Skip to content

Commit 25d125e

Browse files
sipasipa
committed
Merge pull request #126
24b3c65 Add a test case for ECDSA recomputing infinity (Pieter Wuille) 32600e5 Add a test for r >= order signature handling (Pieter Wuille)
2 parents 0af5b47 + 24b3c65 commit 25d125e

File tree

1 file changed

+31
-0
lines changed

1 file changed

+31
-0
lines changed

src/tests.c

Lines changed: 31 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -998,13 +998,44 @@ void test_ecdsa_edge_cases(void) {
998998
unsigned char pubkeyb[33];
999999
int pubkeyblen = 33;
10001000
for (int recid = 0; recid < 4; recid++) {
1001+
// (4,4) encoded in DER.
10011002
unsigned char sigbder[8] = {0x30, 0x06, 0x02, 0x01, 0x04, 0x02, 0x01, 0x04};
1003+
// (order + r,4) encoded in DER.
1004+
unsigned char sigbderlong[40] = {
1005+
0x30, 0x26, 0x02, 0x21, 0x00, 0xFF, 0xFF, 0xFF,
1006+
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
1007+
0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC,
1008+
0xE6, 0xAF, 0x48, 0xA0, 0x3B, 0xBF, 0xD2, 0x5E,
1009+
0x8C, 0xD0, 0x36, 0x41, 0x45, 0x02, 0x01, 0x04
1010+
};
10021011
CHECK(secp256k1_ecdsa_recover_compact(msg32, 32, sigb64, pubkeyb, &pubkeyblen, 1, recid));
10031012
CHECK(secp256k1_ecdsa_verify(msg32, 32, sigbder, sizeof(sigbder), pubkeyb, pubkeyblen) == 1);
1013+
for (int recid2 = 0; recid2 < 4; recid2++) {
1014+
unsigned char pubkey2b[33];
1015+
int pubkey2blen = 33;
1016+
CHECK(secp256k1_ecdsa_recover_compact(msg32, 32, sigb64, pubkey2b, &pubkey2blen, 1, recid2));
1017+
// Verifying with (order + r,4) should always fail.
1018+
CHECK(secp256k1_ecdsa_verify(msg32, 32, sigbderlong, sizeof(sigbderlong), pubkey2b, pubkey2blen) != 1);
1019+
}
10041020
/* Damage signature. */
10051021
sigbder[7]++;
10061022
CHECK(secp256k1_ecdsa_verify(msg32, 32, sigbder, sizeof(sigbder), pubkeyb, pubkeyblen) == 0);
10071023
}
1024+
1025+
/* Test the case where ECDSA recomputes a point that is infinity. */
1026+
{
1027+
secp256k1_ecdsa_sig_t sig;
1028+
secp256k1_scalar_set_int(&sig.s, 1);
1029+
secp256k1_scalar_negate(&sig.s, &sig.s);
1030+
secp256k1_scalar_inverse(&sig.s, &sig.s);
1031+
secp256k1_scalar_set_int(&sig.r, 1);
1032+
secp256k1_gej_t keyj;
1033+
secp256k1_ecmult_gen(&keyj, &sig.r);
1034+
secp256k1_ge_t key;
1035+
secp256k1_ge_set_gej(&key, &keyj);
1036+
secp256k1_scalar_t msg = sig.s;
1037+
CHECK(secp256k1_ecdsa_sig_verify(&sig, &key, &msg) == 0);
1038+
}
10081039
}
10091040

10101041
void run_ecdsa_edge_cases(void) {

0 commit comments

Comments
 (0)