add extract_sec edge case tests

siv2r · siv2r · commit ad34c62e0134 · 2024-10-14T20:42:56.000+05:30
diff --git a/schnorr_adaptor_example b/schnorr_adaptor_example
diff --git a/src/modules/schnorr_adaptor/main_impl.h b/src/modules/schnorr_adaptor/main_impl.h
@@ -328,6 +328,14 @@ int secp256k1_schnorr_adaptor_extract_sec(const secp256k1_context *ctx, unsigned
         return 0;
     }
 
+    /*TODO: should we parse presig[0:33] & sig[0:32], to make sure the presig &
+     * has valid public nonce point?
+     *
+     * But we don't care about their validity here right? Then why do we ARG_CHECK
+     * presig[0] parity byte?
+     *
+     * Here, the inputs are invalid but the output is valid :/  */
+
     secp256k1_scalar_negate(&s, &s);
     secp256k1_scalar_add(&t, &t, &s);
     /* `adaptor_adapt` negates the secret adaptor t when R’.y is odd, during
diff --git a/src/modules/schnorr_adaptor/tests_impl.h b/src/modules/schnorr_adaptor/tests_impl.h
@@ -1147,17 +1147,52 @@ static void test_schnorr_adaptor_edge_cases(void) {
     CHECK(secp256k1_memcmp_var(extracted_sec_adaptor, sec_adaptor, sizeof(extracted_sec_adaptor)) == 0);
     {
         /* overflowing pre_sig[33:65] */
+        unsigned char extracted_sec_adaptor_tmp[32];
+        unsigned char pre_sig_tmp[65];
+        memcpy(pre_sig_tmp, pre_sig, sizeof(pre_sig_tmp));
+        memset(&pre_sig_tmp[33], 0xFF, 32);
+        CHECK(secp256k1_schnorr_adaptor_extract_sec(CTX, extracted_sec_adaptor_tmp, pre_sig_tmp, sig) == 0);
     }
     {
         /* overflowing sig[32:64] */
+        unsigned char extracted_sec_adaptor_tmp[32];
+        unsigned char sig_tmp[64];
+        memcpy(sig_tmp, sig, sizeof(sig_tmp));
+        memset(&sig_tmp[32], 0xFF, 32);
+        CHECK(secp256k1_schnorr_adaptor_extract_sec(CTX, extracted_sec_adaptor_tmp, pre_sig, sig_tmp) == 0);
     }
     {
-        /* any flipped bit in the pre-signature will extract
+        /* any flipped bit in pre_sig[33:65] will extract
          * an invalid secret adaptor */
+        unsigned char extracted_sec_adaptor_tmp[32];
+        unsigned char pre_sig_tmp[65];
+        memcpy(pre_sig_tmp, pre_sig, sizeof(pre_sig_tmp));
+        rand_flip_bit(&pre_sig_tmp[33], sizeof(pre_sig_tmp) - 33);
+        CHECK(secp256k1_schnorr_adaptor_extract_sec(CTX, extracted_sec_adaptor_tmp, pre_sig_tmp, sig) == 1);
+        CHECK(secp256k1_memcmp_var(extracted_sec_adaptor_tmp, sec_adaptor, sizeof(extracted_sec_adaptor_tmp)) != 0);
     }
     {
-        /* any flipped bit in the signature will extract
+        /* any flipped bit in sig[32:64] will extract
          * an invalid secret adaptor */
+        unsigned char extracted_sec_adaptor_tmp[32];
+        unsigned char sig_tmp[64];
+        memcpy(sig_tmp, sig, sizeof(sig_tmp));
+        rand_flip_bit(&sig_tmp[32], sizeof(sig_tmp) - 32);
+        CHECK(secp256k1_schnorr_adaptor_extract_sec(CTX, extracted_sec_adaptor_tmp, pre_sig, sig_tmp) == 1);
+        CHECK(secp256k1_memcmp_var(extracted_sec_adaptor_tmp, sec_adaptor, sizeof(extracted_sec_adaptor_tmp)) != 0);
+    }
+    {
+        /* invalid presig[0:33] or sig[0:32] does not
+         * result in an invalid output */
+        unsigned char extracted_sec_adaptor_tmp[32];
+        unsigned char pre_sig_tmp[65];
+        unsigned char sig_tmp[64];
+        memcpy(pre_sig_tmp, pre_sig, sizeof(pre_sig_tmp));
+        memcpy(sig_tmp, sig, sizeof(sig_tmp));
+        memset(&pre_sig_tmp[1], 0xFF, 32);
+        memset(sig_tmp, 0xFF, 32);
+        CHECK(secp256k1_schnorr_adaptor_extract_sec(CTX, extracted_sec_adaptor_tmp, pre_sig_tmp, sig_tmp) == 1);
+        CHECK(secp256k1_memcmp_var(extracted_sec_adaptor_tmp, sec_adaptor, sizeof(extracted_sec_adaptor_tmp)) == 0);
     }
 }
 
