Pad coordinates coordinates to 32 bytes. Return better errors from sc…

…hnorrVerify.
btcsuite · Dec 18, 2020 · 0281d97 · 0281d97
1 parent 6c0f525
commit 0281d97
Showing 1 changed file with 18 additions and 18 deletions.
diff --git a/btcec/schnorr.go b/btcec/schnorr.go
@@ -143,10 +143,10 @@ func schnorrSign(privKey, msg []byte, a []byte) (sig [64]byte, err error) {
 
 	// Get a deterministic nonce k.
 	{
-		m := make([]byte, 96)
-		copy(m[:32], t.Bytes())
-		copy(m[32:64], Px.Bytes())
-		copy(m[64:], msg)
+		m := make([]byte, 0, 96)
+		copy(m[:32], paddedAppend(32, make([]byte, 0, 32), t.Bytes()))
+		copy(m[32:64], paddedAppend(32, make([]byte, 0, 32), Px.Bytes()))
+		copy(m[64:96], msg[:])
 
 		// rand = sha256(BIP0340/nonce || (t || P || m))
 		k.SetBytes(taggedHash(BIP340Nonce, m))
@@ -171,9 +171,9 @@ func schnorrSign(privKey, msg []byte, a []byte) (sig [64]byte, err error) {
 	// e = int(hashBIP0340/challenge(R || P || m)) mod n
 	{
 		m := make([]byte, 96)
-		copy(m[:32], Rx.Bytes())
-		copy(m[32:64], Px.Bytes())
-		copy(m[64:], msg)
+		copy(m[:32], paddedAppend(32, make([]byte, 0, 32), Rx.Bytes()))
+		copy(m[32:64], paddedAppend(32, make([]byte, 0, 32), Px.Bytes()))
+		copy(m[64:96], msg)
 		e.SetBytes(taggedHash(BIP340Challenge, m))
 		e.Mod(e, n)
 	}
@@ -184,12 +184,12 @@ func schnorrSign(privKey, msg []byte, a []byte) (sig [64]byte, err error) {
 	s.Mod(s, n)
 
 	// Signature is (x(R), s).
-	copy(sig[:32], Rx.Bytes())
-	copy(sig[32:], s.Bytes())
+	copy(sig[:32], paddedAppend(32, make([]byte, 0, 32), Rx.Bytes()))
+	copy(sig[32:], paddedAppend(32, make([]byte, 0, 32), s.Bytes()))
 
 	// Verify signature before returning.
-	if verify, err := schnorrVerify(msg, Px.Bytes(), sig[:]); !verify || err != nil {
-		return sig, errors.New("cannot create signature")
+	if verify, err := schnorrVerify(msg, paddedAppend(32, make([]byte, 0, 32), Px.Bytes()), sig[:]); !verify || err != nil {
+		return sig, fmt.Errorf("cannot create signature: %w", err)
 	}
 
 	return sig, nil
@@ -257,27 +257,27 @@ func schnorrVerify(msg, publicKey, signature []byte) (bool, error) {
 
 	// Check that P is on the curve.
 	if !curve.IsOnCurve(Px, Py) {
-		return false, errors.New("public key is not on the curve")
+		return false, errors.New("point P is not on the curve")
 	}
 
 	r.SetBytes(signature[:32])
 	s.SetBytes(signature[32:])
 
 	// Fail if s >= n
 	if s.Cmp(n) >= 0 {
-		return false, nil
+		return false, errors.New("s is greater than curve order")
 	}
 
 	// Fail if r >= p
 	if r.Cmp(p) >= 0 {
-		return false, nil
+		return false, errors.New("r is greater than p")
 	}
 
 	// e = sha256(hashBIP0340/challenge || r || P || m) mod n.
 	{
 		m := make([]byte, 96)
 		copy(m[:32], signature[:32])
-		copy(m[32:64], publicKey)
+		copy(m[32:64], publicKey[:])
 		copy(m[64:], msg)
 		e.SetBytes(taggedHash(BIP340Challenge, m))
 		e.Mod(e, n)
@@ -294,17 +294,17 @@ func schnorrVerify(msg, publicKey, signature []byte) (bool, error) {
 
 	// Fail if R is at infinity.
 	if Rx.Cmp(zero) == 0 || Ry.Cmp(zero) == 0 {
-		return false, nil
+		return false, errors.New("point R is at infinity")
 	}
 
 	// Fail if y(R) is not even
 	if !hasEvenY(Ry) {
-		return false, nil
+		return false, errors.New("coordinate R(y) is not even")
 	}
 
 	// Fail if x(R) != r
 	if Rx.Cmp(r) != 0 {
-		return false, nil
+		return false, errors.New("coordinate R(x) != r")
 	}
 
 	return true, nil