Make ecdsa_sig_sign constant-time again after reverting 25e3cfb

2020-03-31 14:57:19 +02:00 · 2020-03-31 14:57:19 +02:00 · 37ed51a7ea
commit 37ed51a7ea
parent 93d343bfc5
1 changed files with 4 additions and 9 deletions
--- a/src/ecdsa_impl.h
+++ b/src/ecdsa_impl.h
@ -288,14 +288,6 @@ static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, sec
    secp256k1_fe_normalize(&r.y);
    secp256k1_fe_get_b32(b, &r.x);
    secp256k1_scalar_set_b32(sigr, b, &overflow);
-    if (secp256k1_scalar_is_zero(sigr)) {
-        /* P.x = order is on the curve, so technically sig->r could end up zero, which would be an invalid signature.
-         * This branch is cryptographically unreachable as hitting it requires finding the discrete log of P.x = N.
-         */
-        secp256k1_gej_clear(&rp);
-        secp256k1_ge_clear(&r);
-        return 0;
-    }
    if (recid) {
        /* The overflow condition is cryptographically unreachable as hitting it requires finding the discrete log
         * of some P where P.x >= order, and only 1 in about 2^127 points meet this criteria.
@ -314,7 +306,10 @@ static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, sec
    if (recid) {
            *recid ^= high;
    }
-    return !secp256k1_scalar_is_zero(sigs);
+    /* P.x = order is on the curve, so technically sig->r could end up being zero, which would be an invalid signature.
+     * This is cryptographically unreachable as hitting it requires finding the discrete log of P.x = N.
+     */
+    return !secp256k1_scalar_is_zero(sigr) & !secp256k1_scalar_is_zero(sigs);
 }

 #endif /* SECP256K1_ECDSA_IMPL_H */