Fix: Potential Vulnerability in Cloned Function (#2087)

tabudz · web-flow · commit d775036c9e58 · 2025-03-02T09:07:51.000+11:00
* Fix for #168 * Adapt style ecc_dsa.c * Update ecc_dsa.c
diff --git a/source/Core/BSP/Pinecilv2/bl_mcu_sdk/components/ble/ble_stack/common/tinycrypt/source/ecc_dsa.c b/source/Core/BSP/Pinecilv2/bl_mcu_sdk/components/ble/ble_stack/common/tinycrypt/source/ecc_dsa.c
@@ -100,7 +100,8 @@ static void bits2int(uECC_word_t *native, const uint8_t *bits, unsigned bits_siz
 int uECC_sign_with_k(const uint8_t *private_key, const uint8_t *message_hash, unsigned hash_size, uECC_word_t *k, uint8_t *signature, uECC_Curve curve) {
   uECC_word_t  tmp[NUM_ECC_WORDS];
   uECC_word_t  s[NUM_ECC_WORDS];
-  uECC_word_t *k2[2] = {tmp, s};
+  uECC_word_t *k2[2]     = {tmp, s};
+  uECC_word_t *initial_Z = 0;
   uECC_word_t  p[NUM_ECC_WORDS * 2];
   uECC_word_t  carry;
   wordcount_t  num_words   = curve->num_words;
@@ -113,7 +114,15 @@ int uECC_sign_with_k(const uint8_t *private_key, const uint8_t *message_hash, un
   }
 
   carry = regularize_k(k, tmp, s, curve);
-  EccPoint_mult(p, curve->G, k2[!carry], 0, num_n_bits + 1, curve);
+  /* If an RNG function was specified, try to get a random initial Z value to improve
+     protection against side-channel attacks. */
+  if (g_rng_function) {
+    if (!uECC_generate_random_int(k2[carry], curve->p, num_words)) {
+      return 0;
+    }
+    initial_Z = k2[carry];
+  }
+  EccPoint_mult(p, curve->G, k2[!carry], initial_Z, num_n_bits + 1, curve);
   if (uECC_vli_isZero(p, num_words)) {
     return 0;
   }
