fuzz: implement ECDH

It is now possible for the fuzzer to generate (a) an ECDH pair that'll pass some
form of verification (at least assuming the user passes a crappy hash); (b) a
signature that will pass verification.

The one remaining crypto-hard thing in this lib is the keypair tweak_add and
tweak_add_check API; there isn't a good way to simulate this in the fuzzer
without completely rewriting the public key parsing/serialization framework,
which is a lot of work and would also reduce the fuzztest coverage of the C
library.

Author: apoelstra

secp256k1-sys/src/lib.rs

@@ -414,16 +414,6 @@ extern "C" {
                                        n: c_int)
                                        -> c_int;
 
-    #[cfg_attr(not(rust_secp_no_symbol_renaming), link_name = "rustsecp256k1_v0_3_1_ecdh")]
-    pub fn secp256k1_ecdh(
-        cx: *const Context,
-        output: *mut c_uchar,
-        pubkey: *const PublicKey,
-        seckey: *const c_uchar,
-        hashfp: EcdhHashFn,
-        data: *mut c_void,
-    ) -> c_int;
-
     // Extra keys
     #[cfg_attr(not(rust_secp_no_symbol_renaming), link_name = "rustsecp256k1_v0_3_1_keypair_create")]
     pub fn secp256k1_keypair_create(
@@ -489,6 +479,17 @@ extern "C" {
 
 #[cfg(not(rust_secp_fuzz))]
 extern "C" {
+    // ECDH
+    #[cfg_attr(not(rust_secp_no_symbol_renaming), link_name = "rustsecp256k1_v0_3_1_ecdh")]
+    pub fn secp256k1_ecdh(
+        cx: *const Context,
+        output: *mut c_uchar,
+        pubkey: *const PublicKey,
+        seckey: *const c_uchar,
+        hashfp: EcdhHashFn,
+        data: *mut c_void,
+    ) -> c_int;
+
     // ECDSA
     #[cfg_attr(not(rust_secp_no_symbol_renaming), link_name = "rustsecp256k1_v0_3_1_ecdsa_verify")]
     pub fn secp256k1_ecdsa_verify(cx: *const Context,
@@ -678,6 +679,38 @@ impl<T> CPtr for [T] {
 mod fuzz_dummy {
     use super::*;
 
+    // ECDH
+    /// Sets out to point[0..32] ^ seckey[0..32] ^ data
+    pub unsafe fn secp256k1_ecdh(
+        cx: *const Context,
+        output: *mut c_uchar,
+        pubkey: *const PublicKey,
+        seckey: *const c_uchar,
+        hashfp: EcdhHashFn,
+        data: *mut c_void,
+    ) -> c_int {
+        // No context requirements
+        assert!(!cx.is_null());
+
+        if let Some(hashfp) = hashfp {
+            hashfp(output, (*pubkey).0[0..32].as_ptr(), seckey, data)
+        } else {
+            let output_sl = slice::from_raw_parts_mut(output as *mut u8, 32);
+            let sk_sl = slice::from_raw_parts(seckey as *const u8, 32);
+            output_sl.copy_from_slice(&(*pubkey).0[0..32]);
+            for i in 0..32 {
+                output_sl[i] ^= sk_sl[i];
+            }
+            if !data.is_null() {
+                let data_sl = slice::from_raw_parts(data as *const u8, 32);
+                for i in 0..32 {
+                    output_sl[i] ^= data_sl[i];
+                }
+            }
+            1
+        }
+    }
+
     // ECDSA
     /// Verifies that sig is msg32||pk[..32]
     pub unsafe fn secp256k1_ecdsa_verify(cx: *const Context,
@@ -745,8 +778,8 @@ mod fuzz_dummy {
         sig64: *mut c_uchar,
         msg32: *const c_uchar,
         keypair: *const KeyPair,
-        noncefp: SchnorrNonceFn,
-        noncedata: *const c_void
+        _noncefp: SchnorrNonceFn,
+        _noncedata: *const c_void
     ) -> c_int {
         // Check context is built for signing
         let mut new_kp = KeyPair::new();