Remove bias in EC private key generation
diff --git a/library/ecp.c b/library/ecp.c
index 8b34bf3..95ff4f0 100644
--- a/library/ecp.c
+++ b/library/ecp.c
@@ -1771,17 +1771,26 @@
     {
         /* SEC1 3.2.1: Generate d such that 1 <= n < N */
         int count = 0;
+        unsigned char rnd[POLARSSL_ECP_MAX_BYTES];
+
+        /*
+         * Match the procedure given in RFC 6979 (deterministic ECDSA):
+         * - use the same byte ordering;
+         * - keep the leftmost nbits bits of the generated octet string;
+         * - try until result is in the desired range.
+         * This also avoids any biais, which is especially important for ECDSA.
+         */
         do
         {
-            mpi_fill_random( d, n_size, f_rng, p_rng );
-
-            while( mpi_cmp_mpi( d, &grp->N ) >= 0 )
-                mpi_shift_r( d, 1 );
+            f_rng( p_rng, rnd, n_size );
+            mpi_read_binary( d, rnd, n_size );
+            mpi_shift_r( d, 8 * n_size - grp->nbits );
 
             if( count++ > 10 )
                 return( POLARSSL_ERR_ECP_RANDOM_FAILED );
         }
-        while( mpi_cmp_int( d, 1 ) < 0 );
+        while( mpi_cmp_int( d, 1 ) < 0 ||
+               mpi_cmp_mpi( d, &grp->N ) >= 0 );
     }
     else
 #endif
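Review bot: The result of `f_rng( p_rng, rnd, n_size )` on the new line is discarded, so if the RNG reports failure the loop still reads `rnd` — uninitialized on the first pass, stale on later ones — into `d` and may return it as the private key; the `mpi_read_binary` and `mpi_shift_r` calls that follow can also fail and are likewise unchecked. Proposed change, reusing the error code the hunk already returns and the file's `MPI_CHK` pattern (assuming the enclosing function, which starts and ends outside the hunk, declares `ret` and a `cleanup` label as its siblings do): `if( f_rng( p_rng, rnd, n_size ) != 0 ) return( POLARSSL_ERR_ECP_RANDOM_FAILED );` then `MPI_CHK( mpi_read_binary( d, rnd, n_size ) );` and `MPI_CHK( mpi_shift_r( d, 8 * n_size - grp->nbits ) );`. The stack buffer `rnd` holds raw private-key bytes and is never cleared before the function returns; clearing it once `d` has been loaded (with whatever secure-clear helper the file already uses, if one exists) would keep key material from lingering on the stack. Minor wording: the new comment says "biais" for "bias", and the unchanged comment above the loop reads `1 <= n < N` where `d` is meant.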