contexts: Forbid randomizing secp256k1_context_static

real-or-random · real-or-random · commit 348727814428 · 2023-01-04T15:24:10.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 #### Changed
  - Forbade cloning or destroying `secp256k1_context_static`. Create a new context instead of cloning the static context. (If this change breaks your code, your code is probably wrong.)
+ - Forbade randomizing (copies of) `secp256k1_context_static`. Randomizing a copy of `secp256k1_context_static` did not have any effect and did not provide defense-in-depth protection against side-channel attacks. Create a new context if you want to benefit from randomization.
 
 ## [0.2.0] - 2022-12-12
 
diff --git a/include/secp256k1.h b/include/secp256k1.h
@@ -824,10 +824,10 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_mul(
 
 /** Randomizes the context to provide enhanced protection against side-channel leakage.
  *
- *  Returns: 1: randomization successful (or called on copy of secp256k1_context_static)
+ *  Returns: 1: randomization successful
  *           0: error
- *  Args:    ctx:       pointer to a context object.
- *  In:      seed32:    pointer to a 32-byte random seed (NULL resets to initial state)
+ *  Args:    ctx:       pointer to a context object (not secp256k1_context_static).
+ *  In:      seed32:    pointer to a 32-byte random seed (NULL resets to initial state).
  *
  * While secp256k1 code is written and tested to be constant-time no matter what
  * secret values are, it is possible that a compiler may output code which is not,
@@ -842,21 +842,17 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_mul(
  * functions that perform computations involving secret keys, e.g., signing and
  * public key generation. It is possible to call this function more than once on
  * the same context, and doing so before every few computations involving secret
- * keys is recommended as a defense-in-depth measure.
+ * keys is recommended as a defense-in-depth measure. Randomization of the static
+ * context secp256k1_context_static is not supported.
  *
  * Currently, the random seed is mainly used for blinding multiplications of a
  * secret scalar with the elliptic curve base point. Multiplications of this
  * kind are performed by exactly those API functions which are documented to
- * require a context that is not the secp256k1_context_static. As a rule of thumb,
+ * require a context that is not secp256k1_context_static. As a rule of thumb,
  * these are all functions which take a secret key (or a keypair) as an input.
  * A notable exception to that rule is the ECDH module, which relies on a different
  * kind of elliptic curve point multiplication and thus does not benefit from
  * enhanced protection against side-channel leakage currently.
- *
- * It is safe to call this function on a copy of secp256k1_context_static in writable
- * memory (e.g., obtained via secp256k1_context_clone). In that case, this
- * function is guaranteed to return 1, but the call will have no effect because
- * the static context (or a copy thereof) is not meant to be randomized.
  */
 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_context_randomize(
     secp256k1_context* ctx,
diff --git a/src/secp256k1.c b/src/secp256k1.c
@@ -753,6 +753,8 @@ int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context* ctx, secp256k1_pubkey
 
 int secp256k1_context_randomize(secp256k1_context* ctx, const unsigned char *seed32) {
     VERIFY_CHECK(ctx != NULL);
+    ARG_CHECK(secp256k1_context_is_proper(ctx));
+
     if (secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)) {
         secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
     }
diff --git a/src/tests.c b/src/tests.c
@@ -306,10 +306,10 @@ void run_context_tests(int use_prealloc) {
     CHECK(ecount2 == 11);
     CHECK(secp256k1_ec_pubkey_tweak_mul(my_sttc, &pubkey, ctmp) == 1);
     CHECK(ecount == 3);
-    CHECK(secp256k1_context_randomize(my_sttc, ctmp) == 1);
-    CHECK(ecount == 3);
-    CHECK(secp256k1_context_randomize(my_sttc, NULL) == 1);
-    CHECK(ecount == 3);
+    CHECK(secp256k1_context_randomize(my_sttc, ctmp) == 0);
+    CHECK(ecount == 4);
+    CHECK(secp256k1_context_randomize(my_sttc, NULL) == 0);
+    CHECK(ecount == 5);
     CHECK(secp256k1_context_randomize(ctx, ctmp) == 1);
     CHECK(ecount2 == 11);
     CHECK(secp256k1_context_randomize(ctx, NULL) == 1);

Original file line number	Diff line number	Diff line change
`@@ -753,6 +753,8 @@ int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context* ctx, secp256k1_pubkey`
`753`	`753`
`754`	`754`	`int secp256k1_context_randomize(secp256k1_context* ctx, const unsigned char *seed32) {`
`755`	`755`	`VERIFY_CHECK(ctx != NULL);`
	`756`	`+ ARG_CHECK(secp256k1_context_is_proper(ctx));`
	`757`	`+`
`756`	`758`	`if (secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)) {`
`757`	`759`	`secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);`
`758`	`760`	`}`