From d659fd49a56992c8e903f7957bd3b221e3bc0f12 Mon Sep 17 00:00:00 2001
From: Pavol Rusnak
Date: Mon, 3 Aug 2015 21:31:15 +0200
Subject: [PATCH] return back normalization of signatures
---
 ecdsa.c | 7 +++++++
 ecdsa.h | 9 +++++----
 nist256p1.c | 4 ++++
 secp256k1.c | 4 ++++
 4 files changed, 20 insertions(+), 4 deletions(-)
diff --git a/ecdsa.c b/ecdsa.c
index ac5aa3d8cc..380ddaabf2 100644
--- a/ecdsa.c
+++ b/ecdsa.c
@@ -734,6 +734,13 @@ int ecdsa_sign_digest(const ecdsa_curve *curve, const uint8_t *priv_key, const u
 }
 if (result == 0) {
+ // if S > order/2 => S = -S
+ if (bn_is_less(&curve->order_half, &k)) {
+ bn_subtract(&curve->order, &k, &k);
+ if (pby) {
+ *pby = !*pby;
+ }
+ }
 // we are done, R.x and k is the result signature
 bn_write_be(&R.x, sig);
 bn_write_be(&k, sig + 32);
diff --git a/ecdsa.h b/ecdsa.h
index 85fe434b70..cb78206fd8 100644
--- a/ecdsa.h
+++ b/ecdsa.h
@@ -35,10 +35,11 @@ typedef struct {
 typedef struct {
- bignum256 prime; // prime order of the finite field
- curve_point G; // initial curve point
- bignum256 order; // order of G
- bignum256 a; // coefficient 'a' of the elliptic curve
+ bignum256 prime; // prime order of the finite field
+ curve_point G; // initial curve point
+ bignum256 order; // order of G
+ bignum256 order_half; // order of G divided by 2
+ bignum256 a; // coefficient 'a' of the elliptic curve
 #if USE_PRECOMPUTED_CP
 const curve_point cp[64][8];
diff --git a/nist256p1.c b/nist256p1.c
index f6468b9bfd..8aedb2c13b 100644
--- a/nist256p1.c
+++ b/nist256p1.c
@@ -37,6 +37,10 @@ const ecdsa_curve nist256p1 = {
 /*.val =*/{0x3c632551, 0xee72b0b, 0x3179e84f, 0x39beab69, 0x3fffffbc, 0x3fffffff, 0xfff, 0x3fffc000, 0xffff}
 },
+ /* order_half */ {
+ /*.val =*/{0x3e3192a8, 0x27739585, 0x38bcf427, 0x1cdf55b4, 0x3fffffde, 0x3fffffff, 0x7ff, 0x3fffe000, 0x7fff}
+ },
+
 /* a */ {
 /*.val =*/{0x3ffffffc, 0x3fffffff, 0x3fffffff, 0x3f, 0x0, 0x0, 0x1000, 0x3fffc000, 0xffff}
 }
diff --git a/secp256k1.c b/secp256k1.c
index cbd21fbd4c..72a9fe3f06 100644
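Review bot: `*pby = !*pby;` in the added normalization branch is a parity flip only while `*pby` is strictly 0 or 1; the assignment to `*pby` is outside this hunk, so that is an assumption here. If the recovery byte ever carries another bit, logical negation collapses it to 0, whereas `*pby ^= 1;` flips only the parity bit and is correct either way. The comment would also be clearer if it said that `k` holds S at this point and why the low half is kept, e.g. `// k holds S here; keep S <= order/2 so (R, S) has one canonical form`. ecdsa_sign_digest starts before and continues after the hunk.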
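Review bot: The comment on the new `order_half` field should say which rounding is meant and what the field is for, since the order of G is odd and the signing code compares S against this value. Something like `// floor(order / 2); signing replaces S with order - S when S exceeds this` would do. The field is also inserted between `order` and `a`, and the curve tables in this commit use positional initializers, so any other `ecdsa_curve` definition (none is visible here) has to gain the entry in the same position or the value meant for `a` lands in `order_half`. The struct definition continues past the hunk.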
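Review bot: The `order_half` limbs are a second, hand-written copy of information already in `order`, and nothing shown ties the two together; the same holds for the secp256k1.c hunk. A wrong limb would not fail loudly; it would make the S normalization in ecdsa_sign_digest trigger at the wrong threshold. I would add a unit test that checks `2 * order_half + 1 == order` for every curve, and a line such as `/* order_half = (order - 1) / 2 */` above the entry so the derivation is on record.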
--- a/secp256k1.c
+++ b/secp256k1.c
@@ -37,6 +37,10 @@ const ecdsa_curve secp256k1 = {
 /*.val =*/{0x10364141, 0x3f497a33, 0x348a03bb, 0x2bb739ab, 0x3ffffeba, 0x3fffffff, 0x3fffffff, 0x3fffffff, 0xffff}
 },
+ /* order_half */ {
+ /*.val =*/{0x281b20a0, 0x3fa4bd19, 0x3a4501dd, 0x15db9cd5, 0x3fffff5d, 0x3fffffff, 0x3fffffff, 0x3fffffff, 0x7fff}
+ },
+
 /* a */ {
 /*.val =*/{0}
 }