Similar fix for eddsa.

* eddsa-hash.c (_eddsa_hash): Ensure result is canonically
reduced. Two of the three call sites need that.

2 files changed, 10 insertions, 3 deletions

diff --git a/ChangeLog b/ChangeLog
index e32660dc..202dc275 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
 2021-03-13  Niels Möller  <nisse@lysator.liu.se>
 
+	* eddsa-hash.c (_eddsa_hash): Ensure result is canonically
+	reduced. Two of the three call sites need that.
+
 	* ecc-gostdsa-verify.c (ecc_gostdsa_verify): Use ecc_mod_mul_canonical
 	to compute the scalars used for ecc multiplication.
 
diff --git a/eddsa-hash.c b/eddsa-hash.c
index 95e0dd70..6ebbe977 100644
--- a/eddsa-hash.c
+++ b/eddsa-hash.c
@@ -44,13 +44,14 @@
 #include "ecc-internal.h"
 #include "nettle-internal.h"
 
-/* Convert hash digest to integer, and reduce modulo q, to m->size
-   limbs. Needs space for 2*m->size + 1 at rp. */
+/* Convert hash digest to integer, and reduce canonically modulo q.
+   Needs space for 2*m->size + 1 at rp. */
 void
 _eddsa_hash (const struct ecc_modulo *m,
 	     mp_limb_t *rp, size_t digest_size, const uint8_t *digest)
 {
   mp_size_t nlimbs = (8*digest_size + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS;
+  mp_limb_t cy;
 
   mpn_set_base256_le (rp, nlimbs, digest, digest_size);
 
@@ -74,5 +75,8 @@ _eddsa_hash (const struct ecc_modulo *m,
       hi = mpn_cnd_add_n (hi, rp + m->size, rp + m->size, m->B, m->size);
       assert (hi == 0);
     }
-  m->mod (m, rp, rp);
+  m->mod (m, rp + m->size , rp);
+  /* Ensure canonical reduction. */
+  cy = mpn_sub_n (rp, rp + m->size, m->m, m->size);
+  cnd_copy (cy, rp, rp + m->size, m->size);
 }