From 979728838375f7d750c50c60f1672f41b32c008e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Wed, 17 Jun 2020 12:57:33 +0200
Subject: [PATCH] Improve comment justifying a hard-coded limitation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Manuel Pégourié-Gonnard
---
 library/ecp.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/library/ecp.c b/library/ecp.c
index 6fdadf22e..e537dbb49 100644
--- a/library/ecp.c
+++ b/library/ecp.c
@@ -295,8 +295,19 @@ static int ecp_drbg_random( void *p_rng, unsigned char *output, size_t output_le
 {
     uint8_t use_len;
 
-    /* We don't need to draw more that 255 blocks, so don't bother with
-     * carry propagation and just return an error instead. */
+    /* This function is only called for coordinate randomisation, which
+     * happens only twice in a scalar multiplication. Each time needs a
+     * random value in the range [2, p-1], and gets it by drawing len(p)
+     * bytes from this function, and retrying up to 10 times if unlucky.
+     *
+     * So for the largest curve, each scalar multiplication draws at most
+     * 2 * 66 bytes. The minimum block size is 20 bytes (with SHA-1), so
+     * that means at most 66 blocks.
+     *
+     * Since we don't need to draw more that 255 blocks, don't bother
+     * with carry propagation and just return an error instead. We can
+     * change that it we even need to draw more blinding values.
+     */
     ctx->buf[3] += 1;
     if( ctx->buf[3] == 0 )
         return( MBEDTLS_ERR_ECP_RANDOM_FAILED );
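Review bot: The byte count in the new comment drops the retry factor it has just described: with up to 10 retries per draw, the worst case is 2 * 10 * 66 bytes (1320), which is what yields the stated "at most 66 blocks" at 20 bytes per block, whereas `2 * 66 bytes` alone would give 7 blocks, so the line should read `* 2 * 10 * 66 = 1320 bytes. The minimum block size is 20 bytes (with SHA-1), so`. Two typos in the same comment: `more that 255 blocks` should be `more than 255 blocks`, and `change that it we even need` should be `change that if we ever need`. Since the bound rests on how the callers behave rather than on anything in this function, it may be worth adding that the wrap check on `ctx->buf[3]` directly below is the runtime backstop that fails closed with `MBEDTLS_ERR_ECP_RANDOM_FAILED` if a future caller draws more, rather than continuing with a wrapped counter. The body of ecp_drbg_random continues past the hunk, so whether one call corresponds to one "block" cannot be confirmed from here.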