From 252dba914912e694d0e69754f0167060fc4d2ba6 Mon Sep 17 00:00:00 2001
From: Thomas Pornin
Date: Sat, 14 Dec 2019 16:53:30 +0100
Subject: [PATCH] Fixed carry propagation bug in P-256 'm62' implementation (found by Auke Zeilstra; consequences unclear, possibly some invalid curve attacks in static ECDH contexts).
---
 src/ec/ec_p256_m62.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ec/ec_p256_m62.c b/src/ec/ec_p256_m62.c
index 3bcb95b..a431790 100644
--- a/src/ec/ec_p256_m62.c
+++ b/src/ec/ec_p256_m62.c
@@ -580,7 +580,7 @@ f256_final_reduce(uint64_t *a)
  w = t[2] - cc;
  t[2] = w & MASK52;
  cc = w >> 63;
- w = t[3] - BIT(36);
+ w = t[3] - BIT(36) - cc;
  t[3] = w & MASK52;
  cc = w >> 63;
  t[4] -= cc;
-- 
2.17.1
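Review bot: The corrected line `w = t[3] - BIT(36) - cc;` is right but carries no comment, and the borrow chain is exactly the kind of line where a dropped term goes unnoticed for years, so it deserves one, e.g. `/* borrow from limb 2 must propagate: omitting it left t[3] one too large whenever t[2] underflowed */`. The bug is only reachable when `cc` from the limb-2 step is nonzero, which from the visible lines means `t[2] - cc` wrapped; a regression test built from such an input (limb 2 at zero while the preceding step borrows, presumably a value just above the modulus) would pin the fix rather than relying on random-value tests that are unlikely to hit that case. The `cc = w >> 63` borrow extraction also depends on every limb staying within MASK52 before the subtraction, so the wrapped value's top bit is a reliable borrow flag; that precondition is worth stating in the function's header since f256_final_reduce begins and ends outside this hunk.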