Improve comment justifying a hard-coded limitation
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
diff --git a/library/ecp.c b/library/ecp.c
index 6fdadf2..e537dbb 100644
--- a/library/ecp.c
+++ b/library/ecp.c
@@ -295,8 +295,19 @@
{
uint8_t use_len;
- /* We don't need to draw more that 255 blocks, so don't bother with
- * carry propagation and just return an error instead. */
+ /* This function is only called for coordinate randomisation, which
+ * happens only twice in a scalar multiplication. Each time needs a
+ * random value in the range [2, p-1], and gets it by drawing len(p)
+ * bytes from this function, and retrying up to 10 times if unlucky.
+ *
+ * So for the largest curve, each scalar multiplication draws at most
+ * 2 * 66 bytes. The minimum block size is 20 bytes (with SHA-1), so
+ * that means at most 66 blocks.
+ *
+ * Since we don't need to draw more that 255 blocks, don't bother
+ * with carry propagation and just return an error instead. We can
+ * change that it we even need to draw more blinding values.
+ */
ctx->buf[3] += 1;
if( ctx->buf[3] == 0 )
return( MBEDTLS_ERR_ECP_RANDOM_FAILED );
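Review bot: the arithmetic in the new comment does not match its own premises. The comment states that each scalar multiplication does two randomisations, each drawing len(p) bytes and retrying up to 10 times, so the worst case is 2 * 10 * 66 = 1320 bytes, which with 20-byte blocks is 66 blocks; "2 * 66 bytes" gives only 132 bytes, i.e. 7 blocks, and does not lead to the stated "at most 66 blocks". Suggest writing the line as "2 * 10 * 66 bytes" so the 66-block bound follows from it. Two typos in the same comment: "more that 255 blocks" should read "more than 255 blocks", and "change that it we even need" should read "change that if we ever need".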