Wire Sysio Wire Sysion 1.0.0
Loading...
Searching...
No Matches
tests_impl.h
Go to the documentation of this file.
1/***********************************************************************
2 * Copyright (c) 2013-2015 Pieter Wuille *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
6
7#ifndef SECP256K1_MODULE_RECOVERY_TESTS_H
8#define SECP256K1_MODULE_RECOVERY_TESTS_H
9
10static int recovery_test_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
11 (void) msg32;
12 (void) key32;
13 (void) algo16;
14 (void) data;
15
16 /* On the first run, return 0 to force a second run */
17 if (counter == 0) {
18 memset(nonce32, 0, 32);
19 return 1;
20 }
21 /* On the second run, return an overflow to force a third run */
22 if (counter == 1) {
23 memset(nonce32, 0xff, 32);
24 return 1;
25 }
26 /* On the next run, return a valid nonce, but flip a coin as to whether or not to fail signing. */
27 memset(nonce32, 1, 32);
28 return secp256k1_testrand_bits(1);
29}
30
31void test_ecdsa_recovery_api(void) {
32 /* Setup contexts that just count errors */
33 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
34 secp256k1_context *sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
35 secp256k1_context *vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
36 secp256k1_context *both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
37 secp256k1_context *sttc = secp256k1_context_clone(secp256k1_context_no_precomp);
38 secp256k1_pubkey pubkey;
39 secp256k1_pubkey recpubkey;
40 secp256k1_ecdsa_signature normal_sig;
41 secp256k1_ecdsa_recoverable_signature recsig;
42 unsigned char privkey[32] = { 1 };
43 unsigned char message[32] = { 2 };
44 int32_t ecount = 0;
45 int recid = 0;
46 unsigned char sig[74];
47 unsigned char zero_privkey[32] = { 0 };
48 unsigned char over_privkey[32] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
49 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
50 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
51 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
52
53 secp256k1_context_set_error_callback(none, counting_illegal_callback_fn, &ecount);
54 secp256k1_context_set_error_callback(sign, counting_illegal_callback_fn, &ecount);
55 secp256k1_context_set_error_callback(vrfy, counting_illegal_callback_fn, &ecount);
56 secp256k1_context_set_error_callback(both, counting_illegal_callback_fn, &ecount);
57 secp256k1_context_set_error_callback(sttc, counting_illegal_callback_fn, &ecount);
58 secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
59 secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount);
60 secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
61 secp256k1_context_set_illegal_callback(both, counting_illegal_callback_fn, &ecount);
62 secp256k1_context_set_illegal_callback(sttc, counting_illegal_callback_fn, &ecount);
63
64 /* Construct and verify corresponding public key. */
65 CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
66 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
67
68 /* Check bad contexts and NULLs for signing */
69 ecount = 0;
70 CHECK(secp256k1_ecdsa_sign_recoverable(none, &recsig, message, privkey, NULL, NULL) == 1);
71 CHECK(ecount == 0);
72 CHECK(secp256k1_ecdsa_sign_recoverable(sign, &recsig, message, privkey, NULL, NULL) == 1);
73 CHECK(ecount == 0);
74 CHECK(secp256k1_ecdsa_sign_recoverable(vrfy, &recsig, message, privkey, NULL, NULL) == 1);
75 CHECK(ecount == 0);
76 CHECK(secp256k1_ecdsa_sign_recoverable(both, &recsig, message, privkey, NULL, NULL) == 1);
77 CHECK(ecount == 0);
78 CHECK(secp256k1_ecdsa_sign_recoverable(both, NULL, message, privkey, NULL, NULL) == 0);
79 CHECK(ecount == 1);
80 CHECK(secp256k1_ecdsa_sign_recoverable(both, &recsig, NULL, privkey, NULL, NULL) == 0);
81 CHECK(ecount == 2);
82 CHECK(secp256k1_ecdsa_sign_recoverable(both, &recsig, message, NULL, NULL, NULL) == 0);
83 CHECK(ecount == 3);
84 CHECK(secp256k1_ecdsa_sign_recoverable(sttc, &recsig, message, privkey, NULL, NULL) == 0);
85 CHECK(ecount == 4);
86 /* This will fail or succeed randomly, and in either case will not ARG_CHECK failure */
87 secp256k1_ecdsa_sign_recoverable(both, &recsig, message, privkey, recovery_test_nonce_function, NULL);
88 CHECK(ecount == 4);
89 /* These will all fail, but not in ARG_CHECK way */
90 CHECK(secp256k1_ecdsa_sign_recoverable(both, &recsig, message, zero_privkey, NULL, NULL) == 0);
91 CHECK(secp256k1_ecdsa_sign_recoverable(both, &recsig, message, over_privkey, NULL, NULL) == 0);
92 /* This one will succeed. */
93 CHECK(secp256k1_ecdsa_sign_recoverable(both, &recsig, message, privkey, NULL, NULL) == 1);
94 CHECK(ecount == 4);
95
96 /* Check signing with a goofy nonce function */
97
98 /* Check bad contexts and NULLs for recovery */
99 ecount = 0;
100 CHECK(secp256k1_ecdsa_recover(none, &recpubkey, &recsig, message) == 1);
101 CHECK(ecount == 0);
102 CHECK(secp256k1_ecdsa_recover(sign, &recpubkey, &recsig, message) == 1);
103 CHECK(ecount == 0);
104 CHECK(secp256k1_ecdsa_recover(vrfy, &recpubkey, &recsig, message) == 1);
105 CHECK(ecount == 0);
106 CHECK(secp256k1_ecdsa_recover(both, &recpubkey, &recsig, message) == 1);
107 CHECK(ecount == 0);
108 CHECK(secp256k1_ecdsa_recover(both, NULL, &recsig, message) == 0);
109 CHECK(ecount == 1);
110 CHECK(secp256k1_ecdsa_recover(both, &recpubkey, NULL, message) == 0);
111 CHECK(ecount == 2);
112 CHECK(secp256k1_ecdsa_recover(both, &recpubkey, &recsig, NULL) == 0);
113 CHECK(ecount == 3);
114
115 /* Check NULLs for conversion */
116 CHECK(secp256k1_ecdsa_sign(both, &normal_sig, message, privkey, NULL, NULL) == 1);
117 ecount = 0;
118 CHECK(secp256k1_ecdsa_recoverable_signature_convert(both, NULL, &recsig) == 0);
119 CHECK(ecount == 1);
120 CHECK(secp256k1_ecdsa_recoverable_signature_convert(both, &normal_sig, NULL) == 0);
121 CHECK(ecount == 2);
122 CHECK(secp256k1_ecdsa_recoverable_signature_convert(both, &normal_sig, &recsig) == 1);
123
124 /* Check NULLs for de/serialization */
125 CHECK(secp256k1_ecdsa_sign_recoverable(both, &recsig, message, privkey, NULL, NULL) == 1);
126 ecount = 0;
127 CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(both, NULL, &recid, &recsig) == 0);
128 CHECK(ecount == 1);
129 CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(both, sig, NULL, &recsig) == 0);
130 CHECK(ecount == 2);
131 CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(both, sig, &recid, NULL) == 0);
132 CHECK(ecount == 3);
133 CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(both, sig, &recid, &recsig) == 1);
134
135 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(both, NULL, sig, recid) == 0);
136 CHECK(ecount == 4);
137 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(both, &recsig, NULL, recid) == 0);
138 CHECK(ecount == 5);
139 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(both, &recsig, sig, -1) == 0);
140 CHECK(ecount == 6);
141 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(both, &recsig, sig, 5) == 0);
142 CHECK(ecount == 7);
143 /* overflow in signature will fail but not affect ecount */
144 memcpy(sig, over_privkey, 32);
145 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(both, &recsig, sig, recid) == 0);
146 CHECK(ecount == 7);
147
148 /* cleanup */
149 secp256k1_context_destroy(none);
150 secp256k1_context_destroy(sign);
151 secp256k1_context_destroy(vrfy);
152 secp256k1_context_destroy(both);
153 secp256k1_context_destroy(sttc);
154}
155
156void test_ecdsa_recovery_end_to_end(void) {
157 unsigned char extra[32] = {0x00};
158 unsigned char privkey[32];
159 unsigned char message[32];
160 secp256k1_ecdsa_signature signature[5];
161 secp256k1_ecdsa_recoverable_signature rsignature[5];
162 unsigned char sig[74];
163 secp256k1_pubkey pubkey;
164 secp256k1_pubkey recpubkey;
165 int recid = 0;
166
167 /* Generate a random key and message. */
168 {
169 secp256k1_scalar msg, key;
170 random_scalar_order_test(&msg);
171 random_scalar_order_test(&key);
172 secp256k1_scalar_get_b32(privkey, &key);
173 secp256k1_scalar_get_b32(message, &msg);
174 }
175
176 /* Construct and verify corresponding public key. */
177 CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
178 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
179
180 /* Serialize/parse compact and verify/recover. */
181 extra[0] = 0;
182 CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &rsignature[0], message, privkey, NULL, NULL) == 1);
183 CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
184 CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &rsignature[4], message, privkey, NULL, NULL) == 1);
185 CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &rsignature[1], message, privkey, NULL, extra) == 1);
186 extra[31] = 1;
187 CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &rsignature[2], message, privkey, NULL, extra) == 1);
188 extra[31] = 0;
189 extra[0] = 1;
190 CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &rsignature[3], message, privkey, NULL, extra) == 1);
191 CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(ctx, sig, &recid, &rsignature[4]) == 1);
192 CHECK(secp256k1_ecdsa_recoverable_signature_convert(ctx, &signature[4], &rsignature[4]) == 1);
193 CHECK(secp256k1_memcmp_var(&signature[4], &signature[0], 64) == 0);
194 CHECK(secp256k1_ecdsa_verify(ctx, &signature[4], message, &pubkey) == 1);
195 memset(&rsignature[4], 0, sizeof(rsignature[4]));
196 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsignature[4], sig, recid) == 1);
197 CHECK(secp256k1_ecdsa_recoverable_signature_convert(ctx, &signature[4], &rsignature[4]) == 1);
198 CHECK(secp256k1_ecdsa_verify(ctx, &signature[4], message, &pubkey) == 1);
199 /* Parse compact (with recovery id) and recover. */
200 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsignature[4], sig, recid) == 1);
201 CHECK(secp256k1_ecdsa_recover(ctx, &recpubkey, &rsignature[4], message) == 1);
202 CHECK(secp256k1_memcmp_var(&pubkey, &recpubkey, sizeof(pubkey)) == 0);
203 /* Serialize/destroy/parse signature and verify again. */
204 CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(ctx, sig, &recid, &rsignature[4]) == 1);
205 sig[secp256k1_testrand_bits(6)] += 1 + secp256k1_testrand_int(255);
206 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsignature[4], sig, recid) == 1);
207 CHECK(secp256k1_ecdsa_recoverable_signature_convert(ctx, &signature[4], &rsignature[4]) == 1);
208 CHECK(secp256k1_ecdsa_verify(ctx, &signature[4], message, &pubkey) == 0);
209 /* Recover again */
210 CHECK(secp256k1_ecdsa_recover(ctx, &recpubkey, &rsignature[4], message) == 0 ||
211 secp256k1_memcmp_var(&pubkey, &recpubkey, sizeof(pubkey)) != 0);
212}
213
214/* Tests several edge cases. */
215void test_ecdsa_recovery_edge_cases(void) {
216 const unsigned char msg32[32] = {
217 'T', 'h', 'i', 's', ' ', 'i', 's', ' ',
218 'a', ' ', 'v', 'e', 'r', 'y', ' ', 's',
219 'e', 'c', 'r', 'e', 't', ' ', 'm', 'e',
220 's', 's', 'a', 'g', 'e', '.', '.', '.'
221 };
222 const unsigned char sig64[64] = {
223 /* Generated by signing the above message with nonce 'This is the nonce we will use...'
224 * and secret key 0 (which is not valid), resulting in recid 1. */
225 0x67, 0xCB, 0x28, 0x5F, 0x9C, 0xD1, 0x94, 0xE8,
226 0x40, 0xD6, 0x29, 0x39, 0x7A, 0xF5, 0x56, 0x96,
227 0x62, 0xFD, 0xE4, 0x46, 0x49, 0x99, 0x59, 0x63,
228 0x17, 0x9A, 0x7D, 0xD1, 0x7B, 0xD2, 0x35, 0x32,
229 0x4B, 0x1B, 0x7D, 0xF3, 0x4C, 0xE1, 0xF6, 0x8E,
230 0x69, 0x4F, 0xF6, 0xF1, 0x1A, 0xC7, 0x51, 0xDD,
231 0x7D, 0xD7, 0x3E, 0x38, 0x7E, 0xE4, 0xFC, 0x86,
232 0x6E, 0x1B, 0xE8, 0xEC, 0xC7, 0xDD, 0x95, 0x57
233 };
234 secp256k1_pubkey pubkey;
235 /* signature (r,s) = (4,4), which can be recovered with all 4 recids. */
236 const unsigned char sigb64[64] = {
237 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
238 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
239 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
240 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
241 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
242 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
243 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
244 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
245 };
246 secp256k1_pubkey pubkeyb;
247 secp256k1_ecdsa_recoverable_signature rsig;
248 secp256k1_ecdsa_signature sig;
249 int recid;
250
251 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 0));
252 CHECK(!secp256k1_ecdsa_recover(ctx, &pubkey, &rsig, msg32));
253 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 1));
254 CHECK(secp256k1_ecdsa_recover(ctx, &pubkey, &rsig, msg32));
255 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 2));
256 CHECK(!secp256k1_ecdsa_recover(ctx, &pubkey, &rsig, msg32));
257 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 3));
258 CHECK(!secp256k1_ecdsa_recover(ctx, &pubkey, &rsig, msg32));
259
260 for (recid = 0; recid < 4; recid++) {
261 int i;
262 int recid2;
263 /* (4,4) encoded in DER. */
264 unsigned char sigbder[8] = {0x30, 0x06, 0x02, 0x01, 0x04, 0x02, 0x01, 0x04};
265 unsigned char sigcder_zr[7] = {0x30, 0x05, 0x02, 0x00, 0x02, 0x01, 0x01};
266 unsigned char sigcder_zs[7] = {0x30, 0x05, 0x02, 0x01, 0x01, 0x02, 0x00};
267 unsigned char sigbderalt1[39] = {
268 0x30, 0x25, 0x02, 0x20, 0x00, 0x00, 0x00, 0x00,
269 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
270 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
271 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
272 0x00, 0x00, 0x00, 0x04, 0x02, 0x01, 0x04,
273 };
274 unsigned char sigbderalt2[39] = {
275 0x30, 0x25, 0x02, 0x01, 0x04, 0x02, 0x20, 0x00,
276 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
277 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
278 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
279 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
280 };
281 unsigned char sigbderalt3[40] = {
282 0x30, 0x26, 0x02, 0x21, 0x00, 0x00, 0x00, 0x00,
283 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
284 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
285 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
286 0x00, 0x00, 0x00, 0x00, 0x04, 0x02, 0x01, 0x04,
287 };
288 unsigned char sigbderalt4[40] = {
289 0x30, 0x26, 0x02, 0x01, 0x04, 0x02, 0x21, 0x00,
290 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
291 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
292 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
293 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
294 };
295 /* (order + r,4) encoded in DER. */
296 unsigned char sigbderlong[40] = {
297 0x30, 0x26, 0x02, 0x21, 0x00, 0xFF, 0xFF, 0xFF,
298 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
299 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC,
300 0xE6, 0xAF, 0x48, 0xA0, 0x3B, 0xBF, 0xD2, 0x5E,
301 0x8C, 0xD0, 0x36, 0x41, 0x45, 0x02, 0x01, 0x04
302 };
303 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigb64, recid) == 1);
304 CHECK(secp256k1_ecdsa_recover(ctx, &pubkeyb, &rsig, msg32) == 1);
305 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder)) == 1);
306 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 1);
307 for (recid2 = 0; recid2 < 4; recid2++) {
308 secp256k1_pubkey pubkey2b;
309 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigb64, recid2) == 1);
310 CHECK(secp256k1_ecdsa_recover(ctx, &pubkey2b, &rsig, msg32) == 1);
311 /* Verifying with (order + r,4) should always fail. */
312 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderlong, sizeof(sigbderlong)) == 1);
313 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0);
314 }
315 /* DER parsing tests. */
316 /* Zero length r/s. */
317 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigcder_zr, sizeof(sigcder_zr)) == 0);
318 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigcder_zs, sizeof(sigcder_zs)) == 0);
319 /* Leading zeros. */
320 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt1, sizeof(sigbderalt1)) == 0);
321 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt2, sizeof(sigbderalt2)) == 0);
322 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt3, sizeof(sigbderalt3)) == 0);
323 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt4, sizeof(sigbderalt4)) == 0);
324 sigbderalt3[4] = 1;
325 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt3, sizeof(sigbderalt3)) == 1);
326 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0);
327 sigbderalt4[7] = 1;
328 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt4, sizeof(sigbderalt4)) == 1);
329 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0);
330 /* Damage signature. */
331 sigbder[7]++;
332 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder)) == 1);
333 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0);
334 sigbder[7]--;
335 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbder, 6) == 0);
336 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder) - 1) == 0);
337 for(i = 0; i < 8; i++) {
338 int c;
339 unsigned char orig = sigbder[i];
340 /*Try every single-byte change.*/
341 for (c = 0; c < 256; c++) {
342 if (c == orig ) {
343 continue;
344 }
345 sigbder[i] = c;
346 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder)) == 0 || secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0);
347 }
348 sigbder[i] = orig;
349 }
350 }
351
352 /* Test r/s equal to zero */
353 {
354 /* (1,1) encoded in DER. */
355 unsigned char sigcder[8] = {0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01};
356 unsigned char sigc64[64] = {
357 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
358 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
359 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
360 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
361 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
362 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
363 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
364 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
365 };
366 secp256k1_pubkey pubkeyc;
367 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigc64, 0) == 1);
368 CHECK(secp256k1_ecdsa_recover(ctx, &pubkeyc, &rsig, msg32) == 1);
369 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigcder, sizeof(sigcder)) == 1);
370 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyc) == 1);
371 sigcder[4] = 0;
372 sigc64[31] = 0;
373 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigc64, 0) == 1);
374 CHECK(secp256k1_ecdsa_recover(ctx, &pubkeyb, &rsig, msg32) == 0);
375 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigcder, sizeof(sigcder)) == 1);
376 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyc) == 0);
377 sigcder[4] = 1;
378 sigcder[7] = 0;
379 sigc64[31] = 1;
380 sigc64[63] = 0;
381 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigc64, 0) == 1);
382 CHECK(secp256k1_ecdsa_recover(ctx, &pubkeyb, &rsig, msg32) == 0);
383 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigcder, sizeof(sigcder)) == 1);
384 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyc) == 0);
385 }
386}
387
388void run_recovery_tests(void) {
389 int i;
390 for (i = 0; i < count; i++) {
391 test_ecdsa_recovery_api();
392 }
393 for (i = 0; i < 64*count; i++) {
394 test_ecdsa_recovery_end_to_end();
395 }
396 test_ecdsa_recovery_edge_cases();
397}
398
399#endif /* SECP256K1_MODULE_RECOVERY_TESTS_H */
CHECK
#define CHECK(cond)
Definition util.h:80
count
int * count
Definition gmock_stress_test.cc:177
test_ecdsa_recovery_api
void test_ecdsa_recovery_api(void)
Definition tests_impl.h:31
run_recovery_tests
void run_recovery_tests(void)
Definition tests_impl.h:388
test_ecdsa_recovery_end_to_end
void test_ecdsa_recovery_end_to_end(void)
Definition tests_impl.h:156
test_ecdsa_recovery_edge_cases
void test_ecdsa_recovery_edge_cases(void)
Definition tests_impl.h:215
secp256k1_context_destroy
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Definition secp256k1.c:146
SECP256K1_CONTEXT_SIGN
#define SECP256K1_CONTEXT_SIGN
Definition secp256k1.h:196
secp256k1_context_no_precomp
SECP256K1_API const secp256k1_context * secp256k1_context_no_precomp
Definition secp256k1.c:60
secp256k1_context_set_error_callback
SECP256K1_API void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Definition secp256k1.c:162
secp256k1_ec_seckey_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Definition secp256k1.c:528
secp256k1_context_create
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Definition secp256k1.c:107
secp256k1_context_set_illegal_callback
SECP256K1_API void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Definition secp256k1.c:153
secp256k1_ecdsa_sign
SECP256K1_API int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *ndata) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Definition secp256k1.c:514
SECP256K1_CONTEXT_NONE
#define SECP256K1_CONTEXT_NONE
Definition secp256k1.h:198
secp256k1_ecdsa_signature_parse_der
SECP256K1_API int secp256k1_ecdsa_signature_parse_der(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Definition secp256k1.c:319
secp256k1_ec_pubkey_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Definition secp256k1.c:551
secp256k1_ecdsa_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Definition secp256k1.c:400
secp256k1_context_clone
SECP256K1_API secp256k1_context * secp256k1_context_clone(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Definition secp256k1.c:128
SECP256K1_CONTEXT_VERIFY
#define SECP256K1_CONTEXT_VERIFY
Definition secp256k1.h:195
secp256k1_ecdsa_recoverable_signature_serialize_compact
SECP256K1_API int secp256k1_ecdsa_recoverable_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, int *recid, const secp256k1_ecdsa_recoverable_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Definition main_impl.h:60
secp256k1_ecdsa_recoverable_signature_parse_compact
SECP256K1_API int secp256k1_ecdsa_recoverable_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_recoverable_signature *sig, const unsigned char *input64, int recid) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Definition main_impl.h:38
secp256k1_ecdsa_sign_recoverable
SECP256K1_API int secp256k1_ecdsa_sign_recoverable(const secp256k1_context *ctx, secp256k1_ecdsa_recoverable_signature *sig, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *ndata) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Definition main_impl.h:123
secp256k1_ecdsa_recoverable_signature_convert
SECP256K1_API int secp256k1_ecdsa_recoverable_signature_convert(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const secp256k1_ecdsa_recoverable_signature *sigin) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Definition main_impl.h:74
secp256k1_ecdsa_recover
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_recover(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const secp256k1_ecdsa_recoverable_signature *sig, const unsigned char *msghash32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Definition main_impl.h:137
int32_t
signed int int32_t
Definition stdint.h:123
secp256k1_context_struct
Definition secp256k1.c:47
secp256k1_ecdsa_recoverable_signature
Definition secp256k1_recovery.h:24
secp256k1_ecdsa_signature
Definition secp256k1.h:83
secp256k1_pubkey
Definition secp256k1.h:70
secp256k1_scalar
Definition scalar_4x64.h:13
random_scalar_order_test
void random_scalar_order_test(secp256k1_scalar *num)
Definition tests.c:111
key
uint8_t key[16]
Definition yubico_otp.c:41
pubkey
CK_BYTE_PTR pubkey
Definition yubihsm_pkcs11.c:4984
memset
memset(pInfo->slotDescription, ' ', 64)
memcpy
memcpy((char *) pInfo->slotDescription, s, l)