Merge rust-bitcoin#798: More Musig2 followups

apoelstra · apoelstra · commit 2038b5e9e8da · 2025-06-11T21:19:21.000Z
480370c ci: disable broken WASM and cross tests (Andrew Poelstra) 98bfb48 musig: make zero-check in SessionSecretRand::assume_unique constant time (Andrew Poelstra) d318169 musig: rename `musig_sort_pubkeys` to just `sort_pubkeys` (Andrew Poelstra) fdae0fd typo: leak -> lead (Andrew Poelstra) Pull request description: Addresses review comments from rust-bitcoin#794, and also disables a couple broken CI jobs. ACKs for top commit: jonasnick: ACK 480370c Tree-SHA512: 33e4849389fcefb9916a1dcb5234497a42aa9759f81b4954cac85002a26f1d763ddc5b5c38c62795be339b84ffdb3544c6b3e7408ef8d95b67289fd697d5f1e1
diff --git a/.github/workflows/cross.yml b/.github/workflows/cross.yml
@@ -17,7 +17,7 @@ jobs:
           # - i686-pc-windows-msvc  # not supported by cross
           - i686-unknown-linux-gnu
           # - x86_64-apple-darwin  # proprietary apple stuff
-          - x86_64-pc-windows-gnu
+          # - x86_64-pc-windows-gnu # seems to be broken 2025-06
           # - x86_64-pc-windows-msvc  # not supported by cross
           - x86_64-unknown-linux-gnu
           ############ Tier 2 with Host Tools
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
@@ -253,19 +253,19 @@ jobs:
       - name: "Run test on i686"
         run: cargo test --target i686-unknown-linux-gnu
 
-  WASM:
-    name: WASM - stable toolchain
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      # Note we do not use the recent lock file for wasm testing.
-    steps:
-      - name: "Checkout repo"
-        uses: actions/checkout@v4
-      - name: "Select toolchain"
-        uses: dtolnay/rust-toolchain@stable
-      - name: "Run wasm script"
-        run: ./contrib/wasm.sh
+#  WASM:
+#    name: WASM - stable toolchain
+#    runs-on: ubuntu-latest
+#    strategy:
+#      fail-fast: false
+#      # Note we do not use the recent lock file for wasm testing.
+#    steps:
+#      - name: "Checkout repo"
+#        uses: actions/checkout@v4
+#      - name: "Select toolchain"
+#        uses: dtolnay/rust-toolchain@stable
+#      - name: "Run wasm script"
+#        run: ./contrib/wasm.sh
 
   NoStd:                      # 1 job, run no-std test from script.
     name: no-std - nightly toolchain
diff --git a/examples/musig.rs b/examples/musig.rs
@@ -19,7 +19,7 @@ fn main() {
     let mut pubkeys_ref: Vec<&PublicKey> = pubkeys.iter().collect();
     let pubkeys_ref = pubkeys_ref.as_mut_slice();
 
-    secp.musig_sort_pubkeys(pubkeys_ref);
+    secp.sort_pubkeys(pubkeys_ref);
 
     let mut musig_key_agg_cache = KeyAggCache::new(&secp, pubkeys_ref);
 
diff --git a/src/key.rs b/src/key.rs
@@ -1620,6 +1620,8 @@ impl<'de> serde::Deserialize<'de> for XOnlyPublicKey {
 impl<C: Verification> Secp256k1<C> {
     /// Sort public keys using lexicographic (of compressed serialization) order.
     ///
+    /// This is the canonical way to sort public keys for use with Musig2.
+    ///
     /// Example:
     ///
     /// ```rust
@@ -1636,10 +1638,10 @@ impl<C: Verification> Secp256k1<C> {
     /// # let mut pubkeys_ref: Vec<&PublicKey> = pubkeys.iter().collect();
     /// # let pubkeys_ref = pubkeys_ref.as_mut_slice();
     /// #
-    /// # secp.musig_sort_pubkeys(pubkeys_ref);
+    /// # secp.sort_pubkeys(pubkeys_ref);
     /// # }
     /// ```
-    pub fn musig_sort_pubkeys(&self, pubkeys: &mut [&PublicKey]) {
+    pub fn sort_pubkeys(&self, pubkeys: &mut [&PublicKey]) {
         let cx = self.ctx().as_ptr();
         unsafe {
             let mut pubkeys_ref = core::slice::from_raw_parts(
diff --git a/src/musig.rs b/src/musig.rs
@@ -65,7 +65,13 @@ impl SessionSecretRand {
     /// a random number generator, or if that is not available, the output of a
     /// stable monotonic counter.
     pub fn assume_unique_per_nonce_gen(inner: [u8; 32]) -> Self {
-        assert_ne!(inner, [0; 32], "session secrets may not be all zero");
+        // See SecretKey::eq for this "constant-time" algorithm for comparison against zero.
+        let inner_or = inner.iter().fold(0, |accum, x| accum | *x);
+        assert!(
+            unsafe { core::ptr::read_volatile(&inner_or) != 0 },
+            "session secrets may not be all zero",
+        );
+
         SessionSecretRand(inner)
     }
 
@@ -337,6 +343,7 @@ impl KeyAggCache {
     /// ensures the same resulting `agg_pk` for the same multiset of pubkeys.
     /// This is useful to do before aggregating pubkeys, such that the order of pubkeys
     /// does not affect the combined public key.
+    /// To do this, call [`Secp256k1::sort_pubkeys`].
     ///
     /// # Returns
     ///
@@ -660,7 +667,7 @@ impl SecretNonce {
     ///
     /// # Warning:
     ///
-    /// Storing and re-creating this structure may leak to nonce reuse, which will leak
+    /// Storing and re-creating this structure may lead to nonce reuse, which will leak
     /// your secret key in two signing sessions, even if neither session is completed.
     /// These functions should be avoided if possible and used with care.
     ///
