From 0e08558b4b4affde3f0651619c4277b0800272c6 Mon Sep 17 00:00:00 2001
From: Pieter Wuille
Date: Fri, 4 Nov 2022 15:52:12 -0400
Subject: [PATCH] Add ElligatorSwift ctime tests
---
 src/modules/ellswift/main_impl.h | 2 ++
 src/valgrind_ctime_test.c | 25 +++++++++++++++++++++++++
 2 files changed, 27 insertions(+)
diff --git a/src/modules/ellswift/main_impl.h b/src/modules/ellswift/main_impl.h
index 8d91b22e0c..f341ee8dbe 100644
--- a/src/modules/ellswift/main_impl.h
+++ b/src/modules/ellswift/main_impl.h
@@ -350,6 +350,7 @@ int secp256k1_ellswift_create(const secp256k1_context* ctx, unsigned char *ell64
 /* Compute (affine) public key */
 ret = secp256k1_ec_pubkey_create_helper(&ctx->ecmult_gen_ctx, &seckey_scalar, &p, seckey32);
+ secp256k1_declassify(ctx, &p, sizeof(p)); /* not constant time in produced pubkey */
 secp256k1_fe_normalize_var(&p.x);
 secp256k1_fe_normalize_var(&p.y);
@@ -359,6 +360,7 @@ int secp256k1_ellswift_create(const secp256k1_context* ctx, unsigned char *ell64
 secp256k1_sha256_write(&hash, seckey32, 32);
 secp256k1_sha256_write(&hash, rnd32 ? rnd32 : ZERO, 32);
 secp256k1_sha256_write(&hash, ZERO, 32 - 9 - 4);
+ secp256k1_declassify(ctx, &hash, sizeof(hash)); /* hasher gets to declassify private key */
 /* Compute ElligatorSwift encoding and construct output. */
 secp256k1_ellswift_elligatorswift_var(&u, &t, &p, &hash);
diff --git a/src/valgrind_ctime_test.c b/src/valgrind_ctime_test.c
index 6ff0085d34..b9e7937a1c 100644
--- a/src/valgrind_ctime_test.c
+++ b/src/valgrind_ctime_test.c
@@ -27,6 +27,10 @@
 #include "../include/secp256k1_schnorrsig.h"
 #endif
+#ifdef ENABLE_MODULE_ELLSWIFT
+#include "../include/secp256k1_ellswift.h"
+#endif
+
 void run_tests(secp256k1_context *ctx, unsigned char *key);
 int main(void) {
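Review bot: The trailing comment on the added `secp256k1_declassify(ctx, &p, sizeof(p));` (first main_impl.h hunk) names the consequence but not the reason the declassification is sound, and this line decides what the ctime test treats as secret from here on. I would word it as `/* p is the public key being encoded, so the variable-time code below handles nothing secret */`. Note also that `ret` from `secp256k1_ec_pubkey_create_helper` is not declassified here, and the test marks it defined only after the call returns, so the rest of the function should presumably keep using it branch-free. The function body continues outside the hunk, so that part cannot be checked from here.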
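Review bot: In the second main_impl.h hunk, `secp256k1_declassify(ctx, &hash, sizeof(hash));` marks the whole hasher object as public, not only its chaining state, and the comment "hasher gets to declassify private key" reads as if the key itself were being released. The argument only holds if every byte of `seckey32` and `rnd32` has already been compressed when this line runs. The padding write just above suggests the input is meant to end on a block boundary, but the earlier writes are outside the hunk, so this cannot be confirmed here. If any key bytes were still in the hasher's block buffer, valgrind would silently treat them as public and the test could miss a real leak. I would state the invariant in the comment, e.g. `/* all secret input is compressed into the midstate; only hash outputs feed the variable-time encoder */`, and consider a `VERIFY_CHECK` on the hasher's byte count to enforce it.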
@@ -79,6 +83,9 @@ void run_tests(secp256k1_context *ctx, unsigned char *key) {
 #ifdef ENABLE_MODULE_EXTRAKEYS
 secp256k1_keypair keypair;
 #endif
+#ifdef ENABLE_MODULE_ELLSWIFT
+ unsigned char ellswift[64];
+#endif
 for (i = 0; i < 32; i++) {
 msg[i] = i + 1;
@@ -170,4 +177,22 @@ void run_tests(secp256k1_context *ctx, unsigned char *key) {
 VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
 CHECK(ret == 1);
 #endif
+
+#ifdef ENABLE_MODULE_ELLSWIFT
+ VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
+ ret = secp256k1_ellswift_create(ctx, ellswift, key, NULL);
+ VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
+ CHECK(ret == 1);
+
+ VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
+ ret = secp256k1_ellswift_create(ctx, ellswift, key, key);
+ VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
+ CHECK(ret == 1);
+
+ VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
+ VALGRIND_MAKE_MEM_DEFINED(&ellswift, sizeof(ellswift));
+ ret = secp256k1_ellswift_xdh(ctx, msg, ellswift, ellswift, key, NULL, NULL);
+ VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
+ CHECK(ret == 1);
+#endif
 }
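Review bot: In the last hunk, `VALGRIND_MAKE_MEM_DEFINED(&ellswift, sizeof(ellswift));` before the xdh call sets the test's secrecy boundary, yet nothing says why the encoding is treated as public there or why it needs re-marking after `secp256k1_ellswift_create`. A comment such as `/* encodings are public inputs to xdh; only key is secret */` would make that explicit. The two earlier create calls leave `ellswift` in whatever taint state the function produces, which is presumably intended, but it is worth a comment too. Both encoding arguments of `secp256k1_ellswift_xdh` are the same `ellswift` buffer, derived from `key`, so a peer encoding unrelated to the secret is never exercised. `NULL, NULL` for the last two arguments presumably covers only a default hashing path.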