Hi, I'm one of the upstream developers.
We believe we fixed this in our development branch for the next release, which should be out in a few days. In case you want to test the fix right now, the patch is attached. We plan to add a big-endian machine to our buildbot installation in the near future, in order to catch this kind of problem before the code is released. Thanks for your report, Manuel.
diff --git a/library/bignum.c b/library/bignum.c
index 012e9e3..af04883 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -1773,16 +1773,27 @@ cleanup:
 return( ret );
 }
+/*
+ * Fill X with size bytes of random.
+ *
+ * Use a temporary bytes representation to make sure the result is the same
+ * regardless of the platform endianness (usefull when f_rng is actually
+ * deterministic, eg for tests).
+ */
 int mpi_fill_random( mpi *X, size_t size, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) {
 int ret;
+ unsigned char *buf;
- MPI_CHK( mpi_grow( X, CHARS_TO_LIMBS( size ) ) );
- MPI_CHK( mpi_lset( X, 0 ) );
+ if( ( buf = polarssl_malloc( size ) ) == NULL )
+ return( POLARSSL_ERR_MPI_MALLOC_FAILED );
+
+ MPI_CHK( f_rng( p_rng, buf, size ) );
+ MPI_CHK( mpi_read_binary( X, buf, size ) );
- MPI_CHK( f_rng( p_rng, (unsigned char *) X->p, size ) );
+ polarssl_free( buf );
 cleanup:
 return( ret );
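Review bot: `polarssl_free( buf );` is placed above the `cleanup:` label, so when `f_rng` or `mpi_read_binary` fails and `MPI_CHK` jumps to `cleanup` (as the existing label suggests it does), the freshly allocated buffer is never released. That buffer also holds the raw random bytes that become X — typically private key material — and it is freed without being cleared, so the value can linger in released heap memory. Move the free below the label and wipe the buffer first, e.g. `cleanup:` / `memset( buf, 0, size );` / `polarssl_free( buf );`, preferring a zeroization helper the compiler cannot elide if the project provides one; buf is always non-NULL at that point because the allocation failure returns before any MPI_CHK. Separately, `polarssl_malloc( 0 )` may legitimately return NULL, which would turn a size of 0 into a spurious POLARSSL_ERR_MPI_MALLOC_FAILED rather than the no-op the old code performed.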