Fix field reduction for custom secp128r1 curve

- see https://github.com/bcgit/bc-java/issues/566

4 files changed, 57 insertions, 0 deletions

diff --git a/crypto/crypto.csproj b/crypto/crypto.csproj

index 55fcf1704..1b4cccd52 100644
--- a/crypto/crypto.csproj
+++ b/crypto/crypto.csproj
@@ -12933,6 +12933,11 @@
                     BuildAction = "Compile"
                 />
                 <File
+                    RelPath = "test\src\math\ec\custom\sec\test\SecP128R1FieldTest.cs"
+                    SubType = "Code"
+                    BuildAction = "Compile"
+                />
+                <File
                     RelPath = "test\src\math\ec\custom\sec\test\SecP256R1FieldTest.cs"
                     SubType = "Code"
                     BuildAction = "Compile"
diff --git a/crypto/src/math/ec/custom/sec/SecP128R1Field.cs b/crypto/src/math/ec/custom/sec/SecP128R1Field.cs

index d1ac009b3..cf91c7e5d 100644
--- a/crypto/src/math/ec/custom/sec/SecP128R1Field.cs
+++ b/crypto/src/math/ec/custom/sec/SecP128R1Field.cs
@@ -134,6 +134,11 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec
 
                 x = (uint)c;
             }
+
+            if (z[3] >= P3 && Nat128.Gte(z, P))
+            {
+                AddPInvTo(z);
+            }
         }
 
         public static void Square(uint[] x, uint[] z)
diff --git a/crypto/test/UnitTests.csproj b/crypto/test/UnitTests.csproj

index 1378034a6..0ab02f02e 100644
--- a/crypto/test/UnitTests.csproj
+++ b/crypto/test/UnitTests.csproj
@@ -337,6 +337,7 @@
     <Compile Include="src\crypto\tls\test\TlsTestSuite.cs" />
     <Compile Include="src\crypto\tls\test\TlsTestUtilities.cs" />
     <Compile Include="src\crypto\tls\test\UnreliableDatagramTransport.cs" />
+    <Compile Include="src\math\ec\custom\sec\test\SecP128R1FieldTest.cs" />
     <Compile Include="src\math\ec\custom\sec\test\SecP256R1FieldTest.cs" />
     <Compile Include="src\math\ec\custom\sec\test\SecP384R1FieldTest.cs" />
     <Compile Include="src\math\ec\rfc7748\test\X25519Test.cs" />
diff --git a/crypto/test/src/math/ec/custom/sec/test/SecP128R1FieldTest.cs b/crypto/test/src/math/ec/custom/sec/test/SecP128R1FieldTest.cs
new file mode 100644

index 000000000..211d95c9c
--- /dev/null
+++ b/crypto/test/src/math/ec/custom/sec/test/SecP128R1FieldTest.cs
@@ -0,0 +1,46 @@
+using System;
+
+using NUnit.Framework;
+
+using Org.BouncyCastle.Asn1.Sec;
+using Org.BouncyCastle.Asn1.X9;
+using Org.BouncyCastle.Crypto.EC;
+using Org.BouncyCastle.Math.Raw;
+using Org.BouncyCastle.Security;
+using Org.BouncyCastle.Utilities;
+
+namespace Org.BouncyCastle.Math.EC.Custom.Sec.Tests
+{
+    [TestFixture]
+    public class SecP128R1FieldTest
+    {
+        [Test]
+        public void Test_GitHub566()
+        {
+            uint[] x = new uint[]{ 0x4B1E2F5E, 0x09E29D21, 0xA58407ED, 0x6FC3C7CF };
+            uint[] y = new uint[]{ 0x2FFE8892, 0x55CA61CA, 0x0AF780B5, 0x4BD7B797 };
+            uint[] z = Nat128.Create();
+
+            SecP128R1Field.Multiply(x, y, z);
+
+            uint[] expected = new uint[]{ 0x01FFFF01, 0, 0, 0 };
+            Assert.IsTrue(Arrays.AreEqual(expected, z));
+        }
+
+        [Test]
+        public void TestReduce32()
+        {
+            uint[] z = Nat128.Create();
+            //Arrays.Fill(z, 0xFFFFFFFF);
+            for (int i = 0; i < z.Length; ++i)
+            {
+                z[i] = 0xFFFFFFFF;
+            }
+
+            SecP128R1Field.Reduce32(0xFFFFFFFF, z);
+
+            uint[] expected = new uint[]{ 1, 1, 0, 4 };
+            Assert.IsTrue(Arrays.AreEqual(expected, z));
+        }
+    }
+}