From 3c006a72493a50110dc80833ee4589d1707f47f3 Mon Sep 17 00:00:00 2001
From: Oldes
Date: Wed, 7 Oct 2020 20:26:13 +0200
Subject: [PATCH] FIX: Potentially SPA-vulnerability

cherry picked from: https://github.com/kmackay/micro-ecc/commit/1b5f5cea5145c96dd8791b9b2c41424fc74c2172
---
 src/core/u-uECC.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/core/u-uECC.c b/src/core/u-uECC.c
index 322adb22e6..2217667399 100644
--- a/src/core/u-uECC.c
+++ b/src/core/u-uECC.c
@@ -1239,6 +1239,7 @@ static int uECC_sign_with_k(const uint8_t *private_key,
     uECC_word_t tmp[uECC_MAX_WORDS];
     uECC_word_t s[uECC_MAX_WORDS];
     uECC_word_t *k2[2] = {tmp, s};
+    uECC_word_t *initial_Z = 0;
 #if uECC_VLI_NATIVE_LITTLE_ENDIAN
     uECC_word_t *p = (uECC_word_t *)signature;
 #else
@@ -1255,7 +1256,15 @@ static int uECC_sign_with_k(const uint8_t *private_key,
     }
     carry = regularize_k(k, tmp, s, curve);
-    EccPoint_mult(p, curve->G, k2[!carry], 0, num_n_bits + 1, curve);
+    /* If an RNG function was specified, try to get a random initial Z value to improve
+       protection against side-channel attacks. */
+    if (g_rng_function) {
+        if (!uECC_generate_random_int(k2[carry], curve->p, num_words)) {
+            return 0;
+        }
+        initial_Z = k2[carry];
+    }
+    EccPoint_mult(p, curve->G, k2[!carry], initial_Z, num_n_bits + 1, curve);
     if (uECC_vli_isZero(p, num_words)) {
         return 0;
     }
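Review bot: The second hunk's `k2[carry]` / `k2[!carry]` pairing is the security-relevant subtlety here and it is undocumented: the buffer chosen to hold the random Z is the regularize_k output that is not consumed as the scalar, and a reader could easily assume both buffers are still needed. I would add above the `if (g_rng_function)` line: `/* k2[carry] is the regularize_k output NOT used as the scalar below, so it is free to hold the random projective Z. EccPoint_mult needs Z to be a nonzero element mod p; uECC_generate_random_int is relied on to reject zero and bound it by curve->p. */` — the nonzero guarantee lives in uECC_generate_random_int outside this hunk, so that part should be confirmed against its definition rather than taken from the call site. The comment's wording "try to get" also understates the failure semantics: an RNG failure aborts the signature with `return 0` instead of falling back to the unblinded path, which is the right conservative choice and deserves to be stated, e.g. `/* Fail closed: signing without the random Z would silently drop the side-channel protection. */`. Note that when no RNG is registered `initial_Z` stays 0 and the multiplication runs unblinded, so the protection is conditional on uECC_set_rng having been called; the enclosing uECC_sign_with_k begins before the first hunk and continues past the end of this one.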