Bitcoin Core 28.99.0
P2P Digital Currency
tests_impl.h
Go to the documentation of this file.
1/***********************************************************************
2 * Copyright (c) 2013-2015 Pieter Wuille *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
6
7#ifndef SECP256K1_MODULE_RECOVERY_TESTS_H
8#define SECP256K1_MODULE_RECOVERY_TESTS_H
9
10static int recovery_test_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
11 (void) msg32;
12 (void) key32;
13 (void) algo16;
14 (void) data;
15
16 /* On the first run, return 0 to force a second run */
17 if (counter == 0) {
18 memset(nonce32, 0, 32);
19 return 1;
20 }
21 /* On the second run, return an overflow to force a third run */
22 if (counter == 1) {
23 memset(nonce32, 0xff, 32);
24 return 1;
25 }
26 /* On the next run, return a valid nonce, but flip a coin as to whether or not to fail signing. */
27 memset(nonce32, 1, 32);
28 return testrand_bits(1);
29}
30
31static void test_ecdsa_recovery_api(void) {
32 /* Setup contexts that just count errors */
33 secp256k1_pubkey pubkey;
34 secp256k1_pubkey recpubkey;
35 secp256k1_ecdsa_signature normal_sig;
36 secp256k1_ecdsa_recoverable_signature recsig;
37 unsigned char privkey[32] = { 1 };
38 unsigned char message[32] = { 2 };
39 int recid = 0;
40 unsigned char sig[74];
41 unsigned char zero_privkey[32] = { 0 };
42 unsigned char over_privkey[32] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
43 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
44 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
45 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
46
47 /* Construct and verify corresponding public key. */
48 CHECK(secp256k1_ec_seckey_verify(CTX, privkey) == 1);
49 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, privkey) == 1);
50
51 /* Check bad contexts and NULLs for signing */
52 CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &recsig, message, privkey, NULL, NULL) == 1);
53 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_sign_recoverable(CTX, NULL, message, privkey, NULL, NULL));
54 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_sign_recoverable(CTX, &recsig, NULL, privkey, NULL, NULL));
55 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_sign_recoverable(CTX, &recsig, message, NULL, NULL, NULL));
56 CHECK_ILLEGAL(STATIC_CTX, secp256k1_ecdsa_sign_recoverable(STATIC_CTX, &recsig, message, privkey, NULL, NULL));
57 /* This will fail or succeed randomly, and in either case will not ARG_CHECK failure */
58 secp256k1_ecdsa_sign_recoverable(CTX, &recsig, message, privkey, recovery_test_nonce_function, NULL);
59 /* These will all fail, but not in ARG_CHECK way */
60 CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &recsig, message, zero_privkey, NULL, NULL) == 0);
61 CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &recsig, message, over_privkey, NULL, NULL) == 0);
62 /* This one will succeed. */
63 CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &recsig, message, privkey, NULL, NULL) == 1);
64
65 /* Check signing with a goofy nonce function */
66
67 /* Check bad contexts and NULLs for recovery */
68 CHECK(secp256k1_ecdsa_recover(CTX, &recpubkey, &recsig, message) == 1);
69 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_recover(CTX, NULL, &recsig, message));
70 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_recover(CTX, &recpubkey, NULL, message));
71 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_recover(CTX, &recpubkey, &recsig, NULL));
72
73 /* Check NULLs for conversion */
74 CHECK(secp256k1_ecdsa_sign(CTX, &normal_sig, message, privkey, NULL, NULL) == 1);
75 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_recoverable_signature_convert(CTX, NULL, &recsig));
76 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_recoverable_signature_convert(CTX, &normal_sig, NULL));
77 CHECK(secp256k1_ecdsa_recoverable_signature_convert(CTX, &normal_sig, &recsig) == 1);
78
79 /* Check NULLs for de/serialization */
80 CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &recsig, message, privkey, NULL, NULL) == 1);
81 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_recoverable_signature_serialize_compact(CTX, NULL, &recid, &recsig));
82 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_recoverable_signature_serialize_compact(CTX, sig, NULL, &recsig));
83 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_recoverable_signature_serialize_compact(CTX, sig, &recid, NULL));
84 CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(CTX, sig, &recid, &recsig) == 1);
85
86 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, NULL, sig, recid));
87 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &recsig, NULL, recid));
88 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &recsig, sig, -1));
89 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &recsig, sig, 5));
90 /* overflow in signature will not result in calling illegal_callback */
91 memcpy(sig, over_privkey, 32);
92 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &recsig, sig, recid) == 0);
93}
94
95static void test_ecdsa_recovery_end_to_end(void) {
96 unsigned char extra[32] = {0x00};
97 unsigned char privkey[32];
98 unsigned char message[32];
99 secp256k1_ecdsa_signature signature[5];
100 secp256k1_ecdsa_recoverable_signature rsignature[5];
101 unsigned char sig[74];
102 secp256k1_pubkey pubkey;
103 secp256k1_pubkey recpubkey;
104 int recid = 0;
105
106 /* Generate a random key and message. */
107 {
108 secp256k1_scalar msg, key;
109 testutil_random_scalar_order_test(&msg);
110 testutil_random_scalar_order_test(&key);
111 secp256k1_scalar_get_b32(privkey, &key);
112 secp256k1_scalar_get_b32(message, &msg);
113 }
114
115 /* Construct and verify corresponding public key. */
116 CHECK(secp256k1_ec_seckey_verify(CTX, privkey) == 1);
117 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, privkey) == 1);
118
119 /* Serialize/parse compact and verify/recover. */
120 extra[0] = 0;
121 CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &rsignature[0], message, privkey, NULL, NULL) == 1);
122 CHECK(secp256k1_ecdsa_sign(CTX, &signature[0], message, privkey, NULL, NULL) == 1);
123 CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &rsignature[4], message, privkey, NULL, NULL) == 1);
124 CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &rsignature[1], message, privkey, NULL, extra) == 1);
125 extra[31] = 1;
126 CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &rsignature[2], message, privkey, NULL, extra) == 1);
127 extra[31] = 0;
128 extra[0] = 1;
129 CHECK(secp256k1_ecdsa_sign_recoverable(CTX, &rsignature[3], message, privkey, NULL, extra) == 1);
130 CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(CTX, sig, &recid, &rsignature[4]) == 1);
131 CHECK(secp256k1_ecdsa_recoverable_signature_convert(CTX, &signature[4], &rsignature[4]) == 1);
132 CHECK(secp256k1_memcmp_var(&signature[4], &signature[0], 64) == 0);
133 CHECK(secp256k1_ecdsa_verify(CTX, &signature[4], message, &pubkey) == 1);
134 memset(&rsignature[4], 0, sizeof(rsignature[4]));
135 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsignature[4], sig, recid) == 1);
136 CHECK(secp256k1_ecdsa_recoverable_signature_convert(CTX, &signature[4], &rsignature[4]) == 1);
137 CHECK(secp256k1_ecdsa_verify(CTX, &signature[4], message, &pubkey) == 1);
138 /* Parse compact (with recovery id) and recover. */
139 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsignature[4], sig, recid) == 1);
140 CHECK(secp256k1_ecdsa_recover(CTX, &recpubkey, &rsignature[4], message) == 1);
141 CHECK(secp256k1_memcmp_var(&pubkey, &recpubkey, sizeof(pubkey)) == 0);
142 /* Serialize/destroy/parse signature and verify again. */
143 CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(CTX, sig, &recid, &rsignature[4]) == 1);
144 sig[testrand_bits(6)] += 1 + testrand_int(255);
145 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsignature[4], sig, recid) == 1);
146 CHECK(secp256k1_ecdsa_recoverable_signature_convert(CTX, &signature[4], &rsignature[4]) == 1);
147 CHECK(secp256k1_ecdsa_verify(CTX, &signature[4], message, &pubkey) == 0);
148 /* Recover again */
149 CHECK(secp256k1_ecdsa_recover(CTX, &recpubkey, &rsignature[4], message) == 0 ||
150 secp256k1_memcmp_var(&pubkey, &recpubkey, sizeof(pubkey)) != 0);
151}
152
153/* Tests several edge cases. */
154static void test_ecdsa_recovery_edge_cases(void) {
155 const unsigned char msg32[32] = {
156 'T', 'h', 'i', 's', ' ', 'i', 's', ' ',
157 'a', ' ', 'v', 'e', 'r', 'y', ' ', 's',
158 'e', 'c', 'r', 'e', 't', ' ', 'm', 'e',
159 's', 's', 'a', 'g', 'e', '.', '.', '.'
160 };
161 const unsigned char sig64[64] = {
162 /* Generated by signing the above message with nonce 'This is the nonce we will use...'
163 * and secret key 0 (which is not valid), resulting in recid 1. */
164 0x67, 0xCB, 0x28, 0x5F, 0x9C, 0xD1, 0x94, 0xE8,
165 0x40, 0xD6, 0x29, 0x39, 0x7A, 0xF5, 0x56, 0x96,
166 0x62, 0xFD, 0xE4, 0x46, 0x49, 0x99, 0x59, 0x63,
167 0x17, 0x9A, 0x7D, 0xD1, 0x7B, 0xD2, 0x35, 0x32,
168 0x4B, 0x1B, 0x7D, 0xF3, 0x4C, 0xE1, 0xF6, 0x8E,
169 0x69, 0x4F, 0xF6, 0xF1, 0x1A, 0xC7, 0x51, 0xDD,
170 0x7D, 0xD7, 0x3E, 0x38, 0x7E, 0xE4, 0xFC, 0x86,
171 0x6E, 0x1B, 0xE8, 0xEC, 0xC7, 0xDD, 0x95, 0x57
172 };
173 secp256k1_pubkey pubkey;
174 /* signature (r,s) = (4,4), which can be recovered with all 4 recids. */
175 const unsigned char sigb64[64] = {
176 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
177 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
178 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
179 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
180 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
181 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
182 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
183 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
184 };
185 secp256k1_pubkey pubkeyb;
186 secp256k1_ecdsa_recoverable_signature rsig;
187 secp256k1_ecdsa_signature sig;
188 int recid;
189
190 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsig, sig64, 0));
191 CHECK(!secp256k1_ecdsa_recover(CTX, &pubkey, &rsig, msg32));
192 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsig, sig64, 1));
193 CHECK(secp256k1_ecdsa_recover(CTX, &pubkey, &rsig, msg32));
194 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsig, sig64, 2));
195 CHECK(!secp256k1_ecdsa_recover(CTX, &pubkey, &rsig, msg32));
196 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsig, sig64, 3));
197 CHECK(!secp256k1_ecdsa_recover(CTX, &pubkey, &rsig, msg32));
198
199 for (recid = 0; recid < 4; recid++) {
200 int i;
201 int recid2;
202 /* (4,4) encoded in DER. */
203 unsigned char sigbder[8] = {0x30, 0x06, 0x02, 0x01, 0x04, 0x02, 0x01, 0x04};
204 unsigned char sigcder_zr[7] = {0x30, 0x05, 0x02, 0x00, 0x02, 0x01, 0x01};
205 unsigned char sigcder_zs[7] = {0x30, 0x05, 0x02, 0x01, 0x01, 0x02, 0x00};
206 unsigned char sigbderalt1[39] = {
207 0x30, 0x25, 0x02, 0x20, 0x00, 0x00, 0x00, 0x00,
208 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
209 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
210 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
211 0x00, 0x00, 0x00, 0x04, 0x02, 0x01, 0x04,
212 };
213 unsigned char sigbderalt2[39] = {
214 0x30, 0x25, 0x02, 0x01, 0x04, 0x02, 0x20, 0x00,
215 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
216 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
217 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
218 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
219 };
220 unsigned char sigbderalt3[40] = {
221 0x30, 0x26, 0x02, 0x21, 0x00, 0x00, 0x00, 0x00,
222 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
223 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
224 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
225 0x00, 0x00, 0x00, 0x00, 0x04, 0x02, 0x01, 0x04,
226 };
227 unsigned char sigbderalt4[40] = {
228 0x30, 0x26, 0x02, 0x01, 0x04, 0x02, 0x21, 0x00,
229 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
230 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
231 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
232 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
233 };
234 /* (order + r,4) encoded in DER. */
235 unsigned char sigbderlong[40] = {
236 0x30, 0x26, 0x02, 0x21, 0x00, 0xFF, 0xFF, 0xFF,
237 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
238 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC,
239 0xE6, 0xAF, 0x48, 0xA0, 0x3B, 0xBF, 0xD2, 0x5E,
240 0x8C, 0xD0, 0x36, 0x41, 0x45, 0x02, 0x01, 0x04
241 };
242 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsig, sigb64, recid) == 1);
243 CHECK(secp256k1_ecdsa_recover(CTX, &pubkeyb, &rsig, msg32) == 1);
244 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbder, sizeof(sigbder)) == 1);
245 CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg32, &pubkeyb) == 1);
246 for (recid2 = 0; recid2 < 4; recid2++) {
247 secp256k1_pubkey pubkey2b;
248 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsig, sigb64, recid2) == 1);
249 CHECK(secp256k1_ecdsa_recover(CTX, &pubkey2b, &rsig, msg32) == 1);
250 /* Verifying with (order + r,4) should always fail. */
251 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbderlong, sizeof(sigbderlong)) == 1);
252 CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg32, &pubkeyb) == 0);
253 }
254 /* DER parsing tests. */
255 /* Zero length r/s. */
256 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigcder_zr, sizeof(sigcder_zr)) == 0);
257 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigcder_zs, sizeof(sigcder_zs)) == 0);
258 /* Leading zeros. */
259 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbderalt1, sizeof(sigbderalt1)) == 0);
260 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbderalt2, sizeof(sigbderalt2)) == 0);
261 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbderalt3, sizeof(sigbderalt3)) == 0);
262 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbderalt4, sizeof(sigbderalt4)) == 0);
263 sigbderalt3[4] = 1;
264 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbderalt3, sizeof(sigbderalt3)) == 1);
265 CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg32, &pubkeyb) == 0);
266 sigbderalt4[7] = 1;
267 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbderalt4, sizeof(sigbderalt4)) == 1);
268 CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg32, &pubkeyb) == 0);
269 /* Damage signature. */
270 sigbder[7]++;
271 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbder, sizeof(sigbder)) == 1);
272 CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg32, &pubkeyb) == 0);
273 sigbder[7]--;
274 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbder, 6) == 0);
275 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbder, sizeof(sigbder) - 1) == 0);
276 for(i = 0; i < 8; i++) {
277 int c;
278 unsigned char orig = sigbder[i];
279 /*Try every single-byte change.*/
280 for (c = 0; c < 256; c++) {
281 if (c == orig ) {
282 continue;
283 }
284 sigbder[i] = c;
285 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigbder, sizeof(sigbder)) == 0 || secp256k1_ecdsa_verify(CTX, &sig, msg32, &pubkeyb) == 0);
286 }
287 sigbder[i] = orig;
288 }
289 }
290
291 /* Test r/s equal to zero */
292 {
293 /* (1,1) encoded in DER. */
294 unsigned char sigcder[8] = {0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01};
295 unsigned char sigc64[64] = {
296 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
297 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
298 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
299 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
300 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
301 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
302 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
303 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
304 };
305 secp256k1_pubkey pubkeyc;
306 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsig, sigc64, 0) == 1);
307 CHECK(secp256k1_ecdsa_recover(CTX, &pubkeyc, &rsig, msg32) == 1);
308 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigcder, sizeof(sigcder)) == 1);
309 CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg32, &pubkeyc) == 1);
310 sigcder[4] = 0;
311 sigc64[31] = 0;
312 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsig, sigc64, 0) == 1);
313 CHECK(secp256k1_ecdsa_recover(CTX, &pubkeyb, &rsig, msg32) == 0);
314 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigcder, sizeof(sigcder)) == 1);
315 CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg32, &pubkeyc) == 0);
316 sigcder[4] = 1;
317 sigcder[7] = 0;
318 sigc64[31] = 1;
319 sigc64[63] = 0;
320 CHECK(secp256k1_ecdsa_recoverable_signature_parse_compact(CTX, &rsig, sigc64, 0) == 1);
321 CHECK(secp256k1_ecdsa_recover(CTX, &pubkeyb, &rsig, msg32) == 0);
322 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, sigcder, sizeof(sigcder)) == 1);
323 CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg32, &pubkeyc) == 0);
324 }
325}
326
327static void run_recovery_tests(void) {
328 int i;
329 for (i = 0; i < COUNT; i++) {
330 test_ecdsa_recovery_api();
331 }
332 for (i = 0; i < 64*COUNT; i++) {
333 test_ecdsa_recovery_end_to_end();
334 }
335 test_ecdsa_recovery_edge_cases();
336}
337
338#endif /* SECP256K1_MODULE_RECOVERY_TESTS_H */
CHECK
#define CHECK(cond)
Unconditional failure on condition failure.
Definition: util.h:35
test_vectors_musig2_generate.data
data
Definition: test_vectors_musig2_generate.py:98
tests_wycheproof_generate.msg
def msg
Definition: tests_wycheproof_generate.py:56
test_ecdsa_recovery_edge_cases
static void test_ecdsa_recovery_edge_cases(void)
Definition: tests_impl.h:154
recovery_test_nonce_function
static int recovery_test_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests_impl.h:10
test_ecdsa_recovery_api
static void test_ecdsa_recovery_api(void)
Definition: tests_impl.h:31
test_ecdsa_recovery_end_to_end
static void test_ecdsa_recovery_end_to_end(void)
Definition: tests_impl.h:95
run_recovery_tests
static void run_recovery_tests(void)
Definition: tests_impl.h:327
secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
secp256k1_memcmp_var
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:255
secp256k1_ec_seckey_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Verify an elliptic curve secret key.
Definition: secp256k1.c:580
secp256k1_ecdsa_sign
SECP256K1_API int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *ndata) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create an ECDSA signature.
Definition: secp256k1.c:566
secp256k1_ecdsa_signature_parse_der
SECP256K1_API int secp256k1_ecdsa_signature_parse_der(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a DER ECDSA signature.
Definition: secp256k1.c:369
secp256k1_ec_pubkey_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the public key for a secret key.
Definition: secp256k1.c:604
secp256k1_ecdsa_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Verify an ECDSA signature.
Definition: secp256k1.c:450
secp256k1_ecdsa_recoverable_signature_serialize_compact
SECP256K1_API int secp256k1_ecdsa_recoverable_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, int *recid, const secp256k1_ecdsa_recoverable_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize an ECDSA signature in compact format (64 bytes + recovery id).
Definition: main_impl.h:60
secp256k1_ecdsa_recoverable_signature_parse_compact
SECP256K1_API int secp256k1_ecdsa_recoverable_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_recoverable_signature *sig, const unsigned char *input64, int recid) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a compact ECDSA signature (64 bytes + recovery id).
Definition: main_impl.h:38
secp256k1_ecdsa_sign_recoverable
SECP256K1_API int secp256k1_ecdsa_sign_recoverable(const secp256k1_context *ctx, secp256k1_ecdsa_recoverable_signature *sig, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *ndata) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create a recoverable ECDSA signature.
Definition: main_impl.h:123
secp256k1_ecdsa_recoverable_signature_convert
SECP256K1_API int secp256k1_ecdsa_recoverable_signature_convert(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const secp256k1_ecdsa_recoverable_signature *sigin) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Convert a recoverable signature into a normal signature.
Definition: main_impl.h:74
secp256k1_ecdsa_recover
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_recover(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const secp256k1_ecdsa_recoverable_signature *sig, const unsigned char *msghash32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Recover an ECDSA public key from a signature.
Definition: main_impl.h:137
secp256k1_ecdsa_recoverable_signature
Opaque data structure that holds a parsed ECDSA signature, supporting pubkey recovery.
Definition: secp256k1_recovery.h:24
secp256k1_ecdsa_signature
Opaque data structure that holds a parsed ECDSA signature.
Definition: secp256k1.h:74
secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:61
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
testrand_bits
static SECP256K1_INLINE uint64_t testrand_bits(int bits)
Generate a pseudorandom number in the range [0..2**bits-1].
testrand_int
static uint32_t testrand_int(uint32_t range)
Generate a pseudorandom number in the range [0..range-1].
COUNT
static int COUNT
Definition: tests.c:40
CHECK_ILLEGAL
#define CHECK_ILLEGAL(ctx, expr)
Definition: tests.c:78
CTX
static secp256k1_context * CTX
Definition: tests.c:41
STATIC_CTX
static secp256k1_context * STATIC_CTX
Definition: tests.c:42
testutil_random_scalar_order_test
static void testutil_random_scalar_order_test(secp256k1_scalar *num)
Definition: testutil.h:116
Generated on Wed Dec 18 2024 20:00:11 for Bitcoin Core by doxygen 1.9.4