Fix input overflow handling during negation

kripod · kripod · commit 28cb4ba27920 · 2018-01-18T17:37:16.000+01:00
diff --git a/lib/elliptic/index.js b/lib/elliptic/index.js
@@ -74,7 +74,7 @@ exports.privateKeyExport = function (privateKey, compressed) {
 
 exports.privateKeyNegate = function (privateKey) {
   var bn = new BN(privateKey)
-  return bn.isZero() ? Buffer.alloc(32) : ecparams.n.sub(bn).toArrayLike(Buffer, 'be', 32)
+  return bn.isZero() ? Buffer.alloc(32) : ecparams.n.sub(bn).umod(ecparams.n).toArrayLike(Buffer, 'be', 32)
 }
 
 exports.privateKeyModInverse = function (privateKey) {
diff --git a/lib/js/index.js b/lib/js/index.js
@@ -21,7 +21,18 @@ exports.privateKeyExport = function (privateKey, compressed) {
 
 exports.privateKeyNegate = function (privateKey) {
   var bn = BN.fromBuffer(privateKey)
-  return bn.isZero() ? Buffer.alloc(32) : BN.n.sub(bn).toBuffer()
+
+  if (bn.isZero()) {
+    return Buffer.alloc(32)
+  }
+
+  if (bn.ucmp(BN.n) !== 0) {
+    while (bn.isOverflow()) {
+      bn.isub(BN.n)
+    }
+  }
+
+  return BN.n.sub(bn).toBuffer()
 }
 
 exports.privateKeyModInverse = function (privateKey) {
diff --git a/test/privatekey.js b/test/privatekey.js
@@ -149,6 +149,16 @@ module.exports = function (t, secp256k1) {
       t.end()
     })
 
+    t.test('private key overflow', function (t) {
+      var privateKey = util.ec.curve.n.addn(10).toArrayLike(Buffer, 'be', 32)
+
+      var expected = util.ec.curve.n.subn(10).toArrayLike(Buffer, 'be', 32)
+      var result = secp256k1.privateKeyNegate(privateKey)
+      t.same(result, expected)
+
+      t.end()
+    })
+
     util.repeat(t, 'random tests', util.env.repeat, function (t) {
       var privateKey = util.getPrivateKey()
 

Original file line number	Diff line number	Diff line change
`@@ -74,7 +74,7 @@ exports.privateKeyExport = function (privateKey, compressed) {`
`74`	`74`
`75`	`75`	`exports.privateKeyNegate = function (privateKey) {`
`76`	`76`	`var bn = new BN(privateKey)`
`77`		`- return bn.isZero() ? Buffer.alloc(32) : ecparams.n.sub(bn).toArrayLike(Buffer, 'be', 32)`
	`77`	`+ return bn.isZero() ? Buffer.alloc(32) : ecparams.n.sub(bn).umod(ecparams.n).toArrayLike(Buffer, 'be', 32)`
`78`	`78`	`}`
`79`	`79`
`80`	`80`	`exports.privateKeyModInverse = function (privateKey) {`