Bitcoin ABC 0.32.7
P2P Digital Currency
tests_impl.h
Go to the documentation of this file.
1/***********************************************************************
2 * Copyright (c) 2013-2015 Pieter Wuille *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
6
7#ifndef SECP256K1_MODULE_RECOVERY_TESTS_H
8#define SECP256K1_MODULE_RECOVERY_TESTS_H
9
10static int recovery_test_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
11 (void) msg32;
12 (void) key32;
13 (void) algo16;
14 (void) data;
15
16 /* On the first run, return 0 to force a second run */
17 if (counter == 0) {
18 memset(nonce32, 0, 32);
19 return 1;
20 }
21 /* On the second run, return an overflow to force a third run */
22 if (counter == 1) {
23 memset(nonce32, 0xff, 32);
24 return 1;
25 }
26 /* On the next run, return a valid nonce, but flip a coin as to whether or not to fail signing. */
27 memset(nonce32, 1, 32);
28 return secp256k1_testrand_bits(1);
29}
30
31void test_ecdsa_recovery_api(void) {
32 /* Setup contexts that just count errors */
33 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
34 secp256k1_context *sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
35 secp256k1_context *vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
36 secp256k1_context *both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
37 secp256k1_context *sttc = secp256k1_context_clone(secp256k1_context_no_precomp);
38 secp256k1_pubkey pubkey;
39 secp256k1_pubkey recpubkey;
40 secp256k1_ecdsa_signature normal_sig;
41 secp256k1_ecdsa_recoverable_signature recsig;
42 unsigned char privkey[32] = { 1 };
43 unsigned char message[32] = { 2 };
44 int32_t ecount = 0;
45 int recid = 0;
46 unsigned char sig[74];
47 unsigned char zero_privkey[32] = { 0 };
48 unsigned char over_privkey[32] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
49 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
50 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
51 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
52
53 secp256k1_context_set_error_callback(none, counting_illegal_callback_fn, &ecount);
54 secp256k1_context_set_error_callback(sign, counting_illegal_callback_fn, &ecount);
55 secp256k1_context_set_error_callback(vrfy, counting_illegal_callback_fn, &ecount);
56 secp256k1_context_set_error_callback(both, counting_illegal_callback_fn, &ecount);
57 secp256k1_context_set_error_callback(sttc, counting_illegal_callback_fn, &ecount);
58 secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
59 secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount);
60 secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
61 secp256k1_context_set_illegal_callback(both, counting_illegal_callback_fn, &ecount);
62 secp256k1_context_set_illegal_callback(sttc, counting_illegal_callback_fn, &ecount);
63
64 /* Construct and verify corresponding public key. */
65 CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
66 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
67
68 /* Check bad contexts and NULLs for signing */
69 ecount = 0;
70 CHECK(secp256k1_ecdsa_sign_recoverable(none, &recsig, message, privkey, NULL, NULL) == 1);
71 CHECK(ecount == 0);
72 CHECK(secp256k1_ecdsa_sign_recoverable(sign, &recsig, message, privkey, NULL, NULL) == 1);
73 CHECK(ecount == 0);
74 CHECK(secp256k1_ecdsa_sign_recoverable(vrfy, &recsig, message, privkey, NULL, NULL) == 1);
75 CHECK(ecount == 0);
76 CHECK(secp256k1_ecdsa_sign_recoverable(both, &recsig, message, privkey, NULL, NULL) == 1);
77 CHECK(ecount == 0);
78 CHECK(secp256k1_ecdsa_sign_recoverable(both, NULL, message, privkey, NULL, NULL) == 0);
79 CHECK(ecount == 1);
80 CHECK(secp256k1_ecdsa_sign_recoverable(both, &recsig, NULL, privkey, NULL, NULL) == 0);
81 CHECK(ecount == 2);
82 CHECK(secp256k1_ecdsa_sign_recoverable(both, &recsig, message, NULL, NULL, NULL) == 0);
83 CHECK(ecount == 3);
84 CHECK(secp256k1_ecdsa_sign_recoverable(sttc, &recsig, message, privkey, NULL, NULL) == 0);
85 CHECK(ecount == 4);
86 /* This will fail or succeed randomly, and in either case will not ARG_CHECK failure */
87 secp256k1_ecdsa_sign_recoverable(both, &recsig, message, privkey, recovery_test_nonce_function, NULL);
88 CHECK(ecount == 4);
89 /* These will all fail, but not in ARG_CHECK way */
90 CHECK(secp256k1_ecdsa_sign_recoverable(both, &recsig, message, zero_privkey, NULL, NULL) == 0);
91 CHECK(secp256k1_ecdsa_sign_recoverable(both, &recsig, message, over_privkey, NULL, NULL) == 0);
92 /* This one will succeed. */
93 CHECK(secp256k1_ecdsa_sign_recoverable(both, &recsig, message, privkey, NULL, NULL) == 1);
94 CHECK(ecount == 4);
95
96 /* Check signing with a goofy nonce function */
97
98 /* Check bad contexts and NULLs for recovery */
99 ecount = 0;
100 CHECK(secp256k1_ecdsa_recover(none, &recpubkey, &recsig, message) == 1);
101 CHECK(ecount == 0);
102 CHECK(secp256k1_ecdsa_recover(sign, &recpubkey, &recsig, message) == 1);
103 CHECK(ecount == 0);
104 CHECK(secp256k1_ecdsa_recover(vrfy, &recpubkey, &recsig, message) == 1);
105 CHECK(ecount == 0);
106 CHECK(secp256k1_ecdsa_recover(both, &recpubkey, &recsig, message) == 1);
107 CHECK(ecount == 0);
108 CHECK(secp256k1_ecdsa_recover(both, NULL, &recsig, message) == 0);
109 CHECK(ecount == 1);
110 CHECK(secp256k1_ecdsa_recover(both, &recpubkey, NULL, message) == 0);
111 CHECK(ecount == 2);
112 CHECK(secp256k1_ecdsa_recover(both, &recpubkey, &recsig, NULL) == 0);
113 CHECK(ecount == 3);
114
115 /* Check NULLs for conversion */
116 CHECK(secp256k1_ecdsa_sign(both, &normal_sig, message, privkey, NULL, NULL) == 1);
117 ecount = 0;
118 CHECK(secp256k1_ecdsa_recoverable_signature_convert(both, NULL, &recsig) == 0);
119 CHECK(ecount == 1);
120 CHECK(secp256k1_ecdsa_recoverable_signature_convert(both, &normal_sig, NULL) == 0);
121 CHECK(ecount == 2);
122 CHECK(secp256k1_ecdsa_recoverable_signature_convert(both, &normal_sig, &recsig) == 1);
123
124 /* Check NULLs for de/serialization */
125 CHECK(secp256k1_ecdsa_sign_recoverable(both, &recsig, message, privkey, NULL, NULL) == 1);
126 ecount = 0;
127 CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(both, NULL, &recid, &recsig) == 0);
128 CHECK(ecount == 1);
129 CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(both, sig, NULL, &recsig) == 0);
130 CHECK(ecount == 2);
131 CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(both, sig, &recid, NULL) == 0);
132 CHECK(ecount == 3);
133 CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(both, sig, &recid, &recsig) == 1);
134
135 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(both, NULL, sig, recid) == 0);
136 CHECK(ecount == 4);
137 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(both, &recsig, NULL, recid) == 0);
138 CHECK(ecount == 5);
139 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(both, &recsig, sig, -1) == 0);
140 CHECK(ecount == 6);
141 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(both, &recsig, sig, 5) == 0);
142 CHECK(ecount == 7);
143 /* overflow in signature will fail but not affect ecount */
144 memcpy(sig, over_privkey, 32);
145 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(both, &recsig, sig, recid) == 0);
146 CHECK(ecount == 7);
147
148 /* cleanup */
149 secp256k1_context_destroy(none);
150 secp256k1_context_destroy(sign);
151 secp256k1_context_destroy(vrfy);
152 secp256k1_context_destroy(both);
153 secp256k1_context_destroy(sttc);
154}
155
156void test_ecdsa_recovery_end_to_end(void) {
157 unsigned char extra[32] = {0x00};
158 unsigned char privkey[32];
159 unsigned char message[32];
160 secp256k1_ecdsa_signature signature[5];
161 secp256k1_ecdsa_recoverable_signature rsignature[5];
162 unsigned char sig[74];
163 secp256k1_pubkey pubkey;
164 secp256k1_pubkey recpubkey;
165 int recid = 0;
166
167 /* Generate a random key and message. */
168 {
169 secp256k1_scalar msg, key;
170 random_scalar_order_test(&msg);
171 random_scalar_order_test(&key);
172 secp256k1_scalar_get_b32(privkey, &key);
173 secp256k1_scalar_get_b32(message, &msg);
174 }
175
176 /* Construct and verify corresponding public key. */
177 CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
178 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
179
180 /* Serialize/parse compact and verify/recover. */
181 extra[0] = 0;
182 CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &rsignature[0], message, privkey, NULL, NULL) == 1);
183 CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
184 CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &rsignature[4], message, privkey, NULL, NULL) == 1);
185 CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &rsignature[1], message, privkey, NULL, extra) == 1);
186 extra[31] = 1;
187 CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &rsignature[2], message, privkey, NULL, extra) == 1);
188 extra[31] = 0;
189 extra[0] = 1;
190 CHECK(secp256k1_ecdsa_sign_recoverable(ctx, &rsignature[3], message, privkey, NULL, extra) == 1);
191 CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(ctx, sig, &recid, &rsignature[4]) == 1);
192 CHECK(secp256k1_ecdsa_recoverable_signature_convert(ctx, &signature[4], &rsignature[4]) == 1);
193 CHECK(secp256k1_ecdsa_verify(ctx, &signature[4], message, &pubkey) == 1);
194 memset(&rsignature[4], 0, sizeof(rsignature[4]));
195 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsignature[4], sig, recid) == 1);
196 CHECK(secp256k1_ecdsa_recoverable_signature_convert(ctx, &signature[4], &rsignature[4]) == 1);
197 CHECK(secp256k1_ecdsa_verify(ctx, &signature[4], message, &pubkey) == 1);
198 /* Parse compact (with recovery id) and recover. */
199 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsignature[4], sig, recid) == 1);
200 CHECK(secp256k1_ecdsa_recover(ctx, &recpubkey, &rsignature[4], message) == 1);
201 CHECK(secp256k1_memcmp_var(&pubkey, &recpubkey, sizeof(pubkey)) == 0);
202 /* Serialize/destroy/parse signature and verify again. */
203 CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(ctx, sig, &recid, &rsignature[4]) == 1);
204 sig[secp256k1_testrand_bits(6)] += 1 + secp256k1_testrand_int(255);
205 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsignature[4], sig, recid) == 1);
206 CHECK(secp256k1_ecdsa_recoverable_signature_convert(ctx, &signature[4], &rsignature[4]) == 1);
207 CHECK(secp256k1_ecdsa_verify(ctx, &signature[4], message, &pubkey) == 0);
208 /* Recover again */
209 CHECK(secp256k1_ecdsa_recover(ctx, &recpubkey, &rsignature[4], message) == 0 ||
210 secp256k1_memcmp_var(&pubkey, &recpubkey, sizeof(pubkey)) != 0);
211}
212
213/* Tests several edge cases. */
214void test_ecdsa_recovery_edge_cases(void) {
215 const unsigned char msg32[32] = {
216 'T', 'h', 'i', 's', ' ', 'i', 's', ' ',
217 'a', ' ', 'v', 'e', 'r', 'y', ' ', 's',
218 'e', 'c', 'r', 'e', 't', ' ', 'm', 'e',
219 's', 's', 'a', 'g', 'e', '.', '.', '.'
220 };
221 const unsigned char sig64[64] = {
222 /* Generated by signing the above message with nonce 'This is the nonce we will use...'
223 * and secret key 0 (which is not valid), resulting in recid 1. */
224 0x67, 0xCB, 0x28, 0x5F, 0x9C, 0xD1, 0x94, 0xE8,
225 0x40, 0xD6, 0x29, 0x39, 0x7A, 0xF5, 0x56, 0x96,
226 0x62, 0xFD, 0xE4, 0x46, 0x49, 0x99, 0x59, 0x63,
227 0x17, 0x9A, 0x7D, 0xD1, 0x7B, 0xD2, 0x35, 0x32,
228 0x4B, 0x1B, 0x7D, 0xF3, 0x4C, 0xE1, 0xF6, 0x8E,
229 0x69, 0x4F, 0xF6, 0xF1, 0x1A, 0xC7, 0x51, 0xDD,
230 0x7D, 0xD7, 0x3E, 0x38, 0x7E, 0xE4, 0xFC, 0x86,
231 0x6E, 0x1B, 0xE8, 0xEC, 0xC7, 0xDD, 0x95, 0x57
232 };
233 secp256k1_pubkey pubkey;
234 /* signature (r,s) = (4,4), which can be recovered with all 4 recids. */
235 const unsigned char sigb64[64] = {
236 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
237 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
238 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
239 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
240 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
241 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
242 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
243 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
244 };
245 secp256k1_pubkey pubkeyb;
246 secp256k1_ecdsa_recoverable_signature rsig;
247 secp256k1_ecdsa_signature sig;
248 int recid;
249
250 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 0));
251 CHECK(!secp256k1_ecdsa_recover(ctx, &pubkey, &rsig, msg32));
252 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 1));
253 CHECK(secp256k1_ecdsa_recover(ctx, &pubkey, &rsig, msg32));
254 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 2));
255 CHECK(!secp256k1_ecdsa_recover(ctx, &pubkey, &rsig, msg32));
256 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 3));
257 CHECK(!secp256k1_ecdsa_recover(ctx, &pubkey, &rsig, msg32));
258
259 for (recid = 0; recid < 4; recid++) {
260 int i;
261 int recid2;
262 /* (4,4) encoded in DER. */
263 unsigned char sigbder[8] = {0x30, 0x06, 0x02, 0x01, 0x04, 0x02, 0x01, 0x04};
264 unsigned char sigcder_zr[7] = {0x30, 0x05, 0x02, 0x00, 0x02, 0x01, 0x01};
265 unsigned char sigcder_zs[7] = {0x30, 0x05, 0x02, 0x01, 0x01, 0x02, 0x00};
266 unsigned char sigbderalt1[39] = {
267 0x30, 0x25, 0x02, 0x20, 0x00, 0x00, 0x00, 0x00,
268 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
269 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
270 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
271 0x00, 0x00, 0x00, 0x04, 0x02, 0x01, 0x04,
272 };
273 unsigned char sigbderalt2[39] = {
274 0x30, 0x25, 0x02, 0x01, 0x04, 0x02, 0x20, 0x00,
275 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
276 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
277 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
278 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
279 };
280 unsigned char sigbderalt3[40] = {
281 0x30, 0x26, 0x02, 0x21, 0x00, 0x00, 0x00, 0x00,
282 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
283 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
284 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
285 0x00, 0x00, 0x00, 0x00, 0x04, 0x02, 0x01, 0x04,
286 };
287 unsigned char sigbderalt4[40] = {
288 0x30, 0x26, 0x02, 0x01, 0x04, 0x02, 0x21, 0x00,
289 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
290 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
291 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
292 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
293 };
294 /* (order + r,4) encoded in DER. */
295 unsigned char sigbderlong[40] = {
296 0x30, 0x26, 0x02, 0x21, 0x00, 0xFF, 0xFF, 0xFF,
297 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
298 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC,
299 0xE6, 0xAF, 0x48, 0xA0, 0x3B, 0xBF, 0xD2, 0x5E,
300 0x8C, 0xD0, 0x36, 0x41, 0x45, 0x02, 0x01, 0x04
301 };
302 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigb64, recid) == 1);
303 CHECK(secp256k1_ecdsa_recover(ctx, &pubkeyb, &rsig, msg32) == 1);
304 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder)) == 1);
305 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 1);
306 for (recid2 = 0; recid2 < 4; recid2++) {
307 secp256k1_pubkey pubkey2b;
308 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigb64, recid2) == 1);
309 CHECK(secp256k1_ecdsa_recover(ctx, &pubkey2b, &rsig, msg32) == 1);
310 /* Verifying with (order + r,4) should always fail. */
311 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderlong, sizeof(sigbderlong)) == 1);
312 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0);
313 }
314 /* DER parsing tests. */
315 /* Zero length r/s. */
316 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigcder_zr, sizeof(sigcder_zr)) == 0);
317 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigcder_zs, sizeof(sigcder_zs)) == 0);
318 /* Leading zeros. */
319 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt1, sizeof(sigbderalt1)) == 0);
320 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt2, sizeof(sigbderalt2)) == 0);
321 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt3, sizeof(sigbderalt3)) == 0);
322 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt4, sizeof(sigbderalt4)) == 0);
323 sigbderalt3[4] = 1;
324 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt3, sizeof(sigbderalt3)) == 1);
325 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0);
326 sigbderalt4[7] = 1;
327 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt4, sizeof(sigbderalt4)) == 1);
328 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0);
329 /* Damage signature. */
330 sigbder[7]++;
331 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder)) == 1);
332 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0);
333 sigbder[7]--;
334 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbder, 6) == 0);
335 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder) - 1) == 0);
336 for(i = 0; i < 8; i++) {
337 int c;
338 unsigned char orig = sigbder[i];
339 /*Try every single-byte change.*/
340 for (c = 0; c < 256; c++) {
341 if (c == orig ) {
342 continue;
343 }
344 sigbder[i] = c;
345 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder)) == 0 || secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0);
346 }
347 sigbder[i] = orig;
348 }
349 }
350
351 /* Test r/s equal to zero */
352 {
353 /* (1,1) encoded in DER. */
354 unsigned char sigcder[8] = {0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01};
355 unsigned char sigc64[64] = {
356 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
357 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
358 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
359 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
360 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
361 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
362 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
363 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
364 };
365 secp256k1_pubkey pubkeyc;
366 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigc64, 0) == 1);
367 CHECK(secp256k1_ecdsa_recover(ctx, &pubkeyc, &rsig, msg32) == 1);
368 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigcder, sizeof(sigcder)) == 1);
369 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyc) == 1);
370 sigcder[4] = 0;
371 sigc64[31] = 0;
372 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigc64, 0) == 1);
373 CHECK(secp256k1_ecdsa_recover(ctx, &pubkeyb, &rsig, msg32) == 0);
374 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigcder, sizeof(sigcder)) == 1);
375 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyc) == 0);
376 sigcder[4] = 1;
377 sigcder[7] = 0;
378 sigc64[31] = 1;
379 sigc64[63] = 0;
380 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigc64, 0) == 1);
381 CHECK(secp256k1_ecdsa_recover(ctx, &pubkeyb, &rsig, msg32) == 0);
382 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigcder, sizeof(sigcder)) == 1);
383 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg32, &pubkeyc) == 0);
384 }
385}
386
387void run_recovery_tests(void) {
388 int i;
389 for (i = 0; i < count; i++) {
390 test_ecdsa_recovery_api();
391 }
392 for (i = 0; i < 64*count; i++) {
393 test_ecdsa_recovery_end_to_end();
394 }
395 test_ecdsa_recovery_edge_cases();
396}
397
398#endif /* SECP256K1_MODULE_RECOVERY_TESTS_H */
ctx
secp256k1_context * ctx
Definition: bench_impl.h:13
sig
SchnorrSig sig
Definition: processor.cpp:523
test_ecdsa_recovery_api
void test_ecdsa_recovery_api(void)
Definition: tests_impl.h:31
run_recovery_tests
void run_recovery_tests(void)
Definition: tests_impl.h:387
test_ecdsa_recovery_end_to_end
void test_ecdsa_recovery_end_to_end(void)
Definition: tests_impl.h:156
recovery_test_nonce_function
static int recovery_test_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests_impl.h:10
test_ecdsa_recovery_edge_cases
void test_ecdsa_recovery_edge_cases(void)
Definition: tests_impl.h:214
secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
secp256k1_memcmp_var
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:221
CHECK
#define CHECK(cond)
Definition: util.h:80
secp256k1_context_destroy
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:146
SECP256K1_CONTEXT_SIGN
#define SECP256K1_CONTEXT_SIGN
Definition: secp256k1.h:185
secp256k1_context_no_precomp
SECP256K1_API const secp256k1_context * secp256k1_context_no_precomp
A simple secp256k1 context object with no precomputed tables.
Definition: secp256k1.c:60
secp256k1_context_set_error_callback
SECP256K1_API void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:162
secp256k1_ec_seckey_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Verify an ECDSA secret key.
Definition: secp256k1.c:525
secp256k1_context_create
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:107
secp256k1_context_set_illegal_callback
SECP256K1_API void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an illegal argument is passed to an API call.
Definition: secp256k1.c:153
secp256k1_ecdsa_sign
SECP256K1_API int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *ndata) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create an ECDSA signature.
Definition: secp256k1.c:510
SECP256K1_CONTEXT_NONE
#define SECP256K1_CONTEXT_NONE
Definition: secp256k1.h:187
secp256k1_ecdsa_signature_parse_der
SECP256K1_API int secp256k1_ecdsa_signature_parse_der(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a DER ECDSA signature.
Definition: secp256k1.c:319
secp256k1_ec_pubkey_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the public key for a secret key.
Definition: secp256k1.c:548
secp256k1_ecdsa_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Verify an ECDSA signature.
Definition: secp256k1.c:400
secp256k1_context_clone
SECP256K1_API secp256k1_context * secp256k1_context_clone(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object (into dynamically allocated memory).
Definition: secp256k1.c:128
SECP256K1_CONTEXT_VERIFY
#define SECP256K1_CONTEXT_VERIFY
Flags to pass to secp256k1_context_create, secp256k1_context_preallocated_size, and secp256k1_context...
Definition: secp256k1.h:184
secp256k1_ecdsa_recoverable_signature_serialize_compact
SECP256K1_API int secp256k1_ecdsa_recoverable_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, int *recid, const secp256k1_ecdsa_recoverable_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize an ECDSA signature in compact format (64 bytes + recovery id).
Definition: main_impl.h:60
secp256k1_ecdsa_recoverable_signature_parse_compact
SECP256K1_API int secp256k1_ecdsa_recoverable_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_recoverable_signature *sig, const unsigned char *input64, int recid) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a compact ECDSA signature (64 bytes + recovery id).
Definition: main_impl.h:38
secp256k1_ecdsa_sign_recoverable
SECP256K1_API int secp256k1_ecdsa_sign_recoverable(const secp256k1_context *ctx, secp256k1_ecdsa_recoverable_signature *sig, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *ndata) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create a recoverable ECDSA signature.
Definition: main_impl.h:123
secp256k1_ecdsa_recoverable_signature_convert
SECP256K1_API int secp256k1_ecdsa_recoverable_signature_convert(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const secp256k1_ecdsa_recoverable_signature *sigin) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Convert a recoverable signature into a normal signature.
Definition: main_impl.h:74
secp256k1_ecdsa_recover
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_recover(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const secp256k1_ecdsa_recoverable_signature *sig, const unsigned char *msghash32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Recover an ECDSA public key from a signature.
Definition: main_impl.h:138
secp256k1_context_struct
Definition: secp256k1.c:47
secp256k1_ecdsa_recoverable_signature
Opaque data structured that holds a parsed ECDSA signature, supporting pubkey recovery.
Definition: secp256k1_recovery.h:24
secp256k1_ecdsa_signature
Opaque data structured that holds a parsed ECDSA signature.
Definition: secp256k1.h:83
secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:70
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_testrand_int
static uint32_t secp256k1_testrand_int(uint32_t range)
Generate a pseudorandom number in the range [0..range-1].
secp256k1_testrand_bits
static SECP256K1_INLINE uint64_t secp256k1_testrand_bits(int bits)
Generate a pseudorandom number in the range [0..2**bits-1].
random_scalar_order_test
void random_scalar_order_test(secp256k1_scalar *num)
Definition: tests.c:105
counting_illegal_callback_fn
static void counting_illegal_callback_fn(const char *str, void *data)
Definition: tests.c:36
count
static int count
Definition: tests.c:33
Generated on Mon Jan 26 2026 20:04:56 for Bitcoin ABC by doxygen 1.9.4