f don't allow counter != 0 in nonce function

Author: jonasnick

include/secp256k1.h

@@ -525,7 +525,8 @@ SECP256K1_API extern const secp256k1_nonce_function secp256k1_nonce_function_rfc
 
 /** An implementation of the nonce generation function as defined in BIP-schnorr.
  * If a data pointer is passed, it is assumed to be a pointer to 32 bytes of
- * extra entropy.
+ * extra entropy. The attempt argument must be 0 or the function will fail and
+ * return 0.
  */
 SECP256K1_API extern const secp256k1_nonce_function secp256k1_nonce_function_bipschnorr;
 

src/secp256k1.c

@@ -432,9 +432,10 @@ static void secp256k1_nonce_function_bipschnorr_sha256_tagged(secp256k1_sha256 *
  * (https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki) */
 static int nonce_function_bipschnorr(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
     secp256k1_sha256 sha;
-    (void) counter;
-    VERIFY_CHECK(counter == 0);
 
+    if (counter != 0) {
+        return 0;
+    }
     /* Tag the hash with algo16 which is important to avoid nonce reuse across
      * algorithms. If the this nonce function is used in BIP-schnorr signing as
      * defined in the spec, an optimized tagging implementation is used. */

src/tests.c

@@ -491,6 +491,10 @@ void run_nonce_function_bipschnorr_tests(void) {
     CHECK(nonce_function_bipschnorr(nonces[2], msg, key, (unsigned char *) "something16chars", NULL, 0));
     CHECK(memcmp(nonces[2], nonces[0], sizeof(nonces[2])) != 0);
     CHECK(memcmp(nonces[2], nonces[1], sizeof(nonces[2])) != 0);
+
+    /* Check that counter != 0 makes nonce function fail. */
+    CHECK(nonce_function_bipschnorr(nonces[0], msg, key, NULL, NULL, 0) == 1);
+    CHECK(nonce_function_bipschnorr(nonces[0], msg, key, NULL, NULL, 1) == 0);
 }
 
 void run_hmac_sha256_tests(void) {