ecdsa_impl: replace scalar if-checks with VERIFY_CHECKs in ecdsa_sig_sign

Whenever ecdsa_sig_sign is called, in the case that r == 0 or r overflows,
we want to retry with a different nonce rather than fail signing entirely.
Because of this, we always check the nonce conditions before calling
sig_sign, so these checks should always pass (and in particular, they
are inaccessible through the API and appear as uncovered code in test
coverage).
This commit is contained in:
Andrew Poelstra 2016-11-26 20:14:19 +00:00
parent a8abae7e5f
commit 25e3cfbf9b
1 changed files with 4 additions and 8 deletions

View File

@ -285,14 +285,10 @@ static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, sec
secp256k1_fe_normalize(&r.y); secp256k1_fe_normalize(&r.y);
secp256k1_fe_get_b32(b, &r.x); secp256k1_fe_get_b32(b, &r.x);
secp256k1_scalar_set_b32(sigr, b, &overflow); secp256k1_scalar_set_b32(sigr, b, &overflow);
if (secp256k1_scalar_is_zero(sigr)) { /* These two conditions should be checked before calling */
/* P.x = order is on the curve, so technically sig->r could end up zero, which would be an invalid signature. VERIFY_CHECK(!secp256k1_scalar_is_zero(sigr));
* This branch is cryptographically unreachable as hitting it requires finding the discrete log of P.x = N. VERIFY_CHECK(overflow == 0);
*/
secp256k1_gej_clear(&rp);
secp256k1_ge_clear(&r);
return 0;
}
if (recid) { if (recid) {
/* The overflow condition is cryptographically unreachable as hitting it requires finding the discrete log /* The overflow condition is cryptographically unreachable as hitting it requires finding the discrete log
* of some P where P.x >= order, and only 1 in about 2^127 points meet this criteria. * of some P where P.x >= order, and only 1 in about 2^127 points meet this criteria.