diff options
author | Jack Lloyd <[email protected]> | 2018-07-30 15:33:56 -0400 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2018-07-30 15:35:49 -0400 |
commit | 66b7c7e1fe6d979fdd9b879b2ec63fe06c1f6fd9 (patch) | |
tree | f651efc2cb0330e6f2766331c8774be76ef38f76 /src | |
parent | cb14e9ce95bcaae2ada7ffe96ef0cce6a2b38593 (diff) |
Ensure values are fully reduced during ECDSA signature
It was possible that the Barrett reduction code would fall back
to standard division due to getting an input that was >= order^2.
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/pubkey/ecdsa/ecdsa.cpp | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/src/lib/pubkey/ecdsa/ecdsa.cpp b/src/lib/pubkey/ecdsa/ecdsa.cpp index 2409d8f0d..a239aab73 100644 --- a/src/lib/pubkey/ecdsa/ecdsa.cpp +++ b/src/lib/pubkey/ecdsa/ecdsa.cpp @@ -106,10 +106,10 @@ ECDSA_Signature_Operation::raw_sign(const uint8_t msg[], size_t msg_len, m_b = m_group.square_mod_order(m_b); m_b_inv = m_group.square_mod_order(m_b_inv); - m = m_group.multiply_mod_order(m_b, m); - const BigInt xr = m_group.multiply_mod_order(m_x, m_b, r); + m = m_group.multiply_mod_order(m_b, m_group.mod_order(m)); + const BigInt xr_m = m_group.mod_order(m_group.multiply_mod_order(m_x, m_b, r) + m); - const BigInt s = m_group.multiply_mod_order(k_inv, xr + m, m_b_inv); + const BigInt s = m_group.multiply_mod_order(k_inv, xr_m, m_b_inv); // With overwhelming probability, a bug rather than actual zero r/s if(r.is_zero() || s.is_zero()) |