Fix for Ralim#168

tabudz · Mar 1, 2025 · 79d8772 · 79d8772
1 parent 08002e0
commit 79d8772
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/.../Core/BSP/Pinecilv2/bl_mcu_sdk/components/ble/ble_stack/common/tinycrypt/source/ecc_dsa.c b/.../Core/BSP/Pinecilv2/bl_mcu_sdk/components/ble/ble_stack/common/tinycrypt/source/ecc_dsa.c
@@ -101,6 +101,7 @@ int uECC_sign_with_k(const uint8_t *private_key, const uint8_t *message_hash, un
   uECC_word_t  tmp[NUM_ECC_WORDS];
   uECC_word_t  s[NUM_ECC_WORDS];
   uECC_word_t *k2[2] = {tmp, s};
+  uECC_word_t *initial_Z = 0;
   uECC_word_t  p[NUM_ECC_WORDS * 2];
   uECC_word_t  carry;
   wordcount_t  num_words   = curve->num_words;
@@ -113,7 +114,15 @@ int uECC_sign_with_k(const uint8_t *private_key, const uint8_t *message_hash, un
   }
 
   carry = regularize_k(k, tmp, s, curve);
-  EccPoint_mult(p, curve->G, k2[!carry], 0, num_n_bits + 1, curve);
+  /* If an RNG function was specified, try to get a random initial Z value to improve
+     protection against side-channel attacks. */
+  if (g_rng_function) {
+      if (!uECC_generate_random_int(k2[carry], curve->p, num_words)) {
+          return 0;
+      }
+      initial_Z = k2[carry];
+  }
+  EccPoint_mult(p, curve->G, k2[!carry], initial_Z, num_n_bits + 1, curve);
   if (uECC_vli_isZero(p, num_words)) {
     return 0;
   }