From 36541838f94924283bef25edf610aa899e8bbc14 Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka
Date: Thu, 23 Jan 2014 14:57:09 +0900
Subject: [PATCH] bug fix

---
 ChangeLog     | 4 ++++
 src/ec_p256.c | 6 +++---
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 7dc565c..1b9e4be 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2014-01-23 Niibe Yutaka
+
+	* src/ec_p256.c (ecdsa): Bug fix for k selection.
+
 2014-01-22 Niibe Yutaka
 
 	* src/modp256.c (modp256_inv): Fix for constant time.
diff --git a/src/ec_p256.c b/src/ec_p256.c
index 25f3a74..bb434e2 100644
--- a/src/ec_p256.c
+++ b/src/ec_p256.c
@@ -514,11 +514,11 @@ ecdsa (bn256 *r, bn256 *s, const bn256 *z, const bn256 *d)
   do
     {
       bn256_random (k);
-      if (bn256_sub (tmp_k, k, N) == 0) /* > N, it's too big. */
+      if (bn256_add_uint (k, k, 1))
 	continue;
-      if (bn256_add_uint (tmp_k, tmp_k, 2)) /* > N - 2, still big. */
+      if (bn256_sub (tmp_k, k, N) == 0) /* >= N, it's too big. */
 	continue;
-      bn256_add_uint (k, k, 1);
+      /* 1 <= k <= N - 1 */
       compute_kG (KG, k);
       borrow = bn256_sub (r, KG->x, N);
       if (borrow)
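Review bot: On the new side `tmp_k` is only a scratch output of the `bn256_sub (tmp_k, k, N)` range check, but whenever the loop goes on (k < N) it holds `k + 2^256 - N`, from which the nonce k — and through one signature the private key d — is recovered trivially, so it needs the same zeroisation as `k` before `ecdsa` returns. The end of the function is outside this hunk, so whether that already happens cannot be seen here; if the library has a compare-only primitive, using it in place of a subtraction into `tmp_k` removes the second copy of the nonce altogether. The new carry check has lost the comment its predecessor carried; I would write `if (bn256_add_uint (k, k, 1)) /* carry: k wrapped to 0, try again */`. The two `continue` branches are data-dependent on k, but for the P-256 order they fire with probability about 2^-32 (k >= N) and 2^-256 (carry), so the timing leak is negligible; what the selection's safety really rests on is `bn256_random` being a uniform CSPRNG, since any bias in k leaks d across signatures, and that assumption deserves a comment at the call.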