Ensure values are fully reduced during ECDSA signature

It was possible that the Barrett reduction code would fall back to standard division due to getting an input that was >= order^2.
author: Jack Lloyd <[email protected]> 2018-07-30 15:33:56 -0400
committer: Jack Lloyd <[email protected]> 2018-07-30 15:35:49 -0400
commit: 66b7c7e1fe6d979fdd9b879b2ec63fe06c1f6fd9 (patch)
tree: f651efc2cb0330e6f2766331c8774be76ef38f76 /src/lib/pubkey
parent: cb14e9ce95bcaae2ada7ffe96ef0cce6a2b38593 (diff)
1 files changed, 3 insertions, 3 deletions
diff --git a/src/lib/pubkey/ecdsa/ecdsa.cpp b/src/lib/pubkey/ecdsa/ecdsa.cpp
index 2409d8f0d..a239aab73 100644
--- a/src/lib/pubkey/ecdsa/ecdsa.cpp
+++ b/src/lib/pubkey/ecdsa/ecdsa.cpp
@@ -106,10 +106,10 @@ ECDSA_Signature_Operation::raw_sign(const uint8_t msg[], size_t msg_len,
    m_b = m_group.square_mod_order(m_b);
    m_b_inv = m_group.square_mod_order(m_b_inv);
 
-   m = m_group.multiply_mod_order(m_b, m);
-   const BigInt xr = m_group.multiply_mod_order(m_x, m_b, r);
+   m = m_group.multiply_mod_order(m_b, m_group.mod_order(m));
+   const BigInt xr_m = m_group.mod_order(m_group.multiply_mod_order(m_x, m_b, r) + m);
 
-   const BigInt s = m_group.multiply_mod_order(k_inv, xr + m, m_b_inv);
+   const BigInt s = m_group.multiply_mod_order(k_inv, xr_m, m_b_inv);
 
    // With overwhelming probability, a bug rather than actual zero r/s
    if(r.is_zero() || s.is_zero())
author	Jack Lloyd <[email protected]>	2018-07-30 15:33:56 -0400
committer	Jack Lloyd <[email protected]>	2018-07-30 15:35:49 -0400
commit	66b7c7e1fe6d979fdd9b879b2ec63fe06c1f6fd9 (patch)
tree	f651efc2cb0330e6f2766331c8774be76ef38f76 /src/lib/pubkey
parent	cb14e9ce95bcaae2ada7ffe96ef0cce6a2b38593 (diff)