Analogous fix to ecc_gostdsa_verify.

* ecc-gostdsa-verify.c (ecc_gostdsa_verify): Use ecc_mod_mul_canonical
to compute the scalars used for ecc multiplication.

diff --git a/ChangeLog b/ChangeLog
index 7e162d7f6ec1aeba5abb78999a323201f3d8d7b7..e32660dcafbb40a6dbae5b4269385bed558c9fb4 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
 2021-03-13  Niels Möller  <nisse@lysator.liu.se>
 
+       * ecc-gostdsa-verify.c (ecc_gostdsa_verify): Use ecc_mod_mul_canonical
+       to compute the scalars used for ecc multiplication.
+
        * ecc-ecdsa-sign.c (ecc_ecdsa_sign): Ensure s output is reduced to
        canonical range.
 

diff --git a/ecc-gostdsa-verify.c b/ecc-gostdsa-verify.c
index c0613f4f02c12c966c7a9ddf007a3cb477015027..fcdd46442553c25cb21070e3d286ad9907cc6791 100644 (file)
--- a/ecc-gostdsa-verify.c
+++ b/ecc-gostdsa-verify.c
@@ -102,11 +102,11 @@ ecc_gostdsa_verify (const struct ecc_curve *ecc,
   ecc->q.invert (&ecc->q, vp, hp, vp + ecc->p.size);
 
   /* z1 = s / h, P1 = z1 * G */
-  ecc_mod_mul (&ecc->q, z1, sp, vp, z1);
+  ecc_mod_mul_canonical (&ecc->q, z1, sp, vp, z1);
 
   /* z2 = - r / h, P2 = z2 * Y */
-  ecc_mod_mul (&ecc->q, z2, rp, vp, z2);
-  mpn_sub_n (z2, ecc->q.m, z2, ecc->p.size);
+  mpn_sub_n (hp, ecc->q.m, rp, ecc->p.size);
+  ecc_mod_mul_canonical (&ecc->q, z2, hp, vp, z2);
 
    /* Total storage: 5*ecc->p.size + ecc->mul_itch */
   ecc->mul (ecc, P2, z2, pp, z2 + ecc->p.size);