Bitcoin ABC 0.30.5
P2P Digital Currency
tests_impl.h
Go to the documentation of this file.
1/***********************************************************************
2 * Copyright (c) 2013-2015 Pieter Wuille *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
6
7#ifndef SECP256K1_MODULE_RECOVERY_TESTS_H
8#define SECP256K1_MODULE_RECOVERY_TESTS_H
9
10static int recovery_test_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
11 (void) msg32;
12 (void) key32;
13 (void) algo16;
14 (void) data;
15
16 /* On the first run, return 0 to force a second run */
17 if (counter == 0) {
18 memset(nonce32, 0, 32);
19 return 1;
20 }
21 /* On the second run, return an overflow to force a third run */
22 if (counter == 1) {
23 memset(nonce32, 0xff, 32);
24 return 1;
25 }
26 /* On the next run, return a valid nonce, but flip a coin as to whether or not to fail signing. */
27 memset(nonce32, 1, 32);
28 return secp256k1_testrand_bits(1);
29}
30
31void test_ecdsa_recovery_api(void) {
32 /* Setup contexts that just count errors */
33 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
34 secp256k1_context *sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
35 secp256k1_context *vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
36 secp256k1_context *both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
37 secp256k1_pubkey pubkey;
38 secp256k1_pubkey recpubkey;
39 secp256k1_ecdsa_signature normal_sig;
40 secp256k1_ecdsa_recoverable_signature recsig;
41 unsigned char privkey[32] = { 1 };
42 unsigned char message[32] = { 2 };
43 int32_t ecount = 0;
44 int recid = 0;
45 unsigned char sig[74];
46 unsigned char zero_privkey[32] = { 0 };
47 unsigned char over_privkey[32] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
48 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
49 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
50 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
51
52 secp256k1_context_set_error_callback(none, counting_illegal_callback_fn, &ecount);
53 secp256k1_context_set_error_callback(sign, counting_illegal_callback_fn, &ecount);
54 secp256k1_context_set_error_callback(vrfy, counting_illegal_callback_fn, &ecount);
55 secp256k1_context_set_error_callback(both, counting_illegal_callback_fn, &ecount);
56 secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
57 secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount);
58 secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
59 secp256k1_context_set_illegal_callback(both, counting_illegal_callback_fn, &ecount);
60
61 /* Construct and verify corresponding public key. */
62 CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
63 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
64
65 /* Check bad contexts and NULLs for signing */
66 ecount = 0;
67 CHECK(secp256k1_ecdsa_sign_recoverable(none, &recsig, message, privkey, NULL, NULL) == 0);
68 CHECK(ecount == 1);
69 CHECK(secp256k1_ecdsa_sign_recoverable(sign, &recsig, message, privkey, NULL, NULL) == 1);
70 CHECK(ecount == 1);
71 CHECK(secp256k1_ecdsa_sign_recoverable(vrfy, &recsig, message, privkey, NULL, NULL) == 0);
72 CHECK(ecount == 2);
73 CHECK(secp256k1_ecdsa_sign_recoverable(both, &recsig, message, privkey, NULL, NULL) == 1);
74 CHECK(ecount == 2);
75 CHECK(secp256k1_ecdsa_sign_recoverable(both, NULL, message, privkey, NULL, NULL) == 0);
76 CHECK(ecount == 3);
77 CHECK(secp256k1_ecdsa_sign_recoverable(both, &recsig, NULL, privkey, NULL, NULL) == 0);
78 CHECK(ecount == 4);
79 CHECK(secp256k1_ecdsa_sign_recoverable(both, &recsig, message, NULL, NULL, NULL) == 0);
80 CHECK(ecount == 5);
81 /* This will fail or succeed randomly, and in either case will not ARG_CHECK failure */
82 secp256k1_ecdsa_sign_recoverable(both, &recsig, message, privkey, recovery_test_nonce_function, NULL);
83 CHECK(ecount == 5);
84 /* These will all fail, but not in ARG_CHECK way */
85 CHECK(secp256k1_ecdsa_sign_recoverable(both, &recsig, message, zero_privkey, NULL, NULL) == 0);
86 CHECK(secp256k1_ecdsa_sign_recoverable(both, &recsig, message, over_privkey, NULL, NULL) == 0);
87 /* This one will succeed. */
88 CHECK(secp256k1_ecdsa_sign_recoverable(both, &recsig, message, privkey, NULL, NULL) == 1);
89 CHECK(ecount == 5);
90
91 /* Check signing with a goofy nonce function */
92
93 /* Check bad contexts and NULLs for recovery */
94 ecount = 0;
95 CHECK(secp256k1_ecdsa_recover(none, &recpubkey, &recsig, message) == 0);
96 CHECK(ecount == 1);
97 CHECK(secp256k1_ecdsa_recover(sign, &recpubkey, &recsig, message) == 0);
98 CHECK(ecount == 2);
99 CHECK(secp256k1_ecdsa_recover(vrfy, &recpubkey, &recsig, message) == 1);
100 CHECK(ecount == 2);
101 CHECK(secp256k1_ecdsa_recover(both, &recpubkey, &recsig, message) == 1);
102 CHECK(ecount == 2);
103 CHECK(secp256k1_ecdsa_recover(both, NULL, &recsig, message) == 0);
104 CHECK(ecount == 3);
105 CHECK(secp256k1_ecdsa_recover(both, &recpubkey, NULL, message) == 0);
106 CHECK(ecount == 4);
107 CHECK(secp256k1_ecdsa_recover(both, &recpubkey, &recsig, NULL) == 0);
108 CHECK(ecount == 5);
109
110 /* Check NULLs for conversion */
111 CHECK(secp256k1_ecdsa_sign(both, &normal_sig, message, privkey, NULL, NULL) == 1);
112 ecount = 0;
113 CHECK(secp256k1_ecdsa_recoverable_signature_convert(both, NULL, &recsig) == 0);
114 CHECK(ecount == 1);
115 CHECK(secp256k1_ecdsa_recoverable_signature_convert(both, &normal_sig, NULL) == 0);
116 CHECK(ecount == 2);
117 CHECK(secp256k1_ecdsa_recoverable_signature_convert(both, &normal_sig, &recsig) == 1);
118
119 /* Check NULLs for de/serialization */
120 CHECK(secp256k1_ecdsa_sign_recoverable(both, &recsig, message, privkey, NULL, NULL) == 1);
121 ecount = 0;
122 CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(both, NULL, &recid, &recsig) == 0);
123 CHECK(ecount == 1);
124 CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(both, sig, NULL, &recsig) == 0);
125 CHECK(ecount == 2);
126 CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(both, sig, &recid, NULL) == 0);
127 CHECK(ecount == 3);
128 CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(both, sig, &recid, &recsig) == 1);
129
130 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(both, NULL, sig, recid) == 0);
131 CHECK(ecount == 4);
132 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(both, &recsig, NULL, recid) == 0);
133 CHECK(ecount == 5);
134 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(both, &recsig, sig, -1) == 0);
135 CHECK(ecount == 6);
136 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(both, &recsig, sig, 5) == 0);
137 CHECK(ecount == 7);
138 /* overflow in signature will fail but not affect ecount */
139 memcpy(sig, over_privkey, 32);
140 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(both, &recsig, sig, recid) == 0);
141 CHECK(ecount == 7);
142
143 /* cleanup */
144 secp256k1_context_destroy(none);
145 secp256k1_context_destroy(sign);
146 secp256k1_context_destroy(vrfy);
147 secp256k1_context_destroy(both);
148}
149
150void test_ecdsa_recovery_end_to_end(void) {
151 unsigned char extra[32] = {0x00};
152 unsigned char privkey[32];
153 unsigned char message[32];
154 secp256k1_ecdsa_signature signature[5];
155 secp256k1_ecdsa_recoverable_signature rsignature[5];
156 unsigned char sig[74];
157 secp256k1_pubkey pubkey;
158 secp256k1_pubkey recpubkey;
159 int recid = 0;
160
161 /* Generate a random key and message. */
162 {
163 secp256k1_scalar msg, key;
164 random_scalar_order_test(&msg);
165 random_scalar_order_test(&key);
166 secp256k1_scalar_get_b32(privkey, &key);
167 secp256k1_scalar_get_b32(message, &msg);
168 }
169
170 /* Construct and verify corresponding public key. */
171 CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
172 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
173
174 /* Serialize/parse compact and verify/recover. */
175 extra[0] = 0;
176 CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &rsignature[0], message, privkey, NULL, NULL) == 1);
177 CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
178 CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &rsignature[4], message, privkey, NULL, NULL) == 1);
179 CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &rsignature[1], message, privkey, NULL, extra) == 1);
180 extra[31] = 1;
181 CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &rsignature[2], message, privkey, NULL, extra) == 1);
182 extra[31] = 0;
183 extra[0] = 1;
184 CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &rsignature[3], message, privkey, NULL, extra) == 1);
185 CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(ctx, sig, &recid, &rsignature[4]) == 1);
186 CHECK(secp256k1_ecdsa_recoverable_signature_convert(ctx, &signature[4], &rsignature[4]) == 1);
187 CHECK(secp256k1_ecdsa_verify(ctx, &signature[4], message, &pubkey) == 1);
188 memset(&rsignature[4], 0, sizeof(rsignature[4]));
189 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsignature[4], sig, recid) == 1);
190 CHECK(secp256k1_ecdsa_recoverable_signature_convert(ctx, &signature[4], &rsignature[4]) == 1);
191 CHECK(secp256k1_ecdsa_verify(ctx, &signature[4], message, &pubkey) == 1);
192 /* Parse compact (with recovery id) and recover. */
193 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsignature[4], sig, recid) == 1);
194 CHECK(secp256k1_ecdsa_recover(ctx, &recpubkey, &rsignature[4], message) == 1);
195 CHECK(secp256k1_memcmp_var(&pubkey, &recpubkey, sizeof(pubkey)) == 0);
196 /* Serialize/destroy/parse signature and verify again. */
197 CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(ctx, sig, &recid, &rsignature[4]) == 1);
198 sig[secp256k1_testrand_bits(6)] += 1 + secp256k1_testrand_int(255);
199 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsignature[4], sig, recid) == 1);
200 CHECK(secp256k1_ecdsa_recoverable_signature_convert(ctx, &signature[4], &rsignature[4]) == 1);
201 CHECK(secp256k1_ecdsa_verify(ctx, &signature[4], message, &pubkey) == 0);
202 /* Recover again */
203 CHECK(secp256k1_ecdsa_recover(ctx, &recpubkey, &rsignature[4], message) == 0 ||
204 secp256k1_memcmp_var(&pubkey, &recpubkey, sizeof(pubkey)) != 0);
205}
206
207/* Tests several edge cases. */
208void test_ecdsa_recovery_edge_cases(void) {
209 const unsigned char msg32[32] = {
210 'T', 'h', 'i', 's', ' ', 'i', 's', ' ',
211 'a', ' ', 'v', 'e', 'r', 'y', ' ', 's',
212 'e', 'c', 'r', 'e', 't', ' ', 'm', 'e',
213 's', 's', 'a', 'g', 'e', '.', '.', '.'
214 };
215 const unsigned char sig64[64] = {
216 /* Generated by signing the above message with nonce 'This is the nonce we will use...'
217 * and secret key 0 (which is not valid), resulting in recid 1. */
218 0x67, 0xCB, 0x28, 0x5F, 0x9C, 0xD1, 0x94, 0xE8,
219 0x40, 0xD6, 0x29, 0x39, 0x7A, 0xF5, 0x56, 0x96,
220 0x62, 0xFD, 0xE4, 0x46, 0x49, 0x99, 0x59, 0x63,
221 0x17, 0x9A, 0x7D, 0xD1, 0x7B, 0xD2, 0x35, 0x32,
222 0x4B, 0x1B, 0x7D, 0xF3, 0x4C, 0xE1, 0xF6, 0x8E,
223 0x69, 0x4F, 0xF6, 0xF1, 0x1A, 0xC7, 0x51, 0xDD,
224 0x7D, 0xD7, 0x3E, 0x38, 0x7E, 0xE4, 0xFC, 0x86,
225 0x6E, 0x1B, 0xE8, 0xEC, 0xC7, 0xDD, 0x95, 0x57
226 };
227 secp256k1_pubkey pubkey;
228 /* signature (r,s) = (4,4), which can be recovered with all 4 recids. */
229 const unsigned char sigb64[64] = {
230 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
231 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
232 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
233 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
234 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
235 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
236 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
237 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
238 };
239 secp256k1_pubkey pubkeyb;
240 secp256k1_ecdsa_recoverable_signature rsig;
241 secp256k1_ecdsa_signature sig;
242 int recid;
243
244 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 0));
245 CHECK(!secp256k1_ecdsa_recover(ctx, &pubkey, &rsig, msg32));
246 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 1));
247 CHECK(secp256k1_ecdsa_recover(ctx, &pubkey, &rsig, msg32));
248 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 2));
249 CHECK(!secp256k1_ecdsa_recover(ctx, &pubkey, &rsig, msg32));
250 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 3));
251 CHECK(!secp256k1_ecdsa_recover(ctx, &pubkey, &rsig, msg32));
252
253 for (recid = 0; recid < 4; recid++) {
254 int i;
255 int recid2;
256 /* (4,4) encoded in DER. */
257 unsigned char sigbder[8] = {0x30, 0x06, 0x02, 0x01, 0x04, 0x02, 0x01, 0x04};
258 unsigned char sigcder_zr[7] = {0x30, 0x05, 0x02, 0x00, 0x02, 0x01, 0x01};
259 unsigned char sigcder_zs[7] = {0x30, 0x05, 0x02, 0x01, 0x01, 0x02, 0x00};
260 unsigned char sigbderalt1[39] = {
261 0x30, 0x25, 0x02, 0x20, 0x00, 0x00, 0x00, 0x00,
262 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
263 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
264 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
265 0x00, 0x00, 0x00, 0x04, 0x02, 0x01, 0x04,
266 };
267 unsigned char sigbderalt2[39] = {
268 0x30, 0x25, 0x02, 0x01, 0x04, 0x02, 0x20, 0x00,
269 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
270 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
271 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
272 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
273 };
274 unsigned char sigbderalt3[40] = {
275 0x30, 0x26, 0x02, 0x21, 0x00, 0x00, 0x00, 0x00,
276 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
277 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
278 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
279 0x00, 0x00, 0x00, 0x00, 0x04, 0x02, 0x01, 0x04,
280 };
281 unsigned char sigbderalt4[40] = {
282 0x30, 0x26, 0x02, 0x01, 0x04, 0x02, 0x21, 0x00,
283 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
284 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
285 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
286 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
287 };
288 /* (order + r,4) encoded in DER. */
289 unsigned char sigbderlong[40] = {
290 0x30, 0x26, 0x02, 0x21, 0x00, 0xFF, 0xFF, 0xFF,
291 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
292 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC,
293 0xE6, 0xAF, 0x48, 0xA0, 0x3B, 0xBF, 0xD2, 0x5E,
294 0x8C, 0xD0, 0x36, 0x41, 0x45, 0x02, 0x01, 0x04
295 };
296 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigb64, recid) == 1);
297 CHECK(secp256k1_ecdsa_recover(ctx, &pubkeyb, &rsig, msg32) == 1);
298 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder)) == 1);
299 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 1);
300 for (recid2 = 0; recid2 < 4; recid2++) {
301 secp256k1_pubkey pubkey2b;
302 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigb64, recid2) == 1);
303 CHECK(secp256k1_ecdsa_recover(ctx, &pubkey2b, &rsig, msg32) == 1);
304 /* Verifying with (order + r,4) should always fail. */
305 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderlong, sizeof(sigbderlong)) == 1);
306 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0);
307 }
308 /* DER parsing tests. */
309 /* Zero length r/s. */
310 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigcder_zr, sizeof(sigcder_zr)) == 0);
311 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigcder_zs, sizeof(sigcder_zs)) == 0);
312 /* Leading zeros. */
313 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt1, sizeof(sigbderalt1)) == 0);
314 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt2, sizeof(sigbderalt2)) == 0);
315 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt3, sizeof(sigbderalt3)) == 0);
316 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt4, sizeof(sigbderalt4)) == 0);
317 sigbderalt3[4] = 1;
318 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt3, sizeof(sigbderalt3)) == 1);
319 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0);
320 sigbderalt4[7] = 1;
321 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt4, sizeof(sigbderalt4)) == 1);
322 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0);
323 /* Damage signature. */
324 sigbder[7]++;
325 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder)) == 1);
326 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0);
327 sigbder[7]--;
328 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbder, 6) == 0);
329 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder) - 1) == 0);
330 for(i = 0; i < 8; i++) {
331 int c;
332 unsigned char orig = sigbder[i];
333 /*Try every single-byte change.*/
334 for (c = 0; c < 256; c++) {
335 if (c == orig ) {
336 continue;
337 }
338 sigbder[i] = c;
339 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder)) == 0 || secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0);
340 }
341 sigbder[i] = orig;
342 }
343 }
344
345 /* Test r/s equal to zero */
346 {
347 /* (1,1) encoded in DER. */
348 unsigned char sigcder[8] = {0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01};
349 unsigned char sigc64[64] = {
350 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
351 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
352 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
353 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
354 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
355 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
356 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
357 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
358 };
359 secp256k1_pubkey pubkeyc;
360 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigc64, 0) == 1);
361 CHECK(secp256k1_ecdsa_recover(ctx, &pubkeyc, &rsig, msg32) == 1);
362 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigcder, sizeof(sigcder)) == 1);
363 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyc) == 1);
364 sigcder[4] = 0;
365 sigc64[31] = 0;
366 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigc64, 0) == 1);
367 CHECK(secp256k1_ecdsa_recover(ctx, &pubkeyb, &rsig, msg32) == 0);
368 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigcder, sizeof(sigcder)) == 1);
369 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyc) == 0);
370 sigcder[4] = 1;
371 sigcder[7] = 0;
372 sigc64[31] = 1;
373 sigc64[63] = 0;
374 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigc64, 0) == 1);
375 CHECK(secp256k1_ecdsa_recover(ctx, &pubkeyb, &rsig, msg32) == 0);
376 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigcder, sizeof(sigcder)) == 1);
377 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyc) == 0);
378 }
379}
380
381void run_recovery_tests(void) {
382 int i;
383 for (i = 0; i < count; i++) {
384 test_ecdsa_recovery_api();
385 }
386 for (i = 0; i < 64*count; i++) {
387 test_ecdsa_recovery_end_to_end();
388 }
389 test_ecdsa_recovery_edge_cases();
390}
391
392#endif /* SECP256K1_MODULE_RECOVERY_TESTS_H */
ctx
secp256k1_context * ctx
Definition: bench_multiset.c:12
sig
SchnorrSig sig
Definition: processor.cpp:498
test_ecdsa_recovery_api
void test_ecdsa_recovery_api(void)
Definition: tests_impl.h:31
run_recovery_tests
void run_recovery_tests(void)
Definition: tests_impl.h:381
test_ecdsa_recovery_end_to_end
void test_ecdsa_recovery_end_to_end(void)
Definition: tests_impl.h:150
recovery_test_nonce_function
static int recovery_test_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests_impl.h:10
test_ecdsa_recovery_edge_cases
void test_ecdsa_recovery_edge_cases(void)
Definition: tests_impl.h:208
secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
secp256k1_memcmp_var
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:224
CHECK
#define CHECK(cond)
Definition: util.h:53
SECP256K1_CONTEXT_SIGN
#define SECP256K1_CONTEXT_SIGN
Definition: secp256k1.h:174
secp256k1_context_set_error_callback
SECP256K1_API void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:212
secp256k1_ec_seckey_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Verify an ECDSA secret key.
Definition: secp256k1.c:576
secp256k1_context_create
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:152
secp256k1_context_set_illegal_callback
SECP256K1_API void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an illegal argument is passed to an API call.
Definition: secp256k1.c:203
secp256k1_ecdsa_sign
SECP256K1_API int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *ndata) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create an ECDSA signature.
Definition: secp256k1.c:561
SECP256K1_CONTEXT_NONE
#define SECP256K1_CONTEXT_NONE
Definition: secp256k1.h:176
secp256k1_ecdsa_signature_parse_der
SECP256K1_API int secp256k1_ecdsa_signature_parse_der(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a DER ECDSA signature.
Definition: secp256k1.c:369
secp256k1_ec_pubkey_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the public key for a secret key.
Definition: secp256k1.c:599
secp256k1_ecdsa_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Verify an ECDSA signature.
Definition: secp256k1.c:450
SECP256K1_CONTEXT_VERIFY
#define SECP256K1_CONTEXT_VERIFY
Flags to pass to secp256k1_context_create, secp256k1_context_preallocated_size, and secp256k1_context...
Definition: secp256k1.h:173
secp256k1_context_destroy
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:196
secp256k1_ecdsa_recoverable_signature_serialize_compact
SECP256K1_API int secp256k1_ecdsa_recoverable_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, int *recid, const secp256k1_ecdsa_recoverable_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize an ECDSA signature in compact format (64 bytes + recovery id).
Definition: main_impl.h:60
secp256k1_ecdsa_recoverable_signature_parse_compact
SECP256K1_API int secp256k1_ecdsa_recoverable_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_recoverable_signature *sig, const unsigned char *input64, int recid) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a compact ECDSA signature (64 bytes + recovery id).
Definition: main_impl.h:38
secp256k1_ecdsa_sign_recoverable
SECP256K1_API int secp256k1_ecdsa_sign_recoverable(const secp256k1_context *ctx, secp256k1_ecdsa_recoverable_signature *sig, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *ndata) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create a recoverable ECDSA signature.
Definition: main_impl.h:123
secp256k1_ecdsa_recoverable_signature_convert
SECP256K1_API int secp256k1_ecdsa_recoverable_signature_convert(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const secp256k1_ecdsa_recoverable_signature *sigin) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Convert a recoverable signature into a normal signature.
Definition: main_impl.h:74
secp256k1_ecdsa_recover
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_recover(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const secp256k1_ecdsa_recoverable_signature *sig, const unsigned char *msghash32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Recover an ECDSA public key from a signature.
Definition: main_impl.h:138
secp256k1_context_struct
Definition: secp256k1.c:69
secp256k1_ecdsa_recoverable_signature
Opaque data structured that holds a parsed ECDSA signature, supporting pubkey recovery.
Definition: secp256k1_recovery.h:24
secp256k1_ecdsa_signature
Opaque data structured that holds a parsed ECDSA signature.
Definition: secp256k1.h:83
secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:70
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_testrand_int
static uint32_t secp256k1_testrand_int(uint32_t range)
Generate a pseudorandom number in the range [0..range-1].
secp256k1_testrand_bits
static uint32_t secp256k1_testrand_bits(int bits)
Generate a pseudorandom number in the range [0..2**bits-1].
random_scalar_order_test
void random_scalar_order_test(secp256k1_scalar *num)
Definition: tests.c:103
counting_illegal_callback_fn
static void counting_illegal_callback_fn(const char *str, void *data)
Definition: tests.c:34
count
static int count
Definition: tests.c:31
Generated on Wed Nov 20 2024 17:55:59 for Bitcoin ABC by doxygen 1.9.4