Fix canonical reduction in gostdsa_vko.

* gostdsa-vko.c (gostdsa_vko): Use ecc_mod_mul_canonical to
compute the scalar used for ecc multiplication.

diff --git a/ChangeLog b/ChangeLog
index 202dc275d75ad7612e102171f6c1d90393b00faf..468b98a58afcaeb6fdaee145137357e0eab92352 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
 2021-03-13  Niels Möller  <nisse@lysator.liu.se>
 
+       * gostdsa-vko.c (gostdsa_vko): Use ecc_mod_mul_canonical to
+       compute the scalar used for ecc multiplication.
+
        * eddsa-hash.c (_eddsa_hash): Ensure result is canonically
        reduced. Two of the three call sites need that.
 

diff --git a/gostdsa-vko.c b/gostdsa-vko.c
index a02d59a96e09ebbcc4f7c2036dd37b9651e4baf1..3dc42a1e45e93ccc333f0193ab5a9ef21380f996 100644 (file)
--- a/gostdsa-vko.c
+++ b/gostdsa-vko.c
@@ -87,7 +87,7 @@ gostdsa_vko (const struct ecc_scalar *priv,
   if (mpn_zero_p (UKM, size))
     UKM[0] = 1;
 
-  ecc_mod_mul (&ecc->q, TEMP, priv->p, UKM, TEMP); /* TEMP = UKM * priv */
+  ecc_mod_mul_canonical (&ecc->q, TEMP, priv->p, UKM, TEMP); /* TEMP = UKM * priv */
   ecc->mul (ecc, XYZ, TEMP, pub->p, scratch + 4*size); /* XYZ = UKM * priv * pub */
   ecc->h_to_a (ecc, 0, TEMP, XYZ, scratch + 5*size); /* TEMP = XYZ */
   mpn_get_base256_le (out, bsize, TEMP, size);