tests: Add Wycheproof ECDSA vectors

Adds a test using the Wycheproof vectors as outlined in #1106. The vectors are pulled from the Wycheproof repo using a python script to emit C code. The script is embedded as a comment. Co-authored-by: Sean Andersen <[email protected]>
bitcoin-core · Mar 22, 2023 · a1cce06 · a1cce06
1 parent 9c8c4f4
commit a1cce06
Show file tree

Hide file tree

Showing 5 changed files with 7,410 additions and 0 deletions.
diff --git a/Makefile.am b/Makefile.am
@@ -213,6 +213,9 @@ src/precomputed_ecmult_gen.c:
 PRECOMP = src/precomputed_ecmult_gen.c src/precomputed_ecmult.c
 precomp: $(PRECOMP)
 
+src/vectors/ecdsa_secp256k1_sha256_bitcoin_test.inc: src/vectors/ecdsa_secp256k1_sha256_bitcoin_test.json
+	python3 src/vectors/tests_wycheproof_generate.py $< > $@
+
 # Ensure the prebuilt files will be build first (only if they don't exist,
 # e.g., after `make maintainer-clean`).
 BUILT_SOURCES = $(PRECOMP)

diff --git a/src/tests.c b/src/tests.c
@@ -7306,6 +7306,40 @@ static void run_ecdsa_edge_cases(void) {
     test_ecdsa_edge_cases();
 }
 
+/** Wycheproof tests
+
+The tests check for known attacks (range checks in (r,s), arithmetic errors, malleability).
+*/
+static void test_ecdsa_wycheproof(void) {
+    #include "vectors/ecdsa_secp256k1_sha256_bitcoin_test.inc"
+
+    int t;
+    for (t = 0; t < SECP256K1_TEST_ECDSA_WYCHEPROOF_NUMBER_TESTS; t++) {
+        secp256k1_ecdsa_signature signature;
+        secp256k1_sha256 hasher;
+        secp256k1_pubkey pubkey;
+        unsigned char out[32] = {0};
+        int actual_verify = 0;
+
+        memset(&pubkey, 0, sizeof(pubkey));
+        CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, testcases[t].pk, 65) == 1);
+
+        secp256k1_sha256_initialize(&hasher);
+        secp256k1_sha256_write(&hasher, (const unsigned char*)testcases[t].msg, testcases[t].msglen);
+        secp256k1_sha256_finalize(&hasher, out);
+
+        if (secp256k1_ecdsa_signature_parse_der(CTX, &signature, testcases[t].sig, testcases[t].siglen) == 1) {
+            actual_verify = secp256k1_ecdsa_verify(CTX, (const secp256k1_ecdsa_signature *)&signature, out, &pubkey);
+        }
+        CHECK(testcases[t].expected_verify == actual_verify);
+    }
+}
+
+/* Tests cases from Wycheproof test suite. */
+static void run_ecdsa_wycheproof(void) {
+    test_ecdsa_wycheproof();
+}
+
 #ifdef ENABLE_MODULE_ECDH
 # include "modules/ecdh/tests_impl.h"
 #endif
@@ -7638,6 +7672,7 @@ int main(int argc, char **argv) {
     run_ecdsa_sign_verify();
     run_ecdsa_end_to_end();
     run_ecdsa_edge_cases();
+    run_ecdsa_wycheproof();
 
 #ifdef ENABLE_MODULE_RECOVERY
     /* ECDSA pubkey recovery tests */