fixup! check that secnonces are nonzero during load

jonasnick · jonasnick · commit e3ca4b716965 · 2021-12-16T21:42:28.000Z
diff --git a/src/modules/musig/session_impl.h b/src/modules/musig/session_impl.h
@@ -29,9 +29,15 @@ static void secp256k1_musig_secnonce_save(secp256k1_musig_secnonce *secnonce, se
 }
 
 static int secp256k1_musig_secnonce_load(const secp256k1_context* ctx, secp256k1_scalar *k, secp256k1_musig_secnonce *secnonce) {
+    int is_zero;
     ARG_CHECK(secp256k1_memcmp_var(&secnonce->data[0], secp256k1_musig_secnonce_magic, 4) == 0);
     secp256k1_scalar_set_b32(&k[0], &secnonce->data[4], NULL);
     secp256k1_scalar_set_b32(&k[1], &secnonce->data[36], NULL);
+    /* We make very sure that the nonce isn't invalidated by checking the values
+     * in addition to the magic. */
+    is_zero = secp256k1_scalar_is_zero(&k[0]) & secp256k1_scalar_is_zero(&k[1]);
+    secp256k1_declassify(ctx, &is_zero, sizeof(is_zero));
+    ARG_CHECK(!is_zero);
     return 1;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -29,9 +29,15 @@ static void secp256k1_musig_secnonce_save(secp256k1_musig_secnonce *secnonce, se`
`29`	`29`	`}`
`30`	`30`
`31`	`31`	`static int secp256k1_musig_secnonce_load(const secp256k1_context* ctx, secp256k1_scalar k, secp256k1_musig_secnonce secnonce) {`
	`32`	`+ int is_zero;`
`32`	`33`	`ARG_CHECK(secp256k1_memcmp_var(&secnonce->data[0], secp256k1_musig_secnonce_magic, 4) == 0);`
`33`	`34`	`secp256k1_scalar_set_b32(&k[0], &secnonce->data[4], NULL);`
`34`	`35`	`secp256k1_scalar_set_b32(&k[1], &secnonce->data[36], NULL);`
	`36`	`+ /* We make very sure that the nonce isn't invalidated by checking the values`
	`37`	`+ * in addition to the magic. */`
	`38`	`+ is_zero = secp256k1_scalar_is_zero(&k[0]) & secp256k1_scalar_is_zero(&k[1]);`
	`39`	`+ secp256k1_declassify(ctx, &is_zero, sizeof(is_zero));`
	`40`	`+ ARG_CHECK(!is_zero);`
`35`	`41`	`return 1;`
`36`	`42`	`}`
`37`	`43`