Avoid constructing an invalid signature with probability 1:2^256.

gmaxwell · gmaxwell · commit d26e26f2f46e · 2014-12-28T19:40:40.000-08:00
diff --git a/src/ecdsa_impl.h b/src/ecdsa_impl.h
@@ -198,6 +198,12 @@ static int secp256k1_ecdsa_sig_sign(secp256k1_ecdsa_sig_t *sig, const secp256k1_
     secp256k1_fe_get_b32(b, &r.x);
     int overflow = 0;
     secp256k1_scalar_set_b32(&sig->r, b, &overflow);
+    if (secp256k1_scalar_is_zero(&sig->r)) {
+        /* P.x = order is on the curve, so technically sig->r could end up zero, which would be an invalid signature. */
+        secp256k1_gej_clear(&rp);
+        secp256k1_ge_clear(&r);
+        return 0;
+    }
     if (recid)
         *recid = (overflow ? 2 : 0) | (secp256k1_fe_is_odd(&r.y) ? 1 : 0);
     secp256k1_scalar_t n;
