From 36847ac0d7789c514a17168d49f8bd56b35b71aa Mon Sep 17 00:00:00 2001
From: Roman Zeyde <roman.zeyde@gmail.com>
Date: Sat, 27 Jun 2015 10:08:18 +0300
Subject: [PATCH] ecdsa: generate_k_rfc6979() should cleanup its stack before
 exit

---
 ecdsa.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/ecdsa.c b/ecdsa.c
index 1462ad5eb..afdd95773 100644
--- a/ecdsa.c
+++ b/ecdsa.c
@@ -608,7 +608,7 @@ int generate_k_random(bignum256 *k) {
 // http://tools.ietf.org/html/rfc6979
 int generate_k_rfc6979(bignum256 *secret, const uint8_t *priv_key, const uint8_t *hash)
 {
-	int i;
+	int i, error;
 	uint8_t v[32], k[32], bx[2*32], buf[32 + 1 + sizeof(bx)];
 	bignum256 z1;
 
@@ -632,11 +632,13 @@ int generate_k_rfc6979(bignum256 *secret, const uint8_t *priv_key, const uint8_t
 	hmac_sha256(k, sizeof(k), buf, sizeof(buf), k);
 	hmac_sha256(k, sizeof(k), v, sizeof(v), v);
 
+	error = 1;
 	for (i = 0; i < 10000; i++) {
 		hmac_sha256(k, sizeof(k), v, sizeof(v), v);
 		bn_read_be(v, secret);
 		if ( !bn_is_zero(secret) && bn_is_less(secret, &order256k1) ) {
-			return 0; // good number -> no error
+			error = 0; // good number -> no error
+			break;
 		}
 		memcpy(buf, v, sizeof(v));
 		buf[sizeof(v)] = 0x00;
@@ -644,7 +646,12 @@ int generate_k_rfc6979(bignum256 *secret, const uint8_t *priv_key, const uint8_t
 		hmac_sha256(k, sizeof(k), v, sizeof(v), v);
 	}
 	// we generated 10000 numbers, none of them is good -> fail
-	return 1;
+
+	MEMSET_BZERO(v, sizeof(v));
+	MEMSET_BZERO(k, sizeof(k));
+	MEMSET_BZERO(bx, sizeof(bx));
+	MEMSET_BZERO(buf, sizeof(buf));
+	return error;
 }
 
 // msg is a data to be signed