Diffstat (limited to 'lib/nettle/ecc/override/eddsa-hash.c.diff')
-rw-r--r--lib/nettle/ecc/override/eddsa-hash.c.diff30
1 files changed, 30 insertions, 0 deletions
diff --git a/lib/nettle/ecc/override/eddsa-hash.c.diff b/lib/nettle/ecc/override/eddsa-hash.c.diff
new file mode 100644
index 0000000000..f2237e503f
--- /dev/null
+++ b/lib/nettle/ecc/override/eddsa-hash.c.diff
@@ -0,0 +1,30 @@
+diff --git a/eddsa-hash.c b/eddsa-hash.c
+index e05f6ac1..743dc4be 100644
+--- a/eddsa-hash.c
++++ b/eddsa-hash.c
+@@ -44,13 +44,14 @@
+ #include "ecc-internal.h"
+ #include "nettle-internal.h"
+
+-/* Convert hash digest to integer, and reduce modulo q, to m->size
+- limbs. Needs space for 2*m->size + 1 at rp. */
++/* Convert hash digest to integer, and reduce canonically modulo q.
++ Needs space for 2*m->size + 1 at rp. */
+ void
+ _eddsa_hash (const struct ecc_modulo *m,
+ mp_limb_t *rp, size_t digest_size, const uint8_t *digest)
+ {
+ mp_size_t nlimbs = (8*digest_size + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS;
++ mp_limb_t cy;
+
+ mpn_set_base256_le (rp, nlimbs, digest, digest_size);
+
+@@ -75,4 +76,8 @@ _eddsa_hash (const struct ecc_modulo *m,
+ assert (hi == 0);
+ }
+ m->mod (m, rp);
++ /* Ensure canonical reduction. */
++ cy = mpn_sub_n (rp + m->size, rp, m->m, m->size);
++ cnd_copy (cy, rp + m->size, rp, m->size);
++ mpn_copyi (rp, rp + m->size, m->size);
+ }
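Review bot: The conditional subtraction added on the last three new lines (`mpn_sub_n` / `cnd_copy` / `mpn_copyi`) yields a canonical residue only if `m->mod` leaves `rp` in [0, 2m); neither the hunk nor the rewritten header comment records that precondition, so a reader of this override cannot tell why a single subtraction is sufficient. I would state it beside the new code, e.g. `/* m->mod may leave rp in [m, 2m); one constant-time conditional subtraction gives the canonical residue. */`, and if any modulus's reduction can return a value at or above 2m the step must be repeated or the bound asserted. Using the borrow to drive `cnd_copy` rather than a branch keeps the fix free of secret-dependent control flow, which matters because the value is derived from hashed secret material — presumably the motivation for overriding the vendored source, though the patch does not say so. The middle of `_eddsa_hash`, between the two inner hunks, is not shown here.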