From 6e8e34d61eee725e7940ed18836462d4d533fc90 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Tue, 28 Jan 2014 19:30:56 +0100
Subject: [PATCH] Fix ecp_gen_keypair()
Too few tries caused failures for some curves (esp. secp224k1)
---
 ChangeLog | 5 +++++
 library/ecp.c | 11 ++++++++++-
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 2f6a3c58d..7f7726bf8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,10 @@
 PolarSSL ChangeLog (Sorted per branch, date)
 
+= PolarSSL 1.3 branch
+Bugfix
+ * ecp_gen_keypair() does more tries to prevent failure because of
+ statistics
+
 = PolarSSL 1.3.4 released on 2014-01-27
 Features
 * Support for the Koblitz curves: secp192k1, secp224k1, secp256k1
diff --git a/library/ecp.c b/library/ecp.c
index b1c454872..a27d30e2a 100644
--- a/library/ecp.c
+++ b/library/ecp.c
@@ -1796,7 +1796,16 @@ int ecp_gen_keypair( ecp_group *grp, mpi *d, ecp_point *Q,
 MPI_CHK( mpi_read_binary( d, rnd, n_size ) );
 MPI_CHK( mpi_shift_r( d, 8 * n_size - grp->nbits ) );
 
- if( count++ > 10 )
+ /*
+ * Each try has at worst a probability 1/2 of failing (the msb has
+ a probability 1/2 of being 0, and then the result will be < N),
+ so after 30 tries failure probability is a most 2**(-30).
+ *
+ * For most curves, 1 try is enough with overwhelming probability,
+ since N starts with a lot of 1s in binary, but some curves
+ such as secp224k1 are actually very close to the worst case.
+ */
+ if( ++count > 30 )
 return( POLARSSL_ERR_ECP_RANDOM_FAILED );
 }
 while( mpi_cmp_int( d, 1 ) < 0 ||
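Review bot: The bound 30 in the ecp.c hunk is a magic number that now appears twice, once in the comment (`so after 30 tries failure probability is a most 2**(-30)`, which should read `at most`) and once in `if( ++count > 30 )`, so a named constant such as `#define ECP_GEN_KEYPAIR_MAX_TRIES 30` used in both places would keep the argument and the code from drifting apart. The 1/2 worst-case bound rests on N having exactly `grp->nbits` bits, which the comment only implies via the msb argument; stating that premise explicitly would make the 2**(-30) claim checkable by a reader who does not know how `nbits` is defined. On the `return( POLARSSL_ERR_ECP_RANDOM_FAILED );` path the random bytes in `rnd` and the rejected candidate in `d` are left as they are; if `rnd` is a stack buffer (its declaration is outside the hunk) it is worth zeroizing it before that early return, since the same bytes feed the private key on the next iteration. The enclosing do/while starts before the hunk and its condition continues past the last line shown.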