secp256k1::Message::from_slice fails on all-0x00 hash

[junderw]

In the upstream tests, we test the extreme bounds of most of the parameters.

We accept 32 0x00 bytes for input as a hash message for signing.

https://github.com/rust-bitcoin/rust-secp256k1/blob/a5147bbf015ca61bb0e4e09adb8e9b324965c291/src/lib.rs#L490-L504

Need to find some way to get around this:

        if data == [0; constants::MESSAGE_SIZE] {
            return Err(Error::InvalidMessage);
        }

[junderw]

Temp fix:
junderw/rust-secp256k1@e657814

However, this brings up a good point... perhaps we should throw on all 0x00 in tiny-secp256k1 as well???

[yuki-js]

Did you see rust-bitcoin/rust-secp256k1#207 ?
I think all zero hash should be treated as invalid.

[junderw]

Yes. I've known that for a while.

The problem is:

32 0x00 bytes is a valid hash. and they allow the curve order, even though since it is modulo, it is equivalent to 0 in a mathmatical sense (and therefore just as dangerous)

1 is also a valid private key (whose public key is the generator point)

If someone tried to rewrite bitcoin-core in rust, and used this library, any tx whose sighash happens to be 0x00 32 bytes will cause a hardfork.

[junderw]

Also see this comment:

rust-bitcoin/rust-secp256k1#211 (comment)