Alien-libsecp256k1
view release on metacpan or search on metacpan
libsecp256k1/src/tests.c view on Meta::CPAN
0xB0, 0x86, 0xC9, 0x60, 0xE1, 0x8F, 0xD9, 0x69, 0x77, 0x4E, 0xB8 },
{ 0x02, 0xF9, 0x30, 0x8A, 0x01, 0x92, 0x58, 0xC3, 0x10, 0x49, 0x34,
0x4F, 0x85, 0xF8, 0x9D, 0x52, 0x29, 0xB5, 0x31, 0xC8, 0x45, 0x83,
0x6F, 0x99, 0xB0, 0x86, 0x01, 0xF1, 0x13, 0xBC, 0xE0, 0x36, 0xF9 },
{ 0x03, 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F, 0x36, 0x18,
0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE, 0x58, 0xFE, 0xAE, 0x1D, 0xA2,
0xDE, 0xCE, 0xD8, 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59 },
{ 0x02, 0x35, 0x90, 0xA9, 0x4E, 0x76, 0x8F, 0x8E, 0x18, 0x15, 0xC2,
0xF2, 0x4B, 0x4D, 0x80, 0xA8, 0xE3, 0x14, 0x93, 0x16, 0xC3, 0x51,
0x8C, 0xE7, 0xB7, 0xAD, 0x33, 0x83, 0x68, 0xD0, 0x38, 0xCA, 0x66 },
{ 0x02, 0xDD, 0x30, 0x8A, 0xFE, 0xC5, 0x77, 0x7E, 0x13, 0x12, 0x1F,
0xA7, 0x2B, 0x9C, 0xC1, 0xB7, 0xCC, 0x01, 0x39, 0x71, 0x53, 0x09,
0xB0, 0x86, 0xC9, 0x60, 0xE1, 0x8F, 0xD9, 0x69, 0x77, 0x4E, 0xFF },
{ 0x02, 0xDD, 0x30, 0x8A, 0xFE, 0xC5, 0x77, 0x7E, 0x13, 0x12, 0x1F,
0xA7, 0x2B, 0x9C, 0xC1, 0xB7, 0xCC, 0x01, 0x39, 0x71, 0x53, 0x09,
0xB0, 0x86, 0xC9, 0x60, 0xE1, 0x8F, 0xD9, 0x69, 0x77, 0x4E, 0xB8 }
};
secp256k1_pubkey pubkeys[N_PUBKEYS];
secp256k1_pubkey *sorted[N_PUBKEYS];
const secp256k1_pubkey *pks_ptr[N_PUBKEYS];
int i;
sorted[0] = &pubkeys[3];
sorted[1] = &pubkeys[0];
sorted[2] = &pubkeys[0];
sorted[3] = &pubkeys[4];
sorted[4] = &pubkeys[1];
sorted[5] = &pubkeys[2];
for (i = 0; i < N_PUBKEYS; i++) {
CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkeys[i], pk_ser[i], sizeof(pk_ser[i])));
pks_ptr[i] = &pubkeys[i];
}
CHECK(secp256k1_ec_pubkey_sort(CTX, pks_ptr, N_PUBKEYS) == 1);
for (i = 0; i < N_PUBKEYS; i++) {
CHECK(secp256k1_memcmp_var(pks_ptr[i], sorted[i], sizeof(secp256k1_pubkey)) == 0);
}
}
static void run_pubkey_sort(void) {
test_sort_api();
test_sort();
test_sort_vectors();
}
static void run_random_pubkeys(void) {
int i;
for (i = 0; i < 10*COUNT; i++) {
test_random_pubkeys();
}
}
static void run_ecdsa_end_to_end(void) {
int i;
for (i = 0; i < 64*COUNT; i++) {
test_ecdsa_end_to_end();
}
}
static int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
static const unsigned char zeroes[32] = {0};
int ret = 0;
secp256k1_ecdsa_signature sig_der;
unsigned char roundtrip_der[2048];
unsigned char compact_der[64];
size_t len_der = 2048;
int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
secp256k1_ecdsa_signature sig_der_lax;
unsigned char roundtrip_der_lax[2048];
unsigned char compact_der_lax[64];
size_t len_der_lax = 2048;
int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
parsed_der = secp256k1_ecdsa_signature_parse_der(CTX, &sig_der, sig, siglen);
if (parsed_der) {
ret |= (!secp256k1_ecdsa_signature_serialize_compact(CTX, compact_der, &sig_der)) << 0;
valid_der = (secp256k1_memcmp_var(compact_der, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der + 32, zeroes, 32) != 0);
}
if (valid_der) {
ret |= (!secp256k1_ecdsa_signature_serialize_der(CTX, roundtrip_der, &len_der, &sig_der)) << 1;
roundtrips_der = (len_der == siglen) && secp256k1_memcmp_var(roundtrip_der, sig, siglen) == 0;
}
parsed_der_lax = ecdsa_signature_parse_der_lax(CTX, &sig_der_lax, sig, siglen);
if (parsed_der_lax) {
ret |= (!secp256k1_ecdsa_signature_serialize_compact(CTX, compact_der_lax, &sig_der_lax)) << 10;
valid_der_lax = (secp256k1_memcmp_var(compact_der_lax, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der_lax + 32, zeroes, 32) != 0);
}
if (valid_der_lax) {
ret |= (!secp256k1_ecdsa_signature_serialize_der(CTX, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
roundtrips_der_lax = (len_der_lax == siglen) && secp256k1_memcmp_var(roundtrip_der_lax, sig, siglen) == 0;
}
if (certainly_der) {
ret |= (!parsed_der) << 2;
}
if (certainly_not_der) {
ret |= (parsed_der) << 17;
}
if (valid_der) {
ret |= (!roundtrips_der) << 3;
}
if (valid_der) {
ret |= (!roundtrips_der_lax) << 12;
ret |= (len_der != len_der_lax) << 13;
ret |= ((len_der != len_der_lax) || (secp256k1_memcmp_var(roundtrip_der_lax, roundtrip_der, len_der) != 0)) << 14;
}
ret |= (roundtrips_der != roundtrips_der_lax) << 15;
if (parsed_der) {
ret |= (!parsed_der_lax) << 16;
}
return ret;
}
static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
size_t i;
for (i = 0; i < ptrlen; i++) {
int shift = ptrlen - 1 - i;
if (shift >= 4) {
ptr[i] = 0;
} else {
ptr[i] = (val >> shift) & 0xFF;
}
}
}
static void damage_array(unsigned char *sig, size_t *len) {
int pos;
int action = testrand_bits(3);
if (action < 1 && *len > 3) {
/* Delete a byte. */
pos = testrand_int(*len);
memmove(sig + pos, sig + pos + 1, *len - pos - 1);
(*len)--;
return;
} else if (action < 2 && *len < 2048) {
/* Insert a byte. */
pos = testrand_int(1 + *len);
memmove(sig + pos + 1, sig + pos, *len - pos);
sig[pos] = testrand_bits(8);
(*len)++;
return;
} else if (action < 4) {
/* Modify a byte. */
sig[testrand_int(*len)] += 1 + testrand_int(255);
return;
} else { /* action < 8 */
/* Modify a bit. */
sig[testrand_int(*len)] ^= 1 << testrand_bits(3);
return;
}
}
static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
int der;
int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
size_t tlen, elen, glen;
int indet;
int n;
*len = 0;
der = testrand_bits(2) == 0;
*certainly_der = der;
*certainly_not_der = 0;
indet = der ? 0 : testrand_int(10) == 0;
for (n = 0; n < 2; n++) {
/* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
nlow[n] = der ? 1 : (testrand_bits(3) != 0);
/* The length of the number in bytes (the first byte of which will always be nonzero) */
nlen[n] = nlow[n] ? testrand_int(33) : 32 + testrand_int(200) * testrand_bits(3) / 8;
CHECK(nlen[n] <= 232);
/* The top bit of the number. */
nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : testrand_bits(1));
/* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + testrand_bits(7) : 1 + testrand_int(127));
/* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? testrand_int(3) : testrand_int(300 - nlen[n]) * testrand_bits(3) / 8);
if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
*certainly_not_der = 1;
}
CHECK(nlen[n] + nzlen[n] <= 300);
/* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
if (!der) {
/* nlenlen[n] max 127 bytes */
int add = testrand_int(127 - nlenlen[n]) * testrand_bits(4) * testrand_bits(4) / 256;
nlenlen[n] += add;
if (add != 0) {
*certainly_not_der = 1;
}
}
CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
}
/* The total length of the data to go, so far */
tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
CHECK(tlen <= 856);
/* The length of the garbage inside the tuple. */
elen = (der || indet) ? 0 : testrand_int(980 - tlen) * testrand_bits(3) / 8;
if (elen != 0) {
*certainly_not_der = 1;
}
tlen += elen;
CHECK(tlen <= 980);
/* The length of the garbage after the end of the tuple. */
glen = der ? 0 : testrand_int(990 - tlen) * testrand_bits(3) / 8;
if (glen != 0) {
*certainly_not_der = 1;
}
CHECK(tlen + glen <= 990);
/* Write the tuple header. */
sig[(*len)++] = 0x30;
if (indet) {
/* Indeterminate length */
sig[(*len)++] = 0x80;
*certainly_not_der = 1;
} else {
int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
if (!der) {
int add = testrand_int(127 - tlenlen) * testrand_bits(4) * testrand_bits(4) / 256;
tlenlen += add;
if (add != 0) {
*certainly_not_der = 1;
}
}
if (tlenlen == 0) {
/* Short length notation */
sig[(*len)++] = tlen;
} else {
/* Long length notation */
sig[(*len)++] = 128 + tlenlen;
assign_big_endian(sig + *len, tlenlen, tlen);
*len += tlenlen;
}
tlen += tlenlen;
}
tlen += 2;
CHECK(tlen + glen <= 1119);
for (n = 0; n < 2; n++) {
/* Write the integer header. */
sig[(*len)++] = 0x02;
if (nlenlen[n] == 0) {
/* Short length notation */
sig[(*len)++] = nlen[n] + nzlen[n];
} else {
/* Long length notation. */
sig[(*len)++] = 128 + nlenlen[n];
assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
*len += nlenlen[n];
}
/* Write zero padding */
while (nzlen[n] > 0) {
sig[(*len)++] = 0x00;
nzlen[n]--;
}
if (nlen[n] == 32 && !nlow[n]) {
/* Special extra 16 0xFF bytes in "high" 32-byte numbers */
int i;
for (i = 0; i < 16; i++) {
sig[(*len)++] = 0xFF;
}
nlen[n] -= 16;
}
/* Write first byte of number */
if (nlen[n] > 0) {
sig[(*len)++] = nhbyte[n];
nlen[n]--;
}
/* Generate remaining random bytes of number */
testrand_bytes_test(sig + *len, nlen[n]);
*len += nlen[n];
nlen[n] = 0;
}
/* Generate random garbage inside tuple. */
testrand_bytes_test(sig + *len, elen);
*len += elen;
/* Generate end-of-contents bytes. */
if (indet) {
sig[(*len)++] = 0;
sig[(*len)++] = 0;
tlen += 2;
}
CHECK(tlen + glen <= 1121);
/* Generate random garbage outside tuple. */
testrand_bytes_test(sig + *len, glen);
*len += glen;
tlen += glen;
CHECK(tlen <= 1121);
CHECK(tlen == *len);
}
static void run_ecdsa_der_parse(void) {
int i,j;
for (i = 0; i < 200 * COUNT; i++) {
unsigned char buffer[2048];
size_t buflen = 0;
int certainly_der = 0;
int certainly_not_der = 0;
random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
CHECK(buflen <= 2048);
for (j = 0; j < 16; j++) {
int ret = 0;
if (j > 0) {
damage_array(buffer, &buflen);
/* We don't know anything anymore about the DERness of the result */
certainly_der = 0;
certainly_not_der = 0;
}
ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
if (ret != 0) {
size_t k;
fprintf(stderr, "Failure %x on ", ret);
for (k = 0; k < buflen; k++) {
fprintf(stderr, "%02x ", buffer[k]);
}
fprintf(stderr, "\n");
}
CHECK(ret == 0);
}
}
}
/* Tests several edge cases. */
static void test_ecdsa_edge_cases(void) {
int t;
secp256k1_ecdsa_signature sig;
/* Test the case where ECDSA recomputes a point that is infinity. */
{
secp256k1_gej keyj;
secp256k1_ge key;
secp256k1_scalar msg;
secp256k1_scalar sr, ss;
secp256k1_scalar_set_int(&ss, 1);
secp256k1_scalar_negate(&ss, &ss);
secp256k1_scalar_inverse(&ss, &ss);
secp256k1_scalar_set_int(&sr, 1);
secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &keyj, &sr);
secp256k1_ge_set_gej(&key, &keyj);
msg = ss;
CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
}
/* Verify signature with r of zero fails. */
{
const unsigned char pubkey_mods_zero[33] = {
0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
0x41
};
secp256k1_ge key;
secp256k1_scalar msg;
secp256k1_scalar sr, ss;
secp256k1_scalar_set_int(&ss, 1);
secp256k1_scalar_set_int(&msg, 0);
secp256k1_scalar_set_int(&sr, 0);
CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
CHECK(secp256k1_ecdsa_sig_verify( &sr, &ss, &key, &msg) == 0);
}
/* Verify signature with s of zero fails. */
{
const unsigned char pubkey[33] = {
0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
( run in 0.622 second using v1.01-cache-2.11-cpan-5a3173703d6 )