From 2d1d41acf85a385be6c436307eb826122c21846f Mon Sep 17 00:00:00 2001
From: Pieter Wuille <pieter@wuille.net>
Date: Fri, 4 Nov 2022 15:52:12 -0400
Subject: [PATCH] Add ctime tests for ellswift module

---
 src/ctime_tests.c                | 35 ++++++++++++++++++++++++++++++++
 src/modules/ellswift/main_impl.h |  2 ++
 2 files changed, 37 insertions(+)

diff --git a/src/ctime_tests.c b/src/ctime_tests.c
index 713eb427d32f6..af7891a91ce29 100644
--- a/src/ctime_tests.c
+++ b/src/ctime_tests.c
@@ -30,6 +30,10 @@
 #include "../include/secp256k1_schnorrsig.h"
 #endif
 
+#ifdef ENABLE_MODULE_ELLSWIFT
+#include "../include/secp256k1_ellswift.h"
+#endif
+
 static void run_tests(secp256k1_context *ctx, unsigned char *key);
 
 int main(void) {
@@ -80,6 +84,10 @@ static void run_tests(secp256k1_context *ctx, unsigned char *key) {
 #ifdef ENABLE_MODULE_EXTRAKEYS
     secp256k1_keypair keypair;
 #endif
+#ifdef ENABLE_MODULE_ELLSWIFT
+    unsigned char ellswift[64];
+    static const unsigned char prefix[64] = {'t', 'e', 's', 't'};
+#endif
 
     for (i = 0; i < 32; i++) {
         msg[i] = i + 1;
@@ -171,4 +179,31 @@ static void run_tests(secp256k1_context *ctx, unsigned char *key) {
     SECP256K1_CHECKMEM_DEFINE(&ret, sizeof(ret));
     CHECK(ret == 1);
 #endif
+
+#ifdef ENABLE_MODULE_ELLSWIFT
+    VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
+    ret = secp256k1_ellswift_create(ctx, ellswift, key, NULL);
+    VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
+    CHECK(ret == 1);
+
+    VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
+    ret = secp256k1_ellswift_create(ctx, ellswift, key, ellswift);
+    VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
+    CHECK(ret == 1);
+
+    for (i = 0; i < 2; i++) {
+        VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
+        VALGRIND_MAKE_MEM_DEFINED(&ellswift, sizeof(ellswift));
+        ret = secp256k1_ellswift_xdh(ctx, msg, ellswift, ellswift, key, i, secp256k1_ellswift_xdh_hash_function_bip324, NULL);
+        VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
+        CHECK(ret == 1);
+
+        VALGRIND_MAKE_MEM_UNDEFINED(key, 32);
+        VALGRIND_MAKE_MEM_DEFINED(&ellswift, sizeof(ellswift));
+        ret = secp256k1_ellswift_xdh(ctx, msg, ellswift, ellswift, key, i, secp256k1_ellswift_xdh_hash_function_prefix, (void *)prefix);
+        VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret));
+        CHECK(ret == 1);
+    }
+
+#endif
 }
diff --git a/src/modules/ellswift/main_impl.h b/src/modules/ellswift/main_impl.h
index c824fc972b38f..00bb8a3da587b 100644
--- a/src/modules/ellswift/main_impl.h
+++ b/src/modules/ellswift/main_impl.h
@@ -463,6 +463,7 @@ int secp256k1_ellswift_create(const secp256k1_context *ctx, unsigned char *ell64
 
     /* Compute (affine) public key */
     ret = secp256k1_ec_pubkey_create_helper(&ctx->ecmult_gen_ctx, &seckey_scalar, &p, seckey32);
+    secp256k1_declassify(ctx, &p, sizeof(p)); /* not constant time in produced pubkey */
     secp256k1_fe_normalize_var(&p.x);
     secp256k1_fe_normalize_var(&p.y);
 
@@ -471,6 +472,7 @@ int secp256k1_ellswift_create(const secp256k1_context *ctx, unsigned char *ell64
     secp256k1_ellswift_sha256_init_create(&hash);
     secp256k1_sha256_write(&hash, seckey32, 32);
     secp256k1_sha256_write(&hash, zero32, sizeof(zero32));
+    secp256k1_declassify(ctx, &hash, sizeof(hash)); /* private key is hashed now */
     if (auxrnd32) secp256k1_sha256_write(&hash, auxrnd32, 32);
 
     /* Compute ElligatorSwift encoding and construct output. */