From ad152151b06a40aaf6cd90561356ff451996455d Mon Sep 17 00:00:00 2001
From: stratospher <44024636+stratospher@users.noreply.github.com>
Date: Tue, 11 Jul 2023 19:17:28 +0530
Subject: [PATCH] update max scalar in scalar_cmov_test and fix
 schnorrsig_verify exhaustive test

- `secp256k1_scalar_set_int` in scalar_low uses input mod EXHAUSTIVE_TEST_ORDER
- directly store s in sig64 without reducing it mod the group order for testing
---
 src/modules/schnorrsig/tests_exhaustive_impl.h | 10 +++++-----
 src/scalar_low_impl.h                          |  5 ++++-
 src/tests.c                                    |  4 ++--
 3 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/src/modules/schnorrsig/tests_exhaustive_impl.h b/src/modules/schnorrsig/tests_exhaustive_impl.h
index 55f9028a6386f..bc31d8110720b 100644
--- a/src/modules/schnorrsig/tests_exhaustive_impl.h
+++ b/src/modules/schnorrsig/tests_exhaustive_impl.h
@@ -110,15 +110,15 @@ static void test_exhaustive_schnorrsig_verify(const secp256k1_context *ctx, cons
                 if (!e_done[e]) {
                     /* Iterate over the possible valid last 32 bytes in the signature.
                        0..order=that s value; order+1=random bytes */
-                    int count_valid = 0, s;
+                    int count_valid = 0;
+                    unsigned int s;
                     for (s = 0; s <= EXHAUSTIVE_TEST_ORDER + 1; ++s) {
                         int expect_valid, valid;
                         if (s <= EXHAUSTIVE_TEST_ORDER) {
-                            secp256k1_scalar s_s;
-                            secp256k1_scalar_set_int(&s_s, s);
-                            secp256k1_scalar_get_b32(sig64 + 32, &s_s);
+                            memset(sig64 + 32, 0, 32);
+                            secp256k1_write_be32(sig64 + 60, s);
                             expect_valid = actual_k != -1 && s != EXHAUSTIVE_TEST_ORDER &&
-                                           (s_s == (actual_k + actual_d * e) % EXHAUSTIVE_TEST_ORDER);
+                                           (s == (actual_k + actual_d * e) % EXHAUSTIVE_TEST_ORDER);
                         } else {
                             secp256k1_testrand256(sig64 + 32);
                             expect_valid = 0;
diff --git a/src/scalar_low_impl.h b/src/scalar_low_impl.h
index 428a5deb3349a..09343c4935a2e 100644
--- a/src/scalar_low_impl.h
+++ b/src/scalar_low_impl.h
@@ -18,7 +18,10 @@ SECP256K1_INLINE static int secp256k1_scalar_is_even(const secp256k1_scalar *a)
 }
 
 SECP256K1_INLINE static void secp256k1_scalar_clear(secp256k1_scalar *r) { *r = 0; }
-SECP256K1_INLINE static void secp256k1_scalar_set_int(secp256k1_scalar *r, unsigned int v) { *r = v; }
+
+SECP256K1_INLINE static void secp256k1_scalar_set_int(secp256k1_scalar *r, unsigned int v) {
+    *r = v % EXHAUSTIVE_TEST_ORDER;
+}
 
 SECP256K1_INLINE static unsigned int secp256k1_scalar_get_bits(const secp256k1_scalar *a, unsigned int offset, unsigned int count) {
     if (offset < 32)
diff --git a/src/tests.c b/src/tests.c
index 7b38d7906aa66..69960d4580c04 100644
--- a/src/tests.c
+++ b/src/tests.c
@@ -7652,8 +7652,8 @@ static void scalar_cmov_test(void) {
     static const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
     static const secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
     static const secp256k1_scalar max = SECP256K1_SCALAR_CONST(
-        0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
-        0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
+        0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFEUL,
+        0xBAAEDCE6UL, 0xAF48A03BUL, 0xBFD25E8CUL, 0xD0364140UL
     );
     secp256k1_scalar r = max;
     secp256k1_scalar a = zero;