[secp256k1.git] / src / valgrind_ctime_test.c

/***********************************************************************
 * Copyright (c) 2020 Gregory Maxwell                                  *
 * Distributed under the MIT software license, see the accompanying    *
 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
 ***********************************************************************/

#include <valgrind/memcheck.h>
#include <stdio.h>

#include "include/secp256k1.h"
#include "assumptions.h"
#include "util.h"

#ifdef ENABLE_MODULE_ECDH
# include "include/secp256k1_ecdh.h"
#endif

#ifdef ENABLE_MODULE_RECOVERY
# include "include/secp256k1_recovery.h"
#endif

#ifdef ENABLE_MODULE_EXTRAKEYS
# include "include/secp256k1_extrakeys.h"
#endif

#ifdef ENABLE_MODULE_SCHNORRSIG
#include "include/secp256k1_schnorrsig.h"
#endif

void run_tests(secp256k1_context *ctx, unsigned char *key);

int main(void) {
    secp256k1_context* ctx;
    unsigned char key[32];
    int ret, i;

    if (!RUNNING_ON_VALGRIND) {
        fprintf(stderr, "This test can only usefully be run inside valgrind.\n");
        fprintf(stderr, "Usage: libtool --mode=execute valgrind ./valgrind_ctime_test\n");
        return 1;
    }
    ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN
                                   | SECP256K1_CONTEXT_VERIFY
                                   | SECP256K1_CONTEXT_DECLASSIFY);
    /** In theory, testing with a single secret input should be sufficient:
     *  If control flow depended on secrets the tool would generate an error.
     */
    for (i = 0; i < 32; i++) {
        key[i] = i + 65;
    }

    run_tests(ctx, key);

    /* Test context randomisation. Do this last because it leaves the context
     * tainted. */
    VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
    ret = secp256k1_context_randomize(ctx, key);
    VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
    CHECK(ret);

    secp256k1_context_destroy(ctx);
    return 0;
}

void run_tests(secp256k1_context *ctx, unsigned char *key) {
    secp256k1_ecdsa_signature signature;
    secp256k1_pubkey pubkey;
    size_t siglen = 74;
    size_t outputlen = 33;
    int i;
    int ret;
    unsigned char msg[32];
    unsigned char sig[74];
    unsigned char spubkey[33];
#ifdef ENABLE_MODULE_RECOVERY
    secp256k1_ecdsa_recoverable_signature recoverable_signature;
    int recid;
#endif
#ifdef ENABLE_MODULE_EXTRAKEYS
    secp256k1_keypair keypair;
#endif

    for (i = 0; i < 32; i++) {
        msg[i] = i + 1;
    }

    /* Test keygen. */
    VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
    ret = secp256k1_ec_pubkey_create(ctx, &pubkey, key);
    VALGRIND_MAKE_MEM_DEFINED(&pubkey, sizeof(secp256k1_pubkey));
    VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
    CHECK(ret);
    CHECK(secp256k1_ec_pubkey_serialize(ctx, spubkey, &outputlen, &pubkey, SECP256K1_EC_COMPRESSED) == 1);

    /* Test signing. */
    VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
    ret = secp256k1_ecdsa_sign(ctx, &signature, msg, key, NULL, NULL);
    VALGRIND_MAKE_MEM_DEFINED(&signature, sizeof(secp256k1_ecdsa_signature));
    VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
    CHECK(ret);
    CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature));

#ifdef ENABLE_MODULE_ECDH
    /* Test ECDH. */
    VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
    ret = secp256k1_ecdh(ctx, msg, &pubkey, key, NULL, NULL);
    VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
    CHECK(ret == 1);
#endif

#ifdef ENABLE_MODULE_RECOVERY
    /* Test signing a recoverable signature. */
    VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
    ret = secp256k1_ecdsa_sign_recoverable(ctx, &recoverable_signature, msg, key, NULL, NULL);
    VALGRIND_MAKE_MEM_DEFINED(&recoverable_signature, sizeof(recoverable_signature));
    VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
    CHECK(ret);
    CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(ctx, sig, &recid, &recoverable_signature));
    CHECK(recid >= 0 && recid <= 3);
#endif

    VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
    ret = secp256k1_ec_seckey_verify(ctx, key);
    VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
    CHECK(ret == 1);

    VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
    ret = secp256k1_ec_seckey_negate(ctx, key);
    VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
    CHECK(ret == 1);

    VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
    VALGRIND_MAKE_MEM_UNDEFINED(msg, 32);
    ret = secp256k1_ec_seckey_tweak_add(ctx, key, msg);
    VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
    CHECK(ret == 1);

    VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
    VALGRIND_MAKE_MEM_UNDEFINED(msg, 32);
    ret = secp256k1_ec_seckey_tweak_mul(ctx, key, msg);
    VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
    CHECK(ret == 1);

    /* Test keypair_create and keypair_xonly_tweak_add. */
#ifdef ENABLE_MODULE_EXTRAKEYS
    VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
    ret = secp256k1_keypair_create(ctx, &keypair, key);
    VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
    CHECK(ret == 1);

    /* The tweak is not treated as a secret in keypair_tweak_add */
    VALGRIND_MAKE_MEM_DEFINED(msg, 32);
    ret = secp256k1_keypair_xonly_tweak_add(ctx, &keypair, msg);
    VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
    CHECK(ret == 1);

    VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
    VALGRIND_MAKE_MEM_UNDEFINED(&keypair, sizeof(keypair));
    ret = secp256k1_keypair_sec(ctx, key, &keypair);
    VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
    CHECK(ret == 1);
#endif

#ifdef ENABLE_MODULE_SCHNORRSIG
    VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
    ret = secp256k1_keypair_create(ctx, &keypair, key);
    VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
    CHECK(ret == 1);
    ret = secp256k1_schnorrsig_sign(ctx, sig, msg, &keypair, NULL, NULL);
    VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
    CHECK(ret == 1);
#endif
}
Commit	Line	Data
07aa4c70 DA	1	/***********************************************************************
	2	* Copyright (c) 2020 Gregory Maxwell *
	3	* Distributed under the MIT software license, see the accompanying *
	4	* file COPYING or https://www.opensource.org/licenses/mit-license.php.*
	5	***********************************************************************/
3d230225 GM	6
3d230225 GM	7	#include <valgrind/memcheck.h>
7d3497cd JN	8	#include <stdio.h>
7d3497cd JN	9
3d230225	10	#include "include/secp256k1.h"
7c068998	11	#include "assumptions.h"
3d230225 GM	12	#include "util.h"
3d230225 GM	13
e73ff309	14	#ifdef ENABLE_MODULE_ECDH
3d230225 GM	15	# include "include/secp256k1_ecdh.h"
	16	#endif
	17
e73ff309	18	#ifdef ENABLE_MODULE_RECOVERY
73596a85 ET	19	# include "include/secp256k1_recovery.h"
	20	#endif
	21
e73ff309	22	#ifdef ENABLE_MODULE_EXTRAKEYS
58254463 JN	23	# include "include/secp256k1_extrakeys.h"
	24	#endif
	25
e73ff309	26	#ifdef ENABLE_MODULE_SCHNORRSIG
f431b3f2 JN	27	#include "include/secp256k1_schnorrsig.h"
	28	#endif
	29
7d3497cd JN	30	void run_tests(secp256k1_context ctx, unsigned char key);
7d3497cd JN	31
3d230225 GM	32	int main(void) {
3d230225 GM	33	secp256k1_context* ctx;
7d3497cd JN	34	unsigned char key[32];
	35	int ret, i;
	36
	37	if (!RUNNING_ON_VALGRIND) {
	38	fprintf(stderr, "This test can only usefully be run inside valgrind.\n");
	39	fprintf(stderr, "Usage: libtool --mode=execute valgrind ./valgrind_ctime_test\n");
	40	return 1;
	41	}
	42	ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN
	43	\| SECP256K1_CONTEXT_VERIFY
	44	\| SECP256K1_CONTEXT_DECLASSIFY);
	45	/** In theory, testing with a single secret input should be sufficient:
	46	* If control flow depended on secrets the tool would generate an error.
	47	*/
	48	for (i = 0; i < 32; i++) {
	49	key[i] = i + 65;
	50	}
	51
	52	run_tests(ctx, key);
	53
	54	/* Test context randomisation. Do this last because it leaves the context
	55	* tainted. */
	56	VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
	57	ret = secp256k1_context_randomize(ctx, key);
	58	VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
	59	CHECK(ret);
	60
	61	secp256k1_context_destroy(ctx);
	62	return 0;
	63	}
	64
	65	void run_tests(secp256k1_context ctx, unsigned char key) {
3d230225 GM	66	secp256k1_ecdsa_signature signature;
	67	secp256k1_pubkey pubkey;
	68	size_t siglen = 74;
	69	size_t outputlen = 33;
	70	int i;
	71	int ret;
	72	unsigned char msg[32];
3d230225 GM	73	unsigned char sig[74];
3d230225 GM	74	unsigned char spubkey[33];
e73ff309	75	#ifdef ENABLE_MODULE_RECOVERY
73596a85 ET	76	secp256k1_ecdsa_recoverable_signature recoverable_signature;
	77	int recid;
	78	#endif
e73ff309	79	#ifdef ENABLE_MODULE_EXTRAKEYS
58254463 JN	80	secp256k1_keypair keypair;
58254463 JN	81	#endif
3d230225	82
3d230225 GM	83	for (i = 0; i < 32; i++) {
	84	msg[i] = i + 1;
	85	}
	86
3d230225 GM	87	/* Test keygen. */
	88	VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
	89	ret = secp256k1_ec_pubkey_create(ctx, &pubkey, key);
	90	VALGRIND_MAKE_MEM_DEFINED(&pubkey, sizeof(secp256k1_pubkey));
	91	VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
	92	CHECK(ret);
	93	CHECK(secp256k1_ec_pubkey_serialize(ctx, spubkey, &outputlen, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
	94
	95	/* Test signing. */
	96	VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
	97	ret = secp256k1_ecdsa_sign(ctx, &signature, msg, key, NULL, NULL);
	98	VALGRIND_MAKE_MEM_DEFINED(&signature, sizeof(secp256k1_ecdsa_signature));
	99	VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
	100	CHECK(ret);
	101	CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature));
	102
e73ff309	103	#ifdef ENABLE_MODULE_ECDH
3d230225 GM	104	/* Test ECDH. */
	105	VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
	106	ret = secp256k1_ecdh(ctx, msg, &pubkey, key, NULL, NULL);
	107	VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
	108	CHECK(ret == 1);
	109	#endif
	110
e73ff309	111	#ifdef ENABLE_MODULE_RECOVERY
73596a85 ET	112	/* Test signing a recoverable signature. */
	113	VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
	114	ret = secp256k1_ecdsa_sign_recoverable(ctx, &recoverable_signature, msg, key, NULL, NULL);
	115	VALGRIND_MAKE_MEM_DEFINED(&recoverable_signature, sizeof(recoverable_signature));
	116	VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
	117	CHECK(ret);
	118	CHECK(secp256k1_ecdsa_recoverable_signature_serialize_compact(ctx, sig, &recid, &recoverable_signature));
	119	CHECK(recid >= 0 && recid <= 3);
	120	#endif
	121
3d230225 GM	122	VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
	123	ret = secp256k1_ec_seckey_verify(ctx, key);
	124	VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
	125	CHECK(ret == 1);
	126
	127	VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
41fc7856	128	ret = secp256k1_ec_seckey_negate(ctx, key);
3d230225 GM	129	VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
	130	CHECK(ret == 1);
	131
	132	VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
	133	VALGRIND_MAKE_MEM_UNDEFINED(msg, 32);
41fc7856	134	ret = secp256k1_ec_seckey_tweak_add(ctx, key, msg);
3d230225 GM	135	VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
	136	CHECK(ret == 1);
	137
	138	VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
	139	VALGRIND_MAKE_MEM_UNDEFINED(msg, 32);
41fc7856	140	ret = secp256k1_ec_seckey_tweak_mul(ctx, key, msg);
3d230225 GM	141	VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
	142	CHECK(ret == 1);
	143
6fcb5b84	144	/* Test keypair_create and keypair_xonly_tweak_add. */
e73ff309	145	#ifdef ENABLE_MODULE_EXTRAKEYS
58254463 JN	146	VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
	147	ret = secp256k1_keypair_create(ctx, &keypair, key);
	148	VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
	149	CHECK(ret == 1);
6fcb5b84 JN	150
	151	/* The tweak is not treated as a secret in keypair_tweak_add */
	152	VALGRIND_MAKE_MEM_DEFINED(msg, 32);
	153	ret = secp256k1_keypair_xonly_tweak_add(ctx, &keypair, msg);
	154	VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
	155	CHECK(ret == 1);
33cb3c2b ET	156
	157	VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
	158	VALGRIND_MAKE_MEM_UNDEFINED(&keypair, sizeof(keypair));
	159	ret = secp256k1_keypair_sec(ctx, key, &keypair);
	160	VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
	161	CHECK(ret == 1);
58254463 JN	162	#endif
58254463 JN	163
e73ff309	164	#ifdef ENABLE_MODULE_SCHNORRSIG
f431b3f2 JN	165	VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
	166	ret = secp256k1_keypair_create(ctx, &keypair, key);
	167	VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
	168	CHECK(ret == 1);
	169	ret = secp256k1_schnorrsig_sign(ctx, sig, msg, &keypair, NULL, NULL);
	170	VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
	171	CHECK(ret == 1);
	172	#endif
3d230225	173	}