Commit d9b564e4 authored by Niels Möller

Similar fix for eddsa.

* eddsa-hash.c (_eddsa_hash): Ensure result is canonically
reduced. Two of the three call sites need that.
parent fbaefb64
2021-03-13 Niels Möller <nisse@lysator.liu.se>
* eddsa-hash.c (_eddsa_hash): Ensure result is canonically
reduced. Two of the three call sites need that.
* ecc-gostdsa-verify.c (ecc_gostdsa_verify): Use ecc_mod_mul_canonical
to compute the scalars used for ecc multiplication.
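Review bot: the new eddsa-hash.c entry says two of the three call sites need the canonically reduced result but names none of them; listing the two that depend on it (and the one that does not) here would let a later reader confirm every dependent caller is covered without re-deriving it from the call graph.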
......@@ -44,13 +44,14 @@
#include "ecc-internal.h"
#include "nettle-internal.h"
/* Convert hash digest to integer, and reduce modulo q, to m->size
limbs. Needs space for 2*m->size + 1 at rp. */
/* Convert hash digest to integer, and reduce canonically modulo q.
Needs space for 2*m->size + 1 at rp. */
void
_eddsa_hash (const struct ecc_modulo *m,
mp_limb_t *rp, size_t digest_size, const uint8_t *digest)
{
mp_size_t nlimbs = (8*digest_size + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS;
mp_limb_t cy;
mpn_set_base256_le (rp, nlimbs, digest, digest_size);
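Review bot: the rewritten comment states the new guarantee ("reduce canonically modulo q") but not the other half of the contract: on return only rp[0 .. m->size) is the result, and the upper half of the buffer is clobbered as scratch for the reduction. The existing "Needs space for 2*m->size + 1 at rp" line is the natural place to say that the result lies in [0, q) and that the remaining limbs are scratch, since callers are now expected to rely on the former and must not rely on the latter.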
......@@ -74,5 +75,8 @@ _eddsa_hash (const struct ecc_modulo *m,
hi = mpn_cnd_add_n (hi, rp + m->size, rp + m->size, m->B, m->size);
assert (hi == 0);
}
m->mod (m, rp, rp);
m->mod (m, rp + m->size , rp);
/* Ensure canonical reduction. */
cy = mpn_sub_n (rp, rp + m->size, m->m, m->size);
cnd_copy (cy, rp, rp + m->size, m->size);
}
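Review bot: the single mpn_sub_n plus cnd_copy after m->mod is a complete canonical reduction only if m->mod returns a value strictly below 2q; one conditional subtraction can remove at most one surplus multiple of q, so that precondition on the mod function should be spelled out in the "Ensure canonical reduction" comment (or checked with an assert in debug builds, as the assert (hi == 0) above already does for the earlier step) rather than left implicit. Using cnd_copy on the borrow instead of an if on cy is the right choice, keeping the function free of data-dependent branches in line with the mpn_cnd_add_n used earlier in the same function.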