Restructure nonce clearing

Make sure we clear the nonce data even if the nonce function fails (it may have written partial data), and call memset only once in the case we iterate to produce a valid signature.
2016-10-21 03:50:10 -07:00 · 2016-10-21 03:50:10 -07:00 · 0f9e69db55
parent 7d15cd7859
commit 0f9e69db55
2 changed files with 4 additions and 4 deletions
--- a/src/modules/schnorr/main_impl.h
+++ b/src/modules/schnorr/main_impl.h
@ -24,6 +24,7 @@ int secp256k1_schnorr_sign(const secp256k1_context* ctx, unsigned char *sig64, c
    secp256k1_scalar sec, non;
    int ret = 0;
    int overflow = 0;
+    unsigned char nonce32[32];
    unsigned int count = 0;
    VERIFY_CHECK(ctx != NULL);
    ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
@ -36,13 +37,11 @@ int secp256k1_schnorr_sign(const secp256k1_context* ctx, unsigned char *sig64, c

    secp256k1_scalar_set_b32(&sec, seckey, NULL);
    while (1) {
-        unsigned char nonce32[32];
        ret = noncefp(nonce32, msg32, seckey, secp256k1_schnorr_algo16, (void*)noncedata, count);
        if (!ret) {
            break;
        }
        secp256k1_scalar_set_b32(&non, nonce32, &overflow);
-        memset(nonce32, 0, 32);
        if (!secp256k1_scalar_is_zero(&non) && !overflow) {
            if (secp256k1_schnorr_sig_sign(&ctx->ecmult_gen_ctx, sig64, &sec, &non, NULL, secp256k1_schnorr_msghash_sha256, msg32)) {
                break;
@ -53,6 +52,7 @@ int secp256k1_schnorr_sign(const secp256k1_context* ctx, unsigned char *sig64, c
    if (!ret) {
        memset(sig64, 0, 64);
    }
+    memset(nonce32, 0, 32);
    secp256k1_scalar_clear(&non);
    secp256k1_scalar_clear(&sec);
    return ret;
--- a/src/secp256k1.c
+++ b/src/secp256k1.c
@ -359,16 +359,15 @@ int secp256k1_ecdsa_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature
    secp256k1_scalar_set_b32(&sec, seckey, &overflow);
    /* Fail if the secret key is invalid. */
    if (!overflow && !secp256k1_scalar_is_zero(&sec)) {
+        unsigned char nonce32[32];
        unsigned int count = 0;
        secp256k1_scalar_set_b32(&msg, msg32, NULL);
        while (1) {
-            unsigned char nonce32[32];
            ret = noncefp(nonce32, msg32, seckey, NULL, (void*)noncedata, count);
            if (!ret) {
                break;
            }
            secp256k1_scalar_set_b32(&non, nonce32, &overflow);
-            memset(nonce32, 0, 32);
            if (!overflow && !secp256k1_scalar_is_zero(&non)) {
                if (secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, &r, &s, &sec, &msg, &non, NULL)) {
                    break;
@ -376,6 +375,7 @@ int secp256k1_ecdsa_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature
            }
            count++;
        }
+        memset(nonce32, 0, 32);
        secp256k1_scalar_clear(&msg);
        secp256k1_scalar_clear(&non);
        secp256k1_scalar_clear(&sec);