return back normalization of signatures

ecdsa.c

@@ -734,6 +734,13 @@ int ecdsa_sign_digest(const ecdsa_curve *curve, const uint8_t *priv_key, const u
 	}
 
 	if (result == 0) {
+		// if S > order/2 => S = -S
+		if (bn_is_less(&curve->order_half, &k)) {
+			bn_subtract(&curve->order, &k, &k);
+			if (pby) {
+				*pby = !*pby;
+			}
+		}
 		// we are done, R.x and k is the result signature
 		bn_write_be(&R.x, sig);
 		bn_write_be(&k, sig + 32);

ecdsa.h

@@ -35,10 +35,11 @@ typedef struct {
 
 typedef struct {
 
-	bignum256 prime;  // prime order of the finite field
-	curve_point G;    // initial curve point
-	bignum256 order;  // order of G
-	bignum256 a;      // coefficient 'a' of the elliptic curve
+	bignum256 prime;       // prime order of the finite field
+	curve_point G;         // initial curve point
+	bignum256 order;       // order of G
+	bignum256 order_half;  // order of G divided by 2
+	bignum256 a;           // coefficient 'a' of the elliptic curve
 
 #if USE_PRECOMPUTED_CP
 	const curve_point cp[64][8];

nist256p1.c

@@ -37,6 +37,10 @@ const ecdsa_curve nist256p1 = {
 		/*.val =*/{0x3c632551, 0xee72b0b, 0x3179e84f, 0x39beab69, 0x3fffffbc, 0x3fffffff, 0xfff, 0x3fffc000, 0xffff}
 	},
 
+	/* order_half */ {
+		/*.val =*/{0x3e3192a8, 0x27739585, 0x38bcf427, 0x1cdf55b4, 0x3fffffde, 0x3fffffff, 0x7ff, 0x3fffe000, 0x7fff}
+	},
+
 	/* a */ {
 		/*.val =*/{0x3ffffffc, 0x3fffffff, 0x3fffffff, 0x3f, 0x0, 0x0, 0x1000, 0x3fffc000, 0xffff}
 	}

secp256k1.c

@@ -37,6 +37,10 @@ const ecdsa_curve secp256k1 = {
 		/*.val =*/{0x10364141, 0x3f497a33, 0x348a03bb, 0x2bb739ab, 0x3ffffeba, 0x3fffffff, 0x3fffffff, 0x3fffffff, 0xffff}
 	},
 
+	/* order_half */ {
+		/*.val =*/{0x281b20a0, 0x3fa4bd19, 0x3a4501dd, 0x15db9cd5, 0x3fffff5d, 0x3fffffff, 0x3fffffff, 0x3fffffff, 0x7fff}
+	},
+
 	/* a */ {
 		/*.val =*/{0}
 	}