Fix ecp_gen_keypair() Too few tries caused failures for some curves (esp. secp224k1)

commit: 6e8e34d61eee725e7940ed18836462d4d533fc90 [log] [tgz]
author: Manuel Pégourié-Gonnard <mpg@elzevir.fr> Tue Jan 28 19:30:56 2014 +0100
committer: Paul Bakker <p.j.bakker@polarssl.org> Wed Feb 05 15:53:45 2014 +0100
tree: 338a5383e7a2c893fc62b89543ec90f238e57400
parent: 2cb1a0c4009ecf368ecc74eb428394e10f9e6d00 [diff] [blame]
diff --git a/library/ecp.c b/library/ecp.c
index b1c4548..a27d30e 100644
--- a/library/ecp.c
+++ b/library/ecp.c

@@ -1796,7 +1796,16 @@
             MPI_CHK( mpi_read_binary( d, rnd, n_size ) );
             MPI_CHK( mpi_shift_r( d, 8 * n_size - grp->nbits ) );
 
-            if( count++ > 10 )
+            /*
+             * Each try has at worst a probability 1/2 of failing (the msb has
+             * a probability 1/2 of being 0, and then the result will be < N),
+             * so after 30 tries failure probability is a most 2**(-30).
+             *
+             * For most curves, 1 try is enough with overwhelming probability,
+             * since N starts with a lot of 1s in binary, but some curves
+             * such as secp224k1 are actually very close to the worst case.
+             */
+            if( ++count > 30 )
                 return( POLARSSL_ERR_ECP_RANDOM_FAILED );
         }
         while( mpi_cmp_int( d, 1 ) < 0 ||
commit	6e8e34d61eee725e7940ed18836462d4d533fc90	[log] [tgz]
author	Manuel Pégourié-Gonnard <mpg@elzevir.fr>	Tue Jan 28 19:30:56 2014 +0100
committer	Paul Bakker <p.j.bakker@polarssl.org>	Wed Feb 05 15:53:45 2014 +0100
tree	338a5383e7a2c893fc62b89543ec90f238e57400
parent	2cb1a0c4009ecf368ecc74eb428394e10f9e6d00 [diff] [blame]