schnorrsig: Securely clear buf containing k or its negation #1731

pull john-moffett wants to merge 1 commits into bitcoin-core:master from john-moffett:schnorr-clear-buf changing 1 files +4 −3
  1. john-moffett commented at 1:56 pm on September 2, 2025: contributor
    Follow-up to #1579. buf still holds the nonce or its negation, so ought to be cleared.
  2. real-or-random approved
  3. real-or-random commented at 2:47 pm on September 2, 2025: contributor

    utACK 366b125eadaaffc48260791f09497b55c737cafb

    It’s a bit crazy that we clear rj because the non-uniqueness of the Jacobian representation could leak information about k but we forgot the damn buffer where k has been serialized.

    Love that someone is reading the code. I take a closer look occasionally when I need to convince myself that it is correct, but it’s not a very systematic effort.

  4. real-or-random added the label bug on Sep 2, 2025
  5. real-or-random added the label side-channel on Sep 2, 2025
  6. real-or-random commented at 2:50 pm on September 2, 2025: contributor
    @theStack Want to review this? :)
  7. theStack approved
  8. theStack commented at 3:43 pm on September 2, 2025: contributor

    Code-review ACK 366b125eadaaffc48260791f09497b55c737cafb

    Nice find, and a bit surprising indeed that this was missed :grimacing: nit: as this buffer is only used for the serialization of the nonce, we could rename it to reflect that, e.g. to nonce_buf (fwiw, in the ECDSA signing routine the name nonce32 is used)

  9. Rename and clear var containing k or -k 
    buf currently holds k or -k and isn't cleared, so clear it and rename to
nonce32 to clarify its sensitivity and match how it is named in the
corresponding ECDSA sign_inner.
    325d65a8cf
  10. john-moffett commented at 4:46 pm on September 2, 2025: contributor

    we could rename it to reflect that, e.g. to nonce_buf (fwiw, in the ECDSA signing routine the name nonce32 is used)

    Good idea, as it makes it clearer that it’s sensitive information, too.

  11. john-moffett force-pushed on Sep 2, 2025
  12. theStack approved
  13. theStack commented at 7:03 pm on September 2, 2025: contributor
    Code review re-ACK 325d65a8cfae6d4c34098709d0a9e942e4963d03
  14. real-or-random approved
  15. real-or-random commented at 8:37 pm on September 2, 2025: contributor
    utACK 325d65a8cfae6d4c34098709d0a9e942e4963d03
  16. real-or-random merged this on Sep 2, 2025
  17. real-or-random closed this on Sep 2, 2025


john-moffett real-or-random theStack

Labels
bug side-channel

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin-core/secp256k1. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2025-10-13 19:15 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me