[secp256k1.git] / src / valgrind_ctime_test.c

/***********************************************************************
 * Copyright (c) 2020 Gregory Maxwell                                  *
 * Distributed under the MIT software license, see the accompanying    *
 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
 ***********************************************************************/

#include <valgrind/memcheck.h>
#include "include/secp256k1.h"
#include "assumptions.h"
#include "util.h"

#ifdef ENABLE_MODULE_ECDH
# include "include/secp256k1_ecdh.h"
#endif

#ifdef ENABLE_MODULE_RECOVERY
# include "include/secp256k1_recovery.h"
#endif

#ifdef ENABLE_MODULE_EXTRAKEYS
# include "include/secp256k1_extrakeys.h"
#endif

#ifdef ENABLE_MODULE_SCHNORRSIG
#include "include/secp256k1_schnorrsig.h"
#endif

int main(void) {
    secp256k1_context* ctx;
    secp256k1_ecdsa_signature signature;
    secp256k1_pubkey pubkey;
    size_t siglen = 74;
    size_t outputlen = 33;
    int i;
    int ret;
    unsigned char msg[32];
    unsigned char key[32];
    unsigned char sig[74];
    unsigned char spubkey[33];
#ifdef ENABLE_MODULE_RECOVERY
    secp256k1_ecdsa_recoverable_signature recoverable_signature;
    int recid;
#endif
#ifdef ENABLE_MODULE_EXTRAKEYS
    secp256k1_keypair keypair;
#endif

    if (!RUNNING_ON_VALGRIND) {
        fprintf(stderr, "This test can only usefully be run inside valgrind.\n");
        fprintf(stderr, "Usage: libtool --mode=execute valgrind ./valgrind_ctime_test\n");
        exit(1);
    }

    /** In theory, testing with a single secret input should be sufficient:
     *  If control flow depended on secrets the tool would generate an error.
     */
    for (i = 0; i < 32; i++) {
        key[i] = i + 65;
    }
    for (i = 0; i < 32; i++) {
        msg[i] = i + 1;
    }

    ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN
                                   | SECP256K1_CONTEXT_VERIFY
                                   | SECP256K1_CONTEXT_DECLASSIFY);

    /* Test keygen. */
    VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
    ret = secp256k1_ec_pubkey_create(ctx, &pubkey, key);
    VALGRIND_MAKE_MEM_DEFINED(&pubkey, sizeof(secp256k1_pubkey));
    VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
    CHECK(ret);
    CHECK(secp256k1_ec_pubkey_serialize(ctx, spubkey, &outputlen, &pubkey, SECP256K1_EC_COMPRESSED) == 1);

    /* Test signing. */
    VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
    ret = secp256k1_ecdsa_sign(ctx, &signature, msg, key, NULL, NULL);
    VALGRIND_MAKE_MEM_DEFINED(&signature, sizeof(secp256k1_ecdsa_signature));
    VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
    CHECK(ret);
    CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature));

#ifdef ENABLE_MODULE_ECDH
    /* Test ECDH. */
    VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
    ret = secp256k1_ecdh(ctx, msg, &pubkey, key, NULL, NULL);
    VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
    CHECK(ret == 1);
#endif

#ifdef ENABLE_MODULE_RECOVERY
    /* Test signing a recoverable signature. */
    VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
    ret = secp256k1_ecdsa_sign_recoverable(ctx, &recoverable_signature, msg, key, NULL, NULL);
    VALGRIND_MAKE_MEM_DEFINED(&recoverable_signature, sizeof(recoverable_signature));
    VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
    CHECK(ret);
    CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(ctx, sig, &recid, &recoverable_signature));
    CHECK(recid >= 0 && recid <= 3);
#endif

    VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
    ret = secp256k1_ec_seckey_verify(ctx, key);
    VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
    CHECK(ret == 1);

    VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
    ret = secp256k1_ec_seckey_negate(ctx, key);
    VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
    CHECK(ret == 1);

    VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
    VALGRIND_MAKE_MEM_UNDEFINED(msg, 32);
    ret = secp256k1_ec_seckey_tweak_add(ctx, key, msg);
    VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
    CHECK(ret == 1);

    VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
    VALGRIND_MAKE_MEM_UNDEFINED(msg, 32);
    ret = secp256k1_ec_seckey_tweak_mul(ctx, key, msg);
    VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
    CHECK(ret == 1);

    /* Test context randomisation. Do this last because it leaves the context tainted. */
    VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
    ret = secp256k1_context_randomize(ctx, key);
    VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
    CHECK(ret);

    /* Test keypair_create and keypair_xonly_tweak_add. */
#ifdef ENABLE_MODULE_EXTRAKEYS
    VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
    ret = secp256k1_keypair_create(ctx, &keypair, key);
    VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
    CHECK(ret == 1);

    /* The tweak is not treated as a secret in keypair_tweak_add */
    VALGRIND_MAKE_MEM_DEFINED(msg, 32);
    ret = secp256k1_keypair_xonly_tweak_add(ctx, &keypair, msg);
    VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
    CHECK(ret == 1);

    VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
    VALGRIND_MAKE_MEM_UNDEFINED(&keypair, sizeof(keypair));
    ret = secp256k1_keypair_sec(ctx, key, &keypair);
    VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
    CHECK(ret == 1);
#endif

#ifdef ENABLE_MODULE_SCHNORRSIG
    VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
    ret = secp256k1_keypair_create(ctx, &keypair, key);
    VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
    CHECK(ret == 1);
    ret = secp256k1_schnorrsig_sign(ctx, sig, msg, &keypair, NULL, NULL);
    VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
    CHECK(ret == 1);
#endif

    secp256k1_context_destroy(ctx);
    return 0;
}
Commit	Line	Data
07aa4c70 DA	1	/***********************************************************************
	2	* Copyright (c) 2020 Gregory Maxwell *
	3	* Distributed under the MIT software license, see the accompanying *
	4	* file COPYING or https://www.opensource.org/licenses/mit-license.php.*
	5	***********************************************************************/
3d230225 GM	6
	7	#include <valgrind/memcheck.h>
	8	#include "include/secp256k1.h"
7c068998	9	#include "assumptions.h"
3d230225 GM	10	#include "util.h"
3d230225 GM	11
e73ff309	12	#ifdef ENABLE_MODULE_ECDH
3d230225 GM	13	# include "include/secp256k1_ecdh.h"
	14	#endif
	15
e73ff309	16	#ifdef ENABLE_MODULE_RECOVERY
73596a85 ET	17	# include "include/secp256k1_recovery.h"
	18	#endif
	19
e73ff309	20	#ifdef ENABLE_MODULE_EXTRAKEYS
58254463 JN	21	# include "include/secp256k1_extrakeys.h"
	22	#endif
	23
e73ff309	24	#ifdef ENABLE_MODULE_SCHNORRSIG
f431b3f2 JN	25	#include "include/secp256k1_schnorrsig.h"
	26	#endif
	27
3d230225 GM	28	int main(void) {
	29	secp256k1_context* ctx;
	30	secp256k1_ecdsa_signature signature;
	31	secp256k1_pubkey pubkey;
	32	size_t siglen = 74;
	33	size_t outputlen = 33;
	34	int i;
	35	int ret;
	36	unsigned char msg[32];
	37	unsigned char key[32];
	38	unsigned char sig[74];
	39	unsigned char spubkey[33];
e73ff309	40	#ifdef ENABLE_MODULE_RECOVERY
73596a85 ET	41	secp256k1_ecdsa_recoverable_signature recoverable_signature;
	42	int recid;
	43	#endif
e73ff309	44	#ifdef ENABLE_MODULE_EXTRAKEYS
58254463 JN	45	secp256k1_keypair keypair;
58254463 JN	46	#endif
3d230225 GM	47
	48	if (!RUNNING_ON_VALGRIND) {
	49	fprintf(stderr, "This test can only usefully be run inside valgrind.\n");
	50	fprintf(stderr, "Usage: libtool --mode=execute valgrind ./valgrind_ctime_test\n");
	51	exit(1);
	52	}
	53
	54	/** In theory, testing with a single secret input should be sufficient:
	55	* If control flow depended on secrets the tool would generate an error.
	56	*/
	57	for (i = 0; i < 32; i++) {
	58	key[i] = i + 65;
	59	}
	60	for (i = 0; i < 32; i++) {
	61	msg[i] = i + 1;
	62	}
	63
6fcb5b84 JN	64	ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN
	65	\| SECP256K1_CONTEXT_VERIFY
	66	\| SECP256K1_CONTEXT_DECLASSIFY);
3d230225 GM	67
	68	/* Test keygen. */
	69	VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
	70	ret = secp256k1_ec_pubkey_create(ctx, &pubkey, key);
	71	VALGRIND_MAKE_MEM_DEFINED(&pubkey, sizeof(secp256k1_pubkey));
	72	VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
	73	CHECK(ret);
	74	CHECK(secp256k1_ec_pubkey_serialize(ctx, spubkey, &outputlen, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
	75
	76	/* Test signing. */
	77	VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
	78	ret = secp256k1_ecdsa_sign(ctx, &signature, msg, key, NULL, NULL);
	79	VALGRIND_MAKE_MEM_DEFINED(&signature, sizeof(secp256k1_ecdsa_signature));
	80	VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
	81	CHECK(ret);
	82	CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature));
	83
e73ff309	84	#ifdef ENABLE_MODULE_ECDH
3d230225 GM	85	/* Test ECDH. */
	86	VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
	87	ret = secp256k1_ecdh(ctx, msg, &pubkey, key, NULL, NULL);
	88	VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
	89	CHECK(ret == 1);
	90	#endif
	91
e73ff309	92	#ifdef ENABLE_MODULE_RECOVERY
73596a85 ET	93	/* Test signing a recoverable signature. */
	94	VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
	95	ret = secp256k1_ecdsa_sign_recoverable(ctx, &recoverable_signature, msg, key, NULL, NULL);
	96	VALGRIND_MAKE_MEM_DEFINED(&recoverable_signature, sizeof(recoverable_signature));
	97	VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
	98	CHECK(ret);
	99	CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(ctx, sig, &recid, &recoverable_signature));
	100	CHECK(recid >= 0 && recid <= 3);
	101	#endif
	102
3d230225 GM	103	VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
	104	ret = secp256k1_ec_seckey_verify(ctx, key);
	105	VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
	106	CHECK(ret == 1);
	107
	108	VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
41fc7856	109	ret = secp256k1_ec_seckey_negate(ctx, key);
3d230225 GM	110	VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
	111	CHECK(ret == 1);
	112
	113	VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
	114	VALGRIND_MAKE_MEM_UNDEFINED(msg, 32);
41fc7856	115	ret = secp256k1_ec_seckey_tweak_add(ctx, key, msg);
3d230225 GM	116	VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
	117	CHECK(ret == 1);
	118
	119	VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
	120	VALGRIND_MAKE_MEM_UNDEFINED(msg, 32);
41fc7856	121	ret = secp256k1_ec_seckey_tweak_mul(ctx, key, msg);
3d230225 GM	122	VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
	123	CHECK(ret == 1);
	124
	125	/* Test context randomisation. Do this last because it leaves the context tainted. */
	126	VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
	127	ret = secp256k1_context_randomize(ctx, key);
	128	VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
	129	CHECK(ret);
	130
6fcb5b84	131	/* Test keypair_create and keypair_xonly_tweak_add. */
e73ff309	132	#ifdef ENABLE_MODULE_EXTRAKEYS
58254463 JN	133	VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
	134	ret = secp256k1_keypair_create(ctx, &keypair, key);
	135	VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
	136	CHECK(ret == 1);
6fcb5b84 JN	137
	138	/* The tweak is not treated as a secret in keypair_tweak_add */
	139	VALGRIND_MAKE_MEM_DEFINED(msg, 32);
	140	ret = secp256k1_keypair_xonly_tweak_add(ctx, &keypair, msg);
	141	VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
	142	CHECK(ret == 1);
33cb3c2b ET	143
	144	VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
	145	VALGRIND_MAKE_MEM_UNDEFINED(&keypair, sizeof(keypair));
	146	ret = secp256k1_keypair_sec(ctx, key, &keypair);
	147	VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
	148	CHECK(ret == 1);
58254463 JN	149	#endif
58254463 JN	150
e73ff309	151	#ifdef ENABLE_MODULE_SCHNORRSIG
f431b3f2 JN	152	VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
	153	ret = secp256k1_keypair_create(ctx, &keypair, key);
	154	VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
	155	CHECK(ret == 1);
	156	ret = secp256k1_schnorrsig_sign(ctx, sig, msg, &keypair, NULL, NULL);
	157	VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
	158	CHECK(ret == 1);
	159	#endif
	160
3d230225 GM	161	secp256k1_context_destroy(ctx);
	162	return 0;
	163	}