Retry if r is zero during signing

src/ecdsa_impl.h

@@ -288,10 +288,6 @@ static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, sec
  secp256k1_fe_normalize(&r.y);
  secp256k1_fe_get_b32(b, &r.x);
  secp256k1_scalar_set_b32(sigr, b, &overflow);
- /* These two conditions should be checked before calling */
- VERIFY_CHECK(!secp256k1_scalar_is_zero(sigr));
- VERIFY_CHECK(overflow == 0);
-
  if (recid) {
  /* The overflow condition is cryptographically unreachable as hitting it requires finding the discrete log
  * of some P where P.x >= order, and only 1 in about 2^127 points meet this criteria.
@@ -310,7 +306,10 @@ static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, sec
  if (recid) {
  *recid ^= high;
  }
- return !secp256k1_scalar_is_zero(sigs);
+ /* P.x = order is on the curve, so technically sig->r could end up being zero, which would be an invalid signature.
+ * This is cryptographically unreachable as hitting it requires finding the discrete log of P.x = N.
+ */
+ return !secp256k1_scalar_is_zero(sigr) & !secp256k1_scalar_is_zero(sigs);
 }
 
 #endif /* SECP256K1_ECDSA_IMPL_H */