From 33dc46b080a254d6639f6c5cf07a864a32f05c78 Mon Sep 17 00:00:00 2001
From: Paul Bakker <p.j.bakker@polarssl.org>
Date: Wed, 30 Apr 2014 16:11:39 +0200
Subject: [PATCH] Fix bug with mpi_fill_random() on big-endian

---
 ChangeLog        |  2 ++
 library/bignum.c | 14 +++++++++++++-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 2f5be94a9..5598467e3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -25,6 +25,8 @@ Bugfix
      ServerHello when no extensions are present (found by Matthew Page)
    * rsa_check_pubkey() now allows an E up to N
    * On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings
+   * mpi_fill_random() was creating numbers larger than requested on
+     big-endian platform when size was not an integer number of limbs
 
 = PolarSSL 1.3.6 released on 2014-04-11
 
diff --git a/library/bignum.c b/library/bignum.c
index 012e9e3e4..5fbb7d354 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -1773,16 +1773,28 @@ cleanup:
     return( ret );
 }
 
+/*
+ * Fill X with size bytes of random.
+ *
+ * Use a temporary bytes representation to make sure the result is the same
+ * regardless of the platform endianness (usefull when f_rng is actually
+ * deterministic, eg for tests).
+ */
 int mpi_fill_random( mpi *X, size_t size,
                      int (*f_rng)(void *, unsigned char *, size_t),
                      void *p_rng )
 {
     int ret;
+    unsigned char buf[POLARSSL_MPI_MAX_SIZE];
+
+    if( size > POLARSSL_MPI_MAX_SIZE )
+        return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
 
     MPI_CHK( mpi_grow( X, CHARS_TO_LIMBS( size ) ) );
     MPI_CHK( mpi_lset( X, 0 ) );
 
-    MPI_CHK( f_rng( p_rng, (unsigned char *) X->p, size ) );
+    MPI_CHK( f_rng( p_rng, buf, size ) );
+    MPI_CHK( mpi_read_binary( X, buf, size ) );
 
 cleanup:
     return( ret );