From 60e36dac3b9df54dd51f2a08d6a1b8121dd2c32b Mon Sep 17 00:00:00 2001
From: Jochen Hoenicke
Date: Thu, 23 Jul 2015 16:04:14 -0700
Subject: [PATCH] Fixed conditional_negate for larger numbers

Without the bn_mod the numbers get larger (but still < 2*prime), so conditional_negate should handle this.
---
 ecdsa.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/ecdsa.c b/ecdsa.c
index 3f2e4d429..f18a13397 100644
--- a/ecdsa.c
+++ b/ecdsa.c
@@ -177,13 +177,15 @@ void conditional_negate(uint32_t cond, bignum256 *a, const bignum256 *prime)
 {
 	int j;
 	uint32_t tmp = 1;
+	assert(a->val[8] < 0x20000);
 	for (j = 0; j < 8; j++) {
-		tmp += 0x3fffffff + prime->val[j] - a->val[j];
+		tmp += 0x3fffffff + 2*prime->val[j] - a->val[j];
 		a->val[j] = ((tmp & 0x3fffffff) & cond) | (a->val[j] & ~cond);
 		tmp >>= 30;
 	}
-	tmp += 0x3fffffff + prime->val[j] - a->val[j];
+	tmp += 0x3fffffff + 2*prime->val[j] - a->val[j];
 	a->val[j] = ((tmp & 0x3fffffff) & cond) | (a->val[j] & ~cond);
+	assert(a->val[8] < 0x20000);
 }
 typedef struct jacobian_curve_point {
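Review bot: The widened contract of conditional_negate is enforced only by the two added `assert(a->val[8] < 0x20000)` lines, which disappear under NDEBUG and (on a device build) trap rather than fail gracefully, so the precondition should also be written down where a caller can see it; the signature itself is only carried in the `@@` header, outside the hunk. I would put a comment above the function along the lines of `/* If cond is 0xffffffff, replaces a with 2*prime - a; if cond is 0, leaves a unchanged (constant-time, no branch on cond). Requires 0 <= a <= 2*prime, i.e. a->val[8] < 0x20000; the result then satisfies the same bound. */`. Note that the masking with `& cond` / `& ~cond` presumes cond is an all-ones or all-zeros mask, not a boolean 0/1 — that is pre-existing, but worth stating in the same comment since the function is now used on a wider input range. One edge to confirm against the callers: for a == 0 the negated value is exactly 2*prime, which passes the post-assert but is not strictly less than 2*prime as the commit message words the invariant; if anything downstream relies on the strict bound that case needs a look.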