Bitcoin ABC 0.32.10
P2P Digital Currency
tests_impl.h
Go to the documentation of this file.
1/***********************************************************************
2 * Copyright (c) 2013-2015 Pieter Wuille *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
6
7#ifndef SECP256K1_MODULE_RECOVERY_TESTS_H
8#define SECP256K1_MODULE_RECOVERY_TESTS_H
9
10static int recovery_test_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
11 (void) msg32;
12 (void) key32;
13 (void) algo16;
14 (void) data;
15
16 /* On the first run, return 0 to force a second run */
17 if (counter == 0) {
18 memset(nonce32, 0, 32);
19 return 1;
20 }
21 /* On the second run, return an overflow to force a third run */
22 if (counter == 1) {
23 memset(nonce32, 0xff, 32);
24 return 1;
25 }
26 /* On the next run, return a valid nonce, but flip a coin as to whether or not to fail signing. */
27 memset(nonce32, 1, 32);
28 return secp256k1_testrand_bits(1);
29}
30
31void test_ecdsa_recovery_api(void) {
32 /* Setup contexts that just count errors */
33 secp256k1_pubkey pubkey;
34 secp256k1_pubkey recpubkey;
35 secp256k1_ecdsa_signature normal_sig;
36 secp256k1_ecdsa_recoverable_signature recsig;
37 unsigned char privkey[32] = { 1 };
38 unsigned char message[32] = { 2 };
39 int32_t ecount = 0;
40 int recid = 0;
41 unsigned char sig[74];
42 unsigned char zero_privkey[32] = { 0 };
43 unsigned char over_privkey[32] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
44 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
45 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
46 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
47
48 secp256k1_context_set_error_callback(CTX, counting_illegal_callback_fn, &ecount);
49 secp256k1_context_set_illegal_callback(CTX, counting_illegal_callback_fn, &ecount);
50 secp256k1_context_set_error_callback(STATIC_CTX, counting_illegal_callback_fn, &ecount);
51 secp256k1_context_set_illegal_callback(STATIC_CTX, counting_illegal_callback_fn, &ecount);
52
53 /* Construct and verify corresponding public key. */
54 CHECK(secp256k1_ec_seckey_verify(CTX, privkey) == 1);
55 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, privkey) == 1);
56
57 /* Check bad contexts and NULLs for signing */
58 ecount = 0;
59 CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &recsig, message, privkey, NULL, NULL) == 1);
60 CHECK(ecount == 0);
61 CHECK(secp256k1_ecdsa_sign_recoverable(CTX, NULL, message, privkey, NULL, NULL) == 0);
62 CHECK(ecount == 1);
63 CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &recsig, NULL, privkey, NULL, NULL) == 0);
64 CHECK(ecount == 2);
65 CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &recsig, message, NULL, NULL, NULL) == 0);
66 CHECK(ecount == 3);
67 CHECK(secp256k1_ecdsa_sign_recoverable(STATIC_CTX, &recsig, message, privkey, NULL, NULL) == 0);
68 CHECK(ecount == 4);
69 /* This will fail or succeed randomly, and in either case will not ARG_CHECK failure */
70 secp256k1_ecdsa_sign_recoverable(CTX, &recsig, message, privkey, recovery_test_nonce_function, NULL);
71 CHECK(ecount == 4);
72 /* These will all fail, but not in ARG_CHECK way */
73 CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &recsig, message, zero_privkey, NULL, NULL) == 0);
74 CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &recsig, message, over_privkey, NULL, NULL) == 0);
75 /* This one will succeed. */
76 CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &recsig, message, privkey, NULL, NULL) == 1);
77 CHECK(ecount == 4);
78
79 /* Check signing with a goofy nonce function */
80
81 /* Check bad contexts and NULLs for recovery */
82 ecount = 0;
83 CHECK(secp256k1_ecdsa_recover(CTX, &recpubkey, &recsig, message) == 1);
84 CHECK(ecount == 0);
85 CHECK(secp256k1_ecdsa_recover(CTX, NULL, &recsig, message) == 0);
86 CHECK(ecount == 1);
87 CHECK(secp256k1_ecdsa_recover(CTX, &recpubkey, NULL, message) == 0);
88 CHECK(ecount == 2);
89 CHECK(secp256k1_ecdsa_recover(CTX, &recpubkey, &recsig, NULL) == 0);
90 CHECK(ecount == 3);
91
92 /* Check NULLs for conversion */
93 CHECK(secp256k1_ecdsa_sign(CTX, &normal_sig, message, privkey, NULL, NULL) == 1);
94 ecount = 0;
95 CHECK(secp256k1_ecdsa_recoverable_signature_convert(CTX, NULL, &recsig) == 0);
96 CHECK(ecount == 1);
97 CHECK(secp256k1_ecdsa_recoverable_signature_convert(CTX, &normal_sig, NULL) == 0);
98 CHECK(ecount == 2);
99 CHECK(secp256k1_ecdsa_recoverable_signature_convert(CTX, &normal_sig, &recsig) == 1);
100
101 /* Check NULLs for de/serialization */
102 CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &recsig, message, privkey, NULL, NULL) == 1);
103 ecount = 0;
104 CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(CTX, NULL, &recid, &recsig) == 0);
105 CHECK(ecount == 1);
106 CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(CTX, sig, NULL, &recsig) == 0);
107 CHECK(ecount == 2);
108 CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(CTX, sig, &recid, NULL) == 0);
109 CHECK(ecount == 3);
110 CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(CTX, sig, &recid, &recsig) == 1);
111
112 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, NULL, sig, recid) == 0);
113 CHECK(ecount == 4);
114 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &recsig, NULL, recid) == 0);
115 CHECK(ecount == 5);
116 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &recsig, sig, -1) == 0);
117 CHECK(ecount == 6);
118 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &recsig, sig, 5) == 0);
119 CHECK(ecount == 7);
120 /* overflow in signature will fail but not affect ecount */
121 memcpy(sig, over_privkey, 32);
122 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &recsig, sig, recid) == 0);
123 CHECK(ecount == 7);
124
125 /* cleanup */
126 secp256k1_context_set_error_callback(STATIC_CTX, NULL, NULL);
127 secp256k1_context_set_illegal_callback(STATIC_CTX, NULL, NULL);
128}
129
130void test_ecdsa_recovery_end_to_end(void) {
131 unsigned char extra[32] = {0x00};
132 unsigned char privkey[32];
133 unsigned char message[32];
134 secp256k1_ecdsa_signature signature[5];
135 secp256k1_ecdsa_recoverable_signature rsignature[5];
136 unsigned char sig[74];
137 secp256k1_pubkey pubkey;
138 secp256k1_pubkey recpubkey;
139 int recid = 0;
140
141 /* Generate a random key and message. */
142 {
143 secp256k1_scalar msg, key;
144 random_scalar_order_test(&msg);
145 random_scalar_order_test(&key);
146 secp256k1_scalar_get_b32(privkey, &key);
147 secp256k1_scalar_get_b32(message, &msg);
148 }
149
150 /* Construct and verify corresponding public key. */
151 CHECK(secp256k1_ec_seckey_verify(CTX, privkey) == 1);
152 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, privkey) == 1);
153
154 /* Serialize/parse compact and verify/recover. */
155 extra[0] = 0;
156 CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &rsignature[0], message, privkey, NULL, NULL) == 1);
157 CHECK(secp256k1_ecdsa_sign(CTX, &signature[0], message, privkey, NULL, NULL) == 1);
158 CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &rsignature[4], message, privkey, NULL, NULL) == 1);
159 CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &rsignature[1], message, privkey, NULL, extra) == 1);
160 extra[31] = 1;
161 CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &rsignature[2], message, privkey, NULL, extra) == 1);
162 extra[31] = 0;
163 extra[0] = 1;
164 CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &rsignature[3], message, privkey, NULL, extra) == 1);
165 CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(CTX, sig, &recid, &rsignature[4]) == 1);
166 CHECK(secp256k1_ecdsa_recoverable_signature_convert(CTX, &signature[4], &rsignature[4]) == 1);
167 CHECK(secp256k1_ecdsa_verify(CTX, &signature[4], message, &pubkey) == 1);
168 memset(&rsignature[4], 0, sizeof(rsignature[4]));
169 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsignature[4], sig, recid) == 1);
170 CHECK(secp256k1_ecdsa_recoverable_signature_convert(CTX, &signature[4], &rsignature[4]) == 1);
171 CHECK(secp256k1_ecdsa_verify(CTX, &signature[4], message, &pubkey) == 1);
172 /* Parse compact (with recovery id) and recover. */
173 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsignature[4], sig, recid) == 1);
174 CHECK(secp256k1_ecdsa_recover(CTX, &recpubkey, &rsignature[4], message) == 1);
175 CHECK(secp256k1_memcmp_var(&pubkey, &recpubkey, sizeof(pubkey)) == 0);
176 /* Serialize/destroy/parse signature and verify again. */
177 CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(CTX, sig, &recid, &rsignature[4]) == 1);
178 sig[secp256k1_testrand_bits(6)] += 1 + secp256k1_testrand_int(255);
179 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsignature[4], sig, recid) == 1);
180 CHECK(secp256k1_ecdsa_recoverable_signature_convert(CTX, &signature[4], &rsignature[4]) == 1);
181 CHECK(secp256k1_ecdsa_verify(CTX, &signature[4], message, &pubkey) == 0);
182 /* Recover again */
183 CHECK(secp256k1_ecdsa_recover(CTX, &recpubkey, &rsignature[4], message) == 0 ||
184 secp256k1_memcmp_var(&pubkey, &recpubkey, sizeof(pubkey)) != 0);
185}
186
187/* Tests several edge cases. */
188void test_ecdsa_recovery_edge_cases(void) {
189 const unsigned char msg32[32] = {
190 'T', 'h', 'i', 's', ' ', 'i', 's', ' ',
191 'a', ' ', 'v', 'e', 'r', 'y', ' ', 's',
192 'e', 'c', 'r', 'e', 't', ' ', 'm', 'e',
193 's', 's', 'a', 'g', 'e', '.', '.', '.'
194 };
195 const unsigned char sig64[64] = {
196 /* Generated by signing the above message with nonce 'This is the nonce we will use...'
197 * and secret key 0 (which is not valid), resulting in recid 1. */
198 0x67, 0xCB, 0x28, 0x5F, 0x9C, 0xD1, 0x94, 0xE8,
199 0x40, 0xD6, 0x29, 0x39, 0x7A, 0xF5, 0x56, 0x96,
200 0x62, 0xFD, 0xE4, 0x46, 0x49, 0x99, 0x59, 0x63,
201 0x17, 0x9A, 0x7D, 0xD1, 0x7B, 0xD2, 0x35, 0x32,
202 0x4B, 0x1B, 0x7D, 0xF3, 0x4C, 0xE1, 0xF6, 0x8E,
203 0x69, 0x4F, 0xF6, 0xF1, 0x1A, 0xC7, 0x51, 0xDD,
204 0x7D, 0xD7, 0x3E, 0x38, 0x7E, 0xE4, 0xFC, 0x86,
205 0x6E, 0x1B, 0xE8, 0xEC, 0xC7, 0xDD, 0x95, 0x57
206 };
207 secp256k1_pubkey pubkey;
208 /* signature (r,s) = (4,4), which can be recovered with all 4 recids. */
209 const unsigned char sigb64[64] = {
210 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
211 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
212 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
213 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
214 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
215 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
216 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
217 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
218 };
219 secp256k1_pubkey pubkeyb;
220 secp256k1_ecdsa_recoverable_signature rsig;
221 secp256k1_ecdsa_signature sig;
222 int recid;
223
224 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsig, sig64, 0));
225 CHECK(!secp256k1_ecdsa_recover(CTX, &pubkey, &rsig, msg32));
226 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsig, sig64, 1));
227 CHECK(secp256k1_ecdsa_recover(CTX, &pubkey, &rsig, msg32));
228 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsig, sig64, 2));
229 CHECK(!secp256k1_ecdsa_recover(CTX, &pubkey, &rsig, msg32));
230 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsig, sig64, 3));
231 CHECK(!secp256k1_ecdsa_recover(CTX, &pubkey, &rsig, msg32));
232
233 for (recid = 0; recid < 4; recid++) {
234 int i;
235 int recid2;
236 /* (4,4) encoded in DER. */
237 unsigned char sigbder[8] = {0x30, 0x06, 0x02, 0x01, 0x04, 0x02, 0x01, 0x04};
238 unsigned char sigcder_zr[7] = {0x30, 0x05, 0x02, 0x00, 0x02, 0x01, 0x01};
239 unsigned char sigcder_zs[7] = {0x30, 0x05, 0x02, 0x01, 0x01, 0x02, 0x00};
240 unsigned char sigbderalt1[39] = {
241 0x30, 0x25, 0x02, 0x20, 0x00, 0x00, 0x00, 0x00,
242 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
243 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
244 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
245 0x00, 0x00, 0x00, 0x04, 0x02, 0x01, 0x04,
246 };
247 unsigned char sigbderalt2[39] = {
248 0x30, 0x25, 0x02, 0x01, 0x04, 0x02, 0x20, 0x00,
249 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
250 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
251 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
252 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
253 };
254 unsigned char sigbderalt3[40] = {
255 0x30, 0x26, 0x02, 0x21, 0x00, 0x00, 0x00, 0x00,
256 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
257 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
258 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
259 0x00, 0x00, 0x00, 0x00, 0x04, 0x02, 0x01, 0x04,
260 };
261 unsigned char sigbderalt4[40] = {
262 0x30, 0x26, 0x02, 0x01, 0x04, 0x02, 0x21, 0x00,
263 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
264 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
265 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
266 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
267 };
268 /* (order + r,4) encoded in DER. */
269 unsigned char sigbderlong[40] = {
270 0x30, 0x26, 0x02, 0x21, 0x00, 0xFF, 0xFF, 0xFF,
271 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
272 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC,
273 0xE6, 0xAF, 0x48, 0xA0, 0x3B, 0xBF, 0xD2, 0x5E,
274 0x8C, 0xD0, 0x36, 0x41, 0x45, 0x02, 0x01, 0x04
275 };
276 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsig, sigb64, recid) == 1);
277 CHECK(secp256k1_ecdsa_recover(CTX, &pubkeyb, &rsig, msg32) == 1);
278 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbder, sizeof(sigbder)) == 1);
279 CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg32, &pubkeyb) == 1);
280 for (recid2 = 0; recid2 < 4; recid2++) {
281 secp256k1_pubkey pubkey2b;
282 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsig, sigb64, recid2) == 1);
283 CHECK(secp256k1_ecdsa_recover(CTX, &pubkey2b, &rsig, msg32) == 1);
284 /* Verifying with (order + r,4) should always fail. */
285 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbderlong, sizeof(sigbderlong)) == 1);
286 CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg32, &pubkeyb) == 0);
287 }
288 /* DER parsing tests. */
289 /* Zero length r/s. */
290 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigcder_zr, sizeof(sigcder_zr)) == 0);
291 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigcder_zs, sizeof(sigcder_zs)) == 0);
292 /* Leading zeros. */
293 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbderalt1, sizeof(sigbderalt1)) == 0);
294 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbderalt2, sizeof(sigbderalt2)) == 0);
295 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbderalt3, sizeof(sigbderalt3)) == 0);
296 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbderalt4, sizeof(sigbderalt4)) == 0);
297 sigbderalt3[4] = 1;
298 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbderalt3, sizeof(sigbderalt3)) == 1);
299 CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg32, &pubkeyb) == 0);
300 sigbderalt4[7] = 1;
301 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbderalt4, sizeof(sigbderalt4)) == 1);
302 CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg32, &pubkeyb) == 0);
303 /* Damage signature. */
304 sigbder[7]++;
305 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbder, sizeof(sigbder)) == 1);
306 CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg32, &pubkeyb) == 0);
307 sigbder[7]--;
308 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbder, 6) == 0);
309 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbder, sizeof(sigbder) - 1) == 0);
310 for(i = 0; i < 8; i++) {
311 int c;
312 unsigned char orig = sigbder[i];
313 /*Try every single-byte change.*/
314 for (c = 0; c < 256; c++) {
315 if (c == orig ) {
316 continue;
317 }
318 sigbder[i] = c;
319 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbder, sizeof(sigbder)) == 0 || secp256k1_ecdsa_verify(CTX, &sig, msg32, &pubkeyb) == 0);
320 }
321 sigbder[i] = orig;
322 }
323 }
324
325 /* Test r/s equal to zero */
326 {
327 /* (1,1) encoded in DER. */
328 unsigned char sigcder[8] = {0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01};
329 unsigned char sigc64[64] = {
330 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
331 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
332 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
333 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
334 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
335 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
336 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
337 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
338 };
339 secp256k1_pubkey pubkeyc;
340 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsig, sigc64, 0) == 1);
341 CHECK(secp256k1_ecdsa_recover(CTX, &pubkeyc, &rsig, msg32) == 1);
342 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigcder, sizeof(sigcder)) == 1);
343 CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg32, &pubkeyc) == 1);
344 sigcder[4] = 0;
345 sigc64[31] = 0;
346 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsig, sigc64, 0) == 1);
347 CHECK(secp256k1_ecdsa_recover(CTX, &pubkeyb, &rsig, msg32) == 0);
348 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigcder, sizeof(sigcder)) == 1);
349 CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg32, &pubkeyc) == 0);
350 sigcder[4] = 1;
351 sigcder[7] = 0;
352 sigc64[31] = 1;
353 sigc64[63] = 0;
354 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsig, sigc64, 0) == 1);
355 CHECK(secp256k1_ecdsa_recover(CTX, &pubkeyb, &rsig, msg32) == 0);
356 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigcder, sizeof(sigcder)) == 1);
357 CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg32, &pubkeyc) == 0);
358 }
359}
360
361void run_recovery_tests(void) {
362 int i;
363 for (i = 0; i < COUNT; i++) {
364 test_ecdsa_recovery_api();
365 }
366 for (i = 0; i < 64*COUNT; i++) {
367 test_ecdsa_recovery_end_to_end();
368 }
369 test_ecdsa_recovery_edge_cases();
370}
371
372#endif /* SECP256K1_MODULE_RECOVERY_TESTS_H */
sig
SchnorrSig sig
Definition: processor.cpp:523
test_ecdsa_recovery_api
void test_ecdsa_recovery_api(void)
Definition: tests_impl.h:31
run_recovery_tests
void run_recovery_tests(void)
Definition: tests_impl.h:361
test_ecdsa_recovery_end_to_end
void test_ecdsa_recovery_end_to_end(void)
Definition: tests_impl.h:130
recovery_test_nonce_function
static int recovery_test_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests_impl.h:10
test_ecdsa_recovery_edge_cases
void test_ecdsa_recovery_edge_cases(void)
Definition: tests_impl.h:188
secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
secp256k1_memcmp_var
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:197
CHECK
#define CHECK(cond)
Definition: util.h:81
secp256k1_context_set_error_callback
SECP256K1_API void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:195
secp256k1_ec_seckey_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Verify an ECDSA secret key.
Definition: secp256k1.c:565
secp256k1_context_set_illegal_callback
SECP256K1_API void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an illegal argument is passed to an API call.
Definition: secp256k1.c:183
secp256k1_ecdsa_sign
SECP256K1_API int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *ndata) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create an ECDSA signature.
Definition: secp256k1.c:550
secp256k1_ecdsa_signature_parse_der
SECP256K1_API int secp256k1_ecdsa_signature_parse_der(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a DER ECDSA signature.
Definition: secp256k1.c:355
secp256k1_ec_pubkey_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the public key for a secret key.
Definition: secp256k1.c:588
secp256k1_ecdsa_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Verify an ECDSA signature.
Definition: secp256k1.c:436
secp256k1_ecdsa_recoverable_signature_serialize_compact
SECP256K1_API int secp256k1_ecdsa_recoverable_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, int *recid, const secp256k1_ecdsa_recoverable_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize an ECDSA signature in compact format (64 bytes + recovery id).
Definition: main_impl.h:60
secp256k1_ecdsa_recoverable_signature_parse_compact
SECP256K1_API int secp256k1_ecdsa_recoverable_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_recoverable_signature *sig, const unsigned char *input64, int recid) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a compact ECDSA signature (64 bytes + recovery id).
Definition: main_impl.h:38
secp256k1_ecdsa_sign_recoverable
SECP256K1_API int secp256k1_ecdsa_sign_recoverable(const secp256k1_context *ctx, secp256k1_ecdsa_recoverable_signature *sig, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *ndata) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create a recoverable ECDSA signature.
Definition: main_impl.h:123
secp256k1_ecdsa_recoverable_signature_convert
SECP256K1_API int secp256k1_ecdsa_recoverable_signature_convert(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const secp256k1_ecdsa_recoverable_signature *sigin) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Convert a recoverable signature into a normal signature.
Definition: main_impl.h:74
secp256k1_ecdsa_recover
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_recover(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const secp256k1_ecdsa_recoverable_signature *sig, const unsigned char *msghash32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Recover an ECDSA public key from a signature.
Definition: main_impl.h:138
secp256k1_ecdsa_recoverable_signature
Opaque data structured that holds a parsed ECDSA signature, supporting pubkey recovery.
Definition: secp256k1_recovery.h:24
secp256k1_ecdsa_signature
Opaque data structured that holds a parsed ECDSA signature.
Definition: secp256k1.h:87
secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:74
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_testrand_int
static uint32_t secp256k1_testrand_int(uint32_t range)
Generate a pseudorandom number in the range [0..range-1].
secp256k1_testrand_bits
static SECP256K1_INLINE uint64_t secp256k1_testrand_bits(int bits)
Generate a pseudorandom number in the range [0..2**bits-1].
COUNT
static int COUNT
Definition: tests.c:30
random_scalar_order_test
void random_scalar_order_test(secp256k1_scalar *num)
Definition: tests.c:109
CTX
static secp256k1_context * CTX
Definition: tests.c:31
counting_illegal_callback_fn
static void counting_illegal_callback_fn(const char *str, void *data)
Definition: tests.c:34
STATIC_CTX
static secp256k1_context * STATIC_CTX
Definition: tests.c:32
Generated on Sat Mar 7 2026 11:51:02 for Bitcoin ABC by doxygen 1.9.4