musig: clear pubnonce output for invalid seckey#1850
Open
l0rinc wants to merge 2 commits intobitcoin-core:masterfrom
Open
musig: clear pubnonce output for invalid seckey#1850l0rinc wants to merge 2 commits intobitcoin-core:masterfrom
pubnonce output for invalid seckey#1850l0rinc wants to merge 2 commits intobitcoin-core:masterfrom
Conversation
theStack
reviewed
Apr 29, 2026
Contributor
theStack
left a comment
theStack
left a comment
There was a problem hiding this comment.
Concept ACK
AFAICT this pattern matches what we do in similar API functions (e.g. _schnorrsig_sign32, _keypair_create, _ellswift_create).
Contributor
|
ACK 7ed2abc |
`secp256k1_musig_nonce_gen_internal` clears `pubnonce` at the top of the function, before the later validation steps covered here. Extend the existing MuSig API failure-path checks for `nonce_gen` and `nonce_gen_counter` to assert that these paths leave the public nonce output cleared.
`secp256k1_musig_nonce_gen` returns failure for invalid arguments, including a non-NULL `seckey` that fails validation. `secp256k1_musig_nonce_gen_internal` already invalidates `secnonce` on that failure, but it still saves derived nonce points into `pubnonce` before returning. Clear `pubnonce` with a conditional clear after the save, so the cleanup stays branchless with respect to the secret-key validation result and reverting this cleanup leaves stale derived nonce data in the MuSig API test.
l0rinc
force-pushed
the
l0rinc/musig-clear-invalid-seckey-pubnonce
branch
from
7ed2abc to
d679d2c
Compare
theStack
approved these changes
Apr 29, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This is a follow-up to PR #1849.
Problem
secp256k1_musig_nonce_genreturns failure if its arguments are invalid, for example when a non-NULLseckeyfails secret-key validation.On that path,
secp256k1_musig_nonce_gen_internalinvalidates the secret nonce on failure, but still unconditionally saves the derived public nonce output before returning failure.Fix
Clear
pubnoncebefore returning the invalid-seckeyfailure, so a failed nonce-generation call does not leave a newly writtenpubnoncebehind.The implementation still saves the public nonce before clearing it on failure (instead of branching around the save), to preserve constant-time control flow with respect to the secret-key validation result.
The second commit only extends existing MuSig API failure-path coverage for paths where
secp256k1_musig_nonce_gen_internalalready clearspubnonceat function entry before any of its own validation steps.