1 // Copyright (c) 2013 Pieter Wuille
2 // Distributed under the MIT/X11 software license, see the accompanying
3 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
5 #if defined HAVE_CONFIG_H
6 #include "libsecp256k1-config.h"
12 #include "util_impl.h"
13 #include "secp256k1.c"
15 #ifdef ENABLE_OPENSSL_TESTS
16 #include "openssl/bn.h"
17 #include "openssl/ec.h"
18 #include "openssl/ecdsa.h"
19 #include "openssl/obj_mac.h"
22 static int count = 100;
24 /***** NUM TESTS *****/
26 void random_num_negate(secp256k1_num_t *num) {
27 if (secp256k1_rand32() & 1)
28 secp256k1_num_negate(num);
31 void random_num_order_test(secp256k1_num_t *num) {
33 unsigned char b32[32];
34 secp256k1_rand256_test(b32);
35 secp256k1_num_set_bin(num, b32, 32);
36 if (secp256k1_num_is_zero(num))
38 if (secp256k1_num_cmp(num, &secp256k1_ge_consts->order) >= 0)
44 void random_num_order(secp256k1_num_t *num) {
46 unsigned char b32[32];
47 secp256k1_rand256(b32);
48 secp256k1_num_set_bin(num, b32, 32);
49 if (secp256k1_num_is_zero(num))
51 if (secp256k1_num_cmp(num, &secp256k1_ge_consts->order) >= 0)
57 void test_num_copy_inc_cmp() {
58 secp256k1_num_t n1,n2;
59 secp256k1_num_init(&n1);
60 secp256k1_num_init(&n2);
61 random_num_order(&n1);
62 secp256k1_num_copy(&n2, &n1);
63 CHECK(secp256k1_num_eq(&n1, &n2));
64 CHECK(secp256k1_num_eq(&n2, &n1));
65 secp256k1_num_inc(&n2);
66 CHECK(!secp256k1_num_eq(&n1, &n2));
67 CHECK(!secp256k1_num_eq(&n2, &n1));
68 secp256k1_num_free(&n1);
69 secp256k1_num_free(&n2);
73 void test_num_get_set_hex() {
74 secp256k1_num_t n1,n2;
75 secp256k1_num_init(&n1);
76 secp256k1_num_init(&n2);
77 random_num_order_test(&n1);
79 secp256k1_num_get_hex(c, 64, &n1);
80 secp256k1_num_set_hex(&n2, c, 64);
81 CHECK(secp256k1_num_eq(&n1, &n2));
82 for (int i=0; i<64; i++) {
83 // check whether the lower 4 bits correspond to the last hex character
84 int low1 = secp256k1_num_shift(&n1, 4);
86 int low2 = (lowh>>6)*9+(lowh-'0')&15;
88 // shift bits off the hex representation, and compare
91 secp256k1_num_set_hex(&n2, c, 64);
92 CHECK(secp256k1_num_eq(&n1, &n2));
94 secp256k1_num_free(&n2);
95 secp256k1_num_free(&n1);
98 void test_num_get_set_bin() {
99 secp256k1_num_t n1,n2;
100 secp256k1_num_init(&n1);
101 secp256k1_num_init(&n2);
102 random_num_order_test(&n1);
104 secp256k1_num_get_bin(c, 32, &n1);
105 secp256k1_num_set_bin(&n2, c, 32);
106 CHECK(secp256k1_num_eq(&n1, &n2));
107 for (int i=0; i<32; i++) {
108 // check whether the lower 8 bits correspond to the last byte
109 int low1 = secp256k1_num_shift(&n1, 8);
112 // shift bits off the byte representation, and compare
115 secp256k1_num_set_bin(&n2, c, 32);
116 CHECK(secp256k1_num_eq(&n1, &n2));
118 secp256k1_num_free(&n2);
119 secp256k1_num_free(&n1);
124 secp256k1_num_init(&n1);
125 for (int i=-255; i<256; i++) {
126 unsigned char c1[3] = {};
128 unsigned char c2[3] = {0x11,0x22,0x33};
129 secp256k1_num_set_int(&n1, i);
130 secp256k1_num_get_bin(c2, 3, &n1);
131 CHECK(memcmp(c1, c2, 3) == 0);
133 secp256k1_num_free(&n1);
136 void test_num_negate() {
139 secp256k1_num_init(&n1);
140 secp256k1_num_init(&n2);
141 random_num_order_test(&n1); // n1 = R
142 random_num_negate(&n1);
143 secp256k1_num_copy(&n2, &n1); // n2 = R
144 secp256k1_num_sub(&n1, &n2, &n1); // n1 = n2-n1 = 0
145 CHECK(secp256k1_num_is_zero(&n1));
146 secp256k1_num_copy(&n1, &n2); // n1 = R
147 secp256k1_num_negate(&n1); // n1 = -R
148 CHECK(!secp256k1_num_is_zero(&n1));
149 secp256k1_num_add(&n1, &n2, &n1); // n1 = n2+n1 = 0
150 CHECK(secp256k1_num_is_zero(&n1));
151 secp256k1_num_copy(&n1, &n2); // n1 = R
152 secp256k1_num_negate(&n1); // n1 = -R
153 CHECK(secp256k1_num_is_neg(&n1) != secp256k1_num_is_neg(&n2));
154 secp256k1_num_negate(&n1); // n1 = R
155 CHECK(secp256k1_num_eq(&n1, &n2));
156 secp256k1_num_free(&n2);
157 secp256k1_num_free(&n1);
160 void test_num_add_sub() {
161 int r = secp256k1_rand32();
164 secp256k1_num_init(&n1);
165 secp256k1_num_init(&n2);
166 random_num_order_test(&n1); // n1 = R1
168 random_num_negate(&n1);
170 random_num_order_test(&n2); // n2 = R2
172 random_num_negate(&n2);
174 secp256k1_num_t n1p2, n2p1, n1m2, n2m1;
175 secp256k1_num_init(&n1p2);
176 secp256k1_num_init(&n2p1);
177 secp256k1_num_init(&n1m2);
178 secp256k1_num_init(&n2m1);
179 secp256k1_num_add(&n1p2, &n1, &n2); // n1p2 = R1 + R2
180 secp256k1_num_add(&n2p1, &n2, &n1); // n2p1 = R2 + R1
181 secp256k1_num_sub(&n1m2, &n1, &n2); // n1m2 = R1 - R2
182 secp256k1_num_sub(&n2m1, &n2, &n1); // n2m1 = R2 - R1
183 CHECK(secp256k1_num_eq(&n1p2, &n2p1));
184 CHECK(!secp256k1_num_eq(&n1p2, &n1m2));
185 secp256k1_num_negate(&n2m1); // n2m1 = -R2 + R1
186 CHECK(secp256k1_num_eq(&n2m1, &n1m2));
187 CHECK(!secp256k1_num_eq(&n2m1, &n1));
188 secp256k1_num_add(&n2m1, &n2m1, &n2); // n2m1 = -R2 + R1 + R2 = R1
189 CHECK(secp256k1_num_eq(&n2m1, &n1));
190 CHECK(!secp256k1_num_eq(&n2p1, &n1));
191 secp256k1_num_sub(&n2p1, &n2p1, &n2); // n2p1 = R2 + R1 - R2 = R1
192 CHECK(secp256k1_num_eq(&n2p1, &n1));
193 secp256k1_num_free(&n2m1);
194 secp256k1_num_free(&n1m2);
195 secp256k1_num_free(&n2p1);
196 secp256k1_num_free(&n1p2);
197 secp256k1_num_free(&n2);
198 secp256k1_num_free(&n1);
201 void run_num_smalltests() {
202 for (int i=0; i<100*count; i++) {
203 test_num_copy_inc_cmp();
204 test_num_get_set_hex();
205 test_num_get_set_bin();
212 /***** FIELD TESTS *****/
214 void random_fe(secp256k1_fe_t *x) {
215 unsigned char bin[32];
216 secp256k1_rand256(bin);
217 secp256k1_fe_set_b32(x, bin);
220 void random_fe_non_zero(secp256k1_fe_t *nz) {
222 while (--tries >= 0) {
224 secp256k1_fe_normalize(nz);
225 if (!secp256k1_fe_is_zero(nz))
228 // Infinitesimal probability of spurious failure here
232 void random_fe_non_square(secp256k1_fe_t *ns) {
233 random_fe_non_zero(ns);
235 if (secp256k1_fe_sqrt(&r, ns)) {
236 secp256k1_fe_negate(ns, ns, 1);
240 int check_fe_equal(const secp256k1_fe_t *a, const secp256k1_fe_t *b) {
241 secp256k1_fe_t an = *a; secp256k1_fe_normalize(&an);
242 secp256k1_fe_t bn = *b; secp256k1_fe_normalize(&bn);
243 return secp256k1_fe_equal(&an, &bn);
246 int check_fe_inverse(const secp256k1_fe_t *a, const secp256k1_fe_t *ai) {
247 secp256k1_fe_t x; secp256k1_fe_mul(&x, a, ai);
248 secp256k1_fe_t one; secp256k1_fe_set_int(&one, 1);
249 return check_fe_equal(&x, &one);
252 void run_field_inv() {
253 secp256k1_fe_t x, xi, xii;
254 for (int i=0; i<10*count; i++) {
255 random_fe_non_zero(&x);
256 secp256k1_fe_inv(&xi, &x);
257 CHECK(check_fe_inverse(&x, &xi));
258 secp256k1_fe_inv(&xii, &xi);
259 CHECK(check_fe_equal(&x, &xii));
263 void run_field_inv_var() {
264 secp256k1_fe_t x, xi, xii;
265 for (int i=0; i<10*count; i++) {
266 random_fe_non_zero(&x);
267 secp256k1_fe_inv_var(&xi, &x);
268 CHECK(check_fe_inverse(&x, &xi));
269 secp256k1_fe_inv_var(&xii, &xi);
270 CHECK(check_fe_equal(&x, &xii));
274 void run_field_inv_all() {
275 secp256k1_fe_t x[16], xi[16], xii[16];
276 // Check it's safe to call for 0 elements
277 secp256k1_fe_inv_all(0, xi, x);
278 for (int i=0; i<count; i++) {
279 size_t len = (secp256k1_rand32() & 15) + 1;
280 for (int j=0; j<len; j++)
281 random_fe_non_zero(&x[j]);
282 secp256k1_fe_inv_all(len, xi, x);
283 for (int j=0; j<len; j++)
284 CHECK(check_fe_inverse(&x[j], &xi[j]));
285 secp256k1_fe_inv_all(len, xii, xi);
286 for (int j=0; j<len; j++)
287 CHECK(check_fe_equal(&x[j], &xii[j]));
291 void run_field_inv_all_var() {
292 secp256k1_fe_t x[16], xi[16], xii[16];
293 // Check it's safe to call for 0 elements
294 secp256k1_fe_inv_all_var(0, xi, x);
295 for (int i=0; i<count; i++) {
296 size_t len = (secp256k1_rand32() & 15) + 1;
297 for (int j=0; j<len; j++)
298 random_fe_non_zero(&x[j]);
299 secp256k1_fe_inv_all_var(len, xi, x);
300 for (int j=0; j<len; j++)
301 CHECK(check_fe_inverse(&x[j], &xi[j]));
302 secp256k1_fe_inv_all_var(len, xii, xi);
303 for (int j=0; j<len; j++)
304 CHECK(check_fe_equal(&x[j], &xii[j]));
312 secp256k1_fe_set_int(&x, 1);
313 secp256k1_fe_negate(&x, &x, 1);
315 for (int i=1; i<=512; ++i) {
316 secp256k1_fe_mul_int(&x, 2);
317 secp256k1_fe_normalize(&x);
318 secp256k1_fe_sqr(&s, &x);
323 void test_sqrt(const secp256k1_fe_t *a, const secp256k1_fe_t *k) {
324 secp256k1_fe_t r1, r2;
325 int v = secp256k1_fe_sqrt(&r1, a);
326 CHECK((v == 0) == (k == NULL));
329 // Check that the returned root is +/- the given known answer
330 secp256k1_fe_negate(&r2, &r1, 1);
331 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
332 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
333 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
338 secp256k1_fe_t ns, x, s, t;
340 // Check sqrt(0) is 0
341 secp256k1_fe_set_int(&x, 0);
342 secp256k1_fe_sqr(&s, &x);
345 // Check sqrt of small squares (and their negatives)
346 for (int i=1; i<=100; i++) {
347 secp256k1_fe_set_int(&x, i);
348 secp256k1_fe_sqr(&s, &x);
350 secp256k1_fe_negate(&t, &s, 1);
354 // Consistency checks for large random values
355 for (int i=0; i<10; i++) {
356 random_fe_non_square(&ns);
357 for (int j=0; j<count; j++) {
359 secp256k1_fe_sqr(&s, &x);
361 secp256k1_fe_negate(&t, &s, 1);
363 secp256k1_fe_mul(&t, &s, &ns);
369 /***** ECMULT TESTS *****/
371 void run_ecmult_chain() {
372 // random starting point A (on the curve)
373 secp256k1_fe_t ax; secp256k1_fe_set_hex(&ax, "8b30bbe9ae2a990696b22f670709dff3727fd8bc04d3362c6c7bf458e2846004", 64);
374 secp256k1_fe_t ay; secp256k1_fe_set_hex(&ay, "a357ae915c4a65281309edf20504740f0eb3343990216b4f81063cb65f2f7e0f", 64);
375 secp256k1_gej_t a; secp256k1_gej_set_xy(&a, &ax, &ay);
376 // two random initial factors xn and gn
378 secp256k1_num_init(&xn);
379 secp256k1_num_set_hex(&xn, "84cc5452f7fde1edb4d38a8ce9b1b84ccef31f146e569be9705d357a42985407", 64);
381 secp256k1_num_init(&gn);
382 secp256k1_num_set_hex(&gn, "a1e58d22553dcd42b23980625d4c57a96e9323d42b3152e5ca2c3990edc7c9de", 64);
383 // two small multipliers to be applied to xn and gn in every iteration:
385 secp256k1_num_init(&xf);
386 secp256k1_num_set_hex(&xf, "1337", 4);
388 secp256k1_num_init(&gf);
389 secp256k1_num_set_hex(&gf, "7113", 4);
390 // accumulators with the resulting coefficients to A and G
392 secp256k1_num_init(&ae);
393 secp256k1_num_set_int(&ae, 1);
395 secp256k1_num_init(&ge);
396 secp256k1_num_set_int(&ge, 0);
397 // the point being computed
398 secp256k1_gej_t x = a;
399 const secp256k1_num_t *order = &secp256k1_ge_consts->order;
400 for (int i=0; i<200*count; i++) {
401 // in each iteration, compute X = xn*X + gn*G;
402 secp256k1_ecmult(&x, &x, &xn, &gn);
403 // also compute ae and ge: the actual accumulated factors for A and G
404 // if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G)
405 secp256k1_num_mod_mul(&ae, &ae, &xn, order);
406 secp256k1_num_mod_mul(&ge, &ge, &xn, order);
407 secp256k1_num_add(&ge, &ge, &gn);
408 secp256k1_num_mod(&ge, order);
410 secp256k1_num_mod_mul(&xn, &xn, &xf, order);
411 secp256k1_num_mod_mul(&gn, &gn, &gf, order);
415 char res[132]; int resl = 132;
416 secp256k1_gej_get_hex(res, &resl, &x);
417 CHECK(strcmp(res, "(D6E96687F9B10D092A6F35439D86CEBEA4535D0D409F53586440BD74B933E830,B95CBCA2C77DA786539BE8FD53354D2D3B4F566AE658045407ED6015EE1B2A88)") == 0);
420 // redo the computation, but directly with the resulting ae and ge coefficients:
421 secp256k1_gej_t x2; secp256k1_ecmult(&x2, &a, &ae, &ge);
422 char res[132]; int resl = 132;
423 char res2[132]; int resl2 = 132;
424 secp256k1_gej_get_hex(res, &resl, &x);
425 secp256k1_gej_get_hex(res2, &resl2, &x2);
426 CHECK(strcmp(res, res2) == 0);
427 CHECK(strlen(res) == 131);
428 secp256k1_num_free(&xn);
429 secp256k1_num_free(&gn);
430 secp256k1_num_free(&xf);
431 secp256k1_num_free(&gf);
432 secp256k1_num_free(&ae);
433 secp256k1_num_free(&ge);
436 void test_point_times_order(const secp256k1_gej_t *point) {
437 // multiplying a point by the order results in O
438 const secp256k1_num_t *order = &secp256k1_ge_consts->order;
439 secp256k1_num_t zero;
440 secp256k1_num_init(&zero);
441 secp256k1_num_set_int(&zero, 0);
443 secp256k1_ecmult(&res, point, order, order); // calc res = order * point + order * G;
444 CHECK(secp256k1_gej_is_infinity(&res));
445 secp256k1_num_free(&zero);
448 void run_point_times_order() {
449 secp256k1_fe_t x; secp256k1_fe_set_hex(&x, "02", 2);
450 for (int i=0; i<500; i++) {
452 if (secp256k1_ge_set_xo(&p, &x, 1)) {
453 CHECK(secp256k1_ge_is_valid(&p));
455 secp256k1_gej_set_ge(&j, &p);
456 CHECK(secp256k1_gej_is_valid(&j));
457 test_point_times_order(&j);
459 secp256k1_fe_sqr(&x, &x);
461 char c[65]; int cl=65;
462 secp256k1_fe_get_hex(c, &cl, &x);
463 CHECK(strcmp(c, "7603CB59B0EF6C63FE6084792A0C378CDB3233A80F8A9A09A877DEAD31B38C45") == 0);
466 void test_wnaf(const secp256k1_num_t *number, int w) {
467 secp256k1_num_t x, two, t;
468 secp256k1_num_init(&x);
469 secp256k1_num_init(&two);
470 secp256k1_num_init(&t);
471 secp256k1_num_set_int(&x, 0);
472 secp256k1_num_set_int(&two, 2);
474 int bits = secp256k1_ecmult_wnaf(wnaf, number, w);
476 for (int i=bits-1; i>=0; i--) {
477 secp256k1_num_mul(&x, &x, &two);
480 CHECK(zeroes == -1 || zeroes >= w-1); // check that distance between non-zero elements is at least w-1
482 CHECK((v & 1) == 1); // check non-zero elements are odd
483 CHECK(v <= (1 << (w-1)) - 1); // check range below
484 CHECK(v >= -(1 << (w-1)) - 1); // check range above
486 CHECK(zeroes != -1); // check that no unnecessary zero padding exists
489 secp256k1_num_set_int(&t, v);
490 secp256k1_num_add(&x, &x, &t);
492 CHECK(secp256k1_num_eq(&x, number)); // check that wnaf represents number
493 secp256k1_num_free(&x);
494 secp256k1_num_free(&two);
495 secp256k1_num_free(&t);
500 secp256k1_num_init(&n);
501 for (int i=0; i<count; i++) {
502 random_num_order(&n);
504 secp256k1_num_negate(&n);
505 test_wnaf(&n, 4+(i%10));
507 secp256k1_num_free(&n);
510 void random_sign(secp256k1_ecdsa_sig_t *sig, const secp256k1_num_t *key, const secp256k1_num_t *msg, int *recid) {
511 secp256k1_num_t nonce;
512 secp256k1_num_init(&nonce);
514 random_num_order_test(&nonce);
515 } while(!secp256k1_ecdsa_sig_sign(sig, key, msg, &nonce, recid));
516 secp256k1_num_free(&nonce);
519 void test_ecdsa_sign_verify() {
520 const secp256k1_ge_consts_t *c = secp256k1_ge_consts;
521 secp256k1_num_t msg, key;
522 secp256k1_num_init(&msg);
523 random_num_order_test(&msg);
524 secp256k1_num_init(&key);
525 random_num_order_test(&key);
526 secp256k1_gej_t pubj; secp256k1_ecmult_gen(&pubj, &key);
527 secp256k1_ge_t pub; secp256k1_ge_set_gej(&pub, &pubj);
528 secp256k1_ecdsa_sig_t sig;
529 secp256k1_ecdsa_sig_init(&sig);
530 random_sign(&sig, &key, &msg, NULL);
531 CHECK(secp256k1_ecdsa_sig_verify(&sig, &pub, &msg));
532 secp256k1_num_inc(&msg);
533 CHECK(!secp256k1_ecdsa_sig_verify(&sig, &pub, &msg));
534 secp256k1_ecdsa_sig_free(&sig);
535 secp256k1_num_free(&msg);
536 secp256k1_num_free(&key);
539 void run_ecdsa_sign_verify() {
540 for (int i=0; i<10*count; i++) {
541 test_ecdsa_sign_verify();
545 void test_ecdsa_end_to_end() {
546 unsigned char privkey[32];
547 unsigned char message[32];
549 // Generate a random key and message.
551 secp256k1_num_t msg, key;
552 secp256k1_num_init(&msg);
553 random_num_order_test(&msg);
554 secp256k1_num_init(&key);
555 random_num_order_test(&key);
556 secp256k1_num_get_bin(privkey, 32, &key);
557 secp256k1_num_get_bin(message, 32, &msg);
558 secp256k1_num_free(&msg);
559 secp256k1_num_free(&key);
562 // Construct and verify corresponding public key.
563 CHECK(secp256k1_ecdsa_seckey_verify(privkey) == 1);
564 char pubkey[65]; int pubkeylen = 65;
565 CHECK(secp256k1_ecdsa_pubkey_create(pubkey, &pubkeylen, privkey, secp256k1_rand32() % 2) == 1);
566 CHECK(secp256k1_ecdsa_pubkey_verify(pubkey, pubkeylen));
568 // Verify private key import and export.
569 unsigned char seckey[300]; int seckeylen = 300;
570 CHECK(secp256k1_ecdsa_privkey_export(privkey, seckey, &seckeylen, secp256k1_rand32() % 2) == 1);
571 unsigned char privkey2[32];
572 CHECK(secp256k1_ecdsa_privkey_import(privkey2, seckey, seckeylen) == 1);
573 CHECK(memcmp(privkey, privkey2, 32) == 0);
575 // Optionally tweak the keys using addition.
576 if (secp256k1_rand32() % 3 == 0) {
577 unsigned char rnd[32];
578 secp256k1_rand256_test(rnd);
579 int ret1 = secp256k1_ecdsa_privkey_tweak_add(privkey, rnd);
580 int ret2 = secp256k1_ecdsa_pubkey_tweak_add(pubkey, pubkeylen, rnd);
582 if (ret1 == 0) return;
583 char pubkey2[65]; int pubkeylen2 = 65;
584 CHECK(secp256k1_ecdsa_pubkey_create(pubkey2, &pubkeylen2, privkey, pubkeylen == 33) == 1);
585 CHECK(memcmp(pubkey, pubkey2, pubkeylen) == 0);
588 // Optionally tweak the keys using multiplication.
589 if (secp256k1_rand32() % 3 == 0) {
590 unsigned char rnd[32];
591 secp256k1_rand256_test(rnd);
592 int ret1 = secp256k1_ecdsa_privkey_tweak_mul(privkey, rnd);
593 int ret2 = secp256k1_ecdsa_pubkey_tweak_mul(pubkey, pubkeylen, rnd);
595 if (ret1 == 0) return;
596 char pubkey2[65]; int pubkeylen2 = 65;
597 CHECK(secp256k1_ecdsa_pubkey_create(pubkey2, &pubkeylen2, privkey, pubkeylen == 33) == 1);
598 CHECK(memcmp(pubkey, pubkey2, pubkeylen) == 0);
602 unsigned char signature[72]; unsigned int signaturelen = 72;
604 unsigned char rnd[32];
605 secp256k1_rand256_test(rnd);
606 if (secp256k1_ecdsa_sign(message, 32, signature, &signaturelen, privkey, rnd) == 1) {
611 CHECK(secp256k1_ecdsa_verify(message, 32, signature, signaturelen, pubkey, pubkeylen) == 1);
612 // Destroy signature and verify again.
613 signature[signaturelen - 1 - secp256k1_rand32() % 20] += 1 + (secp256k1_rand32() % 255);
614 CHECK(secp256k1_ecdsa_verify(message, 32, signature, signaturelen, pubkey, pubkeylen) != 1);
617 unsigned char csignature[64]; unsigned int recid = 0;
619 unsigned char rnd[32];
620 secp256k1_rand256_test(rnd);
621 if (secp256k1_ecdsa_sign_compact(message, 32, csignature, privkey, rnd, &recid) == 1) {
626 unsigned char recpubkey[65]; unsigned recpubkeylen = 0;
627 CHECK(secp256k1_ecdsa_recover_compact(message, 32, csignature, recpubkey, &recpubkeylen, pubkeylen == 33, recid) == 1);
628 CHECK(recpubkeylen == pubkeylen);
629 CHECK(memcmp(pubkey, recpubkey, pubkeylen) == 0);
630 // Destroy signature and verify again.
631 csignature[secp256k1_rand32() % 64] += 1 + (secp256k1_rand32() % 255);
632 CHECK(secp256k1_ecdsa_recover_compact(message, 32, csignature, recpubkey, &recpubkeylen, pubkeylen == 33, recid) != 1 ||
633 memcmp(pubkey, recpubkey, pubkeylen) != 0);
634 CHECK(recpubkeylen == pubkeylen);
637 void run_ecdsa_end_to_end() {
638 for (int i=0; i<64*count; i++) {
639 test_ecdsa_end_to_end();
644 #ifdef ENABLE_OPENSSL_TESTS
645 EC_KEY *get_openssl_key(const secp256k1_num_t *key) {
646 unsigned char privkey[300];
648 int compr = secp256k1_rand32() & 1;
649 const unsigned char* pbegin = privkey;
650 EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1);
651 CHECK(secp256k1_ecdsa_privkey_serialize(privkey, &privkeylen, key, compr));
652 CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen));
653 CHECK(EC_KEY_check_key(ec_key));
657 void test_ecdsa_openssl() {
658 const secp256k1_ge_consts_t *c = secp256k1_ge_consts;
659 secp256k1_num_t key, msg;
660 secp256k1_num_init(&msg);
661 unsigned char message[32];
662 secp256k1_rand256_test(message);
663 secp256k1_num_set_bin(&msg, message, 32);
664 secp256k1_num_init(&key);
665 random_num_order_test(&key);
667 secp256k1_ecmult_gen(&qj, &key);
669 secp256k1_ge_set_gej(&q, &qj);
670 EC_KEY *ec_key = get_openssl_key(&key);
672 unsigned char signature[80];
674 CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
675 secp256k1_ecdsa_sig_t sig;
676 secp256k1_ecdsa_sig_init(&sig);
677 CHECK(secp256k1_ecdsa_sig_parse(&sig, signature, sigsize));
678 CHECK(secp256k1_ecdsa_sig_verify(&sig, &q, &msg));
679 secp256k1_num_inc(&sig.r);
680 CHECK(!secp256k1_ecdsa_sig_verify(&sig, &q, &msg));
682 random_sign(&sig, &key, &msg, NULL);
684 CHECK(secp256k1_ecdsa_sig_serialize(signature, &sigsize, &sig));
685 CHECK(ECDSA_verify(0, message, sizeof(message), signature, sigsize, ec_key) == 1);
687 secp256k1_ecdsa_sig_free(&sig);
689 secp256k1_num_free(&key);
690 secp256k1_num_free(&msg);
693 void run_ecdsa_openssl() {
694 for (int i=0; i<10*count; i++) {
695 test_ecdsa_openssl();
700 int main(int argc, char **argv) {
702 count = strtol(argv[1], NULL, 0)*47;
704 printf("test count = %i\n", count);
707 secp256k1_start(SECP256K1_START_SIGN | SECP256K1_START_VERIFY);
710 run_num_smalltests();
716 run_field_inv_all_var();
722 run_point_times_order();
726 run_ecdsa_sign_verify();
727 run_ecdsa_end_to_end();
728 #ifdef ENABLE_OPENSSL_TESTS
projects / secp256k1.git / blob