctx, &min_value, &max_value, &commit, proof, 0, ext_commit, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|         CHECK(secp256k1_rangeproof_verify(CTX, &min_value, &max_value, &commit, proof, 0, ext_commit, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|         CHECK(*ecount == 18); | ||||
|         CHECK(secp256k1_rangeproof_verify(ctx, &min_value, &max_value, &commit, proof, len, NULL, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|         CHECK(secp256k1_rangeproof_verify(CTX, &min_value, &max_value, &commit, proof, len, NULL, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|         CHECK(*ecount == 19); | ||||
|         CHECK(secp256k1_rangeproof_verify(ctx, &min_value, &max_value, &commit, proof, len, NULL, 0, secp256k1_generator_h) == 0); | ||||
|         CHECK(secp256k1_rangeproof_verify(CTX, &min_value, &max_value, &commit, proof, len, NULL, 0, secp256k1_generator_h) == 0); | ||||
|         CHECK(*ecount == 19); | ||||
|         CHECK(secp256k1_rangeproof_verify(ctx, &min_value, &max_value, &commit, proof, len, NULL, 0, NULL) == 0); | ||||
|         CHECK(secp256k1_rangeproof_verify(CTX, &min_value, &max_value, &commit, proof, len, NULL, 0, NULL) == 0); | ||||
|         CHECK(*ecount == 20); | ||||
|     } | ||||
|     { | ||||
| @ -117,9 +117,9 @@ static void test_rangeproof_api(const secp256k1_context *sttc, const int32_t *ec | ||||
|         uint64_t max_value; | ||||
|         size_t message_len = sizeof(message_out); | ||||
| 
 | ||||
|         CHECK(secp256k1_rangeproof_rewind(ctx, blind_out, &value_out, message_out, &message_len, commit.data, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 1); | ||||
|         CHECK(secp256k1_rangeproof_rewind(CTX, blind_out, &value_out, message_out, &message_len, commit.data, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 1); | ||||
|         CHECK(*ecount == 20); | ||||
|         CHECK(secp256k1_rangeproof_rewind(sttc, blind_out, &value_out, message_out, &message_len, commit.data, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|         CHECK(secp256k1_rangeproof_rewind(STATIC_CTX, blind_out, &value_out, message_out, &message_len, commit.data, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|         CHECK(*ecount == 21); | ||||
| 
 | ||||
|         CHECK(min_value == vmin); | ||||
| @ -128,56 +128,58 @@ static void test_rangeproof_api(const secp256k1_context *sttc, const int32_t *ec | ||||
|         CHECK(message_len == sizeof(message_out)); | ||||
|         CHECK(secp256k1_memcmp_var(message, message_out, sizeof(message_out)) == 0); | ||||
| 
 | ||||
|         CHECK(secp256k1_rangeproof_rewind(ctx, NULL, &value_out, message_out, &message_len, commit.data, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) != 0); | ||||
|         CHECK(secp256k1_rangeproof_rewind(CTX, NULL, &value_out, message_out, &message_len, commit.data, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) != 0); | ||||
|         CHECK(*ecount == 21);  /* blindout may be NULL */ | ||||
|         CHECK(secp256k1_rangeproof_rewind(ctx, blind_out, NULL, message_out, &message_len, commit.data, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) != 0); | ||||
|         CHECK(secp256k1_rangeproof_rewind(CTX, blind_out, NULL, message_out, &message_len, commit.data, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) != 0); | ||||
|         CHECK(*ecount == 21);  /* valueout may be NULL */ | ||||
|         CHECK(secp256k1_rangeproof_rewind(ctx, blind_out, &value_out, NULL, &message_len, commit.data, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|         CHECK(secp256k1_rangeproof_rewind(CTX, blind_out, &value_out, NULL, &message_len, commit.data, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|         CHECK(*ecount == 22); | ||||
|         CHECK(secp256k1_rangeproof_rewind(ctx, blind_out, &value_out, NULL, 0, commit.data, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) != 0); | ||||
|         CHECK(secp256k1_rangeproof_rewind(CTX, blind_out, &value_out, NULL, 0, commit.data, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) != 0); | ||||
|         CHECK(*ecount == 22); | ||||
|         CHECK(secp256k1_rangeproof_rewind(ctx, blind_out, &value_out, NULL, 0, NULL, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|         CHECK(secp256k1_rangeproof_rewind(CTX, blind_out, &value_out, NULL, 0, NULL, &min_value, &max_value, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|         CHECK(*ecount == 23); | ||||
|         CHECK(secp256k1_rangeproof_rewind(ctx, blind_out, &value_out, NULL, 0, commit.data, NULL, &max_value, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|         CHECK(secp256k1_rangeproof_rewind(CTX, blind_out, &value_out, NULL, 0, commit.data, NULL, &max_value, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|         CHECK(*ecount == 24); | ||||
|         CHECK(secp256k1_rangeproof_rewind(ctx, blind_out, &value_out, NULL, 0, commit.data, &min_value, NULL, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|         CHECK(secp256k1_rangeproof_rewind(CTX, blind_out, &value_out, NULL, 0, commit.data, &min_value, NULL, &commit, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|         CHECK(*ecount == 25); | ||||
|         CHECK(secp256k1_rangeproof_rewind(ctx, blind_out, &value_out, NULL, 0, commit.data, &min_value, &max_value, NULL, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|         CHECK(secp256k1_rangeproof_rewind(CTX, blind_out, &value_out, NULL, 0, commit.data, &min_value, &max_value, NULL, proof, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|         CHECK(*ecount == 26); | ||||
|         CHECK(secp256k1_rangeproof_rewind(ctx, blind_out, &value_out, NULL, 0, commit.data, &min_value, &max_value, &commit, NULL, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|         CHECK(secp256k1_rangeproof_rewind(CTX, blind_out, &value_out, NULL, 0, commit.data, &min_value, &max_value, &commit, NULL, len, ext_commit, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|         CHECK(*ecount == 27); | ||||
|         CHECK(secp256k1_rangeproof_rewind(ctx, blind_out, &value_out, NULL, 0, commit.data, &min_value, &max_value, &commit, proof, 0, ext_commit, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|         CHECK(secp256k1_rangeproof_rewind(CTX, blind_out, &value_out, NULL, 0, commit.data, &min_value, &max_value, &commit, proof, 0, ext_commit, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|         CHECK(*ecount == 27); | ||||
|         CHECK(secp256k1_rangeproof_rewind(ctx, blind_out, &value_out, NULL, 0, commit.data, &min_value, &max_value, &commit, proof, len, NULL, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|         CHECK(secp256k1_rangeproof_rewind(CTX, blind_out, &value_out, NULL, 0, commit.data, &min_value, &max_value, &commit, proof, len, NULL, ext_commit_len, secp256k1_generator_h) == 0); | ||||
|         CHECK(*ecount == 28); | ||||
|         CHECK(secp256k1_rangeproof_rewind(ctx, blind_out, &value_out, NULL, 0, commit.data, &min_value, &max_value, &commit, proof, len, NULL, 0, secp256k1_generator_h) == 0); | ||||
|         CHECK(secp256k1_rangeproof_rewind(CTX, blind_out, &value_out, NULL, 0, commit.data, &min_value, &max_value, &commit, proof, len, NULL, 0, secp256k1_generator_h) == 0); | ||||
|         CHECK(*ecount == 28); | ||||
|         CHECK(secp256k1_rangeproof_rewind(ctx, blind_out, &value_out, NULL, 0, commit.data, &min_value, &max_value, &commit, proof, len, NULL, 0, NULL) == 0); | ||||
|         CHECK(secp256k1_rangeproof_rewind(CTX, blind_out, &value_out, NULL, 0, commit.data, &min_value, &max_value, &commit, proof, len, NULL, 0, NULL) == 0); | ||||
|         CHECK(*ecount == 29); | ||||
|     } | ||||
| 
 | ||||
|     /* This constant is hardcoded in these tests and elsewhere, so we
 | ||||
|      * consider it to be part of the API and test it here. */ | ||||
|     CHECK(secp256k1_rangeproof_max_size(ctx, 0, 64) == 5134); | ||||
|     CHECK(secp256k1_rangeproof_max_size(ctx, UINT64_MAX, 0) == 5134); | ||||
|     CHECK(secp256k1_rangeproof_max_size(CTX, 0, 64) == 5134); | ||||
|     CHECK(secp256k1_rangeproof_max_size(CTX, UINT64_MAX, 0) == 5134); | ||||
| } | ||||
| 
 | ||||
| static void test_api(void) { | ||||
|     secp256k1_context *sttc = secp256k1_context_clone(secp256k1_context_static); | ||||
|     int32_t ecount; | ||||
|     int i; | ||||
| 
 | ||||
|     secp256k1_context_set_error_callback(ctx, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_error_callback(sttc, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_illegal_callback(sttc, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_error_callback(CTX, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_error_callback(STATIC_CTX, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_illegal_callback(STATIC_CTX, counting_illegal_callback_fn, &ecount); | ||||
| 
 | ||||
|     for (i = 0; i < count; i++) { | ||||
|     for (i = 0; i < COUNT; i++) { | ||||
|         ecount = 0; | ||||
|         test_rangeproof_api(sttc, &ecount); | ||||
|         test_rangeproof_api(&ecount); | ||||
|     } | ||||
| 
 | ||||
|     secp256k1_context_destroy(sttc); | ||||
|     secp256k1_context_set_error_callback(CTX, NULL, NULL); | ||||
|     secp256k1_context_set_error_callback(STATIC_CTX, NULL, NULL); | ||||
|     secp256k1_context_set_illegal_callback(CTX, NULL, NULL); | ||||
|     secp256k1_context_set_illegal_callback(STATIC_CTX, NULL, NULL); | ||||
| } | ||||
| 
 | ||||
| static void test_borromean(void) { | ||||
| @ -219,7 +221,7 @@ static void test_borromean(void) { | ||||
|                 s[i] = one; | ||||
|             } | ||||
|             if (j == secidx[i]) { | ||||
|                 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubs[c + j], &sec[i]); | ||||
|                 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &pubs[c + j], &sec[i]); | ||||
|             } else { | ||||
|                 random_group_element_test(&ge); | ||||
|                 random_group_element_jacobian_test(&pubs[c + j],&ge); | ||||
| @ -227,7 +229,7 @@ static void test_borromean(void) { | ||||
|         } | ||||
|         c += rsizes[i]; | ||||
|     } | ||||
|     CHECK(secp256k1_borromean_sign(&ctx->ecmult_gen_ctx, e0, s, pubs, k, sec, rsizes, secidx, nrings, m, 32)); | ||||
|     CHECK(secp256k1_borromean_sign(&CTX->ecmult_gen_ctx, e0, s, pubs, k, sec, rsizes, secidx, nrings, m, 32)); | ||||
|     CHECK(secp256k1_borromean_verify(NULL, e0, s, pubs, rsizes, nrings, m, 32)); | ||||
|     i = secp256k1_testrand32() % c; | ||||
|     secp256k1_scalar_negate(&s[i],&s[i]); | ||||
| @ -275,7 +277,7 @@ static void test_rangeproof(void) { | ||||
|     secp256k1_testrand256(blind); | ||||
|     for (i = 0; i < 11; i++) { | ||||
|         v = testvs[i]; | ||||
|         CHECK(secp256k1_pedersen_commit(ctx, &commit, blind, v, secp256k1_generator_h)); | ||||
|         CHECK(secp256k1_pedersen_commit(CTX, &commit, blind, v, secp256k1_generator_h)); | ||||
|         for (vmin = 0; vmin < (i<9 && i > 0 ? 2 : 1); vmin++) { | ||||
|             const unsigned char *input_message = NULL; | ||||
|             size_t input_message_len = 0; | ||||
| @ -291,11 +293,11 @@ static void test_rangeproof(void) { | ||||
|                 input_message_len = sizeof(message_long); | ||||
|             } | ||||
|             len = 5134; | ||||
|             CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, vmin, &commit, blind, commit.data, 0, 0, v, input_message, input_message_len, NULL, 0, secp256k1_generator_h)); | ||||
|             CHECK(secp256k1_rangeproof_sign(CTX, proof, &len, vmin, &commit, blind, commit.data, 0, 0, v, input_message, input_message_len, NULL, 0, secp256k1_generator_h)); | ||||
|             CHECK(len <= 5134); | ||||
|             CHECK(len <= secp256k1_rangeproof_max_size(ctx, v, 0)); | ||||
|             CHECK(len <= secp256k1_rangeproof_max_size(CTX, v, 0)); | ||||
|             mlen = 4096; | ||||
|             CHECK(secp256k1_rangeproof_rewind(ctx, blindout, &vout, message, &mlen, commit.data, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h)); | ||||
|             CHECK(secp256k1_rangeproof_rewind(CTX, blindout, &vout, message, &mlen, commit.data, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h)); | ||||
|             if (input_message != NULL) { | ||||
|                 CHECK(secp256k1_memcmp_var(message, input_message, input_message_len) == 0); | ||||
|             } | ||||
| @ -308,10 +310,10 @@ static void test_rangeproof(void) { | ||||
|             CHECK(minv <= v); | ||||
|             CHECK(maxv >= v); | ||||
|             len = 5134; | ||||
|             CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, v, &commit, blind, commit.data, -1, 64, v, NULL, 0, NULL, 0, secp256k1_generator_h)); | ||||
|             CHECK(secp256k1_rangeproof_sign(CTX, proof, &len, v, &commit, blind, commit.data, -1, 64, v, NULL, 0, NULL, 0, secp256k1_generator_h)); | ||||
|             CHECK(len <= 73); | ||||
|             CHECK(len <= secp256k1_rangeproof_max_size(ctx, v, 0)); | ||||
|             CHECK(secp256k1_rangeproof_rewind(ctx, blindout, &vout, NULL, NULL, commit.data, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h)); | ||||
|             CHECK(len <= secp256k1_rangeproof_max_size(CTX, v, 0)); | ||||
|             CHECK(secp256k1_rangeproof_rewind(CTX, blindout, &vout, NULL, NULL, commit.data, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h)); | ||||
|             CHECK(secp256k1_memcmp_var(blindout, blind, 32) == 0); | ||||
|             CHECK(vout == v); | ||||
|             CHECK(minv == v); | ||||
| @ -319,12 +321,12 @@ static void test_rangeproof(void) { | ||||
| 
 | ||||
|             /* Check with a committed message */ | ||||
|             len = 5134; | ||||
|             CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, v, &commit, blind, commit.data, -1, 64, v, NULL, 0, message_short, sizeof(message_short), secp256k1_generator_h)); | ||||
|             CHECK(secp256k1_rangeproof_sign(CTX, proof, &len, v, &commit, blind, commit.data, -1, 64, v, NULL, 0, message_short, sizeof(message_short), secp256k1_generator_h)); | ||||
|             CHECK(len <= 73); | ||||
|             CHECK(len <= secp256k1_rangeproof_max_size(ctx, v, 0)); | ||||
|             CHECK(!secp256k1_rangeproof_rewind(ctx, blindout, &vout, NULL, NULL, commit.data, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h)); | ||||
|             CHECK(!secp256k1_rangeproof_rewind(ctx, blindout, &vout, NULL, NULL, commit.data, &minv, &maxv, &commit, proof, len, message_long, sizeof(message_long), secp256k1_generator_h)); | ||||
|             CHECK(secp256k1_rangeproof_rewind(ctx, blindout, &vout, NULL, NULL, commit.data, &minv, &maxv, &commit, proof, len, message_short, sizeof(message_short), secp256k1_generator_h)); | ||||
|             CHECK(len <= secp256k1_rangeproof_max_size(CTX, v, 0)); | ||||
|             CHECK(!secp256k1_rangeproof_rewind(CTX, blindout, &vout, NULL, NULL, commit.data, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h)); | ||||
|             CHECK(!secp256k1_rangeproof_rewind(CTX, blindout, &vout, NULL, NULL, commit.data, &minv, &maxv, &commit, proof, len, message_long, sizeof(message_long), secp256k1_generator_h)); | ||||
|             CHECK(secp256k1_rangeproof_rewind(CTX, blindout, &vout, NULL, NULL, commit.data, &minv, &maxv, &commit, proof, len, message_short, sizeof(message_short), secp256k1_generator_h)); | ||||
|             CHECK(secp256k1_memcmp_var(blindout, blind, 32) == 0); | ||||
|             CHECK(vout == v); | ||||
|             CHECK(minv == v); | ||||
| @ -333,41 +335,41 @@ static void test_rangeproof(void) { | ||||
|     } | ||||
|     secp256k1_testrand256(blind); | ||||
|     v = INT64_MAX - 1; | ||||
|     CHECK(secp256k1_pedersen_commit(ctx, &commit, blind, v, secp256k1_generator_h)); | ||||
|     CHECK(secp256k1_pedersen_commit(CTX, &commit, blind, v, secp256k1_generator_h)); | ||||
|     for (i = 0; i < 19; i++) { | ||||
|         len = 5134; | ||||
|         CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, 0, &commit, blind, commit.data, i, 0, v, NULL, 0, NULL, 0, secp256k1_generator_h)); | ||||
|         CHECK(len <= secp256k1_rangeproof_max_size(ctx, v, 0)); | ||||
|         CHECK(secp256k1_rangeproof_verify(ctx, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h)); | ||||
|         CHECK(secp256k1_rangeproof_sign(CTX, proof, &len, 0, &commit, blind, commit.data, i, 0, v, NULL, 0, NULL, 0, secp256k1_generator_h)); | ||||
|         CHECK(len <= secp256k1_rangeproof_max_size(CTX, v, 0)); | ||||
|         CHECK(secp256k1_rangeproof_verify(CTX, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h)); | ||||
|         CHECK(len <= 5134); | ||||
|         CHECK(minv <= v); | ||||
|         CHECK(maxv >= v); | ||||
|         /* Make sure it fails when validating with a committed message */ | ||||
|         CHECK(!secp256k1_rangeproof_verify(ctx, &minv, &maxv, &commit, proof, len, message_short, sizeof(message_short), secp256k1_generator_h)); | ||||
|         CHECK(!secp256k1_rangeproof_verify(CTX, &minv, &maxv, &commit, proof, len, message_short, sizeof(message_short), secp256k1_generator_h)); | ||||
|     } | ||||
|     secp256k1_testrand256(blind); | ||||
|     { | ||||
|         /*Malleability test.*/ | ||||
|         v = secp256k1_testrandi64(0, 255); | ||||
|         CHECK(secp256k1_pedersen_commit(ctx, &commit, blind, v, secp256k1_generator_h)); | ||||
|         CHECK(secp256k1_pedersen_commit(CTX, &commit, blind, v, secp256k1_generator_h)); | ||||
|         len = 5134; | ||||
|         CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, 0, &commit, blind, commit.data, 0, 3, v, NULL, 0, NULL, 0, secp256k1_generator_h)); | ||||
|         CHECK(secp256k1_rangeproof_sign(CTX, proof, &len, 0, &commit, blind, commit.data, 0, 3, v, NULL, 0, NULL, 0, secp256k1_generator_h)); | ||||
|         CHECK(len <= 5134); | ||||
|         CHECK(len <= secp256k1_rangeproof_max_size(ctx, v, 3)); | ||||
|         CHECK(len <= secp256k1_rangeproof_max_size(CTX, v, 3)); | ||||
|         /* Test if trailing bytes are rejected. */ | ||||
|         proof[len] = v; | ||||
|         CHECK(!secp256k1_rangeproof_verify(ctx, &minv, &maxv, &commit, proof, len + 1, NULL, 0, secp256k1_generator_h)); | ||||
|         CHECK(!secp256k1_rangeproof_verify(CTX, &minv, &maxv, &commit, proof, len + 1, NULL, 0, secp256k1_generator_h)); | ||||
|         for (i = 0; i < len*8; i++) { | ||||
|             proof[i >> 3] ^= 1 << (i & 7); | ||||
|             CHECK(!secp256k1_rangeproof_verify(ctx, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h)); | ||||
|             CHECK(!secp256k1_rangeproof_verify(CTX, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h)); | ||||
|             proof[i >> 3] ^= 1 << (i & 7); | ||||
|         } | ||||
|         CHECK(secp256k1_rangeproof_verify(ctx, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h)); | ||||
|         CHECK(secp256k1_rangeproof_verify(CTX, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h)); | ||||
|         CHECK(minv <= v); | ||||
|         CHECK(maxv >= v); | ||||
|     } | ||||
|     memcpy(&commit2, &commit, sizeof(commit)); | ||||
|     for (i = 0; i < (size_t) count; i++) { | ||||
|     for (i = 0; i < (size_t) COUNT; i++) { | ||||
|         int exp; | ||||
|         int min_bits; | ||||
|         v = secp256k1_testrandi64(0, UINT64_MAX >> (secp256k1_testrand32()&63)); | ||||
| @ -376,7 +378,7 @@ static void test_rangeproof(void) { | ||||
|             vmin = secp256k1_testrandi64(0, v); | ||||
|         } | ||||
|         secp256k1_testrand256(blind); | ||||
|         CHECK(secp256k1_pedersen_commit(ctx, &commit, blind, v, secp256k1_generator_h)); | ||||
|         CHECK(secp256k1_pedersen_commit(CTX, &commit, blind, v, secp256k1_generator_h)); | ||||
|         len = 5134; | ||||
|         exp = (int)secp256k1_testrandi64(0,18)-(int)secp256k1_testrandi64(0,18); | ||||
|         if (exp < 0) { | ||||
| @ -386,11 +388,11 @@ static void test_rangeproof(void) { | ||||
|         if (min_bits < 0) { | ||||
|             min_bits = -min_bits; | ||||
|         } | ||||
|         CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, vmin, &commit, blind, commit.data, exp, min_bits, v, NULL, 0, NULL, 0, secp256k1_generator_h)); | ||||
|         CHECK(secp256k1_rangeproof_sign(CTX, proof, &len, vmin, &commit, blind, commit.data, exp, min_bits, v, NULL, 0, NULL, 0, secp256k1_generator_h)); | ||||
|         CHECK(len <= 5134); | ||||
|         CHECK(len <= secp256k1_rangeproof_max_size(ctx, v, min_bits)); | ||||
|         CHECK(len <= secp256k1_rangeproof_max_size(CTX, v, min_bits)); | ||||
|         mlen = 4096; | ||||
|         CHECK(secp256k1_rangeproof_rewind(ctx, blindout, &vout, message, &mlen, commit.data, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h)); | ||||
|         CHECK(secp256k1_rangeproof_rewind(CTX, blindout, &vout, message, &mlen, commit.data, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h)); | ||||
|         for (j = 0; j < mlen; j++) { | ||||
|             CHECK(message[j] == 0); | ||||
|         } | ||||
| @ -399,7 +401,7 @@ static void test_rangeproof(void) { | ||||
| 
 | ||||
|         CHECK(minv <= v); | ||||
|         CHECK(maxv >= v); | ||||
|         CHECK(secp256k1_rangeproof_rewind(ctx, blindout, &vout, NULL, NULL, commit.data, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h)); | ||||
|         CHECK(secp256k1_rangeproof_rewind(CTX, blindout, &vout, NULL, NULL, commit.data, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h)); | ||||
|         memcpy(&commit2, &commit, sizeof(commit)); | ||||
|     } | ||||
|     for (j = 0; j < 3; j++) { | ||||
| @ -408,10 +410,10 @@ static void test_rangeproof(void) { | ||||
|         } | ||||
|         for (k = 0; k < 128; k += 3) { | ||||
|             len = k; | ||||
|             CHECK(!secp256k1_rangeproof_verify(ctx, &minv, &maxv, &commit2, proof, len, NULL, 0, secp256k1_generator_h)); | ||||
|             CHECK(!secp256k1_rangeproof_verify(CTX, &minv, &maxv, &commit2, proof, len, NULL, 0, secp256k1_generator_h)); | ||||
|         } | ||||
|         len = secp256k1_testrandi64(0, 3072); | ||||
|         CHECK(!secp256k1_rangeproof_verify(ctx, &minv, &maxv, &commit2, proof, len, NULL, 0, secp256k1_generator_h)); | ||||
|         CHECK(!secp256k1_rangeproof_verify(CTX, &minv, &maxv, &commit2, proof, len, NULL, 0, secp256k1_generator_h)); | ||||
|     } | ||||
| } | ||||
| 
 | ||||
| @ -423,26 +425,26 @@ static void test_rangeproof_null_blinder(void) { | ||||
|     secp256k1_pedersen_commitment commit; | ||||
|     size_t len; | ||||
| 
 | ||||
|     CHECK(secp256k1_pedersen_commit(ctx, &commit, blind, v, secp256k1_generator_h)); | ||||
|     CHECK(secp256k1_pedersen_commit(CTX, &commit, blind, v, secp256k1_generator_h)); | ||||
| 
 | ||||
|     /* Try a 32-bit proof; should work */ | ||||
|     len = 5134; | ||||
|     CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, 1, &commit, blind, commit.data, 0, 32, v, NULL, 0, NULL, 0, secp256k1_generator_h)); | ||||
|     CHECK(secp256k1_rangeproof_verify(ctx, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h)); | ||||
|     CHECK(secp256k1_rangeproof_sign(CTX, proof, &len, 1, &commit, blind, commit.data, 0, 32, v, NULL, 0, NULL, 0, secp256k1_generator_h)); | ||||
|     CHECK(secp256k1_rangeproof_verify(CTX, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h)); | ||||
|     CHECK(minv == 1); | ||||
|     CHECK(maxv == 1ULL << 32); | ||||
| 
 | ||||
|     /* Try a 3-bit proof; should work */ | ||||
|     len = 5134; | ||||
|     CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, v - 1, &commit, blind, commit.data, 0, 3, v, NULL, 0, NULL, 0, secp256k1_generator_h)); | ||||
|     CHECK(secp256k1_rangeproof_verify(ctx, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h)); | ||||
|     CHECK(secp256k1_rangeproof_sign(CTX, proof, &len, v - 1, &commit, blind, commit.data, 0, 3, v, NULL, 0, NULL, 0, secp256k1_generator_h)); | ||||
|     CHECK(secp256k1_rangeproof_verify(CTX, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h)); | ||||
|     CHECK(minv == 1110); | ||||
|     CHECK(maxv == 1117); | ||||
| 
 | ||||
|     /* But a 2-bits will not because then it does not have any subcommitments (which rerandomize
 | ||||
|      * the blinding factors that get passed into the borromean logic ... passing 0s will fail) */ | ||||
|     len = 5134; | ||||
|     CHECK(!secp256k1_rangeproof_sign(ctx, proof, &len, v - 1, &commit, blind, commit.data, 0, 2, v, NULL, 0, NULL, 0, secp256k1_generator_h)); | ||||
|     CHECK(!secp256k1_rangeproof_sign(CTX, proof, &len, v - 1, &commit, blind, commit.data, 0, 2, v, NULL, 0, NULL, 0, secp256k1_generator_h)); | ||||
| 
 | ||||
|     /* Rewinding with 3-bits works */ | ||||
|     { | ||||
| @ -457,8 +459,8 @@ static void test_rangeproof_null_blinder(void) { | ||||
|         secp256k1_testrand256(&msg[32]); | ||||
|         secp256k1_testrand256(&msg[64]); | ||||
|         secp256k1_testrand256(&msg[96]); | ||||
|         CHECK(secp256k1_rangeproof_sign(ctx, proof, &len, v, &commit, blind, commit.data, 0, 3, v, msg, sizeof(msg), NULL, 0, secp256k1_generator_h)); | ||||
|         CHECK(secp256k1_rangeproof_rewind(ctx, blind_out, &value_out, msg_out, &msg_len, commit.data, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h) != 0); | ||||
|         CHECK(secp256k1_rangeproof_sign(CTX, proof, &len, v, &commit, blind, commit.data, 0, 3, v, msg, sizeof(msg), NULL, 0, secp256k1_generator_h)); | ||||
|         CHECK(secp256k1_rangeproof_rewind(CTX, blind_out, &value_out, msg_out, &msg_len, commit.data, &minv, &maxv, &commit, proof, len, NULL, 0, secp256k1_generator_h) != 0); | ||||
|         CHECK(secp256k1_memcmp_var(blind, blind_out, sizeof(blind)) == 0); | ||||
|         CHECK(secp256k1_memcmp_var(msg, msg_out, sizeof(msg)) == 0); | ||||
|         CHECK(value_out == v); | ||||
| @ -484,10 +486,10 @@ static void test_single_value_proof(uint64_t val) { | ||||
| 
 | ||||
|     secp256k1_testrand256(blind); | ||||
|     secp256k1_testrand256(nonce); | ||||
|     CHECK(secp256k1_pedersen_commit(ctx, &commit, blind, val, secp256k1_generator_h)); | ||||
|     CHECK(secp256k1_pedersen_commit(CTX, &commit, blind, val, secp256k1_generator_h)); | ||||
| 
 | ||||
|     CHECK(secp256k1_rangeproof_sign( | ||||
|         ctx, | ||||
|         CTX, | ||||
|         proof, &plen, | ||||
|         val, /* min_val */ | ||||
|         &commit, blind, nonce, | ||||
| @ -501,7 +503,7 @@ static void test_single_value_proof(uint64_t val) { | ||||
| 
 | ||||
|     plen = sizeof(proof); | ||||
|     CHECK(secp256k1_rangeproof_sign( | ||||
|         ctx, | ||||
|         CTX, | ||||
|         proof, &plen, | ||||
|         val, /* min_val */ | ||||
|         &commit, blind, nonce, | ||||
| @ -512,7 +514,7 @@ static void test_single_value_proof(uint64_t val) { | ||||
|         NULL, 0, | ||||
|         secp256k1_generator_h | ||||
|     ) == 1); | ||||
|     CHECK(plen <= secp256k1_rangeproof_max_size(ctx, val, 0)); | ||||
|     CHECK(plen <= secp256k1_rangeproof_max_size(CTX, val, 0)); | ||||
| 
 | ||||
|     /* Different proof sizes are unfortunate but is caused by `min_value` of
 | ||||
|      * zero being special-cased and encoded more efficiently. */ | ||||
| @ -523,7 +525,7 @@ static void test_single_value_proof(uint64_t val) { | ||||
|     } | ||||
| 
 | ||||
|     CHECK(secp256k1_rangeproof_verify( | ||||
|         ctx, | ||||
|         CTX, | ||||
|         &min_val_out, &max_val_out, | ||||
|         &commit, | ||||
|         proof, plen, | ||||
| @ -536,7 +538,7 @@ static void test_single_value_proof(uint64_t val) { | ||||
|     memset(message_out, 0, sizeof(message_out)); | ||||
|     m_len_out = sizeof(message_out); | ||||
|     CHECK(secp256k1_rangeproof_rewind( | ||||
|         ctx, | ||||
|         CTX, | ||||
|         blind_out, &val_out, | ||||
|         message_out, &m_len_out, | ||||
|         nonce, | ||||
| @ -585,7 +587,7 @@ static void test_multiple_generators(void) { | ||||
|         random_scalar_order(&s); | ||||
|         secp256k1_scalar_get_b32(pedersen_blind[i], &s); | ||||
| 
 | ||||
|         CHECK(secp256k1_generator_generate_blinded(ctx, &generator[i], generator_seed, generator_blind[i])); | ||||
|         CHECK(secp256k1_generator_generate_blinded(CTX, &generator[i], generator_seed, generator_blind[i])); | ||||
| 
 | ||||
|         commit_ptr[i] = &commit[i]; | ||||
|     } | ||||
| @ -603,13 +605,13 @@ static void test_multiple_generators(void) { | ||||
|     value[i] = total_value; | ||||
| 
 | ||||
|     /* Correct for blinding factors and do the commitments */ | ||||
|     CHECK(secp256k1_pedersen_blind_generator_blind_sum(ctx, value, (const unsigned char * const *) generator_blind, pedersen_blind, n_generators, n_inputs)); | ||||
|     CHECK(secp256k1_pedersen_blind_generator_blind_sum(CTX, value, (const unsigned char * const *) generator_blind, pedersen_blind, n_generators, n_inputs)); | ||||
|     for (i = 0; i < n_generators; i++) { | ||||
|         CHECK(secp256k1_pedersen_commit(ctx, &commit[i], pedersen_blind[i], value[i], &generator[i])); | ||||
|         CHECK(secp256k1_pedersen_commit(CTX, &commit[i], pedersen_blind[i], value[i], &generator[i])); | ||||
|     } | ||||
| 
 | ||||
|     /* Verify */ | ||||
|     CHECK(secp256k1_pedersen_verify_tally(ctx, &commit_ptr[0], n_inputs, &commit_ptr[n_inputs], n_outputs)); | ||||
|     CHECK(secp256k1_pedersen_verify_tally(CTX, &commit_ptr[0], n_inputs, &commit_ptr[n_inputs], n_outputs)); | ||||
| 
 | ||||
|     /* Cleanup */ | ||||
|     for (i = 0; i < n_generators; i++) { | ||||
| @ -683,9 +685,9 @@ void test_rangeproof_fixed_vectors(void) { | ||||
|         0x77, 0x47, 0xa4, 0xd3, 0x53, 0x17, 0xc6, 0x44, 0x30, 0x73, 0x84, 0xeb, 0x1f, 0xbe, 0xa1, 0xfb | ||||
|     }; | ||||
| 
 | ||||
|     CHECK(secp256k1_pedersen_commitment_parse(ctx, &pc, commit_1)); | ||||
|     CHECK(secp256k1_pedersen_commitment_parse(CTX, &pc, commit_1)); | ||||
|     CHECK(secp256k1_rangeproof_verify( | ||||
|         ctx, | ||||
|         CTX, | ||||
|         &min_value, &max_value, | ||||
|         &pc, | ||||
|         vector_1, sizeof(vector_1), | ||||
| @ -696,7 +698,7 @@ void test_rangeproof_fixed_vectors(void) { | ||||
|     CHECK(max_value == 25586); | ||||
| 
 | ||||
|     CHECK(secp256k1_rangeproof_rewind( | ||||
|         ctx, | ||||
|         CTX, | ||||
|         blind, &value, | ||||
|         message, &m_len, | ||||
|         pc.data, | ||||
| @ -754,9 +756,9 @@ void test_rangeproof_fixed_vectors(void) { | ||||
|     }; | ||||
|     static const unsigned char message_2[] = "When I see my own likeness in the depths of someone else's consciousness,  I always experience a moment of panic."; | ||||
| 
 | ||||
|     CHECK(secp256k1_pedersen_commitment_parse(ctx, &pc, commit_2)); | ||||
|     CHECK(secp256k1_pedersen_commitment_parse(CTX, &pc, commit_2)); | ||||
|     CHECK(secp256k1_rangeproof_verify( | ||||
|         ctx, | ||||
|         CTX, | ||||
|         &min_value, &max_value, | ||||
|         &pc, | ||||
|         vector_2, sizeof(vector_2), | ||||
| @ -767,7 +769,7 @@ void test_rangeproof_fixed_vectors(void) { | ||||
|     CHECK(max_value == 15); | ||||
| 
 | ||||
|     CHECK(secp256k1_rangeproof_rewind( | ||||
|         ctx, | ||||
|         CTX, | ||||
|         blind, &value, | ||||
|         message, &m_len, | ||||
|         pc.data, | ||||
| @ -812,9 +814,9 @@ void test_rangeproof_fixed_vectors(void) { | ||||
|         0xc0, 0x6b, 0x9b, 0x4c, 0x02, 0xa6, 0xc8, 0xf6, 0xc0, 0x34, 0xea, 0x35, 0x57, 0xf4, 0xe1, 0x37 | ||||
|     }; | ||||
| 
 | ||||
|     CHECK(secp256k1_pedersen_commitment_parse(ctx, &pc, commit_3)); | ||||
|     CHECK(secp256k1_pedersen_commitment_parse(CTX, &pc, commit_3)); | ||||
|     CHECK(secp256k1_rangeproof_verify( | ||||
|         ctx, | ||||
|         CTX, | ||||
|         &min_value, &max_value, | ||||
|         &pc, | ||||
|         vector_3, sizeof(vector_3), | ||||
| @ -825,7 +827,7 @@ void test_rangeproof_fixed_vectors(void) { | ||||
|     CHECK(max_value == UINT64_MAX); | ||||
| 
 | ||||
|     CHECK(secp256k1_rangeproof_rewind( | ||||
|         ctx, | ||||
|         CTX, | ||||
|         blind, &value, | ||||
|         message, &m_len, | ||||
|         nonce_3, | ||||
| @ -866,7 +868,7 @@ static void print_vector(int i, unsigned char *proof, size_t p_len, secp256k1_pe | ||||
|     printf("unsigned char vector_%d[] = {\n", i); | ||||
|     print_vector_helper(proof, p_len); | ||||
| 
 | ||||
|     CHECK(secp256k1_pedersen_commitment_serialize(ctx, commit_output, commit)); | ||||
|     CHECK(secp256k1_pedersen_commitment_serialize(CTX, commit_output, commit)); | ||||
|     printf("unsigned char commit_%d[] = {\n", i); | ||||
|     print_vector_helper(commit_output, sizeof(commit_output)); | ||||
| } | ||||
| @ -887,9 +889,9 @@ void test_rangeproof_fixed_vectors_reproducible_helper(unsigned char *vector, si | ||||
|     secp256k1_pedersen_commitment pc; | ||||
|     unsigned char blind_r[32]; | ||||
| 
 | ||||
|     CHECK(secp256k1_pedersen_commitment_parse(ctx, &pc, commit)); | ||||
|     CHECK(secp256k1_pedersen_commitment_parse(CTX, &pc, commit)); | ||||
|     CHECK(secp256k1_rangeproof_verify( | ||||
|         ctx, | ||||
|         CTX, | ||||
|         min_value_r, max_value_r, | ||||
|         &pc, | ||||
|         vector, vector_len, | ||||
| @ -899,7 +901,7 @@ void test_rangeproof_fixed_vectors_reproducible_helper(unsigned char *vector, si | ||||
| 
 | ||||
|     *m_len_r = SECP256K1_RANGEPROOF_MAX_MESSAGE_LEN; | ||||
|     CHECK(secp256k1_rangeproof_rewind( | ||||
|         ctx, | ||||
|         CTX, | ||||
|         blind_r, value_r, | ||||
|         message_r, m_len_r, | ||||
|         vector_nonce, | ||||
| @ -1261,9 +1263,9 @@ void test_rangeproof_fixed_vectors_reproducible(void) { | ||||
|             0xef, | ||||
|         }; | ||||
| 
 | ||||
|         CHECK(secp256k1_pedersen_commit(ctx, &pc, vector_blind, value, secp256k1_generator_h)); | ||||
|         CHECK(secp256k1_rangeproof_sign(ctx, proof, &p_len, min_value, &pc, vector_blind, vector_nonce, exp, min_bits, value, message, m_len, NULL, 0, secp256k1_generator_h)); | ||||
|         CHECK(p_len <= secp256k1_rangeproof_max_size(ctx, value, min_bits)); | ||||
|         CHECK(secp256k1_pedersen_commit(CTX, &pc, vector_blind, value, secp256k1_generator_h)); | ||||
|         CHECK(secp256k1_rangeproof_sign(CTX, proof, &p_len, min_value, &pc, vector_blind, vector_nonce, exp, min_bits, value, message, m_len, NULL, 0, secp256k1_generator_h)); | ||||
|         CHECK(p_len <= secp256k1_rangeproof_max_size(CTX, value, min_bits)); | ||||
|         CHECK(p_len == sizeof(proof)); | ||||
|         /* Uncomment the next line to print the test vector */ | ||||
|         /* print_vector(0, proof, p_len, &pc); */ | ||||
| @ -1315,9 +1317,9 @@ void test_rangeproof_fixed_vectors_reproducible(void) { | ||||
|             0x66, 0x16, 0x2e, 0x44, 0xc8, 0x65, 0x8e, 0xe6, 0x3a, 0x1a, 0x57, 0x2c, 0xb9, 0x6c, 0x07, 0x85, | ||||
|             0xf0, | ||||
|         }; | ||||
|         CHECK(secp256k1_pedersen_commit(ctx, &pc, vector_blind, value, secp256k1_generator_h)); | ||||
|         CHECK(secp256k1_rangeproof_sign(ctx, proof, &p_len, min_value, &pc, vector_blind, vector_nonce, exp, min_bits, value, message, m_len, NULL, 0, secp256k1_generator_h)); | ||||
|         CHECK(p_len <= secp256k1_rangeproof_max_size(ctx, value, min_bits)); | ||||
|         CHECK(secp256k1_pedersen_commit(CTX, &pc, vector_blind, value, secp256k1_generator_h)); | ||||
|         CHECK(secp256k1_rangeproof_sign(CTX, proof, &p_len, min_value, &pc, vector_blind, vector_nonce, exp, min_bits, value, message, m_len, NULL, 0, secp256k1_generator_h)); | ||||
|         CHECK(p_len <= secp256k1_rangeproof_max_size(CTX, value, min_bits)); | ||||
|         CHECK(p_len == sizeof(proof)); | ||||
|         /* Uncomment the next line to print the test vector */ | ||||
|         /* print_vector(1, proof, p_len, &pc); */ | ||||
| @ -1361,9 +1363,9 @@ void test_rangeproof_fixed_vectors_reproducible(void) { | ||||
|             0x70, | ||||
|         }; | ||||
| 
 | ||||
|         CHECK(secp256k1_pedersen_commit(ctx, &pc, vector_blind, value, secp256k1_generator_h)); | ||||
|         CHECK(secp256k1_rangeproof_sign(ctx, proof, &p_len, min_value, &pc, vector_blind, vector_nonce, exp, min_bits, value, message, m_len, NULL, 0, secp256k1_generator_h)); | ||||
|         CHECK(p_len <= secp256k1_rangeproof_max_size(ctx, value, min_bits)); | ||||
|         CHECK(secp256k1_pedersen_commit(CTX, &pc, vector_blind, value, secp256k1_generator_h)); | ||||
|         CHECK(secp256k1_rangeproof_sign(CTX, proof, &p_len, min_value, &pc, vector_blind, vector_nonce, exp, min_bits, value, message, m_len, NULL, 0, secp256k1_generator_h)); | ||||
|         CHECK(p_len <= secp256k1_rangeproof_max_size(CTX, value, min_bits)); | ||||
|         CHECK(p_len == sizeof(proof)); | ||||
|         /* Uncomment the next line to print the test vector */ | ||||
|         /* print_vector(2, proof, p_len, &pc); */ | ||||
| @ -1390,7 +1392,7 @@ void run_rangeproof_tests(void) { | ||||
| 
 | ||||
|     test_rangeproof_fixed_vectors(); | ||||
|     test_rangeproof_fixed_vectors_reproducible(); | ||||
|     for (i = 0; i < count / 2 + 1; i++) { | ||||
|     for (i = 0; i < COUNT / 2 + 1; i++) { | ||||
|         test_borromean(); | ||||
|     } | ||||
|     test_rangeproof(); | ||||
|  | ||||
| @ -30,7 +30,6 @@ static int recovery_test_nonce_function(unsigned char *nonce32, const unsigned c | ||||
| 
 | ||||
| void test_ecdsa_recovery_api(void) { | ||||
|     /* Setup contexts that just count errors */ | ||||
|     secp256k1_context *sttc = secp256k1_context_clone(secp256k1_context_static); | ||||
|     secp256k1_pubkey pubkey; | ||||
|     secp256k1_pubkey recpubkey; | ||||
|     secp256k1_ecdsa_signature normal_sig; | ||||
| @ -46,85 +45,86 @@ void test_ecdsa_recovery_api(void) { | ||||
|                                        0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||||
|                                        0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; | ||||
| 
 | ||||
|     secp256k1_context_set_error_callback(ctx, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_error_callback(sttc, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_illegal_callback(sttc, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_error_callback(CTX, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_error_callback(STATIC_CTX, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_illegal_callback(STATIC_CTX, counting_illegal_callback_fn, &ecount); | ||||
| 
 | ||||
|     /* Construct and verify corresponding public key. */ | ||||
|     CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1); | ||||
|     CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1); | ||||
|     CHECK(secp256k1_ec_seckey_verify(CTX, privkey) == 1); | ||||
|     CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, privkey) == 1); | ||||
| 
 | ||||
|     /* Check bad contexts and NULLs for signing */ | ||||
|     ecount = 0; | ||||
|     CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &recsig, message, privkey, NULL, NULL) == 1); | ||||
|     CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &recsig, message, privkey, NULL, NULL) == 1); | ||||
|     CHECK(ecount == 0); | ||||
|     CHECK(secp256k1_ecdsa_sign_recoverable(ctx, NULL, message, privkey, NULL, NULL) == 0); | ||||
|     CHECK(secp256k1_ecdsa_sign_recoverable(CTX, NULL, message, privkey, NULL, NULL) == 0); | ||||
|     CHECK(ecount == 1); | ||||
|     CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &recsig, NULL, privkey, NULL, NULL) == 0); | ||||
|     CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &recsig, NULL, privkey, NULL, NULL) == 0); | ||||
|     CHECK(ecount == 2); | ||||
|     CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &recsig, message, NULL, NULL, NULL) == 0); | ||||
|     CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &recsig, message, NULL, NULL, NULL) == 0); | ||||
|     CHECK(ecount == 3); | ||||
|     CHECK(secp256k1_ecdsa_sign_recoverable(sttc, &recsig, message, privkey, NULL, NULL) == 0); | ||||
|     CHECK(secp256k1_ecdsa_sign_recoverable(STATIC_CTX, &recsig, message, privkey, NULL, NULL) == 0); | ||||
|     CHECK(ecount == 4); | ||||
|     /* This will fail or succeed randomly, and in either case will not ARG_CHECK failure */ | ||||
|     secp256k1_ecdsa_sign_recoverable(ctx, &recsig, message, privkey, recovery_test_nonce_function, NULL); | ||||
|     secp256k1_ecdsa_sign_recoverable(CTX, &recsig, message, privkey, recovery_test_nonce_function, NULL); | ||||
|     CHECK(ecount == 4); | ||||
|     /* These will all fail, but not in ARG_CHECK way */ | ||||
|     CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &recsig, message, zero_privkey, NULL, NULL) == 0); | ||||
|     CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &recsig, message, over_privkey, NULL, NULL) == 0); | ||||
|     CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &recsig, message, zero_privkey, NULL, NULL) == 0); | ||||
|     CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &recsig, message, over_privkey, NULL, NULL) == 0); | ||||
|     /* This one will succeed. */ | ||||
|     CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &recsig, message, privkey, NULL, NULL) == 1); | ||||
|     CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &recsig, message, privkey, NULL, NULL) == 1); | ||||
|     CHECK(ecount == 4); | ||||
| 
 | ||||
|     /* Check signing with a goofy nonce function */ | ||||
| 
 | ||||
|     /* Check bad contexts and NULLs for recovery */ | ||||
|     ecount = 0; | ||||
|     CHECK(secp256k1_ecdsa_recover(ctx, &recpubkey, &recsig, message) == 1); | ||||
|     CHECK(secp256k1_ecdsa_recover(CTX, &recpubkey, &recsig, message) == 1); | ||||
|     CHECK(ecount == 0); | ||||
|     CHECK(secp256k1_ecdsa_recover(ctx, NULL, &recsig, message) == 0); | ||||
|     CHECK(secp256k1_ecdsa_recover(CTX, NULL, &recsig, message) == 0); | ||||
|     CHECK(ecount == 1); | ||||
|     CHECK(secp256k1_ecdsa_recover(ctx, &recpubkey, NULL, message) == 0); | ||||
|     CHECK(secp256k1_ecdsa_recover(CTX, &recpubkey, NULL, message) == 0); | ||||
|     CHECK(ecount == 2); | ||||
|     CHECK(secp256k1_ecdsa_recover(ctx, &recpubkey, &recsig, NULL) == 0); | ||||
|     CHECK(secp256k1_ecdsa_recover(CTX, &recpubkey, &recsig, NULL) == 0); | ||||
|     CHECK(ecount == 3); | ||||
| 
 | ||||
|     /* Check NULLs for conversion */ | ||||
|     CHECK(secp256k1_ecdsa_sign(ctx, &normal_sig, message, privkey, NULL, NULL) == 1); | ||||
|     CHECK(secp256k1_ecdsa_sign(CTX, &normal_sig, message, privkey, NULL, NULL) == 1); | ||||
|     ecount = 0; | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_convert(ctx, NULL, &recsig) == 0); | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_convert(CTX, NULL, &recsig) == 0); | ||||
|     CHECK(ecount == 1); | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_convert(ctx, &normal_sig, NULL) == 0); | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_convert(CTX, &normal_sig, NULL) == 0); | ||||
|     CHECK(ecount == 2); | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_convert(ctx, &normal_sig, &recsig) == 1); | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_convert(CTX, &normal_sig, &recsig) == 1); | ||||
| 
 | ||||
|     /* Check NULLs for de/serialization */ | ||||
|     CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &recsig, message, privkey, NULL, NULL) == 1); | ||||
|     CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &recsig, message, privkey, NULL, NULL) == 1); | ||||
|     ecount = 0; | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(ctx, NULL, &recid, &recsig) == 0); | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(CTX, NULL, &recid, &recsig) == 0); | ||||
|     CHECK(ecount == 1); | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(ctx, sig, NULL, &recsig) == 0); | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(CTX, sig, NULL, &recsig) == 0); | ||||
|     CHECK(ecount == 2); | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(ctx, sig, &recid, NULL) == 0); | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(CTX, sig, &recid, NULL) == 0); | ||||
|     CHECK(ecount == 3); | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(ctx, sig, &recid, &recsig) == 1); | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(CTX, sig, &recid, &recsig) == 1); | ||||
| 
 | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, NULL, sig, recid) == 0); | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, NULL, sig, recid) == 0); | ||||
|     CHECK(ecount == 4); | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &recsig, NULL, recid) == 0); | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &recsig, NULL, recid) == 0); | ||||
|     CHECK(ecount == 5); | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &recsig, sig, -1) == 0); | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &recsig, sig, -1) == 0); | ||||
|     CHECK(ecount == 6); | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &recsig, sig, 5) == 0); | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &recsig, sig, 5) == 0); | ||||
|     CHECK(ecount == 7); | ||||
|     /* overflow in signature will fail but not affect ecount */ | ||||
|     memcpy(sig, over_privkey, 32); | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &recsig, sig, recid) == 0); | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &recsig, sig, recid) == 0); | ||||
|     CHECK(ecount == 7); | ||||
| 
 | ||||
|     /* cleanup */ | ||||
|     secp256k1_context_destroy(sttc); | ||||
|     secp256k1_context_set_error_callback(STATIC_CTX, NULL, NULL); | ||||
|     secp256k1_context_set_illegal_callback(STATIC_CTX, NULL, NULL); | ||||
| } | ||||
| 
 | ||||
| void test_ecdsa_recovery_end_to_end(void) { | ||||
| @ -148,40 +148,40 @@ void test_ecdsa_recovery_end_to_end(void) { | ||||
|     } | ||||
| 
 | ||||
|     /* Construct and verify corresponding public key. */ | ||||
|     CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1); | ||||
|     CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1); | ||||
|     CHECK(secp256k1_ec_seckey_verify(CTX, privkey) == 1); | ||||
|     CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, privkey) == 1); | ||||
| 
 | ||||
|     /* Serialize/parse compact and verify/recover. */ | ||||
|     extra[0] = 0; | ||||
|     CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &rsignature[0], message, privkey, NULL, NULL) == 1); | ||||
|     CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1); | ||||
|     CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &rsignature[4], message, privkey, NULL, NULL) == 1); | ||||
|     CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &rsignature[1], message, privkey, NULL, extra) == 1); | ||||
|     CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &rsignature[0], message, privkey, NULL, NULL) == 1); | ||||
|     CHECK(secp256k1_ecdsa_sign(CTX, &signature[0], message, privkey, NULL, NULL) == 1); | ||||
|     CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &rsignature[4], message, privkey, NULL, NULL) == 1); | ||||
|     CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &rsignature[1], message, privkey, NULL, extra) == 1); | ||||
|     extra[31] = 1; | ||||
|     CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &rsignature[2], message, privkey, NULL, extra) == 1); | ||||
|     CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &rsignature[2], message, privkey, NULL, extra) == 1); | ||||
|     extra[31] = 0; | ||||
|     extra[0] = 1; | ||||
|     CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &rsignature[3], message, privkey, NULL, extra) == 1); | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(ctx, sig, &recid, &rsignature[4]) == 1); | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_convert(ctx, &signature[4], &rsignature[4]) == 1); | ||||
|     CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &rsignature[3], message, privkey, NULL, extra) == 1); | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(CTX, sig, &recid, &rsignature[4]) == 1); | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_convert(CTX, &signature[4], &rsignature[4]) == 1); | ||||
|     CHECK(secp256k1_memcmp_var(&signature[4], &signature[0], 64) == 0); | ||||
|     CHECK(secp256k1_ecdsa_verify(ctx, &signature[4], message, &pubkey) == 1); | ||||
|     CHECK(secp256k1_ecdsa_verify(CTX, &signature[4], message, &pubkey) == 1); | ||||
|     memset(&rsignature[4], 0, sizeof(rsignature[4])); | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsignature[4], sig, recid) == 1); | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_convert(ctx, &signature[4], &rsignature[4]) == 1); | ||||
|     CHECK(secp256k1_ecdsa_verify(ctx, &signature[4], message, &pubkey) == 1); | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsignature[4], sig, recid) == 1); | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_convert(CTX, &signature[4], &rsignature[4]) == 1); | ||||
|     CHECK(secp256k1_ecdsa_verify(CTX, &signature[4], message, &pubkey) == 1); | ||||
|     /* Parse compact (with recovery id) and recover. */ | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsignature[4], sig, recid) == 1); | ||||
|     CHECK(secp256k1_ecdsa_recover(ctx, &recpubkey, &rsignature[4], message) == 1); | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsignature[4], sig, recid) == 1); | ||||
|     CHECK(secp256k1_ecdsa_recover(CTX, &recpubkey, &rsignature[4], message) == 1); | ||||
|     CHECK(secp256k1_memcmp_var(&pubkey, &recpubkey, sizeof(pubkey)) == 0); | ||||
|     /* Serialize/destroy/parse signature and verify again. */ | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(ctx, sig, &recid, &rsignature[4]) == 1); | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(CTX, sig, &recid, &rsignature[4]) == 1); | ||||
|     sig[secp256k1_testrand_bits(6)] += 1 + secp256k1_testrand_int(255); | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsignature[4], sig, recid) == 1); | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_convert(ctx, &signature[4], &rsignature[4]) == 1); | ||||
|     CHECK(secp256k1_ecdsa_verify(ctx, &signature[4], message, &pubkey) == 0); | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsignature[4], sig, recid) == 1); | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_convert(CTX, &signature[4], &rsignature[4]) == 1); | ||||
|     CHECK(secp256k1_ecdsa_verify(CTX, &signature[4], message, &pubkey) == 0); | ||||
|     /* Recover again */ | ||||
|     CHECK(secp256k1_ecdsa_recover(ctx, &recpubkey, &rsignature[4], message) == 0 || | ||||
|     CHECK(secp256k1_ecdsa_recover(CTX, &recpubkey, &rsignature[4], message) == 0 || | ||||
|           secp256k1_memcmp_var(&pubkey, &recpubkey, sizeof(pubkey)) != 0); | ||||
| } | ||||
| 
 | ||||
| @ -222,14 +222,14 @@ void test_ecdsa_recovery_edge_cases(void) { | ||||
|     secp256k1_ecdsa_signature sig; | ||||
|     int recid; | ||||
| 
 | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 0)); | ||||
|     CHECK(!secp256k1_ecdsa_recover(ctx, &pubkey, &rsig, msg32)); | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 1)); | ||||
|     CHECK(secp256k1_ecdsa_recover(ctx, &pubkey, &rsig, msg32)); | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 2)); | ||||
|     CHECK(!secp256k1_ecdsa_recover(ctx, &pubkey, &rsig, msg32)); | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 3)); | ||||
|     CHECK(!secp256k1_ecdsa_recover(ctx, &pubkey, &rsig, msg32)); | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsig, sig64, 0)); | ||||
|     CHECK(!secp256k1_ecdsa_recover(CTX, &pubkey, &rsig, msg32)); | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsig, sig64, 1)); | ||||
|     CHECK(secp256k1_ecdsa_recover(CTX, &pubkey, &rsig, msg32)); | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsig, sig64, 2)); | ||||
|     CHECK(!secp256k1_ecdsa_recover(CTX, &pubkey, &rsig, msg32)); | ||||
|     CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsig, sig64, 3)); | ||||
|     CHECK(!secp256k1_ecdsa_recover(CTX, &pubkey, &rsig, msg32)); | ||||
| 
 | ||||
|     for (recid = 0; recid < 4; recid++) { | ||||
|         int i; | ||||
| @ -274,40 +274,40 @@ void test_ecdsa_recovery_edge_cases(void) { | ||||
|             0xE6, 0xAF, 0x48, 0xA0, 0x3B, 0xBF, 0xD2, 0x5E, | ||||
|             0x8C, 0xD0, 0x36, 0x41, 0x45, 0x02, 0x01, 0x04 | ||||
|         }; | ||||
|         CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigb64, recid) == 1); | ||||
|         CHECK(secp256k1_ecdsa_recover(ctx, &pubkeyb, &rsig, msg32) == 1); | ||||
|         CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder)) == 1); | ||||
|         CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 1); | ||||
|         CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsig, sigb64, recid) == 1); | ||||
|         CHECK(secp256k1_ecdsa_recover(CTX, &pubkeyb, &rsig, msg32) == 1); | ||||
|         CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbder, sizeof(sigbder)) == 1); | ||||
|         CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg32, &pubkeyb) == 1); | ||||
|         for (recid2 = 0; recid2 < 4; recid2++) { | ||||
|             secp256k1_pubkey pubkey2b; | ||||
|             CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigb64, recid2) == 1); | ||||
|             CHECK(secp256k1_ecdsa_recover(ctx, &pubkey2b, &rsig, msg32) == 1); | ||||
|             CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsig, sigb64, recid2) == 1); | ||||
|             CHECK(secp256k1_ecdsa_recover(CTX, &pubkey2b, &rsig, msg32) == 1); | ||||
|             /* Verifying with (order + r,4) should always fail. */ | ||||
|             CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderlong, sizeof(sigbderlong)) == 1); | ||||
|             CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0); | ||||
|             CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbderlong, sizeof(sigbderlong)) == 1); | ||||
|             CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg32, &pubkeyb) == 0); | ||||
|         } | ||||
|         /* DER parsing tests. */ | ||||
|         /* Zero length r/s. */ | ||||
|         CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigcder_zr, sizeof(sigcder_zr)) == 0); | ||||
|         CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigcder_zs, sizeof(sigcder_zs)) == 0); | ||||
|         CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigcder_zr, sizeof(sigcder_zr)) == 0); | ||||
|         CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigcder_zs, sizeof(sigcder_zs)) == 0); | ||||
|         /* Leading zeros. */ | ||||
|         CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt1, sizeof(sigbderalt1)) == 0); | ||||
|         CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt2, sizeof(sigbderalt2)) == 0); | ||||
|         CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt3, sizeof(sigbderalt3)) == 0); | ||||
|         CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt4, sizeof(sigbderalt4)) == 0); | ||||
|         CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbderalt1, sizeof(sigbderalt1)) == 0); | ||||
|         CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbderalt2, sizeof(sigbderalt2)) == 0); | ||||
|         CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbderalt3, sizeof(sigbderalt3)) == 0); | ||||
|         CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbderalt4, sizeof(sigbderalt4)) == 0); | ||||
|         sigbderalt3[4] = 1; | ||||
|         CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt3, sizeof(sigbderalt3)) == 1); | ||||
|         CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0); | ||||
|         CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbderalt3, sizeof(sigbderalt3)) == 1); | ||||
|         CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg32, &pubkeyb) == 0); | ||||
|         sigbderalt4[7] = 1; | ||||
|         CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt4, sizeof(sigbderalt4)) == 1); | ||||
|         CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0); | ||||
|         CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbderalt4, sizeof(sigbderalt4)) == 1); | ||||
|         CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg32, &pubkeyb) == 0); | ||||
|         /* Damage signature. */ | ||||
|         sigbder[7]++; | ||||
|         CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder)) == 1); | ||||
|         CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0); | ||||
|         CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbder, sizeof(sigbder)) == 1); | ||||
|         CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg32, &pubkeyb) == 0); | ||||
|         sigbder[7]--; | ||||
|         CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbder, 6) == 0); | ||||
|         CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder) - 1) == 0); | ||||
|         CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbder, 6) == 0); | ||||
|         CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbder, sizeof(sigbder) - 1) == 0); | ||||
|         for(i = 0; i < 8; i++) { | ||||
|             int c; | ||||
|             unsigned char orig = sigbder[i]; | ||||
| @ -317,7 +317,7 @@ void test_ecdsa_recovery_edge_cases(void) { | ||||
|                     continue; | ||||
|                 } | ||||
|                 sigbder[i] = c; | ||||
|                 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder)) == 0 || secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0); | ||||
|                 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbder, sizeof(sigbder)) == 0 || secp256k1_ecdsa_verify(CTX, &sig, msg32, &pubkeyb) == 0); | ||||
|             } | ||||
|             sigbder[i] = orig; | ||||
|         } | ||||
| @ -338,33 +338,33 @@ void test_ecdsa_recovery_edge_cases(void) { | ||||
|             0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, | ||||
|         }; | ||||
|         secp256k1_pubkey pubkeyc; | ||||
|         CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigc64, 0) == 1); | ||||
|         CHECK(secp256k1_ecdsa_recover(ctx, &pubkeyc, &rsig, msg32) == 1); | ||||
|         CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigcder, sizeof(sigcder)) == 1); | ||||
|         CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyc) == 1); | ||||
|         CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsig, sigc64, 0) == 1); | ||||
|         CHECK(secp256k1_ecdsa_recover(CTX, &pubkeyc, &rsig, msg32) == 1); | ||||
|         CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigcder, sizeof(sigcder)) == 1); | ||||
|         CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg32, &pubkeyc) == 1); | ||||
|         sigcder[4] = 0; | ||||
|         sigc64[31] = 0; | ||||
|         CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigc64, 0) == 1); | ||||
|         CHECK(secp256k1_ecdsa_recover(ctx, &pubkeyb, &rsig, msg32) == 0); | ||||
|         CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigcder, sizeof(sigcder)) == 1); | ||||
|         CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyc) == 0); | ||||
|         CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsig, sigc64, 0) == 1); | ||||
|         CHECK(secp256k1_ecdsa_recover(CTX, &pubkeyb, &rsig, msg32) == 0); | ||||
|         CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigcder, sizeof(sigcder)) == 1); | ||||
|         CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg32, &pubkeyc) == 0); | ||||
|         sigcder[4] = 1; | ||||
|         sigcder[7] = 0; | ||||
|         sigc64[31] = 1; | ||||
|         sigc64[63] = 0; | ||||
|         CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigc64, 0) == 1); | ||||
|         CHECK(secp256k1_ecdsa_recover(ctx, &pubkeyb, &rsig, msg32) == 0); | ||||
|         CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigcder, sizeof(sigcder)) == 1); | ||||
|         CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyc) == 0); | ||||
|         CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsig, sigc64, 0) == 1); | ||||
|         CHECK(secp256k1_ecdsa_recover(CTX, &pubkeyb, &rsig, msg32) == 0); | ||||
|         CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigcder, sizeof(sigcder)) == 1); | ||||
|         CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg32, &pubkeyc) == 0); | ||||
|     } | ||||
| } | ||||
| 
 | ||||
| void run_recovery_tests(void) { | ||||
|     int i; | ||||
|     for (i = 0; i < count; i++) { | ||||
|     for (i = 0; i < COUNT; i++) { | ||||
|         test_ecdsa_recovery_api(); | ||||
|     } | ||||
|     for (i = 0; i < 64*count; i++) { | ||||
|     for (i = 0; i < 64*COUNT; i++) { | ||||
|         test_ecdsa_recovery_end_to_end(); | ||||
|     } | ||||
|     test_ecdsa_recovery_edge_cases(); | ||||
|  | ||||
| @ -72,7 +72,7 @@ void run_nonce_function_bip340_tests(void) { | ||||
|     args[2] = pk; | ||||
|     args[3] = algo; | ||||
|     args[4] = aux_rand; | ||||
|     for (i = 0; i < count; i++) { | ||||
|     for (i = 0; i < COUNT; i++) { | ||||
|         nonce_function_bip340_bitflip(args, 0, 32, msglen, algolen); | ||||
|         nonce_function_bip340_bitflip(args, 1, 32, msglen, algolen); | ||||
|         nonce_function_bip340_bitflip(args, 2, 32, msglen, algolen); | ||||
| @ -90,7 +90,7 @@ void run_nonce_function_bip340_tests(void) { | ||||
|     secp256k1_testrand_bytes_test(algo, algolen); | ||||
|     CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1); | ||||
| 
 | ||||
|     for (i = 0; i < count; i++) { | ||||
|     for (i = 0; i < COUNT; i++) { | ||||
|         unsigned char nonce2[32]; | ||||
|         uint32_t offset = secp256k1_testrand_int(msglen - 1); | ||||
|         size_t msglen_tmp = (msglen + offset) % msglen; | ||||
| @ -128,77 +128,77 @@ void test_schnorrsig_api(void) { | ||||
|     secp256k1_schnorrsig_extraparams invalid_extraparams = {{ 0 }, NULL, NULL}; | ||||
| 
 | ||||
|     /** setup **/ | ||||
|     secp256k1_context *sttc = secp256k1_context_clone(secp256k1_context_static); | ||||
|     int ecount; | ||||
|     int ecount = 0; | ||||
| 
 | ||||
|     secp256k1_context_set_error_callback(ctx, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_error_callback(sttc, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_illegal_callback(sttc, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_error_callback(CTX, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_error_callback(STATIC_CTX, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_illegal_callback(STATIC_CTX, counting_illegal_callback_fn, &ecount); | ||||
| 
 | ||||
|     secp256k1_testrand256(sk1); | ||||
|     secp256k1_testrand256(sk2); | ||||
|     secp256k1_testrand256(sk3); | ||||
|     secp256k1_testrand256(msg); | ||||
|     CHECK(secp256k1_keypair_create(ctx, &keypairs[0], sk1) == 1); | ||||
|     CHECK(secp256k1_keypair_create(ctx, &keypairs[1], sk2) == 1); | ||||
|     CHECK(secp256k1_keypair_create(ctx, &keypairs[2], sk3) == 1); | ||||
|     CHECK(secp256k1_keypair_xonly_pub(ctx, &pk[0], NULL, &keypairs[0]) == 1); | ||||
|     CHECK(secp256k1_keypair_xonly_pub(ctx, &pk[1], NULL, &keypairs[1]) == 1); | ||||
|     CHECK(secp256k1_keypair_xonly_pub(ctx, &pk[2], NULL, &keypairs[2]) == 1); | ||||
|     CHECK(secp256k1_keypair_create(CTX, &keypairs[0], sk1) == 1); | ||||
|     CHECK(secp256k1_keypair_create(CTX, &keypairs[1], sk2) == 1); | ||||
|     CHECK(secp256k1_keypair_create(CTX, &keypairs[2], sk3) == 1); | ||||
|     CHECK(secp256k1_keypair_xonly_pub(CTX, &pk[0], NULL, &keypairs[0]) == 1); | ||||
|     CHECK(secp256k1_keypair_xonly_pub(CTX, &pk[1], NULL, &keypairs[1]) == 1); | ||||
|     CHECK(secp256k1_keypair_xonly_pub(CTX, &pk[2], NULL, &keypairs[2]) == 1); | ||||
|     memset(&zero_pk, 0, sizeof(zero_pk)); | ||||
| 
 | ||||
|     /** main test body **/ | ||||
|     ecount = 0; | ||||
|     CHECK(secp256k1_schnorrsig_sign32(ctx, sig, msg, &keypairs[0], NULL) == 1); | ||||
|     CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypairs[0], NULL) == 1); | ||||
|     CHECK(ecount == 0); | ||||
|     CHECK(secp256k1_schnorrsig_sign32(ctx, NULL, msg, &keypairs[0], NULL) == 0); | ||||
|     CHECK(secp256k1_schnorrsig_sign32(CTX, NULL, msg, &keypairs[0], NULL) == 0); | ||||
|     CHECK(ecount == 1); | ||||
|     CHECK(secp256k1_schnorrsig_sign32(ctx, sig, NULL, &keypairs[0], NULL) == 0); | ||||
|     CHECK(secp256k1_schnorrsig_sign32(CTX, sig, NULL, &keypairs[0], NULL) == 0); | ||||
|     CHECK(ecount == 2); | ||||
|     CHECK(secp256k1_schnorrsig_sign32(ctx, sig, msg, NULL, NULL) == 0); | ||||
|     CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, NULL, NULL) == 0); | ||||
|     CHECK(ecount == 3); | ||||
|     CHECK(secp256k1_schnorrsig_sign32(ctx, sig, msg, &invalid_keypair, NULL) == 0); | ||||
|     CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &invalid_keypair, NULL) == 0); | ||||
|     CHECK(ecount == 4); | ||||
|     CHECK(secp256k1_schnorrsig_sign32(sttc, sig, msg, &keypairs[0], NULL) == 0); | ||||
|     CHECK(secp256k1_schnorrsig_sign32(STATIC_CTX, sig, msg, &keypairs[0], NULL) == 0); | ||||
|     CHECK(ecount == 5); | ||||
| 
 | ||||
|     ecount = 0; | ||||
|     CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 1); | ||||
|     CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 1); | ||||
|     CHECK(ecount == 0); | ||||
|     CHECK(secp256k1_schnorrsig_sign_custom(ctx, NULL, msg, sizeof(msg), &keypairs[0], &extraparams) == 0); | ||||
|     CHECK(secp256k1_schnorrsig_sign_custom(CTX, NULL, msg, sizeof(msg), &keypairs[0], &extraparams) == 0); | ||||
|     CHECK(ecount == 1); | ||||
|     CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, NULL, sizeof(msg), &keypairs[0], &extraparams) == 0); | ||||
|     CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, NULL, sizeof(msg), &keypairs[0], &extraparams) == 0); | ||||
|     CHECK(ecount == 2); | ||||
|     CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, NULL, 0, &keypairs[0], &extraparams) == 1); | ||||
|     CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, NULL, 0, &keypairs[0], &extraparams) == 1); | ||||
|     CHECK(ecount == 2); | ||||
|     CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), NULL, &extraparams) == 0); | ||||
|     CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), NULL, &extraparams) == 0); | ||||
|     CHECK(ecount == 3); | ||||
|     CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &invalid_keypair, &extraparams) == 0); | ||||
|     CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &invalid_keypair, &extraparams) == 0); | ||||
|     CHECK(ecount == 4); | ||||
|     CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypairs[0], NULL) == 1); | ||||
|     CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypairs[0], NULL) == 1); | ||||
|     CHECK(ecount == 4); | ||||
|     CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypairs[0], &invalid_extraparams) == 0); | ||||
|     CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypairs[0], &invalid_extraparams) == 0); | ||||
|     CHECK(ecount == 5); | ||||
|     CHECK(secp256k1_schnorrsig_sign_custom(sttc, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 0); | ||||
|     CHECK(secp256k1_schnorrsig_sign_custom(STATIC_CTX, sig, msg, sizeof(msg), &keypairs[0], &extraparams) == 0); | ||||
|     CHECK(ecount == 6); | ||||
| 
 | ||||
|     ecount = 0; | ||||
|     CHECK(secp256k1_schnorrsig_sign32(ctx, sig, msg, &keypairs[0], NULL) == 1); | ||||
|     CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &pk[0]) == 1); | ||||
|     CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypairs[0], NULL) == 1); | ||||
|     CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk[0]) == 1); | ||||
|     CHECK(ecount == 0); | ||||
|     CHECK(secp256k1_schnorrsig_verify(ctx, NULL, msg, sizeof(msg), &pk[0]) == 0); | ||||
|     CHECK(secp256k1_schnorrsig_verify(CTX, NULL, msg, sizeof(msg), &pk[0]) == 0); | ||||
|     CHECK(ecount == 1); | ||||
|     CHECK(secp256k1_schnorrsig_verify(ctx, sig, NULL, sizeof(msg), &pk[0]) == 0); | ||||
|     CHECK(secp256k1_schnorrsig_verify(CTX, sig, NULL, sizeof(msg), &pk[0]) == 0); | ||||
|     CHECK(ecount == 2); | ||||
|     CHECK(secp256k1_schnorrsig_verify(ctx, sig, NULL, 0, &pk[0]) == 0); | ||||
|     CHECK(secp256k1_schnorrsig_verify(CTX, sig, NULL, 0, &pk[0]) == 0); | ||||
|     CHECK(ecount == 2); | ||||
|     CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), NULL) == 0); | ||||
|     CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), NULL) == 0); | ||||
|     CHECK(ecount == 3); | ||||
|     CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &zero_pk) == 0); | ||||
|     CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &zero_pk) == 0); | ||||
|     CHECK(ecount == 4); | ||||
| 
 | ||||
|     secp256k1_context_destroy(sttc); | ||||
|     secp256k1_context_set_error_callback(STATIC_CTX, NULL, NULL); | ||||
|     secp256k1_context_set_illegal_callback(STATIC_CTX, NULL, NULL); | ||||
| } | ||||
| 
 | ||||
| /* Checks that hash initialized by secp256k1_schnorrsig_sha256_tagged has the
 | ||||
| @ -220,14 +220,14 @@ void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const un | ||||
|     secp256k1_keypair keypair; | ||||
|     secp256k1_xonly_pubkey pk, pk_expected; | ||||
| 
 | ||||
|     CHECK(secp256k1_keypair_create(ctx, &keypair, sk)); | ||||
|     CHECK(secp256k1_schnorrsig_sign32(ctx, sig, msg32, &keypair, aux_rand)); | ||||
|     CHECK(secp256k1_keypair_create(CTX, &keypair, sk)); | ||||
|     CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg32, &keypair, aux_rand)); | ||||
|     CHECK(secp256k1_memcmp_var(sig, expected_sig, 64) == 0); | ||||
| 
 | ||||
|     CHECK(secp256k1_xonly_pubkey_parse(ctx, &pk_expected, pk_serialized)); | ||||
|     CHECK(secp256k1_keypair_xonly_pub(ctx, &pk, NULL, &keypair)); | ||||
|     CHECK(secp256k1_xonly_pubkey_parse(CTX, &pk_expected, pk_serialized)); | ||||
|     CHECK(secp256k1_keypair_xonly_pub(CTX, &pk, NULL, &keypair)); | ||||
|     CHECK(secp256k1_memcmp_var(&pk, &pk_expected, sizeof(pk)) == 0); | ||||
|     CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg32, 32, &pk)); | ||||
|     CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg32, 32, &pk)); | ||||
| } | ||||
| 
 | ||||
| /* Helper function for schnorrsig_bip_vectors
 | ||||
| @ -235,8 +235,8 @@ void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const un | ||||
| void test_schnorrsig_bip_vectors_check_verify(const unsigned char *pk_serialized, const unsigned char *msg32, const unsigned char *sig, int expected) { | ||||
|     secp256k1_xonly_pubkey pk; | ||||
| 
 | ||||
|     CHECK(secp256k1_xonly_pubkey_parse(ctx, &pk, pk_serialized)); | ||||
|     CHECK(expected == secp256k1_schnorrsig_verify(ctx, sig, msg32, 32, &pk)); | ||||
|     CHECK(secp256k1_xonly_pubkey_parse(CTX, &pk, pk_serialized)); | ||||
|     CHECK(expected == secp256k1_schnorrsig_verify(CTX, sig, msg32, 32, &pk)); | ||||
| } | ||||
| 
 | ||||
| /* Test vectors according to BIP-340 ("Schnorr Signatures for secp256k1"). See
 | ||||
| @ -434,7 +434,7 @@ void test_schnorrsig_bip_vectors(void) { | ||||
|         }; | ||||
|         secp256k1_xonly_pubkey pk_parsed; | ||||
|         /* No need to check the signature of the test vector as parsing the pubkey already fails */ | ||||
|         CHECK(!secp256k1_xonly_pubkey_parse(ctx, &pk_parsed, pk)); | ||||
|         CHECK(!secp256k1_xonly_pubkey_parse(CTX, &pk_parsed, pk)); | ||||
|     } | ||||
|     { | ||||
|         /* Test vector 6 */ | ||||
| @ -654,7 +654,7 @@ void test_schnorrsig_bip_vectors(void) { | ||||
|         }; | ||||
|         secp256k1_xonly_pubkey pk_parsed; | ||||
|         /* No need to check the signature of the test vector as parsing the pubkey already fails */ | ||||
|         CHECK(!secp256k1_xonly_pubkey_parse(ctx, &pk_parsed, pk)); | ||||
|         CHECK(!secp256k1_xonly_pubkey_parse(CTX, &pk_parsed, pk)); | ||||
|     } | ||||
| } | ||||
| 
 | ||||
| @ -712,36 +712,36 @@ void test_schnorrsig_sign(void) { | ||||
| 
 | ||||
|     secp256k1_testrand256(sk); | ||||
|     secp256k1_testrand256(aux_rand); | ||||
|     CHECK(secp256k1_keypair_create(ctx, &keypair, sk)); | ||||
|     CHECK(secp256k1_keypair_xonly_pub(ctx, &pk, NULL, &keypair)); | ||||
|     CHECK(secp256k1_schnorrsig_sign32(ctx, sig, msg, &keypair, NULL) == 1); | ||||
|     CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &pk)); | ||||
|     CHECK(secp256k1_keypair_create(CTX, &keypair, sk)); | ||||
|     CHECK(secp256k1_keypair_xonly_pub(CTX, &pk, NULL, &keypair)); | ||||
|     CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypair, NULL) == 1); | ||||
|     CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk)); | ||||
|     /* Check that deprecated alias gives the same result */ | ||||
|     CHECK(secp256k1_schnorrsig_sign(ctx, sig2, msg, &keypair, NULL) == 1); | ||||
|     CHECK(secp256k1_schnorrsig_sign(CTX, sig2, msg, &keypair, NULL) == 1); | ||||
|     CHECK(secp256k1_memcmp_var(sig, sig2, sizeof(sig)) == 0); | ||||
| 
 | ||||
|     /* Test different nonce functions */ | ||||
|     CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 1); | ||||
|     CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &pk)); | ||||
|     CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 1); | ||||
|     CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk)); | ||||
|     memset(sig, 1, sizeof(sig)); | ||||
|     extraparams.noncefp = nonce_function_failing; | ||||
|     CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 0); | ||||
|     CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 0); | ||||
|     CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) == 0); | ||||
|     memset(&sig, 1, sizeof(sig)); | ||||
|     extraparams.noncefp = nonce_function_0; | ||||
|     CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 0); | ||||
|     CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 0); | ||||
|     CHECK(secp256k1_memcmp_var(sig, zeros64, sizeof(sig)) == 0); | ||||
|     memset(&sig, 1, sizeof(sig)); | ||||
|     extraparams.noncefp = nonce_function_overflowing; | ||||
|     CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 1); | ||||
|     CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &pk)); | ||||
|     CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 1); | ||||
|     CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &pk)); | ||||
| 
 | ||||
|     /* When using the default nonce function, schnorrsig_sign_custom produces
 | ||||
|      * the same result as schnorrsig_sign with aux_rand = extraparams.ndata */ | ||||
|     extraparams.noncefp = NULL; | ||||
|     extraparams.ndata = aux_rand; | ||||
|     CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 1); | ||||
|     CHECK(secp256k1_schnorrsig_sign32(ctx, sig2, msg, &keypair, extraparams.ndata) == 1); | ||||
|     CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig, msg, sizeof(msg), &keypair, &extraparams) == 1); | ||||
|     CHECK(secp256k1_schnorrsig_sign32(CTX, sig2, msg, &keypair, extraparams.ndata) == 1); | ||||
|     CHECK(secp256k1_memcmp_var(sig, sig2, sizeof(sig)) == 0); | ||||
| } | ||||
| 
 | ||||
| @ -759,13 +759,13 @@ void test_schnorrsig_sign_verify(void) { | ||||
|     secp256k1_scalar s; | ||||
| 
 | ||||
|     secp256k1_testrand256(sk); | ||||
|     CHECK(secp256k1_keypair_create(ctx, &keypair, sk)); | ||||
|     CHECK(secp256k1_keypair_xonly_pub(ctx, &pk, NULL, &keypair)); | ||||
|     CHECK(secp256k1_keypair_create(CTX, &keypair, sk)); | ||||
|     CHECK(secp256k1_keypair_xonly_pub(CTX, &pk, NULL, &keypair)); | ||||
| 
 | ||||
|     for (i = 0; i < N_SIGS; i++) { | ||||
|         secp256k1_testrand256(msg[i]); | ||||
|         CHECK(secp256k1_schnorrsig_sign32(ctx, sig[i], msg[i], &keypair, NULL)); | ||||
|         CHECK(secp256k1_schnorrsig_verify(ctx, sig[i], msg[i], sizeof(msg[i]), &pk)); | ||||
|         CHECK(secp256k1_schnorrsig_sign32(CTX, sig[i], msg[i], &keypair, NULL)); | ||||
|         CHECK(secp256k1_schnorrsig_verify(CTX, sig[i], msg[i], sizeof(msg[i]), &pk)); | ||||
|     } | ||||
| 
 | ||||
|     { | ||||
| @ -775,40 +775,40 @@ void test_schnorrsig_sign_verify(void) { | ||||
|         size_t byte_idx = secp256k1_testrand_bits(5); | ||||
|         unsigned char xorbyte = secp256k1_testrand_int(254)+1; | ||||
|         sig[sig_idx][byte_idx] ^= xorbyte; | ||||
|         CHECK(!secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk)); | ||||
|         CHECK(!secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk)); | ||||
|         sig[sig_idx][byte_idx] ^= xorbyte; | ||||
| 
 | ||||
|         byte_idx = secp256k1_testrand_bits(5); | ||||
|         sig[sig_idx][32+byte_idx] ^= xorbyte; | ||||
|         CHECK(!secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk)); | ||||
|         CHECK(!secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk)); | ||||
|         sig[sig_idx][32+byte_idx] ^= xorbyte; | ||||
| 
 | ||||
|         byte_idx = secp256k1_testrand_bits(5); | ||||
|         msg[sig_idx][byte_idx] ^= xorbyte; | ||||
|         CHECK(!secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk)); | ||||
|         CHECK(!secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk)); | ||||
|         msg[sig_idx][byte_idx] ^= xorbyte; | ||||
| 
 | ||||
|         /* Check that above bitflips have been reversed correctly */ | ||||
|         CHECK(secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk)); | ||||
|         CHECK(secp256k1_schnorrsig_verify(CTX, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk)); | ||||
|     } | ||||
| 
 | ||||
|     /* Test overflowing s */ | ||||
|     CHECK(secp256k1_schnorrsig_sign32(ctx, sig[0], msg[0], &keypair, NULL)); | ||||
|     CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], sizeof(msg[0]), &pk)); | ||||
|     CHECK(secp256k1_schnorrsig_sign32(CTX, sig[0], msg[0], &keypair, NULL)); | ||||
|     CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk)); | ||||
|     memset(&sig[0][32], 0xFF, 32); | ||||
|     CHECK(!secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], sizeof(msg[0]), &pk)); | ||||
|     CHECK(!secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk)); | ||||
| 
 | ||||
|     /* Test negative s */ | ||||
|     CHECK(secp256k1_schnorrsig_sign32(ctx, sig[0], msg[0], &keypair, NULL)); | ||||
|     CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], sizeof(msg[0]), &pk)); | ||||
|     CHECK(secp256k1_schnorrsig_sign32(CTX, sig[0], msg[0], &keypair, NULL)); | ||||
|     CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk)); | ||||
|     secp256k1_scalar_set_b32(&s, &sig[0][32], NULL); | ||||
|     secp256k1_scalar_negate(&s, &s); | ||||
|     secp256k1_scalar_get_b32(&sig[0][32], &s); | ||||
|     CHECK(!secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], sizeof(msg[0]), &pk)); | ||||
|     CHECK(!secp256k1_schnorrsig_verify(CTX, sig[0], msg[0], sizeof(msg[0]), &pk)); | ||||
| 
 | ||||
|     /* The empty message can be signed & verified */ | ||||
|     CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig[0], NULL, 0, &keypair, NULL) == 1); | ||||
|     CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], NULL, 0, &pk) == 1); | ||||
|     CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig[0], NULL, 0, &keypair, NULL) == 1); | ||||
|     CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], NULL, 0, &pk) == 1); | ||||
| 
 | ||||
|     { | ||||
|         /* Test varying message lengths */ | ||||
| @ -817,11 +817,11 @@ void test_schnorrsig_sign_verify(void) { | ||||
|         for (i = 0; i < sizeof(msg_large); i += 32) { | ||||
|             secp256k1_testrand256(&msg_large[i]); | ||||
|         } | ||||
|         CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig[0], msg_large, msglen, &keypair, NULL) == 1); | ||||
|         CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg_large, msglen, &pk) == 1); | ||||
|         CHECK(secp256k1_schnorrsig_sign_custom(CTX, sig[0], msg_large, msglen, &keypair, NULL) == 1); | ||||
|         CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg_large, msglen, &pk) == 1); | ||||
|         /* Verification for a random wrong message length fails */ | ||||
|         msglen = (msglen + (sizeof(msg_large) - 1)) % sizeof(msg_large); | ||||
|         CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg_large, msglen, &pk) == 0); | ||||
|         CHECK(secp256k1_schnorrsig_verify(CTX, sig[0], msg_large, msglen, &pk) == 0); | ||||
|     } | ||||
| } | ||||
| #undef N_SIGS | ||||
| @ -840,26 +840,26 @@ void test_schnorrsig_taproot(void) { | ||||
| 
 | ||||
|     /* Create output key */ | ||||
|     secp256k1_testrand256(sk); | ||||
|     CHECK(secp256k1_keypair_create(ctx, &keypair, sk) == 1); | ||||
|     CHECK(secp256k1_keypair_xonly_pub(ctx, &internal_pk, NULL, &keypair) == 1); | ||||
|     CHECK(secp256k1_keypair_create(CTX, &keypair, sk) == 1); | ||||
|     CHECK(secp256k1_keypair_xonly_pub(CTX, &internal_pk, NULL, &keypair) == 1); | ||||
|     /* In actual taproot the tweak would be hash of internal_pk */ | ||||
|     CHECK(secp256k1_xonly_pubkey_serialize(ctx, tweak, &internal_pk) == 1); | ||||
|     CHECK(secp256k1_keypair_xonly_tweak_add(ctx, &keypair, tweak) == 1); | ||||
|     CHECK(secp256k1_keypair_xonly_pub(ctx, &output_pk, &pk_parity, &keypair) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_serialize(ctx, output_pk_bytes, &output_pk) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_serialize(CTX, tweak, &internal_pk) == 1); | ||||
|     CHECK(secp256k1_keypair_xonly_tweak_add(CTX, &keypair, tweak) == 1); | ||||
|     CHECK(secp256k1_keypair_xonly_pub(CTX, &output_pk, &pk_parity, &keypair) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_serialize(CTX, output_pk_bytes, &output_pk) == 1); | ||||
| 
 | ||||
|     /* Key spend */ | ||||
|     secp256k1_testrand256(msg); | ||||
|     CHECK(secp256k1_schnorrsig_sign32(ctx, sig, msg, &keypair, NULL) == 1); | ||||
|     CHECK(secp256k1_schnorrsig_sign32(CTX, sig, msg, &keypair, NULL) == 1); | ||||
|     /* Verify key spend */ | ||||
|     CHECK(secp256k1_xonly_pubkey_parse(ctx, &output_pk, output_pk_bytes) == 1); | ||||
|     CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &output_pk) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_parse(CTX, &output_pk, output_pk_bytes) == 1); | ||||
|     CHECK(secp256k1_schnorrsig_verify(CTX, sig, msg, sizeof(msg), &output_pk) == 1); | ||||
| 
 | ||||
|     /* Script spend */ | ||||
|     CHECK(secp256k1_xonly_pubkey_serialize(ctx, internal_pk_bytes, &internal_pk) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_serialize(CTX, internal_pk_bytes, &internal_pk) == 1); | ||||
|     /* Verify script spend */ | ||||
|     CHECK(secp256k1_xonly_pubkey_parse(ctx, &internal_pk, internal_pk_bytes) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add_check(ctx, output_pk_bytes, pk_parity, &internal_pk, tweak) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_parse(CTX, &internal_pk, internal_pk_bytes) == 1); | ||||
|     CHECK(secp256k1_xonly_pubkey_tweak_add_check(CTX, output_pk_bytes, pk_parity, &internal_pk, tweak) == 1); | ||||
| } | ||||
| 
 | ||||
| void run_schnorrsig_tests(void) { | ||||
| @ -869,7 +869,7 @@ void run_schnorrsig_tests(void) { | ||||
|     test_schnorrsig_api(); | ||||
|     test_schnorrsig_sha256_tagged(); | ||||
|     test_schnorrsig_bip_vectors(); | ||||
|     for (i = 0; i < count; i++) { | ||||
|     for (i = 0; i < COUNT; i++) { | ||||
|         test_schnorrsig_sign(); | ||||
|         test_schnorrsig_sign_verify(); | ||||
|     } | ||||
|  | ||||
| @ -15,7 +15,6 @@ | ||||
| 
 | ||||
| static void test_surjectionproof_api(void) { | ||||
|     unsigned char seed[32]; | ||||
|     secp256k1_context *sttc = secp256k1_context_clone(secp256k1_context_static); | ||||
|     secp256k1_fixed_asset_tag fixed_input_tags[10]; | ||||
|     secp256k1_fixed_asset_tag fixed_output_tag; | ||||
|     secp256k1_generator ephemeral_input_tags[10]; | ||||
| @ -32,54 +31,54 @@ static void test_surjectionproof_api(void) { | ||||
|     size_t i; | ||||
| 
 | ||||
|     secp256k1_testrand256(seed); | ||||
|     secp256k1_context_set_error_callback(ctx, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_error_callback(sttc, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_illegal_callback(sttc, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_error_callback(CTX, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_error_callback(STATIC_CTX, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount); | ||||
|     secp256k1_context_set_illegal_callback(STATIC_CTX, counting_illegal_callback_fn, &ecount); | ||||
| 
 | ||||
| 
 | ||||
|     for (i = 0; i < n_inputs; i++) { | ||||
|         secp256k1_testrand256(input_blinding_key[i]); | ||||
|         secp256k1_testrand256(fixed_input_tags[i].data); | ||||
|         CHECK(secp256k1_generator_generate_blinded(ctx, &ephemeral_input_tags[i], fixed_input_tags[i].data, input_blinding_key[i])); | ||||
|         CHECK(secp256k1_generator_generate_blinded(CTX, &ephemeral_input_tags[i], fixed_input_tags[i].data, input_blinding_key[i])); | ||||
|     } | ||||
|     secp256k1_testrand256(output_blinding_key); | ||||
|     memcpy(&fixed_output_tag, &fixed_input_tags[0], sizeof(fixed_input_tags[0])); | ||||
|     CHECK(secp256k1_generator_generate_blinded(ctx, &ephemeral_output_tag, fixed_output_tag.data, output_blinding_key)); | ||||
|     CHECK(secp256k1_generator_generate_blinded(CTX, &ephemeral_output_tag, fixed_output_tag.data, output_blinding_key)); | ||||
| 
 | ||||
|     /* check allocate_initialized */ | ||||
|     CHECK(secp256k1_surjectionproof_allocate_initialized(ctx, &proof_on_heap, &input_index, fixed_input_tags, n_inputs, 0, &fixed_input_tags[0], 100, seed) == 0); | ||||
|     CHECK(secp256k1_surjectionproof_allocate_initialized(CTX, &proof_on_heap, &input_index, fixed_input_tags, n_inputs, 0, &fixed_input_tags[0], 100, seed) == 0); | ||||
|     CHECK(proof_on_heap == 0); | ||||
|     CHECK(ecount == 0); | ||||
|     CHECK(secp256k1_surjectionproof_allocate_initialized(ctx, &proof_on_heap, &input_index, fixed_input_tags, n_inputs, 3, &fixed_input_tags[0], 100, seed) != 0); | ||||
|     CHECK(secp256k1_surjectionproof_allocate_initialized(CTX, &proof_on_heap, &input_index, fixed_input_tags, n_inputs, 3, &fixed_input_tags[0], 100, seed) != 0); | ||||
|     CHECK(proof_on_heap != 0); | ||||
|     secp256k1_surjectionproof_destroy(proof_on_heap); | ||||
|     CHECK(ecount == 0); | ||||
|     CHECK(secp256k1_surjectionproof_allocate_initialized(ctx, NULL, &input_index, fixed_input_tags, n_inputs, 3, &fixed_input_tags[0], 100, seed) == 0); | ||||
|     CHECK(secp256k1_surjectionproof_allocate_initialized(CTX, NULL, &input_index, fixed_input_tags, n_inputs, 3, &fixed_input_tags[0], 100, seed) == 0); | ||||
|     CHECK(ecount == 1); | ||||
|     CHECK(secp256k1_surjectionproof_allocate_initialized(ctx, &proof_on_heap, NULL, fixed_input_tags, n_inputs, 3, &fixed_input_tags[0], 100, seed) == 0); | ||||
|     CHECK(secp256k1_surjectionproof_allocate_initialized(CTX, &proof_on_heap, NULL, fixed_input_tags, n_inputs, 3, &fixed_input_tags[0], 100, seed) == 0); | ||||
|     CHECK(proof_on_heap == 0); | ||||
|     CHECK(ecount == 2); | ||||
|     CHECK(secp256k1_surjectionproof_allocate_initialized(ctx, &proof_on_heap, &input_index, NULL, n_inputs, 3, &fixed_input_tags[0], 100, seed) == 0); | ||||
|     CHECK(secp256k1_surjectionproof_allocate_initialized(CTX, &proof_on_heap, &input_index, NULL, n_inputs, 3, &fixed_input_tags[0], 100, seed) == 0); | ||||
|     CHECK(proof_on_heap == 0); | ||||
|     CHECK(ecount == 3); | ||||
|     CHECK(secp256k1_surjectionproof_allocate_initialized(ctx, &proof_on_heap, &input_index, fixed_input_tags, SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS + 1, 3, &fixed_input_tags[0], 100, seed) == 0); | ||||
|     CHECK(secp256k1_surjectionproof_allocate_initialized(CTX, &proof_on_heap, &input_index, fixed_input_tags, SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS + 1, 3, &fixed_input_tags[0], 100, seed) == 0); | ||||
|     CHECK(proof_on_heap == 0); | ||||
|     CHECK(ecount == 4); | ||||
|     CHECK(secp256k1_surjectionproof_allocate_initialized(ctx, &proof_on_heap, &input_index, fixed_input_tags, n_inputs, n_inputs, &fixed_input_tags[0], 100, seed) != 0); | ||||
|     CHECK(secp256k1_surjectionproof_allocate_initialized(CTX, &proof_on_heap, &input_index, fixed_input_tags, n_inputs, n_inputs, &fixed_input_tags[0], 100, seed) != 0); | ||||
|     CHECK(proof_on_heap != 0); | ||||
|     secp256k1_surjectionproof_destroy(proof_on_heap); | ||||
|     CHECK(ecount == 4); | ||||
|     CHECK(secp256k1_surjectionproof_allocate_initialized(ctx, &proof_on_heap, &input_index, fixed_input_tags, n_inputs, n_inputs + 1, &fixed_input_tags[0], 100, seed) == 0); | ||||
|     CHECK(secp256k1_surjectionproof_allocate_initialized(CTX, &proof_on_heap, &input_index, fixed_input_tags, n_inputs, n_inputs + 1, &fixed_input_tags[0], 100, seed) == 0); | ||||
|     CHECK(proof_on_heap == 0); | ||||
|     CHECK(ecount == 5); | ||||
|     CHECK(secp256k1_surjectionproof_allocate_initialized(ctx, &proof_on_heap, &input_index, fixed_input_tags, n_inputs, 3, NULL, 100, seed) == 0); | ||||
|     CHECK(secp256k1_surjectionproof_allocate_initialized(CTX, &proof_on_heap, &input_index, fixed_input_tags, n_inputs, 3, NULL, 100, seed) == 0); | ||||
|     CHECK(proof_on_heap == 0); | ||||
|     CHECK(ecount == 6); | ||||
|     CHECK((secp256k1_surjectionproof_allocate_initialized(ctx, &proof_on_heap, &input_index, fixed_input_tags, n_inputs, 0, &fixed_input_tags[0], 0, seed) & 1) == 0); | ||||
|     CHECK((secp256k1_surjectionproof_allocate_initialized(CTX, &proof_on_heap, &input_index, fixed_input_tags, n_inputs, 0, &fixed_input_tags[0], 0, seed) & 1) == 0); | ||||
|     CHECK(proof_on_heap == 0); | ||||
|     CHECK(ecount == 6); | ||||
|     CHECK(secp256k1_surjectionproof_allocate_initialized(ctx, &proof_on_heap, &input_index, fixed_input_tags, n_inputs, 0, &fixed_input_tags[0], 100, NULL) == 0); | ||||
|     CHECK(secp256k1_surjectionproof_allocate_initialized(CTX, &proof_on_heap, &input_index, fixed_input_tags, n_inputs, 0, &fixed_input_tags[0], 100, NULL) == 0); | ||||
|     CHECK(proof_on_heap == 0); | ||||
|     CHECK(ecount == 7); | ||||
| 
 | ||||
| @ -88,114 +87,117 @@ static void test_surjectionproof_api(void) { | ||||
|     ecount = 0; | ||||
| 
 | ||||
|     /* check initialize */ | ||||
|     CHECK(secp256k1_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, 0, &fixed_input_tags[0], 100, seed) == 0); | ||||
|     CHECK(secp256k1_surjectionproof_initialize(CTX, &proof, &input_index, fixed_input_tags, n_inputs, 0, &fixed_input_tags[0], 100, seed) == 0); | ||||
|     CHECK(ecount == 0); | ||||
|     CHECK(secp256k1_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, 3, &fixed_input_tags[0], 100, seed) != 0); | ||||
|     CHECK(secp256k1_surjectionproof_initialize(CTX, &proof, &input_index, fixed_input_tags, n_inputs, 3, &fixed_input_tags[0], 100, seed) != 0); | ||||
|     CHECK(ecount == 0); | ||||
|     CHECK(secp256k1_surjectionproof_initialize(ctx, NULL, &input_index, fixed_input_tags, n_inputs, 3, &fixed_input_tags[0], 100, seed) == 0); | ||||
|     CHECK(secp256k1_surjectionproof_initialize(CTX, NULL, &input_index, fixed_input_tags, n_inputs, 3, &fixed_input_tags[0], 100, seed) == 0); | ||||
|     CHECK(ecount == 1); | ||||
|     CHECK(secp256k1_surjectionproof_initialize(ctx, &proof, NULL, fixed_input_tags, n_inputs, 3, &fixed_input_tags[0], 100, seed) == 0); | ||||
|     CHECK(secp256k1_surjectionproof_initialize(CTX, &proof, NULL, fixed_input_tags, n_inputs, 3, &fixed_input_tags[0], 100, seed) == 0); | ||||
|     CHECK(ecount == 2); | ||||
|     CHECK(secp256k1_surjectionproof_initialize(ctx, &proof, &input_index, NULL, n_inputs, 3, &fixed_input_tags[0], 100, seed) == 0); | ||||
|     CHECK(secp256k1_surjectionproof_initialize(CTX, &proof, &input_index, NULL, n_inputs, 3, &fixed_input_tags[0], 100, seed) == 0); | ||||
|     CHECK(ecount == 3); | ||||
|     CHECK(secp256k1_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS + 1, 3, &fixed_input_tags[0], 100, seed) == 0); | ||||
|     CHECK(secp256k1_surjectionproof_initialize(CTX, &proof, &input_index, fixed_input_tags, SECP256K1_SURJECTIONPROOF_MAX_N_INPUTS + 1, 3, &fixed_input_tags[0], 100, seed) == 0); | ||||
|     CHECK(ecount == 4); | ||||
|     CHECK(secp256k1_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, n_inputs, &fixed_input_tags[0], 100, seed) != 0); | ||||
|     CHECK(secp256k1_surjectionproof_initialize(CTX, &proof, &input_index, fixed_input_tags, n_inputs, n_inputs, &fixed_input_tags[0], 100, seed) != 0); | ||||
|     CHECK(ecount == 4); | ||||
|     CHECK(secp256k1_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, n_inputs + 1, &fixed_input_tags[0], 100, seed) == 0); | ||||
|     CHECK(secp256k1_surjectionproof_initialize(CTX, &proof, &input_index, fixed_input_tags, n_inputs, n_inputs + 1, &fixed_input_tags[0], 100, seed) == 0); | ||||
|     CHECK(ecount == 5); | ||||
|     CHECK(secp256k1_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, 3, NULL, 100, seed) == 0); | ||||
|     CHECK(secp256k1_surjectionproof_initialize(CTX, &proof, &input_index, fixed_input_tags, n_inputs, 3, NULL, 100, seed) == 0); | ||||
|     CHECK(ecount == 6); | ||||
|     CHECK((secp256k1_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, 0, &fixed_input_tags[0], 0, seed) & 1) == 0); | ||||
|     CHECK((secp256k1_surjectionproof_initialize(CTX, &proof, &input_index, fixed_input_tags, n_inputs, 0, &fixed_input_tags[0], 0, seed) & 1) == 0); | ||||
|     CHECK(ecount == 6); | ||||
|     CHECK(secp256k1_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, 0, &fixed_input_tags[0], 100, NULL) == 0); | ||||
|     CHECK(secp256k1_surjectionproof_initialize(CTX, &proof, &input_index, fixed_input_tags, n_inputs, 0, &fixed_input_tags[0], 100, NULL) == 0); | ||||
|     CHECK(ecount == 7); | ||||
| 
 | ||||
|     CHECK(secp256k1_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, 3, &fixed_input_tags[0], 100, seed) != 0); | ||||
|     CHECK(secp256k1_surjectionproof_initialize(CTX, &proof, &input_index, fixed_input_tags, n_inputs, 3, &fixed_input_tags[0], 100, seed) != 0); | ||||
|     /* check generate */ | ||||
|     CHECK(secp256k1_surjectionproof_generate(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) != 0); | ||||
|     CHECK(secp256k1_surjectionproof_generate(CTX, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) != 0); | ||||
|     CHECK(ecount == 7); | ||||
|     CHECK(secp256k1_surjectionproof_generate(sttc, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0); | ||||
|     CHECK(secp256k1_surjectionproof_generate(STATIC_CTX, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0); | ||||
|     CHECK(ecount == 8); | ||||
| 
 | ||||
|     CHECK(secp256k1_surjectionproof_generate(ctx, NULL, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0); | ||||
|     CHECK(secp256k1_surjectionproof_generate(CTX, NULL, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0); | ||||
|     CHECK(ecount == 9); | ||||
|     CHECK(secp256k1_surjectionproof_generate(ctx, &proof, NULL, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0); | ||||
|     CHECK(secp256k1_surjectionproof_generate(CTX, &proof, NULL, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0); | ||||
|     CHECK(ecount == 10); | ||||
|     CHECK(secp256k1_surjectionproof_generate(ctx, &proof, ephemeral_input_tags, n_inputs + 1, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0); | ||||
|     CHECK(secp256k1_surjectionproof_generate(CTX, &proof, ephemeral_input_tags, n_inputs + 1, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0); | ||||
|     CHECK(ecount == 10); | ||||
|     CHECK(secp256k1_surjectionproof_generate(ctx, &proof, ephemeral_input_tags, n_inputs - 1, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0); | ||||
|     CHECK(secp256k1_surjectionproof_generate(CTX, &proof, ephemeral_input_tags, n_inputs - 1, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0); | ||||
|     CHECK(ecount == 10); | ||||
|     CHECK(secp256k1_surjectionproof_generate(ctx, &proof, ephemeral_input_tags, 0, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0); | ||||
|     CHECK(secp256k1_surjectionproof_generate(CTX, &proof, ephemeral_input_tags, 0, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0); | ||||
|     CHECK(ecount == 10); | ||||
|     CHECK(secp256k1_surjectionproof_generate(ctx, &proof, ephemeral_input_tags, n_inputs, NULL, 0, input_blinding_key[0], output_blinding_key) == 0); | ||||
|     CHECK(secp256k1_surjectionproof_generate(CTX, &proof, ephemeral_input_tags, n_inputs, NULL, 0, input_blinding_key[0], output_blinding_key) == 0); | ||||
|     CHECK(ecount == 11); | ||||
|     CHECK(secp256k1_surjectionproof_generate(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 1, input_blinding_key[0], output_blinding_key) != 0); | ||||
|     CHECK(secp256k1_surjectionproof_generate(CTX, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 1, input_blinding_key[0], output_blinding_key) != 0); | ||||
|     CHECK(ecount == 11);  /* the above line "succeeds" but generates an invalid proof as the input_index is wrong. it is fairly expensive to detect this. should we? */ | ||||
|     CHECK(secp256k1_surjectionproof_generate(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, n_inputs + 1, input_blinding_key[0], output_blinding_key) != 0); | ||||
|     CHECK(secp256k1_surjectionproof_generate(CTX, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, n_inputs + 1, input_blinding_key[0], output_blinding_key) != 0); | ||||
|     CHECK(ecount == 11); | ||||
|     CHECK(secp256k1_surjectionproof_generate(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, NULL, output_blinding_key) == 0); | ||||
|     CHECK(secp256k1_surjectionproof_generate(CTX, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, NULL, output_blinding_key) == 0); | ||||
|     CHECK(ecount == 12); | ||||
|     CHECK(secp256k1_surjectionproof_generate(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], NULL) == 0); | ||||
|     CHECK(secp256k1_surjectionproof_generate(CTX, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], NULL) == 0); | ||||
|     CHECK(ecount == 13); | ||||
| 
 | ||||
|     CHECK(secp256k1_surjectionproof_generate(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) != 0); | ||||
|     CHECK(secp256k1_surjectionproof_generate(CTX, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) != 0); | ||||
|     /* check verify */ | ||||
|     CHECK(secp256k1_surjectionproof_verify(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag) == 1); | ||||
|     CHECK(secp256k1_surjectionproof_verify(CTX, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag) == 1); | ||||
|     CHECK(ecount == 13); | ||||
| 
 | ||||
|     CHECK(secp256k1_surjectionproof_verify(ctx, NULL, ephemeral_input_tags, n_inputs, &ephemeral_output_tag) == 0); | ||||
|     CHECK(secp256k1_surjectionproof_verify(CTX, NULL, ephemeral_input_tags, n_inputs, &ephemeral_output_tag) == 0); | ||||
|     CHECK(ecount == 14); | ||||
|     CHECK(secp256k1_surjectionproof_verify(ctx, &proof, NULL, n_inputs, &ephemeral_output_tag) == 0); | ||||
|     CHECK(secp256k1_surjectionproof_verify(CTX, &proof, NULL, n_inputs, &ephemeral_output_tag) == 0); | ||||
|     CHECK(ecount == 15); | ||||
|     CHECK(secp256k1_surjectionproof_verify(ctx, &proof, ephemeral_input_tags, n_inputs - 1, &ephemeral_output_tag) == 0); | ||||
|     CHECK(secp256k1_surjectionproof_verify(CTX, &proof, ephemeral_input_tags, n_inputs - 1, &ephemeral_output_tag) == 0); | ||||
|     CHECK(ecount == 15); | ||||
|     CHECK(secp256k1_surjectionproof_verify(ctx, &proof, ephemeral_input_tags, n_inputs + 1, &ephemeral_output_tag) == 0); | ||||
|     CHECK(secp256k1_surjectionproof_verify(CTX, &proof, ephemeral_input_tags, n_inputs + 1, &ephemeral_output_tag) == 0); | ||||
|     CHECK(ecount == 15); | ||||
|     CHECK(secp256k1_surjectionproof_verify(ctx, &proof, ephemeral_input_tags, n_inputs, NULL) == 0); | ||||
|     CHECK(secp256k1_surjectionproof_verify(CTX, &proof, ephemeral_input_tags, n_inputs, NULL) == 0); | ||||
|     CHECK(ecount == 16); | ||||
| 
 | ||||
|     /* Test how surjectionproof_generate fails when the proof was not created
 | ||||
|      * with surjectionproof_initialize */ | ||||
|     ecount = 0; | ||||
|     CHECK(secp256k1_surjectionproof_generate(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 1); | ||||
|     CHECK(secp256k1_surjectionproof_generate(CTX, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 1); | ||||
|     { | ||||
|         secp256k1_surjectionproof tmp_proof = proof; | ||||
|         tmp_proof.n_inputs = 0; | ||||
|         CHECK(secp256k1_surjectionproof_generate(ctx, &tmp_proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0); | ||||
|         CHECK(secp256k1_surjectionproof_generate(CTX, &tmp_proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 0); | ||||
|     } | ||||
|     CHECK(ecount == 1); | ||||
| 
 | ||||
|     CHECK(secp256k1_surjectionproof_generate(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 1); | ||||
|     CHECK(secp256k1_surjectionproof_generate(CTX, &proof, ephemeral_input_tags, n_inputs, &ephemeral_output_tag, 0, input_blinding_key[0], output_blinding_key) == 1); | ||||
| 
 | ||||
|     /* Check serialize */ | ||||
|     ecount = 0; | ||||
|     serialized_len = sizeof(serialized_proof); | ||||
|     CHECK(secp256k1_surjectionproof_serialize(ctx, serialized_proof, &serialized_len, &proof) != 0); | ||||
|     CHECK(secp256k1_surjectionproof_serialize(CTX, serialized_proof, &serialized_len, &proof) != 0); | ||||
|     CHECK(ecount == 0); | ||||
|     serialized_len = sizeof(serialized_proof); | ||||
|     CHECK(secp256k1_surjectionproof_serialize(ctx, NULL, &serialized_len, &proof) == 0); | ||||
|     CHECK(secp256k1_surjectionproof_serialize(CTX, NULL, &serialized_len, &proof) == 0); | ||||
|     CHECK(ecount == 1); | ||||
|     serialized_len = sizeof(serialized_proof); | ||||
|     CHECK(secp256k1_surjectionproof_serialize(ctx, serialized_proof, NULL, &proof) == 0); | ||||
|     CHECK(secp256k1_surjectionproof_serialize(CTX, serialized_proof, NULL, &proof) == 0); | ||||
|     CHECK(ecount == 2); | ||||
|     serialized_len = sizeof(serialized_proof); | ||||
|     CHECK(secp256k1_surjectionproof_serialize(ctx, serialized_proof, &serialized_len, NULL) == 0); | ||||
|     CHECK(secp256k1_surjectionproof_serialize(CTX, serialized_proof, &serialized_len, NULL) == 0); | ||||
|     CHECK(ecount == 3); | ||||
| 
 | ||||
|     serialized_len = sizeof(serialized_proof); | ||||
|     CHECK(secp256k1_surjectionproof_serialize(ctx, serialized_proof, &serialized_len, &proof) != 0); | ||||
|     CHECK(secp256k1_surjectionproof_serialize(CTX, serialized_proof, &serialized_len, &proof) != 0); | ||||
|     /* Check parse */ | ||||
|     CHECK(secp256k1_surjectionproof_parse(ctx, &proof, serialized_proof, serialized_len) != 0); | ||||
|     CHECK(secp256k1_surjectionproof_parse(CTX, &proof, serialized_proof, serialized_len) != 0); | ||||
|     CHECK(ecount == 3); | ||||
|     CHECK(secp256k1_surjectionproof_parse(ctx, NULL, serialized_proof, serialized_len) == 0); | ||||
|     CHECK(secp256k1_surjectionproof_parse(CTX, NULL, serialized_proof, serialized_len) == 0); | ||||
|     CHECK(ecount == 4); | ||||
|     CHECK(secp256k1_surjectionproof_parse(ctx, &proof, NULL, serialized_len) == 0); | ||||
|     CHECK(secp256k1_surjectionproof_parse(CTX, &proof, NULL, serialized_len) == 0); | ||||
|     CHECK(ecount == 5); | ||||
|     CHECK(secp256k1_surjectionproof_parse(ctx, &proof, serialized_proof, 0) == 0); | ||||
|     CHECK(secp256k1_surjectionproof_parse(CTX, &proof, serialized_proof, 0) == 0); | ||||
|     CHECK(ecount == 5); | ||||
| 
 | ||||
|     secp256k1_context_destroy(sttc); | ||||
|     secp256k1_context_set_error_callback(CTX, NULL, NULL); | ||||
|     secp256k1_context_set_error_callback(STATIC_CTX, NULL, NULL); | ||||
|     secp256k1_context_set_illegal_callback(CTX, NULL, NULL); | ||||
|     secp256k1_context_set_illegal_callback(STATIC_CTX, NULL, NULL); | ||||
| } | ||||
| 
 | ||||
| static void test_input_selection(size_t n_inputs) { | ||||
| @ -216,50 +218,50 @@ static void test_input_selection(size_t n_inputs) { | ||||
|     } | ||||
| 
 | ||||
|     /* cannot match output when told to use zero keys */ | ||||
|     result = secp256k1_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, 0, &fixed_input_tags[0], try_count, seed); | ||||
|     result = secp256k1_surjectionproof_initialize(CTX, &proof, &input_index, fixed_input_tags, n_inputs, 0, &fixed_input_tags[0], try_count, seed); | ||||
|     CHECK(result == 0); | ||||
|     CHECK(secp256k1_surjectionproof_n_used_inputs(ctx, &proof) == 0); | ||||
|     CHECK(secp256k1_surjectionproof_n_total_inputs(ctx, &proof) == n_inputs); | ||||
|     CHECK(secp256k1_surjectionproof_serialized_size(ctx, &proof) == 34 + (n_inputs + 7) / 8); | ||||
|     CHECK(secp256k1_surjectionproof_n_used_inputs(CTX, &proof) == 0); | ||||
|     CHECK(secp256k1_surjectionproof_n_total_inputs(CTX, &proof) == n_inputs); | ||||
|     CHECK(secp256k1_surjectionproof_serialized_size(CTX, &proof) == 34 + (n_inputs + 7) / 8); | ||||
|     if (n_inputs > 0) { | ||||
|         /* succeed in 100*n_inputs tries (probability of failure e^-100) */ | ||||
|         result = secp256k1_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, 1, &fixed_input_tags[0], try_count, seed); | ||||
|         result = secp256k1_surjectionproof_initialize(CTX, &proof, &input_index, fixed_input_tags, n_inputs, 1, &fixed_input_tags[0], try_count, seed); | ||||
|         CHECK(result > 0); | ||||
|         CHECK(result < n_inputs * 10); | ||||
|         CHECK(secp256k1_surjectionproof_n_used_inputs(ctx, &proof) == 1); | ||||
|         CHECK(secp256k1_surjectionproof_n_total_inputs(ctx, &proof) == n_inputs); | ||||
|         CHECK(secp256k1_surjectionproof_serialized_size(ctx, &proof) == 66 + (n_inputs + 7) / 8); | ||||
|         CHECK(secp256k1_surjectionproof_n_used_inputs(CTX, &proof) == 1); | ||||
|         CHECK(secp256k1_surjectionproof_n_total_inputs(CTX, &proof) == n_inputs); | ||||
|         CHECK(secp256k1_surjectionproof_serialized_size(CTX, &proof) == 66 + (n_inputs + 7) / 8); | ||||
|         CHECK(input_index == 0); | ||||
|     } | ||||
| 
 | ||||
|     if (n_inputs >= 3) { | ||||
|         /* succeed in 10*n_inputs tries (probability of failure e^-10) */ | ||||
|         result = secp256k1_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, 3, &fixed_input_tags[1], try_count, seed); | ||||
|         result = secp256k1_surjectionproof_initialize(CTX, &proof, &input_index, fixed_input_tags, n_inputs, 3, &fixed_input_tags[1], try_count, seed); | ||||
|         CHECK(result > 0); | ||||
|         CHECK(secp256k1_surjectionproof_n_used_inputs(ctx, &proof) == 3); | ||||
|         CHECK(secp256k1_surjectionproof_n_total_inputs(ctx, &proof) == n_inputs); | ||||
|         CHECK(secp256k1_surjectionproof_serialized_size(ctx, &proof) == 130 + (n_inputs + 7) / 8); | ||||
|         CHECK(secp256k1_surjectionproof_n_used_inputs(CTX, &proof) == 3); | ||||
|         CHECK(secp256k1_surjectionproof_n_total_inputs(CTX, &proof) == n_inputs); | ||||
|         CHECK(secp256k1_surjectionproof_serialized_size(CTX, &proof) == 130 + (n_inputs + 7) / 8); | ||||
|         CHECK(input_index == 1); | ||||
| 
 | ||||
|         /* fail, key not found */ | ||||
|         result = secp256k1_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, 3, &fixed_input_tags[n_inputs], try_count, seed); | ||||
|         result = secp256k1_surjectionproof_initialize(CTX, &proof, &input_index, fixed_input_tags, n_inputs, 3, &fixed_input_tags[n_inputs], try_count, seed); | ||||
|         CHECK(result == 0); | ||||
| 
 | ||||
|         /* succeed on first try when told to use all keys */ | ||||
|         result = secp256k1_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, n_inputs, &fixed_input_tags[0], try_count, seed); | ||||
|         result = secp256k1_surjectionproof_initialize(CTX, &proof, &input_index, fixed_input_tags, n_inputs, n_inputs, &fixed_input_tags[0], try_count, seed); | ||||
|         CHECK(result == 1); | ||||
|         CHECK(secp256k1_surjectionproof_n_used_inputs(ctx, &proof) == n_inputs); | ||||
|         CHECK(secp256k1_surjectionproof_n_total_inputs(ctx, &proof) == n_inputs); | ||||
|         CHECK(secp256k1_surjectionproof_serialized_size(ctx, &proof) == 2 + 32 * (n_inputs + 1) + (n_inputs + 7) / 8); | ||||
|         CHECK(secp256k1_surjectionproof_n_used_inputs(CTX, &proof) == n_inputs); | ||||
|         CHECK(secp256k1_surjectionproof_n_total_inputs(CTX, &proof) == n_inputs); | ||||
|         CHECK(secp256k1_surjectionproof_serialized_size(CTX, &proof) == 2 + 32 * (n_inputs + 1) + (n_inputs + 7) / 8); | ||||
|         CHECK(input_index == 0); | ||||
| 
 | ||||
|         /* succeed in less than 64 tries when told to use half keys. (probability of failure 2^-64) */ | ||||
|         result = secp256k1_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, n_inputs / 2, &fixed_input_tags[0], 64, seed); | ||||
|         result = secp256k1_surjectionproof_initialize(CTX, &proof, &input_index, fixed_input_tags, n_inputs, n_inputs / 2, &fixed_input_tags[0], 64, seed); | ||||
|         CHECK(result > 0); | ||||
|         CHECK(result < 64); | ||||
|         CHECK(secp256k1_surjectionproof_n_used_inputs(ctx, &proof) == n_inputs / 2); | ||||
|         CHECK(secp256k1_surjectionproof_n_total_inputs(ctx, &proof) == n_inputs); | ||||
|         CHECK(secp256k1_surjectionproof_serialized_size(ctx, &proof) == 2 + 32 * (n_inputs / 2 + 1) + (n_inputs + 7) / 8); | ||||
|         CHECK(secp256k1_surjectionproof_n_used_inputs(CTX, &proof) == n_inputs / 2); | ||||
|         CHECK(secp256k1_surjectionproof_n_total_inputs(CTX, &proof) == n_inputs); | ||||
|         CHECK(secp256k1_surjectionproof_serialized_size(CTX, &proof) == 2 + 32 * (n_inputs / 2 + 1) + (n_inputs + 7) / 8); | ||||
|         CHECK(input_index == 0); | ||||
|     } | ||||
| } | ||||
| @ -278,7 +280,7 @@ static void test_input_selection_distribution_helper(const secp256k1_fixed_asset | ||||
|     } | ||||
|     for(j = 0; j < 10000; j++) { | ||||
|         secp256k1_testrand256(seed); | ||||
|         result = secp256k1_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_input_tags, n_input_tags_to_use, &fixed_input_tags[0], 64, seed); | ||||
|         result = secp256k1_surjectionproof_initialize(CTX, &proof, &input_index, fixed_input_tags, n_input_tags, n_input_tags_to_use, &fixed_input_tags[0], 64, seed); | ||||
|         CHECK(result > 0); | ||||
| 
 | ||||
|         for (i = 0; i < n_input_tags; i++) { | ||||
| @ -396,11 +398,11 @@ static void test_gen_verify(size_t n_inputs, size_t n_used) { | ||||
|         } else { | ||||
|             memcpy(&fixed_input_tags[i], &fixed_input_tags[key_index], sizeof(fixed_input_tags[i])); | ||||
|         } | ||||
|         CHECK(secp256k1_generator_generate_blinded(ctx, &ephemeral_input_tags[i], fixed_input_tags[i].data, input_blinding_key[i])); | ||||
|         CHECK(secp256k1_generator_generate_blinded(CTX, &ephemeral_input_tags[i], fixed_input_tags[i].data, input_blinding_key[i])); | ||||
|     } | ||||
| 
 | ||||
|     /* test */ | ||||
|     result = secp256k1_surjectionproof_initialize(ctx, &proof, &input_index, fixed_input_tags, n_inputs, n_used, &fixed_input_tags[key_index], try_count, seed); | ||||
|     result = secp256k1_surjectionproof_initialize(CTX, &proof, &input_index, fixed_input_tags, n_inputs, n_used, &fixed_input_tags[key_index], try_count, seed); | ||||
|     if (n_used == 0) { | ||||
|         CHECK(result == 0); | ||||
|         return; | ||||
| @ -408,32 +410,32 @@ static void test_gen_verify(size_t n_inputs, size_t n_used) { | ||||
|     CHECK(result > 0); | ||||
|     CHECK(input_index == key_index); | ||||
| 
 | ||||
|     result = secp256k1_surjectionproof_generate(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_input_tags[n_inputs], input_index, input_blinding_key[input_index], input_blinding_key[n_inputs]); | ||||
|     result = secp256k1_surjectionproof_generate(CTX, &proof, ephemeral_input_tags, n_inputs, &ephemeral_input_tags[n_inputs], input_index, input_blinding_key[input_index], input_blinding_key[n_inputs]); | ||||
|     CHECK(result == 1); | ||||
| 
 | ||||
|     CHECK(secp256k1_surjectionproof_serialize(ctx, serialized_proof, &serialized_len, &proof)); | ||||
|     CHECK(serialized_len == secp256k1_surjectionproof_serialized_size(ctx, &proof)); | ||||
|     CHECK(secp256k1_surjectionproof_serialize(CTX, serialized_proof, &serialized_len, &proof)); | ||||
|     CHECK(serialized_len == secp256k1_surjectionproof_serialized_size(CTX, &proof)); | ||||
|     CHECK(serialized_len == SECP256K1_SURJECTIONPROOF_SERIALIZATION_BYTES(n_inputs, n_used)); | ||||
| 
 | ||||
|     /* trailing garbage */ | ||||
|     memcpy(&serialized_proof_trailing, &serialized_proof, serialized_len); | ||||
|     serialized_proof_trailing[serialized_len] = seed[0]; | ||||
|     CHECK(secp256k1_surjectionproof_parse(ctx, &proof, serialized_proof_trailing, serialized_len + 1) == 0); | ||||
|     CHECK(secp256k1_surjectionproof_parse(CTX, &proof, serialized_proof_trailing, serialized_len + 1) == 0); | ||||
| 
 | ||||
|     CHECK(secp256k1_surjectionproof_parse(ctx, &proof, serialized_proof, serialized_len)); | ||||
|     result = secp256k1_surjectionproof_verify(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_input_tags[n_inputs]); | ||||
|     CHECK(secp256k1_surjectionproof_parse(CTX, &proof, serialized_proof, serialized_len)); | ||||
|     result = secp256k1_surjectionproof_verify(CTX, &proof, ephemeral_input_tags, n_inputs, &ephemeral_input_tags[n_inputs]); | ||||
|     CHECK(result == 1); | ||||
| 
 | ||||
|     /* various fail cases */ | ||||
|     if (n_inputs > 1) { | ||||
|         result = secp256k1_surjectionproof_verify(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_input_tags[n_inputs - 1]); | ||||
|         result = secp256k1_surjectionproof_verify(CTX, &proof, ephemeral_input_tags, n_inputs, &ephemeral_input_tags[n_inputs - 1]); | ||||
|         CHECK(result == 0); | ||||
| 
 | ||||
|         /* number of entries in ephemeral_input_tags array is less than proof.n_inputs */ | ||||
|         n_inputs -= 1; | ||||
|         result = secp256k1_surjectionproof_generate(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_input_tags[n_inputs], input_index, input_blinding_key[input_index], input_blinding_key[n_inputs]); | ||||
|         result = secp256k1_surjectionproof_generate(CTX, &proof, ephemeral_input_tags, n_inputs, &ephemeral_input_tags[n_inputs], input_index, input_blinding_key[input_index], input_blinding_key[n_inputs]); | ||||
|         CHECK(result == 0); | ||||
|         result = secp256k1_surjectionproof_verify(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_input_tags[n_inputs - 1]); | ||||
|         result = secp256k1_surjectionproof_verify(CTX, &proof, ephemeral_input_tags, n_inputs, &ephemeral_input_tags[n_inputs - 1]); | ||||
|         CHECK(result == 0); | ||||
|         n_inputs += 1; | ||||
|     } | ||||
| @ -441,7 +443,7 @@ static void test_gen_verify(size_t n_inputs, size_t n_used) { | ||||
|     for (i = 0; i < n_inputs; i++) { | ||||
|         /* flip bit */ | ||||
|         proof.used_inputs[i / 8] ^= (1 << (i % 8)); | ||||
|         result = secp256k1_surjectionproof_verify(ctx, &proof, ephemeral_input_tags, n_inputs, &ephemeral_input_tags[n_inputs]); | ||||
|         result = secp256k1_surjectionproof_verify(CTX, &proof, ephemeral_input_tags, n_inputs, &ephemeral_input_tags[n_inputs]); | ||||
|         CHECK(result == 0); | ||||
|         /* reset the bit */ | ||||
|         proof.used_inputs[i / 8] ^= (1 << (i % 8)); | ||||
| @ -477,8 +479,8 @@ static void test_no_used_inputs_verify(void) { | ||||
| 
 | ||||
|     /* blind fixed output tags with random blinding key */ | ||||
|     secp256k1_testrand256(blinding_key); | ||||
|     CHECK(secp256k1_generator_generate_blinded(ctx, &ephemeral_input_tags[0], fixed_input_tag.data, blinding_key)); | ||||
|     CHECK(secp256k1_generator_generate_blinded(ctx, &ephemeral_output_tag, fixed_output_tag.data, blinding_key)); | ||||
|     CHECK(secp256k1_generator_generate_blinded(CTX, &ephemeral_input_tags[0], fixed_input_tag.data, blinding_key)); | ||||
|     CHECK(secp256k1_generator_generate_blinded(CTX, &ephemeral_output_tag, fixed_output_tag.data, blinding_key)); | ||||
| 
 | ||||
|     /* create "borromean signature" which is just a hash of metadata (pubkeys, etc) in this case */ | ||||
|     secp256k1_generator_load(&output, &ephemeral_output_tag); | ||||
| @ -487,7 +489,7 @@ static void test_no_used_inputs_verify(void) { | ||||
|     secp256k1_sha256_write(&sha256_e0, proof.data, 32); | ||||
|     secp256k1_sha256_finalize(&sha256_e0, proof.data); | ||||
| 
 | ||||
|     result = secp256k1_surjectionproof_verify(ctx, &proof, ephemeral_input_tags, n_ephemeral_input_tags, &ephemeral_output_tag); | ||||
|     result = secp256k1_surjectionproof_verify(CTX, &proof, ephemeral_input_tags, n_ephemeral_input_tags, &ephemeral_output_tag); | ||||
|     CHECK(result == 0); | ||||
| } | ||||
| 
 | ||||
| @ -499,7 +501,7 @@ void test_bad_serialize(void) { | ||||
|     proof.n_inputs = 0; | ||||
|     serialized_len = 2 + 31; | ||||
|     /* e0 is one byte too short */ | ||||
|     CHECK(secp256k1_surjectionproof_serialize(ctx, serialized_proof, &serialized_len, &proof) == 0); | ||||
|     CHECK(secp256k1_surjectionproof_serialize(CTX, serialized_proof, &serialized_len, &proof) == 0); | ||||
| } | ||||
| 
 | ||||
| void test_bad_parse(void) { | ||||
| @ -509,11 +511,11 @@ void test_bad_parse(void) { | ||||
|     unsigned char serialized_proof2[33] = { 0 }; | ||||
| 
 | ||||
|     /* Missing total input count */ | ||||
|     CHECK(secp256k1_surjectionproof_parse(ctx, &proof, serialized_proof0, sizeof(serialized_proof0)) == 0); | ||||
|     CHECK(secp256k1_surjectionproof_parse(CTX, &proof, serialized_proof0, sizeof(serialized_proof0)) == 0); | ||||
|     /* Missing bitmap */ | ||||
|     CHECK(secp256k1_surjectionproof_parse(ctx, &proof, serialized_proof1, sizeof(serialized_proof1)) == 0); | ||||
|     CHECK(secp256k1_surjectionproof_parse(CTX, &proof, serialized_proof1, sizeof(serialized_proof1)) == 0); | ||||
|     /* Missing e0 value */ | ||||
|     CHECK(secp256k1_surjectionproof_parse(ctx, &proof, serialized_proof2, sizeof(serialized_proof2)) == 0); | ||||
|     CHECK(secp256k1_surjectionproof_parse(CTX, &proof, serialized_proof2, sizeof(serialized_proof2)) == 0); | ||||
| } | ||||
| 
 | ||||
| void test_input_eq_output(void) { | ||||
| @ -528,17 +530,17 @@ void test_input_eq_output(void) { | ||||
|     secp256k1_testrand256(blinding_key); | ||||
|     secp256k1_testrand256(entropy); | ||||
| 
 | ||||
|     CHECK(secp256k1_surjectionproof_initialize(ctx, &proof, &input_index, &fixed_tag, 1, 1, &fixed_tag, 100, entropy) == 1); | ||||
|     CHECK(secp256k1_surjectionproof_initialize(CTX, &proof, &input_index, &fixed_tag, 1, 1, &fixed_tag, 100, entropy) == 1); | ||||
|     CHECK(input_index == 0); | ||||
| 
 | ||||
|     /* Generation should fail */ | ||||
|     CHECK(secp256k1_generator_generate_blinded(ctx, &ephemeral_tag, fixed_tag.data, blinding_key)); | ||||
|     CHECK(!secp256k1_surjectionproof_generate(ctx, &proof, &ephemeral_tag, 1, &ephemeral_tag, input_index, blinding_key, blinding_key)); | ||||
|     CHECK(secp256k1_generator_generate_blinded(CTX, &ephemeral_tag, fixed_tag.data, blinding_key)); | ||||
|     CHECK(!secp256k1_surjectionproof_generate(CTX, &proof, &ephemeral_tag, 1, &ephemeral_tag, input_index, blinding_key, blinding_key)); | ||||
| 
 | ||||
|     /* ...even when the blinding key is zero */ | ||||
|     memset(blinding_key, 0, 32); | ||||
|     CHECK(secp256k1_generator_generate_blinded(ctx, &ephemeral_tag, fixed_tag.data, blinding_key)); | ||||
|     CHECK(!secp256k1_surjectionproof_generate(ctx, &proof, &ephemeral_tag, 1, &ephemeral_tag, input_index, blinding_key, blinding_key)); | ||||
|     CHECK(secp256k1_generator_generate_blinded(CTX, &ephemeral_tag, fixed_tag.data, blinding_key)); | ||||
|     CHECK(!secp256k1_surjectionproof_generate(CTX, &proof, &ephemeral_tag, 1, &ephemeral_tag, input_index, blinding_key, blinding_key)); | ||||
| } | ||||
| 
 | ||||
| void test_fixed_vectors(void) { | ||||
| @ -638,53 +640,53 @@ void test_fixed_vectors(void) { | ||||
|     secp256k1_generator output_tag; | ||||
|     secp256k1_surjectionproof proof; | ||||
| 
 | ||||
|     CHECK(secp256k1_generator_parse(ctx, &input_tags[0], tag0_ser)); | ||||
|     CHECK(secp256k1_generator_parse(ctx, &input_tags[1], tag1_ser)); | ||||
|     CHECK(secp256k1_generator_parse(ctx, &input_tags[2], tag2_ser)); | ||||
|     CHECK(secp256k1_generator_parse(ctx, &input_tags[3], tag3_ser)); | ||||
|     CHECK(secp256k1_generator_parse(ctx, &input_tags[4], tag4_ser)); | ||||
|     CHECK(secp256k1_generator_parse(ctx, &output_tag, output_tag_ser)); | ||||
|     CHECK(secp256k1_generator_parse(CTX, &input_tags[0], tag0_ser)); | ||||
|     CHECK(secp256k1_generator_parse(CTX, &input_tags[1], tag1_ser)); | ||||
|     CHECK(secp256k1_generator_parse(CTX, &input_tags[2], tag2_ser)); | ||||
|     CHECK(secp256k1_generator_parse(CTX, &input_tags[3], tag3_ser)); | ||||
|     CHECK(secp256k1_generator_parse(CTX, &input_tags[4], tag4_ser)); | ||||
|     CHECK(secp256k1_generator_parse(CTX, &output_tag, output_tag_ser)); | ||||
| 
 | ||||
|     /* check 1-of-1 */ | ||||
|     CHECK(secp256k1_surjectionproof_parse(ctx, &proof, total1_used1, total1_used1_len)); | ||||
|     CHECK(secp256k1_surjectionproof_verify(ctx, &proof, input_tags, 1, &output_tag)); | ||||
|     CHECK(secp256k1_surjectionproof_parse(CTX, &proof, total1_used1, total1_used1_len)); | ||||
|     CHECK(secp256k1_surjectionproof_verify(CTX, &proof, input_tags, 1, &output_tag)); | ||||
|     /* check 1-of-2 */ | ||||
|     CHECK(secp256k1_surjectionproof_parse(ctx, &proof, total2_used1, total2_used1_len)); | ||||
|     CHECK(secp256k1_surjectionproof_verify(ctx, &proof, input_tags, 2, &output_tag)); | ||||
|     CHECK(secp256k1_surjectionproof_parse(CTX, &proof, total2_used1, total2_used1_len)); | ||||
|     CHECK(secp256k1_surjectionproof_verify(CTX, &proof, input_tags, 2, &output_tag)); | ||||
|     /* check 2-of-3 */ | ||||
|     CHECK(secp256k1_surjectionproof_parse(ctx, &proof, total3_used2, total3_used2_len)); | ||||
|     CHECK(secp256k1_surjectionproof_verify(ctx, &proof, input_tags, 3, &output_tag)); | ||||
|     CHECK(secp256k1_surjectionproof_parse(CTX, &proof, total3_used2, total3_used2_len)); | ||||
|     CHECK(secp256k1_surjectionproof_verify(CTX, &proof, input_tags, 3, &output_tag)); | ||||
|     /* check 3-of-5 */ | ||||
|     CHECK(secp256k1_surjectionproof_parse(ctx, &proof, total5_used3, total5_used3_len)); | ||||
|     CHECK(secp256k1_surjectionproof_verify(ctx, &proof, input_tags, 5, &output_tag)); | ||||
|     CHECK(secp256k1_surjectionproof_parse(CTX, &proof, total5_used3, total5_used3_len)); | ||||
|     CHECK(secp256k1_surjectionproof_verify(CTX, &proof, input_tags, 5, &output_tag)); | ||||
|     /* check 5-of-5 */ | ||||
|     CHECK(secp256k1_surjectionproof_parse(ctx, &proof, total5_used5, total5_used5_len)); | ||||
|     CHECK(secp256k1_surjectionproof_verify(ctx, &proof, input_tags, 5, &output_tag)); | ||||
|     CHECK(secp256k1_surjectionproof_parse(CTX, &proof, total5_used5, total5_used5_len)); | ||||
|     CHECK(secp256k1_surjectionproof_verify(CTX, &proof, input_tags, 5, &output_tag)); | ||||
| 
 | ||||
|     /* check invalid length fails */ | ||||
|     CHECK(!secp256k1_surjectionproof_parse(ctx, &proof, total5_used5, total5_used3_len)); | ||||
|     CHECK(!secp256k1_surjectionproof_parse(CTX, &proof, total5_used5, total5_used3_len)); | ||||
|     /* check invalid keys fail */ | ||||
|     CHECK(secp256k1_surjectionproof_parse(ctx, &proof, total1_used1, total1_used1_len)); | ||||
|     CHECK(!secp256k1_surjectionproof_verify(ctx, &proof, &input_tags[1], 1, &output_tag)); | ||||
|     CHECK(!secp256k1_surjectionproof_verify(ctx, &proof, input_tags, 1, &input_tags[0])); | ||||
|     CHECK(secp256k1_surjectionproof_parse(CTX, &proof, total1_used1, total1_used1_len)); | ||||
|     CHECK(!secp256k1_surjectionproof_verify(CTX, &proof, &input_tags[1], 1, &output_tag)); | ||||
|     CHECK(!secp256k1_surjectionproof_verify(CTX, &proof, input_tags, 1, &input_tags[0])); | ||||
| 
 | ||||
|     /* Try setting 6 bits on the total5-used-5; check that parsing fails */ | ||||
|     memcpy(bad, total5_used5, total5_used5_len); | ||||
|     bad[2] = 0x3f;  /* 0x1f -> 0x3f */ | ||||
|     CHECK(!secp256k1_surjectionproof_parse(ctx, &proof, bad, total5_used5_len)); | ||||
|     CHECK(!secp256k1_surjectionproof_parse(CTX, &proof, bad, total5_used5_len)); | ||||
|     /* Correct for the length */ | ||||
|     CHECK(!secp256k1_surjectionproof_parse(ctx, &proof, bad, total5_used5_len + 32)); | ||||
|     CHECK(!secp256k1_surjectionproof_parse(CTX, &proof, bad, total5_used5_len + 32)); | ||||
|     /* Alternately just turn off one of the "legit" bits */ | ||||
|     bad[2] = 0x37;  /* 0x1f -> 0x37 */ | ||||
|     CHECK(!secp256k1_surjectionproof_parse(ctx, &proof, bad, total5_used5_len)); | ||||
|     CHECK(!secp256k1_surjectionproof_parse(CTX, &proof, bad, total5_used5_len)); | ||||
| 
 | ||||
|     /* Similarly try setting 4 bits on the total5-used-3, with one bit out of range */ | ||||
|     memcpy(bad, total5_used3, total5_used3_len); | ||||
|     bad[2] = 0x35;  /* 0x15 -> 0x35 */ | ||||
|     CHECK(!secp256k1_surjectionproof_parse(ctx, &proof, bad, total5_used3_len)); | ||||
|     CHECK(!secp256k1_surjectionproof_parse(ctx, &proof, bad, total5_used3_len + 32)); | ||||
|     CHECK(!secp256k1_surjectionproof_parse(CTX, &proof, bad, total5_used3_len)); | ||||
|     CHECK(!secp256k1_surjectionproof_parse(CTX, &proof, bad, total5_used3_len + 32)); | ||||
|     bad[2] = 0x34;  /* 0x15 -> 0x34 */ | ||||
|     CHECK(!secp256k1_surjectionproof_parse(ctx, &proof, bad, total5_used3_len)); | ||||
|     CHECK(!secp256k1_surjectionproof_parse(CTX, &proof, bad, total5_used3_len)); | ||||
| } | ||||
| 
 | ||||
| void run_surjection_tests(void) { | ||||
|  | ||||
| @ -15,21 +15,21 @@ void test_whitelist_end_to_end_internal(const unsigned char *summed_seckey, cons | ||||
|         secp256k1_whitelist_signature sig; | ||||
|         secp256k1_whitelist_signature sig1; | ||||
| 
 | ||||
|         CHECK(secp256k1_whitelist_sign(ctx, &sig, online_pubkeys, offline_pubkeys, n_keys, sub_pubkey, online_seckey, summed_seckey, signer_i)); | ||||
|         CHECK(secp256k1_whitelist_verify(ctx, &sig, online_pubkeys, offline_pubkeys, n_keys, sub_pubkey) == 1); | ||||
|         CHECK(secp256k1_whitelist_sign(CTX, &sig, online_pubkeys, offline_pubkeys, n_keys, sub_pubkey, online_seckey, summed_seckey, signer_i)); | ||||
|         CHECK(secp256k1_whitelist_verify(CTX, &sig, online_pubkeys, offline_pubkeys, n_keys, sub_pubkey) == 1); | ||||
|         /* Check that exchanging keys causes a failure */ | ||||
|         CHECK(secp256k1_whitelist_verify(ctx, &sig, offline_pubkeys, online_pubkeys, n_keys, sub_pubkey) != 1); | ||||
|         CHECK(secp256k1_whitelist_verify(CTX, &sig, offline_pubkeys, online_pubkeys, n_keys, sub_pubkey) != 1); | ||||
|         /* Serialization round trip */ | ||||
|         CHECK(secp256k1_whitelist_signature_serialize(ctx, serialized, &slen, &sig) == 1); | ||||
|         CHECK(secp256k1_whitelist_signature_serialize(CTX, serialized, &slen, &sig) == 1); | ||||
|         CHECK(slen == 33 + 32 * n_keys); | ||||
|         CHECK(secp256k1_whitelist_signature_parse(ctx, &sig1, serialized, slen) == 1); | ||||
|         CHECK(secp256k1_whitelist_signature_parse(CTX, &sig1, serialized, slen) == 1); | ||||
|         /* (Check various bad-length conditions) */ | ||||
|         CHECK(secp256k1_whitelist_signature_parse(ctx, &sig1, serialized, slen + 32) == 0); | ||||
|         CHECK(secp256k1_whitelist_signature_parse(ctx, &sig1, serialized, slen + 1) == 0); | ||||
|         CHECK(secp256k1_whitelist_signature_parse(ctx, &sig1, serialized, slen - 1) == 0); | ||||
|         CHECK(secp256k1_whitelist_signature_parse(ctx, &sig1, serialized, 0) == 0); | ||||
|         CHECK(secp256k1_whitelist_verify(ctx, &sig1, online_pubkeys, offline_pubkeys, n_keys, sub_pubkey) == 1); | ||||
|         CHECK(secp256k1_whitelist_verify(ctx, &sig1, offline_pubkeys, online_pubkeys, n_keys, sub_pubkey) != 1); | ||||
|         CHECK(secp256k1_whitelist_signature_parse(CTX, &sig1, serialized, slen + 32) == 0); | ||||
|         CHECK(secp256k1_whitelist_signature_parse(CTX, &sig1, serialized, slen + 1) == 0); | ||||
|         CHECK(secp256k1_whitelist_signature_parse(CTX, &sig1, serialized, slen - 1) == 0); | ||||
|         CHECK(secp256k1_whitelist_signature_parse(CTX, &sig1, serialized, 0) == 0); | ||||
|         CHECK(secp256k1_whitelist_verify(CTX, &sig1, online_pubkeys, offline_pubkeys, n_keys, sub_pubkey) == 1); | ||||
|         CHECK(secp256k1_whitelist_verify(CTX, &sig1, offline_pubkeys, online_pubkeys, n_keys, sub_pubkey) != 1); | ||||
| 
 | ||||
|         /* Test n_keys */ | ||||
|         CHECK(secp256k1_whitelist_signature_n_keys(&sig) == n_keys); | ||||
| @ -37,7 +37,7 @@ void test_whitelist_end_to_end_internal(const unsigned char *summed_seckey, cons | ||||
| 
 | ||||
|         /* Test bad number of keys in signature */ | ||||
|         sig.n_keys = n_keys + 1; | ||||
|         CHECK(secp256k1_whitelist_verify(ctx, &sig, offline_pubkeys, online_pubkeys, n_keys, sub_pubkey) != 1); | ||||
|         CHECK(secp256k1_whitelist_verify(CTX, &sig, offline_pubkeys, online_pubkeys, n_keys, sub_pubkey) != 1); | ||||
|         sig.n_keys = n_keys; | ||||
| } | ||||
| 
 | ||||
| @ -56,8 +56,8 @@ void test_whitelist_end_to_end(const size_t n_keys, int test_all_keys) { | ||||
|     /* Start with subkey */ | ||||
|     random_scalar_order_test(&ssub); | ||||
|     secp256k1_scalar_get_b32(csub, &ssub); | ||||
|     CHECK(secp256k1_ec_seckey_verify(ctx, csub) == 1); | ||||
|     CHECK(secp256k1_ec_pubkey_create(ctx, &sub_pubkey, csub) == 1); | ||||
|     CHECK(secp256k1_ec_seckey_verify(CTX, csub) == 1); | ||||
|     CHECK(secp256k1_ec_pubkey_create(CTX, &sub_pubkey, csub) == 1); | ||||
|     /* Then offline and online whitelist keys */ | ||||
|     for (i = 0; i < n_keys; i++) { | ||||
|         secp256k1_scalar son, soff; | ||||
| @ -68,18 +68,18 @@ void test_whitelist_end_to_end(const size_t n_keys, int test_all_keys) { | ||||
|         /* Create two keys */ | ||||
|         random_scalar_order_test(&son); | ||||
|         secp256k1_scalar_get_b32(online_seckey[i], &son); | ||||
|         CHECK(secp256k1_ec_seckey_verify(ctx, online_seckey[i]) == 1); | ||||
|         CHECK(secp256k1_ec_pubkey_create(ctx, &online_pubkeys[i], online_seckey[i]) == 1); | ||||
|         CHECK(secp256k1_ec_seckey_verify(CTX, online_seckey[i]) == 1); | ||||
|         CHECK(secp256k1_ec_pubkey_create(CTX, &online_pubkeys[i], online_seckey[i]) == 1); | ||||
| 
 | ||||
|         random_scalar_order_test(&soff); | ||||
|         secp256k1_scalar_get_b32(summed_seckey[i], &soff); | ||||
|         CHECK(secp256k1_ec_seckey_verify(ctx, summed_seckey[i]) == 1); | ||||
|         CHECK(secp256k1_ec_pubkey_create(ctx, &offline_pubkeys[i], summed_seckey[i]) == 1); | ||||
|         CHECK(secp256k1_ec_seckey_verify(CTX, summed_seckey[i]) == 1); | ||||
|         CHECK(secp256k1_ec_pubkey_create(CTX, &offline_pubkeys[i], summed_seckey[i]) == 1); | ||||
| 
 | ||||
|         /* Make summed_seckey correspond to the sum of offline_pubkey and sub_pubkey */ | ||||
|         secp256k1_scalar_add(&soff, &soff, &ssub); | ||||
|         secp256k1_scalar_get_b32(summed_seckey[i], &soff); | ||||
|         CHECK(secp256k1_ec_seckey_verify(ctx, summed_seckey[i]) == 1); | ||||
|         CHECK(secp256k1_ec_seckey_verify(CTX, summed_seckey[i]) == 1); | ||||
|     } | ||||
| 
 | ||||
|     /* Sign/verify with each one */ | ||||
| @ -124,11 +124,11 @@ void test_whitelist_bad_parse(void) { | ||||
|     }; | ||||
| 
 | ||||
|     /* Empty input */ | ||||
|     CHECK(secp256k1_whitelist_signature_parse(ctx, &sig, serialized0, 0) == 0); | ||||
|     CHECK(secp256k1_whitelist_signature_parse(CTX, &sig, serialized0, 0) == 0); | ||||
|     /* Misses one byte of e0 */ | ||||
|     CHECK(secp256k1_whitelist_signature_parse(ctx, &sig, serialized1, sizeof(serialized1)) == 0); | ||||
|     CHECK(secp256k1_whitelist_signature_parse(CTX, &sig, serialized1, sizeof(serialized1)) == 0); | ||||
|     /* Enough bytes for e0, but there is no s value */ | ||||
|     CHECK(secp256k1_whitelist_signature_parse(ctx, &sig, serialized2, sizeof(serialized2)) == 0); | ||||
|     CHECK(secp256k1_whitelist_signature_parse(CTX, &sig, serialized2, sizeof(serialized2)) == 0); | ||||
| } | ||||
| 
 | ||||
| void test_whitelist_bad_serialize(void) { | ||||
| @ -142,17 +142,17 @@ void test_whitelist_bad_serialize(void) { | ||||
|     size_t serialized_len; | ||||
|     secp256k1_whitelist_signature sig; | ||||
| 
 | ||||
|     CHECK(secp256k1_whitelist_signature_parse(ctx, &sig, serialized, sizeof(serialized)) == 1); | ||||
|     CHECK(secp256k1_whitelist_signature_parse(CTX, &sig, serialized, sizeof(serialized)) == 1); | ||||
|     serialized_len = sizeof(serialized) - 1; | ||||
|     /* Output buffer is one byte too short */ | ||||
|     CHECK(secp256k1_whitelist_signature_serialize(ctx, serialized, &serialized_len, &sig) == 0); | ||||
|     CHECK(secp256k1_whitelist_signature_serialize(CTX, serialized, &serialized_len, &sig) == 0); | ||||
| } | ||||
| 
 | ||||
| void run_whitelist_tests(void) { | ||||
|     int i; | ||||
|     test_whitelist_bad_parse(); | ||||
|     test_whitelist_bad_serialize(); | ||||
|     for (i = 0; i < count; i++) { | ||||
|     for (i = 0; i < COUNT; i++) { | ||||
|         test_whitelist_end_to_end(1, 1); | ||||
|         test_whitelist_end_to_end(10, 1); | ||||
|         test_whitelist_end_to_end(50, 1); | ||||
|  | ||||
| @ -7,12 +7,6 @@ | ||||
| #include <inttypes.h> | ||||
| #include <stdio.h> | ||||
| 
 | ||||
| /* Autotools creates libsecp256k1-config.h, of which ECMULT_WINDOW_SIZE is needed.
 | ||||
|    ifndef guard so downstream users can define their own if they do not use autotools. */ | ||||
| #if !defined(ECMULT_WINDOW_SIZE) | ||||
| #include "libsecp256k1-config.h" | ||||
| #endif | ||||
| 
 | ||||
| #include "../include/secp256k1.h" | ||||
| 
 | ||||
| #include "assumptions.h" | ||||
| @ -74,9 +68,6 @@ int main(void) { | ||||
|     fprintf(fp, "/* This file contains an array secp256k1_pre_g with odd multiples of the base point G and\n"); | ||||
|     fprintf(fp, " * an array secp256k1_pre_g_128 with odd multiples of 2^128*G for accelerating the computation of a*P + b*G.\n"); | ||||
|     fprintf(fp, " */\n"); | ||||
|     fprintf(fp, "#if defined HAVE_CONFIG_H\n"); | ||||
|     fprintf(fp, "#    include \"libsecp256k1-config.h\"\n"); | ||||
|     fprintf(fp, "#endif\n"); | ||||
|     fprintf(fp, "#include \"../include/secp256k1.h\"\n"); | ||||
|     fprintf(fp, "#include \"group.h\"\n"); | ||||
|     fprintf(fp, "#include \"ecmult.h\"\n"); | ||||
|  | ||||
| @ -33,9 +33,6 @@ int main(int argc, char **argv) { | ||||
| 
 | ||||
|     fprintf(fp, "/* This file was automatically generated by precompute_ecmult_gen. */\n"); | ||||
|     fprintf(fp, "/* See ecmult_gen_impl.h for details about the contents of this file. */\n"); | ||||
|     fprintf(fp, "#if defined HAVE_CONFIG_H\n"); | ||||
|     fprintf(fp, "#    include \"libsecp256k1-config.h\"\n"); | ||||
|     fprintf(fp, "#endif\n"); | ||||
|     fprintf(fp, "#include \"../include/secp256k1.h\"\n"); | ||||
|     fprintf(fp, "#include \"group.h\"\n"); | ||||
|     fprintf(fp, "#include \"ecmult_gen.h\"\n"); | ||||
|  | ||||
							
								
								
									
										3
									
								
								src/precomputed_ecmult.c
									
									
									
										generated
									
									
									
								
							
							
						
						
									
										3
									
								
								src/precomputed_ecmult.c
									
									
									
										generated
									
									
									
								
							| @ -2,9 +2,6 @@ | ||||
| /* This file contains an array secp256k1_pre_g with odd multiples of the base point G and
 | ||||
|  * an array secp256k1_pre_g_128 with odd multiples of 2^128*G for accelerating the computation of a*P + b*G. | ||||
|  */ | ||||
| #if defined HAVE_CONFIG_H | ||||
| #    include "libsecp256k1-config.h" | ||||
| #endif | ||||
| #include "../include/secp256k1.h" | ||||
| #include "group.h" | ||||
| #include "ecmult.h" | ||||
|  | ||||
							
								
								
									
										3
									
								
								src/precomputed_ecmult_gen.c
									
									
									
										generated
									
									
									
								
							
							
						
						
									
										3
									
								
								src/precomputed_ecmult_gen.c
									
									
									
										generated
									
									
									
								
							| @ -1,8 +1,5 @@ | ||||
| /* This file was automatically generated by precompute_ecmult_gen. */ | ||||
| /* See ecmult_gen_impl.h for details about the contents of this file. */ | ||||
| #if defined HAVE_CONFIG_H | ||||
| #    include "libsecp256k1-config.h" | ||||
| #endif | ||||
| #include "../include/secp256k1.h" | ||||
| #include "group.h" | ||||
| #include "ecmult_gen.h" | ||||
|  | ||||
| @ -9,10 +9,6 @@ | ||||
| 
 | ||||
| #include "util.h" | ||||
| 
 | ||||
| #if defined HAVE_CONFIG_H | ||||
| #include "libsecp256k1-config.h" | ||||
| #endif | ||||
| 
 | ||||
| #if defined(EXHAUSTIVE_TEST_ORDER) | ||||
| #include "scalar_low.h" | ||||
| #elif defined(SECP256K1_WIDEMUL_INT128) | ||||
|  | ||||
| @ -14,10 +14,6 @@ | ||||
| #include "scalar.h" | ||||
| #include "util.h" | ||||
| 
 | ||||
| #if defined HAVE_CONFIG_H | ||||
| #include "libsecp256k1-config.h" | ||||
| #endif | ||||
| 
 | ||||
| #if defined(EXHAUSTIVE_TEST_ORDER) | ||||
| #include "scalar_low_impl.h" | ||||
| #elif defined(SECP256K1_WIDEMUL_INT128) | ||||
|  | ||||
| @ -72,9 +72,10 @@ static void secp256k1_ecdsa_s2c_opening_save(secp256k1_ecdsa_s2c_opening* openin | ||||
|     } \ | ||||
| } while(0) | ||||
| 
 | ||||
| #define ARG_CHECK_NO_RETURN(cond) do { \ | ||||
| #define ARG_CHECK_VOID(cond) do { \ | ||||
|     if (EXPECT(!(cond), 0)) { \ | ||||
|         secp256k1_callback_call(&ctx->illegal_callback, #cond); \ | ||||
|         return; \ | ||||
|     } \ | ||||
| } while(0) | ||||
| 
 | ||||
| @ -96,6 +97,15 @@ static const secp256k1_context secp256k1_context_static_ = { | ||||
| const secp256k1_context *secp256k1_context_static = &secp256k1_context_static_; | ||||
| const secp256k1_context *secp256k1_context_no_precomp = &secp256k1_context_static_; | ||||
| 
 | ||||
| /* Helper function that determines if a context is proper, i.e., is not the static context or a copy thereof.
 | ||||
|  * | ||||
|  * This is intended for "context" functions such as secp256k1_context_clone. Function which need specific | ||||
|  * features of a context should still check for these features directly. For example, a function that needs | ||||
|  * ecmult_gen should directly check for the existence of the ecmult_gen context. */ | ||||
| static int secp256k1_context_is_proper(const secp256k1_context* ctx) { | ||||
|     return secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx); | ||||
| } | ||||
| 
 | ||||
| void secp256k1_selftest(void) { | ||||
|     if (!secp256k1_selftest_passes()) { | ||||
|         secp256k1_callback_call(&default_error_callback, "self test failed"); | ||||
| @ -178,7 +188,7 @@ secp256k1_context* secp256k1_context_clone(const secp256k1_context* ctx) { | ||||
| } | ||||
| 
 | ||||
| void secp256k1_context_preallocated_destroy(secp256k1_context* ctx) { | ||||
|     ARG_CHECK_NO_RETURN(ctx != secp256k1_context_static); | ||||
|     ARG_CHECK_VOID(ctx != secp256k1_context_static); | ||||
|     if (ctx != NULL) { | ||||
|         secp256k1_ecmult_gen_context_clear(&ctx->ecmult_gen_ctx); | ||||
|     } | ||||
| @ -192,7 +202,10 @@ void secp256k1_context_destroy(secp256k1_context* ctx) { | ||||
| } | ||||
| 
 | ||||
| void secp256k1_context_set_illegal_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) { | ||||
|     ARG_CHECK_NO_RETURN(ctx != secp256k1_context_static); | ||||
|     /* We compare pointers instead of checking secp256k1_context_is_proper() here
 | ||||
|        because setting callbacks is allowed on *copies* of the static context: | ||||
|        it's harmless and makes testing easier. */ | ||||
|     ARG_CHECK_VOID(ctx != secp256k1_context_static); | ||||
|     if (fun == NULL) { | ||||
|         fun = secp256k1_default_illegal_callback_fn; | ||||
|     } | ||||
| @ -201,7 +214,10 @@ void secp256k1_context_set_illegal_callback(secp256k1_context* ctx, void (*fun)( | ||||
| } | ||||
| 
 | ||||
| void secp256k1_context_set_error_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) { | ||||
|     ARG_CHECK_NO_RETURN(ctx != secp256k1_context_static); | ||||
|     /* We compare pointers instead of checking secp256k1_context_is_proper() here
 | ||||
|        because setting callbacks is allowed on *copies* of the static context: | ||||
|        it's harmless and makes testing easier. */ | ||||
|     ARG_CHECK_VOID(ctx != secp256k1_context_static); | ||||
|     if (fun == NULL) { | ||||
|         fun = secp256k1_default_error_callback_fn; | ||||
|     } | ||||
|  | ||||
| @ -7,10 +7,6 @@ | ||||
| #ifndef SECP256K1_TESTRAND_H | ||||
| #define SECP256K1_TESTRAND_H | ||||
| 
 | ||||
| #if defined HAVE_CONFIG_H | ||||
| #include "libsecp256k1-config.h" | ||||
| #endif | ||||
| 
 | ||||
| /* A non-cryptographic RNG used only for test infrastructure. */ | ||||
| 
 | ||||
| /** Seed the pseudorandom number generator for testing. */ | ||||
|  | ||||
							
								
								
									
										986
									
								
								src/tests.c
									
									
									
									
									
								
							
							
						
						
									
										986
									
								
								src/tests.c
									
									
									
									
									
								
							
										
											
												File diff suppressed because it is too large
												Load Diff
											
										
									
								
							| @ -4,10 +4,6 @@ | ||||
|  * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
 | ||||
|  ***********************************************************************/ | ||||
| 
 | ||||
| #if defined HAVE_CONFIG_H | ||||
| #include "libsecp256k1-config.h" | ||||
| #endif | ||||
| 
 | ||||
| #include <stdio.h> | ||||
| #include <stdlib.h> | ||||
| #include <time.h> | ||||
|  | ||||
| @ -7,10 +7,6 @@ | ||||
| #ifndef SECP256K1_UTIL_H | ||||
| #define SECP256K1_UTIL_H | ||||
| 
 | ||||
| #if defined HAVE_CONFIG_H | ||||
| #include "libsecp256k1-config.h" | ||||
| #endif | ||||
| 
 | ||||
| #include <stdlib.h> | ||||
| #include <stdint.h> | ||||
| #include <stdio.h> | ||||
|  | ||||
		Loading…
	
	
			
			x
			
			
		
	
		Reference in New Issue
	
	Block a user