From fac18421f5b3c215e04a32240e04ac6235d17a0f Mon Sep 17 00:00:00 2001
From: Mark Wooding
Date: Mon, 22 Dec 2014 20:32:58 +0000
Subject: [PATCH] math/f-{prime,niceprime}.c: Fix reduction for `add', `sub' and `neg'.

None of these worked properly at the modulus itself. This causes the `neg' method of prime curves to fail at 2-torsion points.
---
 math/f-niceprime.c | 7 ++++---
 math/f-prime.c | 7 ++++---
 math/t/ec | 7 +++++++
 3 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/math/f-niceprime.c b/math/f-niceprime.c
index 342cb862..f31752d1 100644
--- a/math/f-niceprime.c
+++ b/math/f-niceprime.c
@@ -52,20 +52,21 @@ static int fzerop(field *ff, mp *x) { return (MP_ZEROP(x)); }
 static mp *fneg(field *ff, mp *d, mp *x) { fctx_niceprime *f = (fctx_niceprime *)ff;
- return (mp_sub(d, f->r.p, x));
+ if (MP_ZEROP(x)) { if (d != x) mp_drop(d); return (MP_COPY(x)); }
+ else return (mp_sub(d, f->r.p, x));
 }
 static mp *fadd(field *ff, mp *d, mp *x, mp *y) { fctx_niceprime *f = (fctx_niceprime *)ff; d = mp_add(d, x, y); if (MP_NEGP(d)) d = mp_add(d, d, f->r.p);
- else if (MP_CMP(d, >, f->r.p)) d = mp_sub(d, d, f->r.p);
+ else if (MP_CMP(d, >=, f->r.p)) d = mp_sub(d, d, f->r.p);
 return (d); }
 static mp *fsub(field *ff, mp *d, mp *x, mp *y) { fctx_niceprime *f = (fctx_niceprime *)ff; d = mp_sub(d, x, y); if (MP_NEGP(d)) d = mp_add(d, d, f->r.p);
- else if (MP_CMP(d, >, f->r.p)) d = mp_sub(d, d, f->r.p);
+ else if (MP_CMP(d, >=, f->r.p)) d = mp_sub(d, d, f->r.p);
 return (d); }
diff --git a/math/f-prime.c b/math/f-prime.c
index d9c5c179..b21ca2a6 100644
--- a/math/f-prime.c
+++ b/math/f-prime.c
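Review bot: In the new zero branch of `fneg`, `if (d != x) mp_drop(d);` releases whatever destination the caller passed, and nothing in the hunk shows that `d` is always a live reference at that point. The non-zero branch hands `d` straight to `mp_sub`, so if callers may pass a null "allocate a result for me" destination (not visible here), only a zero input would reach the drop with it. Unless `mp_drop` is known to tolerate that value, I would write the guard as `if (d && d != x) mp_drop(d);`. The identical line is added to `fneg` in math/f-prime.c, so the same applies there.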
@@ -63,20 +63,21 @@ static int fzerop(field *ff, mp *x) { return (MP_ZEROP(x)); }
 static mp *fneg(field *ff, mp *d, mp *x) { fctx_prime *f = (fctx_prime *)ff;
- return (mp_sub(d, f->mm.m, x));
+ if (MP_ZEROP(x)) { if (d != x) mp_drop(d); return (MP_COPY(x)); }
+ else return (mp_sub(d, f->mm.m, x));
 }
 static mp *fadd(field *ff, mp *d, mp *x, mp *y) { fctx_prime *f = (fctx_prime *)ff; d = mp_add(d, x, y); if (MP_NEGP(d)) d = mp_add(d, d, f->mm.m);
- else if (MP_CMP(d, >, f->mm.m)) d = mp_sub(d, d, f->mm.m);
+ else if (MP_CMP(d, >=, f->mm.m)) d = mp_sub(d, d, f->mm.m);
 return (d); }
 static mp *fsub(field *ff, mp *d, mp *x, mp *y) { fctx_prime *f = (fctx_prime *)ff; d = mp_sub(d, x, y); if (MP_NEGP(d)) d = mp_add(d, d, f->mm.m);
- else if (MP_CMP(d, >, f->mm.m)) d = mp_sub(d, d, f->mm.m);
+ else if (MP_CMP(d, >=, f->mm.m)) d = mp_sub(d, d, f->mm.m);
 return (d); }
diff --git a/math/t/ec b/math/t/ec
index acd16d6e..1dc56abf 100644
--- a/math/t/ec
+++ b/math/t/ec
@@ -172,6 +172,13 @@ neg {
 "0x188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012, 0xf8e6d46a003725879cefee1294db32298c06885ee186b7ee";
+ "prime: 6277101735386680763835789423207666416102355444464034512659; prime: -3, 6"
+ "0xcdf65dc6c906c5c240dba0d156b911614abe806fa2b8dc0a, 0"
+ "0xcdf65dc6c906c5c240dba0d156b911614abe806fa2b8dc0a, 0";
+ "niceprime: 6277101735386680763835789423207666416102355444464034512659; prime: -3, 6"
+ "0xcdf65dc6c906c5c240dba0d156b911614abe806fa2b8dc0a, 0"
+ "0xcdf65dc6c906c5c240dba0d156b911614abe806fa2b8dc0a, 0";
+
 "niceprime: 6277101735386680763835789423207666416083908700390324961279 prime: -3, 0x64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1"
 "0x188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012,
--
2.11.0
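Review bot: The range invariant this fix restores is not written down anywhere in the hunk: `fadd` and `fsub` apply a single conditional correction and `fneg` a single subtraction from `f->mm.m`, so results are canonical only when the inputs are already in [0, m). `fzerop` is a bare `MP_ZEROP(x)`, so a stored value equal to the modulus would presumably not be recognised as zero, which matches the 2-torsion `neg` failure described in the commit message. I would add a comment above `fneg`, for example `/* Elements are kept in [0, m); fzerop relies on zero having the single representation 0. */`. The same comment fits math/f-niceprime.c with `f->r.p` as the modulus.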
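Review bot: Both added vectors exercise only `neg` at a point whose y-coordinate is 0, so the `>` to `>=` change in `fadd` has no regression case in this hunk. A vector whose two operands sum exactly to the modulus, with expected result 0, for both `prime` and `niceprime` would pin that part of the fix. It may belong in a field-level test file rather than here, since none is visible on this page. The `neg` block starts and ends outside the hunk.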