Dash Core Source Documentation (0.16.0.1)

Find detailed information regarding the Dash Core source code.

tests_impl.h
Go to the documentation of this file.
1 /**********************************************************************
2  * Copyright (c) 2013-2015 Pieter Wuille *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5  **********************************************************************/
6 
7 #ifndef SECP256K1_MODULE_RECOVERY_TESTS_H
8 #define SECP256K1_MODULE_RECOVERY_TESTS_H
9 
10 static int recovery_test_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
11  (void) msg32;
12  (void) key32;
13  (void) algo16;
14  (void) data;
15 
16  /* On the first run, return 0 to force a second run */
17  if (counter == 0) {
18  memset(nonce32, 0, 32);
19  return 1;
20  }
21  /* On the second run, return an overflow to force a third run */
22  if (counter == 1) {
23  memset(nonce32, 0xff, 32);
24  return 1;
25  }
26  /* On the next run, return a valid nonce, but flip a coin as to whether or not to fail signing. */
27  memset(nonce32, 1, 32);
28  return secp256k1_rand_bits(1);
29 }
30 
31 void test_ecdsa_recovery_api(void) {
32  /* Setup contexts that just count errors */
33  secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
34  secp256k1_context *sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
35  secp256k1_context *vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
36  secp256k1_context *both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
37  secp256k1_pubkey pubkey;
38  secp256k1_pubkey recpubkey;
39  secp256k1_ecdsa_signature normal_sig;
40  secp256k1_ecdsa_recoverable_signature recsig;
41  unsigned char privkey[32] = { 1 };
42  unsigned char message[32] = { 2 };
43  int32_t ecount = 0;
44  int recid = 0;
45  unsigned char sig[74];
46  unsigned char zero_privkey[32] = { 0 };
47  unsigned char over_privkey[32] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
48  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
49  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
50  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
51 
52  secp256k1_context_set_error_callback(none, counting_illegal_callback_fn, &ecount);
53  secp256k1_context_set_error_callback(sign, counting_illegal_callback_fn, &ecount);
54  secp256k1_context_set_error_callback(vrfy, counting_illegal_callback_fn, &ecount);
55  secp256k1_context_set_error_callback(both, counting_illegal_callback_fn, &ecount);
56  secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
57  secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount);
58  secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
59  secp256k1_context_set_illegal_callback(both, counting_illegal_callback_fn, &ecount);
60 
61  /* Construct and verify corresponding public key. */
62  CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
63  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
64 
65  /* Check bad contexts and NULLs for signing */
66  ecount = 0;
67  CHECK(secp256k1_ecdsa_sign_recoverable(none, &recsig, message, privkey, NULL, NULL) == 0);
68  CHECK(ecount == 1);
69  CHECK(secp256k1_ecdsa_sign_recoverable(sign, &recsig, message, privkey, NULL, NULL) == 1);
70  CHECK(ecount == 1);
71  CHECK(secp256k1_ecdsa_sign_recoverable(vrfy, &recsig, message, privkey, NULL, NULL) == 0);
72  CHECK(ecount == 2);
73  CHECK(secp256k1_ecdsa_sign_recoverable(both, &recsig, message, privkey, NULL, NULL) == 1);
74  CHECK(ecount == 2);
75  CHECK(secp256k1_ecdsa_sign_recoverable(both, NULL, message, privkey, NULL, NULL) == 0);
76  CHECK(ecount == 3);
77  CHECK(secp256k1_ecdsa_sign_recoverable(both, &recsig, NULL, privkey, NULL, NULL) == 0);
78  CHECK(ecount == 4);
79  CHECK(secp256k1_ecdsa_sign_recoverable(both, &recsig, message, NULL, NULL, NULL) == 0);
80  CHECK(ecount == 5);
81  /* This will fail or succeed randomly, and in either case will not ARG_CHECK failure */
82  secp256k1_ecdsa_sign_recoverable(both, &recsig, message, privkey, recovery_test_nonce_function, NULL);
83  CHECK(ecount == 5);
84  /* These will all fail, but not in ARG_CHECK way */
85  CHECK(secp256k1_ecdsa_sign_recoverable(both, &recsig, message, zero_privkey, NULL, NULL) == 0);
86  CHECK(secp256k1_ecdsa_sign_recoverable(both, &recsig, message, over_privkey, NULL, NULL) == 0);
87  /* This one will succeed. */
88  CHECK(secp256k1_ecdsa_sign_recoverable(both, &recsig, message, privkey, NULL, NULL) == 1);
89  CHECK(ecount == 5);
90 
91  /* Check signing with a goofy nonce function */
92 
93  /* Check bad contexts and NULLs for recovery */
94  ecount = 0;
95  CHECK(secp256k1_ecdsa_recover(none, &recpubkey, &recsig, message) == 0);
96  CHECK(ecount == 1);
97  CHECK(secp256k1_ecdsa_recover(sign, &recpubkey, &recsig, message) == 0);
98  CHECK(ecount == 2);
99  CHECK(secp256k1_ecdsa_recover(vrfy, &recpubkey, &recsig, message) == 1);
100  CHECK(ecount == 2);
101  CHECK(secp256k1_ecdsa_recover(both, &recpubkey, &recsig, message) == 1);
102  CHECK(ecount == 2);
103  CHECK(secp256k1_ecdsa_recover(both, NULL, &recsig, message) == 0);
104  CHECK(ecount == 3);
105  CHECK(secp256k1_ecdsa_recover(both, &recpubkey, NULL, message) == 0);
106  CHECK(ecount == 4);
107  CHECK(secp256k1_ecdsa_recover(both, &recpubkey, &recsig, NULL) == 0);
108  CHECK(ecount == 5);
109 
110  /* Check NULLs for conversion */
111  CHECK(secp256k1_ecdsa_sign(both, &normal_sig, message, privkey, NULL, NULL) == 1);
112  ecount = 0;
113  CHECK(secp256k1_ecdsa_recoverable_signature_convert(both, NULL, &recsig) == 0);
114  CHECK(ecount == 1);
115  CHECK(secp256k1_ecdsa_recoverable_signature_convert(both, &normal_sig, NULL) == 0);
116  CHECK(ecount == 2);
117  CHECK(secp256k1_ecdsa_recoverable_signature_convert(both, &normal_sig, &recsig) == 1);
118 
119  /* Check NULLs for de/serialization */
120  CHECK(secp256k1_ecdsa_sign_recoverable(both, &recsig, message, privkey, NULL, NULL) == 1);
121  ecount = 0;
122  CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(both, NULL, &recid, &recsig) == 0);
123  CHECK(ecount == 1);
124  CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(both, sig, NULL, &recsig) == 0);
125  CHECK(ecount == 2);
126  CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(both, sig, &recid, NULL) == 0);
127  CHECK(ecount == 3);
128  CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(both, sig, &recid, &recsig) == 1);
129 
130  CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(both, NULL, sig, recid) == 0);
131  CHECK(ecount == 4);
132  CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(both, &recsig, NULL, recid) == 0);
133  CHECK(ecount == 5);
134  CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(both, &recsig, sig, -1) == 0);
135  CHECK(ecount == 6);
136  CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(both, &recsig, sig, 5) == 0);
137  CHECK(ecount == 7);
138  /* overflow in signature will fail but not affect ecount */
139  memcpy(sig, over_privkey, 32);
140  CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(both, &recsig, sig, recid) == 0);
141  CHECK(ecount == 7);
142 
143  /* cleanup */
144  secp256k1_context_destroy(none);
145  secp256k1_context_destroy(sign);
146  secp256k1_context_destroy(vrfy);
147  secp256k1_context_destroy(both);
148 }
149 
150 void test_ecdsa_recovery_end_to_end(void) {
151  unsigned char extra[32] = {0x00};
152  unsigned char privkey[32];
153  unsigned char message[32];
154  secp256k1_ecdsa_signature signature[5];
155  secp256k1_ecdsa_recoverable_signature rsignature[5];
156  unsigned char sig[74];
157  secp256k1_pubkey pubkey;
158  secp256k1_pubkey recpubkey;
159  int recid = 0;
160 
161  /* Generate a random key and message. */
162  {
163  secp256k1_scalar msg, key;
164  random_scalar_order_test(&msg);
165  random_scalar_order_test(&key);
166  secp256k1_scalar_get_b32(privkey, &key);
167  secp256k1_scalar_get_b32(message, &msg);
168  }
169 
170  /* Construct and verify corresponding public key. */
171  CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
172  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
173 
174  /* Serialize/parse compact and verify/recover. */
175  extra[0] = 0;
176  CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &rsignature[0], message, privkey, NULL, NULL) == 1);
177  CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
178  CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &rsignature[4], message, privkey, NULL, NULL) == 1);
179  CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &rsignature[1], message, privkey, NULL, extra) == 1);
180  extra[31] = 1;
181  CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &rsignature[2], message, privkey, NULL, extra) == 1);
182  extra[31] = 0;
183  extra[0] = 1;
184  CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &rsignature[3], message, privkey, NULL, extra) == 1);
185  CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(ctx, sig, &recid, &rsignature[4]) == 1);
186  CHECK(secp256k1_ecdsa_recoverable_signature_convert(ctx, &signature[4], &rsignature[4]) == 1);
187  CHECK(memcmp(&signature[4], &signature[0], 64) == 0);
188  CHECK(secp256k1_ecdsa_verify(ctx, &signature[4], message, &pubkey) == 1);
189  memset(&rsignature[4], 0, sizeof(rsignature[4]));
190  CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsignature[4], sig, recid) == 1);
191  CHECK(secp256k1_ecdsa_recoverable_signature_convert(ctx, &signature[4], &rsignature[4]) == 1);
192  CHECK(secp256k1_ecdsa_verify(ctx, &signature[4], message, &pubkey) == 1);
193  /* Parse compact (with recovery id) and recover. */
194  CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsignature[4], sig, recid) == 1);
195  CHECK(secp256k1_ecdsa_recover(ctx, &recpubkey, &rsignature[4], message) == 1);
196  CHECK(memcmp(&pubkey, &recpubkey, sizeof(pubkey)) == 0);
197  /* Serialize/destroy/parse signature and verify again. */
198  CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(ctx, sig, &recid, &rsignature[4]) == 1);
199  sig[secp256k1_rand_bits(6)] += 1 + secp256k1_rand_int(255);
200  CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsignature[4], sig, recid) == 1);
201  CHECK(secp256k1_ecdsa_recoverable_signature_convert(ctx, &signature[4], &rsignature[4]) == 1);
202  CHECK(secp256k1_ecdsa_verify(ctx, &signature[4], message, &pubkey) == 0);
203  /* Recover again */
204  CHECK(secp256k1_ecdsa_recover(ctx, &recpubkey, &rsignature[4], message) == 0 ||
205  memcmp(&pubkey, &recpubkey, sizeof(pubkey)) != 0);
206 }
207 
208 /* Tests several edge cases. */
209 void test_ecdsa_recovery_edge_cases(void) {
210  const unsigned char msg32[32] = {
211  'T', 'h', 'i', 's', ' ', 'i', 's', ' ',
212  'a', ' ', 'v', 'e', 'r', 'y', ' ', 's',
213  'e', 'c', 'r', 'e', 't', ' ', 'm', 'e',
214  's', 's', 'a', 'g', 'e', '.', '.', '.'
215  };
216  const unsigned char sig64[64] = {
217  /* Generated by signing the above message with nonce 'This is the nonce we will use...'
218  * and secret key 0 (which is not valid), resulting in recid 0. */
219  0x67, 0xCB, 0x28, 0x5F, 0x9C, 0xD1, 0x94, 0xE8,
220  0x40, 0xD6, 0x29, 0x39, 0x7A, 0xF5, 0x56, 0x96,
221  0x62, 0xFD, 0xE4, 0x46, 0x49, 0x99, 0x59, 0x63,
222  0x17, 0x9A, 0x7D, 0xD1, 0x7B, 0xD2, 0x35, 0x32,
223  0x4B, 0x1B, 0x7D, 0xF3, 0x4C, 0xE1, 0xF6, 0x8E,
224  0x69, 0x4F, 0xF6, 0xF1, 0x1A, 0xC7, 0x51, 0xDD,
225  0x7D, 0xD7, 0x3E, 0x38, 0x7E, 0xE4, 0xFC, 0x86,
226  0x6E, 0x1B, 0xE8, 0xEC, 0xC7, 0xDD, 0x95, 0x57
227  };
228  secp256k1_pubkey pubkey;
229  /* signature (r,s) = (4,4), which can be recovered with all 4 recids. */
230  const unsigned char sigb64[64] = {
231  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
232  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
233  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
234  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
235  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
236  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
237  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
238  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
239  };
240  secp256k1_pubkey pubkeyb;
241  secp256k1_ecdsa_recoverable_signature rsig;
242  secp256k1_ecdsa_signature sig;
243  int recid;
244 
245  CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 0));
246  CHECK(!secp256k1_ecdsa_recover(ctx, &pubkey, &rsig, msg32));
247  CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 1));
248  CHECK(secp256k1_ecdsa_recover(ctx, &pubkey, &rsig, msg32));
249  CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 2));
250  CHECK(!secp256k1_ecdsa_recover(ctx, &pubkey, &rsig, msg32));
251  CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 3));
252  CHECK(!secp256k1_ecdsa_recover(ctx, &pubkey, &rsig, msg32));
253 
254  for (recid = 0; recid < 4; recid++) {
255  int i;
256  int recid2;
257  /* (4,4) encoded in DER. */
258  unsigned char sigbder[8] = {0x30, 0x06, 0x02, 0x01, 0x04, 0x02, 0x01, 0x04};
259  unsigned char sigcder_zr[7] = {0x30, 0x05, 0x02, 0x00, 0x02, 0x01, 0x01};
260  unsigned char sigcder_zs[7] = {0x30, 0x05, 0x02, 0x01, 0x01, 0x02, 0x00};
261  unsigned char sigbderalt1[39] = {
262  0x30, 0x25, 0x02, 0x20, 0x00, 0x00, 0x00, 0x00,
263  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
264  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
265  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
266  0x00, 0x00, 0x00, 0x04, 0x02, 0x01, 0x04,
267  };
268  unsigned char sigbderalt2[39] = {
269  0x30, 0x25, 0x02, 0x01, 0x04, 0x02, 0x20, 0x00,
270  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
271  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
272  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
273  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
274  };
275  unsigned char sigbderalt3[40] = {
276  0x30, 0x26, 0x02, 0x21, 0x00, 0x00, 0x00, 0x00,
277  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
278  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
279  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
280  0x00, 0x00, 0x00, 0x00, 0x04, 0x02, 0x01, 0x04,
281  };
282  unsigned char sigbderalt4[40] = {
283  0x30, 0x26, 0x02, 0x01, 0x04, 0x02, 0x21, 0x00,
284  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
285  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
286  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
287  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
288  };
289  /* (order + r,4) encoded in DER. */
290  unsigned char sigbderlong[40] = {
291  0x30, 0x26, 0x02, 0x21, 0x00, 0xFF, 0xFF, 0xFF,
292  0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
293  0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC,
294  0xE6, 0xAF, 0x48, 0xA0, 0x3B, 0xBF, 0xD2, 0x5E,
295  0x8C, 0xD0, 0x36, 0x41, 0x45, 0x02, 0x01, 0x04
296  };
297  CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigb64, recid) == 1);
298  CHECK(secp256k1_ecdsa_recover(ctx, &pubkeyb, &rsig, msg32) == 1);
299  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder)) == 1);
300  CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 1);
301  for (recid2 = 0; recid2 < 4; recid2++) {
302  secp256k1_pubkey pubkey2b;
303  CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigb64, recid2) == 1);
304  CHECK(secp256k1_ecdsa_recover(ctx, &pubkey2b, &rsig, msg32) == 1);
305  /* Verifying with (order + r,4) should always fail. */
306  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderlong, sizeof(sigbderlong)) == 1);
307  CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0);
308  }
309  /* DER parsing tests. */
310  /* Zero length r/s. */
311  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigcder_zr, sizeof(sigcder_zr)) == 0);
312  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigcder_zs, sizeof(sigcder_zs)) == 0);
313  /* Leading zeros. */
314  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt1, sizeof(sigbderalt1)) == 0);
315  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt2, sizeof(sigbderalt2)) == 0);
316  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt3, sizeof(sigbderalt3)) == 0);
317  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt4, sizeof(sigbderalt4)) == 0);
318  sigbderalt3[4] = 1;
319  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt3, sizeof(sigbderalt3)) == 1);
320  CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0);
321  sigbderalt4[7] = 1;
322  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt4, sizeof(sigbderalt4)) == 1);
323  CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0);
324  /* Damage signature. */
325  sigbder[7]++;
326  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder)) == 1);
327  CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0);
328  sigbder[7]--;
329  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbder, 6) == 0);
330  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder) - 1) == 0);
331  for(i = 0; i < 8; i++) {
332  int c;
333  unsigned char orig = sigbder[i];
334  /*Try every single-byte change.*/
335  for (c = 0; c < 256; c++) {
336  if (c == orig ) {
337  continue;
338  }
339  sigbder[i] = c;
340  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder)) == 0 || secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0);
341  }
342  sigbder[i] = orig;
343  }
344  }
345 
346  /* Test r/s equal to zero */
347  {
348  /* (1,1) encoded in DER. */
349  unsigned char sigcder[8] = {0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01};
350  unsigned char sigc64[64] = {
351  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
352  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
353  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
354  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
355  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
356  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
357  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
358  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
359  };
360  secp256k1_pubkey pubkeyc;
361  CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigc64, 0) == 1);
362  CHECK(secp256k1_ecdsa_recover(ctx, &pubkeyc, &rsig, msg32) == 1);
363  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigcder, sizeof(sigcder)) == 1);
364  CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyc) == 1);
365  sigcder[4] = 0;
366  sigc64[31] = 0;
367  CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigc64, 0) == 1);
368  CHECK(secp256k1_ecdsa_recover(ctx, &pubkeyb, &rsig, msg32) == 0);
369  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigcder, sizeof(sigcder)) == 1);
370  CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyc) == 0);
371  sigcder[4] = 1;
372  sigcder[7] = 0;
373  sigc64[31] = 1;
374  sigc64[63] = 0;
375  CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigc64, 0) == 1);
376  CHECK(secp256k1_ecdsa_recover(ctx, &pubkeyb, &rsig, msg32) == 0);
377  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigcder, sizeof(sigcder)) == 1);
378  CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyc) == 0);
379  }
380 }
381 
382 void run_recovery_tests(void) {
383  int i;
384  for (i = 0; i < count; i++) {
385  test_ecdsa_recovery_api();
386  }
387  for (i = 0; i < 64*count; i++) {
388  test_ecdsa_recovery_end_to_end();
389  }
390  test_ecdsa_recovery_edge_cases();
391 }
392 
393 #endif /* SECP256K1_MODULE_RECOVERY_TESTS_H */
secp256k1_ecdsa_recoverable_signature_parse_compact
SECP256K1_API int secp256k1_ecdsa_recoverable_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_recoverable_signature *sig, const unsigned char *input64, int recid) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a compact ECDSA signature (64 bytes + recovery id).
Definition: main_impl.h:38
secp256k1_context_set_illegal_callback
SECP256K1_API void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an illegal argument is passed to an API call...
Definition: secp256k1.c:111
test_ecdsa_recovery_end_to_end
void test_ecdsa_recovery_end_to_end(void)
Definition: tests_impl.h:150
secp256k1_ecdsa_recoverable_signature
Opaque data structured that holds a parsed ECDSA signature, supporting pubkey recovery.
Definition: secp256k1_recovery.h:24
SECP256K1_CONTEXT_NONE
#define SECP256K1_CONTEXT_NONE
Definition: secp256k1.h:169
secp256k1_ecdsa_recoverable_signature_convert
SECP256K1_API int secp256k1_ecdsa_recoverable_signature_convert(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const secp256k1_ecdsa_recoverable_signature *sigin) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Convert a recoverable signature into a normal signature.
Definition: main_impl.h:74
secp256k1_rand_int
static uint32_t secp256k1_rand_int(uint32_t range)
Generate a pseudorandom number in the range [0..range-1].
recovery_test_nonce_function
static int recovery_test_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests_impl.h:10
secp256k1_context_struct
Definition: secp256k1.c:52
SECP256K1_CONTEXT_SIGN
#define SECP256K1_CONTEXT_SIGN
Definition: secp256k1.h:168
test_ecdsa_recovery_api
void test_ecdsa_recovery_api(void)
Definition: tests_impl.h:31
secp256k1_context_destroy
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx)
Destroy a secp256k1 context object.
Definition: secp256k1.c:101
secp256k1_ec_pubkey_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the public key for a secret key.
Definition: secp256k1.c:428
test_ecdsa_recovery_edge_cases
void test_ecdsa_recovery_edge_cases(void)
Definition: tests_impl.h:209
secp256k1_ec_seckey_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Verify an ECDSA secret key.
Definition: secp256k1.c:415
ctx
static secp256k1_context * ctx
Definition: tests.c:46
secp256k1_ecdsa_sign
SECP256K1_API int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *ndata) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create an ECDSA signature.
Definition: secp256k1.c:369
secp256k1_ecdsa_sign_recoverable
SECP256K1_API int secp256k1_ecdsa_sign_recoverable(const secp256k1_context *ctx, secp256k1_ecdsa_recoverable_signature *sig, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *ndata) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create a recoverable ECDSA signature.
Definition: main_impl.h:123
secp256k1_ecdsa_signature
Opaque data structured that holds a parsed ECDSA signature.
Definition: secp256k1.h:79
secp256k1_ecdsa_recoverable_signature_serialize_compact
SECP256K1_API int secp256k1_ecdsa_recoverable_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, int *recid, const secp256k1_ecdsa_recoverable_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize an ECDSA signature in compact format (64 bytes + recovery id).
Definition: main_impl.h:60
CHECK
#define CHECK(cond)
Definition: util.h:52
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_context_set_error_callback
SECP256K1_API void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:120
secp256k1_ecdsa_signature_parse_der
SECP256K1_API int secp256k1_ecdsa_signature_parse_der(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a DER ECDSA signature.
Definition: secp256k1.c:233
secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
SECP256K1_CONTEXT_VERIFY
#define SECP256K1_CONTEXT_VERIFY
Flags to pass to secp256k1_context_create.
Definition: secp256k1.h:167
secp256k1_ecdsa_recover
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_recover(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const secp256k1_ecdsa_recoverable_signature *sig, const unsigned char *msg32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Recover an ECDSA public key from a signature.
Definition: main_impl.h:170
random_scalar_order_test
void random_scalar_order_test(secp256k1_scalar *num)
Definition: tests.c:114
secp256k1_rand_bits
static uint32_t secp256k1_rand_bits(int bits)
Generate a pseudorandom number in the range [0..2**bits-1].
memcpy
void * memcpy(void *a, const void *b, size_t c)
Definition: glibc_compat.cpp:18
count
static int count
Definition: tests.c:45
counting_illegal_callback_fn
static void counting_illegal_callback_fn(const char *str, void *data)
Definition: tests.c:48
secp256k1_context_create
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object.
Definition: secp256k1.c:67
run_recovery_tests
void run_recovery_tests(void)
Definition: tests_impl.h:382
secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:66
secp256k1_ecdsa_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msg32, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Verify an ECDSA signature.
Definition: secp256k1.c:314
Released under the MIT license