From 23422e424c29c570d57fb74cd3227f876d1a4a40 Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Thu, 3 Jun 2021 11:51:09 +0200
Subject: [PATCH] Note that the byte order in mpi_fill_random_internal() is
 deliberate

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 library/bignum.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/library/bignum.c b/library/bignum.c
index d1874031c2..3acc4b9b4a 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -2405,6 +2405,8 @@ cleanup:
 
 /* Fill X with n_bytes random bytes.
  * X must already have room for those bytes.
+ * The ordering of the bytes returned from the RNG is suitable for
+ * deterministic ECDSA (see RFC 6979 §3.3 and mbedtls_mpi_random()).
  * The size and sign of X are unchanged.
  * n_bytes must not be 0.
  */