commit 5fb8efe71e765632677b068d5b7ed710082f8a0e
author Paul Bakker <p.j.bakker@polarssl.org> Wed Feb 05 15:54:34 2014 +0100
committer Paul Bakker <p.j.bakker@polarssl.org> Wed Feb 05 15:55:18 2014 +0100
tree 56c0dd178ac0452616b11a0c74c088e9668cd9d2
parent ffd94cce6b34170124de81012e7ba7902d920734
parent 725afd8b559c0726433bdf69361618966e769170

Merged HMAC-DRBG code

ChangeLog

diff --git a/ChangeLog b/ChangeLog
index 2f6a3c5..d097d71 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,13 @@
 PolarSSL ChangeLog (Sorted per branch, date)
 
+= PolarSSL 1.3 branch
+Features
+   * HMAC-DRBG as a separate module
+
+Bugfix
+   * ecp_gen_keypair() does more tries to prevent failure because of
+     statistics
+
 = PolarSSL 1.3.4 released on 2014-01-27
 Features
    * Support for the Koblitz curves: secp192k1, secp224k1, secp256k1

include/polarssl/config.h

diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index ced277e..1ed203c 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -1995,7 +1995,11 @@
     !defined(POLARSSL_ECP_DP_SECP521R1_ENABLED) &&                  \
     !defined(POLARSSL_ECP_DP_BP256R1_ENABLED)   &&                  \
     !defined(POLARSSL_ECP_DP_BP384R1_ENABLED)   &&                  \
-    !defined(POLARSSL_ECP_DP_BP512R1_ENABLED) ) )
+    !defined(POLARSSL_ECP_DP_BP512R1_ENABLED)   &&                  \
+    !defined(POLARSSL_ECP_DP_M255_ENABLED)      &&                  \
+    !defined(POLARSSL_ECP_DP_SECP192K1_ENABLED) &&                  \
+    !defined(POLARSSL_ECP_DP_SECP224K1_ENABLED) &&                  \
+    !defined(POLARSSL_ECP_DP_SECP256K1_ENABLED) ) )
 #error "POLARSSL_ECP_C defined, but not all prerequisites"
 #endif
 

include/polarssl/ecp.h

diff --git a/include/polarssl/ecp.h b/include/polarssl/ecp.h
index d98146c..1635b70 100644
--- a/include/polarssl/ecp.h
+++ b/include/polarssl/ecp.h
@@ -68,9 +68,9 @@
     POLARSSL_ECP_DP_M255,           /*!< Curve25519               */
     POLARSSL_ECP_DP_M383,           /*!< (not implemented yet)    */
     POLARSSL_ECP_DP_M511,           /*!< (not implemented yet)    */
-    POLARSSL_ECP_DP_SECP192K1,      /*!< (not implemented yet)    */
-    POLARSSL_ECP_DP_SECP224K1,      /*!< (not implemented yet)    */
-    POLARSSL_ECP_DP_SECP256K1,      /*!< 256-bits Koblitz curve   */
+    POLARSSL_ECP_DP_SECP192K1,      /*!< 192-bits "Koblitz" curve */
+    POLARSSL_ECP_DP_SECP224K1,      /*!< 224-bits "Koblitz" curve */
+    POLARSSL_ECP_DP_SECP256K1,      /*!< 256-bits "Koblitz" curve */
 } ecp_group_id;
 
 /**

library/ecp.c

diff --git a/library/ecp.c b/library/ecp.c
index b1c4548..a27d30e 100644
--- a/library/ecp.c
+++ b/library/ecp.c
@@ -1796,7 +1796,16 @@
             MPI_CHK( mpi_read_binary( d, rnd, n_size ) );
             MPI_CHK( mpi_shift_r( d, 8 * n_size - grp->nbits ) );
 
-            if( count++ > 10 )
+            /*
+             * Each try has at worst a probability 1/2 of failing (the msb has
+             * a probability 1/2 of being 0, and then the result will be < N),
+             * so after 30 tries failure probability is a most 2**(-30).
+             *
+             * For most curves, 1 try is enough with overwhelming probability,
+             * since N starts with a lot of 1s in binary, but some curves
+             * such as secp224k1 are actually very close to the worst case.
+             */
+            if( ++count > 30 )
                 return( POLARSSL_ERR_ECP_RANDOM_FAILED );
         }
         while( mpi_cmp_int( d, 1 ) < 0 ||