path: root/lib/nettle/ecc/override/eddsa-hash.c.diff
blob: f2237e503f5168ff732f1c92e74d49040f1f6d58 (plain)
diff --git a/eddsa-hash.c b/eddsa-hash.c
index e05f6ac1..743dc4be 100644
--- a/eddsa-hash.c
+++ b/eddsa-hash.c
@@ -44,13 +44,14 @@
 #include "ecc-internal.h"
 #include "nettle-internal.h"
 
-/* Convert hash digest to integer, and reduce modulo q, to m->size
-   limbs. Needs space for 2*m->size + 1 at rp. */
+/* Convert hash digest to integer, and reduce canonically modulo q.
+   Needs space for 2*m->size + 1 at rp. */
 void
 _eddsa_hash (const struct ecc_modulo *m,
 	     mp_limb_t *rp, size_t digest_size, const uint8_t *digest)
 {
   mp_size_t nlimbs = (8*digest_size + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS;
+  mp_limb_t cy;
 
   mpn_set_base256_le (rp, nlimbs, digest, digest_size);
 
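Review bot: The rewritten header comment at the top of the hunk drops the statement that the reduced result occupies m->size limbs at rp, which is the one fact a caller sizing and reading rp needs; the canonical-reduction wording can keep it, e.g. `/* Convert hash digest to integer, and reduce canonically modulo q, to m->size limbs. Needs space for 2*m->size + 1 at rp. */`. The new `mp_limb_t cy;` is declared at function top and only assigned far below, in the next hunk; that matches the file's existing declaration style, so no change is needed beyond the comment. The body of _eddsa_hash continues past the end of this hunk.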
@@ -75,4 +76,8 @@ _eddsa_hash (const struct ecc_modulo *m,
       assert (hi == 0);
     }
   m->mod (m, rp);
+  /* Ensure canonical reduction. */
+  cy = mpn_sub_n (rp + m->size, rp, m->m, m->size);
+  cnd_copy (cy, rp + m->size, rp, m->size);
+  mpn_copyi (rp, rp + m->size, m->size);
 }
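Review bot: The single conditional subtraction added after `m->mod (m, rp)` yields a canonical result only if m->mod leaves rp strictly below 2q; if it may return 2q or more, one subtraction is not enough and the "canonical" claim in the comment does not hold, so that precondition should be stated where the code depends on it. Replace `/* Ensure canonical reduction. */` with `/* m->mod leaves rp < 2q (assumed); one conditional subtraction of q, done without a secret-dependent branch via cnd_copy, makes it canonical. */`. The choice of mpn_sub_n plus cnd_copy rather than a branch on cy is what keeps the final step free of a data-dependent branch, which presumably matters wherever this hash feeds secret material such as a signing nonce, and is worth naming so it is not "simplified" into an if later. The scratch area at rp + m->size stays within the 2*m->size + 1 limbs the header comment already requires of callers.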