Add ElligatorSwift ctime tests

sipa · sipa · commit f4aba161171b · 2022-12-12T13:05:29.000-05:00
diff --git a/src/modules/ellswift/main_impl.h b/src/modules/ellswift/main_impl.h
@@ -354,6 +354,7 @@ int secp256k1_ellswift_create(const secp256k1_context* ctx, unsigned char *ell64
 
     /* Compute (affine) public key */
     ret = secp256k1_ec_pubkey_create_helper(&ctx->ecmult_gen_ctx, &seckey_scalar, &p, seckey32);
+    secp256k1_declassify(ctx, &p, sizeof(p)); /* not constant time in produced pubkey */
     secp256k1_fe_normalize_var(&p.x);
     secp256k1_fe_normalize_var(&p.y);
 
@@ -363,6 +364,7 @@ int secp256k1_ellswift_create(const secp256k1_context* ctx, unsigned char *ell64
     secp256k1_sha256_write(&hash, seckey32, 32);
     secp256k1_sha256_write(&hash, rnd32 ? rnd32 : ZERO, 32);
     secp256k1_sha256_write(&hash, ZERO, 32 - 9 - 4);
+    secp256k1_declassify(ctx, &hash, sizeof(hash)); /* hasher gets to declassify private key */
 
     /* Compute ElligatorSwift encoding and construct output. */
     secp256k1_ellswift_elligatorswift_var(&u, &t, &p, &hash);
diff --git a/src/valgrind_ctime_test.c b/src/valgrind_ctime_test.c
@@ -27,6 +27,10 @@
 #include "../include/secp256k1_schnorrsig.h"
 #endif
 
+#ifdef ENABLE_MODULE_ELLSWIFT
+#include "../include/secp256k1_ellswift.h"
+#endif
+
 void run_tests(secp256k1_context *ctx, unsigned char *key);
 
 int main(void) {
@@ -77,6 +81,9 @@ void run_tests(secp256k1_context *ctx, unsigned char *key) {
 #ifdef ENABLE_MODULE_EXTRAKEYS
     secp256k1_keypair keypair;
 #endif
+#ifdef ENABLE_MODULE_ELLSWIFT
+    unsigned char ellswift[64];
+#endif
 
     for (i = 0; i < 32; i++) {
         msg[i] = i + 1;
@@ -168,4 +175,22 @@ void run_tests(secp256k1_context *ctx, unsigned char *key) {
     VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
     CHECK(ret == 1);
 #endif
+
+#ifdef ENABLE_MODULE_ELLSWIFT
+    VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
+    ret = secp256k1_ellswift_create(ctx, ellswift, key, NULL);
+    VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
+    CHECK(ret == 1);
+
+    VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
+    ret = secp256k1_ellswift_create(ctx, ellswift, key, key);
+    VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
+    CHECK(ret == 1);
+
+    VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
+    VALGRIND_MAKE_MEM_DEFINED(&ellswift, sizeof(ellswift));
+    ret = secp256k1_ellswift_xdh(ctx, msg, ellswift, ellswift, key, NULL, NULL);
+    VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
+    CHECK(ret == 1);
+#endif
 }
