Note that the byte order in mpi_fill_random_internal() is deliberate

Signed-off-by: Gilles Peskine <[email protected]>
Mbed-TLS · Jun 3, 2021 · 23422e4 · 23422e4
1 parent c0b68bf
commit 23422e4
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/library/bignum.c b/library/bignum.c
@@ -2405,6 +2405,8 @@ int mbedtls_mpi_gcd( mbedtls_mpi *G, const mbedtls_mpi *A, const mbedtls_mpi *B
 
 /* Fill X with n_bytes random bytes.
  * X must already have room for those bytes.
+ * The ordering of the bytes returned from the RNG is suitable for
+ * deterministic ECDSA (see RFC 6979 §3.3 and mbedtls_mpi_random()).
  * The size and sign of X are unchanged.
  * n_bytes must not be 0.
  */