Merge pull request #35 from romanz/master

ecdsa: generate_k_rfc6979() should cleanup its stack before exit

ecdsa.c

@@ -608,7 +608,7 @@ int generate_k_random(bignum256 *k) {
 // http://tools.ietf.org/html/rfc6979
 int generate_k_rfc6979(bignum256 *secret, const uint8_t *priv_key, const uint8_t *hash)
 {
-	int i;
+	int i, error;
 	uint8_t v[32], k[32], bx[2*32], buf[32 + 1 + sizeof(bx)];
 	bignum256 z1;
 
@@ -632,11 +632,13 @@ int generate_k_rfc6979(bignum256 *secret, const uint8_t *priv_key, const uint8_t
 	hmac_sha256(k, sizeof(k), buf, sizeof(buf), k);
 	hmac_sha256(k, sizeof(k), v, sizeof(v), v);
 
+	error = 1;
 	for (i = 0; i < 10000; i++) {
 		hmac_sha256(k, sizeof(k), v, sizeof(v), v);
 		bn_read_be(v, secret);
 		if ( !bn_is_zero(secret) && bn_is_less(secret, &order256k1) ) {
-			return 0; // good number -> no error
+			error = 0; // good number -> no error
+			break;
 		}
 		memcpy(buf, v, sizeof(v));
 		buf[sizeof(v)] = 0x00;
@@ -644,7 +646,12 @@ int generate_k_rfc6979(bignum256 *secret, const uint8_t *priv_key, const uint8_t
 		hmac_sha256(k, sizeof(k), v, sizeof(v), v);
 	}
 	// we generated 10000 numbers, none of them is good -> fail
-	return 1;
+
+	MEMSET_BZERO(v, sizeof(v));
+	MEMSET_BZERO(k, sizeof(k));
+	MEMSET_BZERO(bx, sizeof(bx));
+	MEMSET_BZERO(buf, sizeof(buf));
+	return error;
 }
 
 // msg is a data to be signed