From 0f9e69db555ea35b90f49fa48925c366261452ec Mon Sep 17 00:00:00 2001
From: bgorlick
Date: Fri, 21 Oct 2016 03:50:10 -0700
Subject: [PATCH 1/2] Restructure nonce clearing

Make sure we clear the nonce data even if the nonce function fails (it may have written partial data), and call memset only once in the case we iterate to produce a valid signature.
---
 src/modules/schnorr/main_impl.h | 4 ++--
 src/secp256k1.c | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
 mode change 100644 => 100755 src/modules/schnorr/main_impl.h
 mode change 100644 => 100755 src/secp256k1.c

diff --git a/src/modules/schnorr/main_impl.h b/src/modules/schnorr/main_impl.h
old mode 100644
new mode 100755
index fa176a1767f..c88a7ea246b
--- a/src/modules/schnorr/main_impl.h
+++ b/src/modules/schnorr/main_impl.h
@@ -24,6 +24,7 @@ int secp256k1_schnorr_sign(const secp256k1_context* ctx, unsigned char *sig64, c
     secp256k1_scalar sec, non;
     int ret = 0;
     int overflow = 0;
+    unsigned char nonce32[32];
     unsigned int count = 0;
     VERIFY_CHECK(ctx != NULL);
     ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
@@ -36,13 +37,11 @@ int secp256k1_schnorr_sign(const secp256k1_context* ctx, unsigned char *sig64, c
     secp256k1_scalar_set_b32(&sec, seckey, NULL);
     while (1) {
-        unsigned char nonce32[32];
         ret = noncefp(nonce32, msg32, seckey, secp256k1_schnorr_algo16, (void*)noncedata, count);
         if (!ret) {
             break;
         }
         secp256k1_scalar_set_b32(&non, nonce32, &overflow);
-        memset(nonce32, 0, 32);
         if (!secp256k1_scalar_is_zero(&non) && !overflow) {
             if (secp256k1_schnorr_sig_sign(&ctx->ecmult_gen_ctx, sig64, &sec, &non, NULL, secp256k1_schnorr_msghash_sha256, msg32)) {
                 break;
@@ -53,6 +52,7 @@ int secp256k1_schnorr_sign(const secp256k1_context* ctx, unsigned char *sig64, c
     if (!ret) {
         memset(sig64, 0, 64);
     }
+    memset(nonce32, 0, 32);
     secp256k1_scalar_clear(&non);
     secp256k1_scalar_clear(&sec);
     return ret;
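Review bot: The hoisted `unsigned char nonce32[32];` carries no hint of why it must live outside the loop, so a later tidy-up could move it back in and silently lose the post-loop wipe this commit adds; a one-line comment at the declaration, `/* kept outside the loop so it can be wiped after every exit path, including a failed noncefp */`, would pin that down, and the same applies to the matching declarations in src/secp256k1.c and src/modules/recovery/main_impl.h. Separately, the file headers flip the mode of all three touched files from 100644 to 100755, which is unrelated to the change and presumably an accident of the editing environment; it should be reverted before merge. The rest of secp256k1_schnorr_sign lies outside this hunk.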
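Review bot: The added `memset(nonce32, 0, 32);` is the last access to a local that is never read again before `return ret;`, so an optimizing compiler is entitled to treat it as a dead store and drop it, which would defeat the wipe the commit message describes; the same holds for the matching lines in src/secp256k1.c and src/modules/recovery/main_impl.h. Unless the project already routes such clears through a helper the optimizer cannot elide, prefer one here, e.g. a volatile-pointer loop `volatile unsigned char *p = nonce32; for (i = 0; i < 32; i++) p[i] = 0;` (with `i` declared with the other locals) or an explicit_bzero-style call where available. Whether `secp256k1_scalar_clear` already has that property is not visible in this hunk. secp256k1_schnorr_sign begins outside this hunk.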
diff --git a/src/secp256k1.c b/src/secp256k1.c
old mode 100644
new mode 100755
index 7973d60c36a..fb8b882faaf
--- a/src/secp256k1.c
+++ b/src/secp256k1.c
@@ -359,16 +359,15 @@ int secp256k1_ecdsa_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature
     secp256k1_scalar_set_b32(&sec, seckey, &overflow);
     /* Fail if the secret key is invalid. */
     if (!overflow && !secp256k1_scalar_is_zero(&sec)) {
+        unsigned char nonce32[32];
         unsigned int count = 0;
         secp256k1_scalar_set_b32(&msg, msg32, NULL);
         while (1) {
-            unsigned char nonce32[32];
             ret = noncefp(nonce32, msg32, seckey, NULL, (void*)noncedata, count);
             if (!ret) {
                 break;
             }
             secp256k1_scalar_set_b32(&non, nonce32, &overflow);
-            memset(nonce32, 0, 32);
             if (!overflow && !secp256k1_scalar_is_zero(&non)) {
                 if (secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, &r, &s, &sec, &msg, &non, NULL)) {
                     break;
@@ -376,6 +375,7 @@ int secp256k1_ecdsa_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature
             }
             count++;
         }
+        memset(nonce32, 0, 32);
         secp256k1_scalar_clear(&msg);
         secp256k1_scalar_clear(&non);
         secp256k1_scalar_clear(&sec);

From 37697832d633ea4debbf5a9d8e9b74ea5ea08a9b Mon Sep 17 00:00:00 2001
From: bgorlick
Date: Fri, 21 Oct 2016 04:59:32 -0700
Subject: [PATCH 2/2] Restructure nonce clearing

Make sure we clear the nonce data even if the nonce function fails (it may have written partial data), and call memset only once in the case we iterate to produce a valid signature.
---
 src/modules/recovery/main_impl.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 mode change 100644 => 100755 src/modules/recovery/main_impl.h

diff --git a/src/modules/recovery/main_impl.h b/src/modules/recovery/main_impl.h
old mode 100644
new mode 100755
index ec42f4bb6cd..86f2f0cb2b5
--- a/src/modules/recovery/main_impl.h
+++ b/src/modules/recovery/main_impl.h
@@ -138,16 +138,15 @@ int secp256k1_ecdsa_sign_recoverable(const secp256k1_context* ctx, secp256k1_ecd
     secp256k1_scalar_set_b32(&sec, seckey, &overflow);
     /* Fail if the secret key is invalid. */
     if (!overflow && !secp256k1_scalar_is_zero(&sec)) {
+        unsigned char nonce32[32];
         unsigned int count = 0;
         secp256k1_scalar_set_b32(&msg, msg32, NULL);
         while (1) {
-            unsigned char nonce32[32];
             ret = noncefp(nonce32, msg32, seckey, NULL, (void*)noncedata, count);
             if (!ret) {
                 break;
             }
             secp256k1_scalar_set_b32(&non, nonce32, &overflow);
-            memset(nonce32, 0, 32);
             if (!secp256k1_scalar_is_zero(&non) && !overflow) {
                 if (secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, &r, &s, &sec, &msg, &non, &recid)) {
                     break;
@@ -155,6 +154,7 @@ int secp256k1_ecdsa_sign_recoverable(const secp256k1_context* ctx, secp256k1_ecd
             }
             count++;
         }
+        memset(nonce32, 0, 32);
         secp256k1_scalar_clear(&msg);
         secp256k1_scalar_clear(&non);
         secp256k1_scalar_clear(&sec);