From 4642a7ca28e3e3172a5a6027d653e1f64efbeb7b Mon Sep 17 00:00:00 2001
From: Henry de Valence
Date: Fri, 10 May 2019 16:46:03 -0700
Subject: [PATCH] internal/scalar: fix high bit check

This should check that s[31] > 127 to determine whether the high bit is set
(instead of s[31] >= 127)
---
 internal/scalar/scalar.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/internal/scalar/scalar.go b/internal/scalar/scalar.go
index 7859c0b..7b75593 100644
--- a/internal/scalar/scalar.go
+++ b/internal/scalar/scalar.go
@@ -898,7 +898,7 @@ func (s *Scalar) NonAdjacentForm(w uint) [256]int8 {
 	// This implementation is adapted from the one
 	// in curve25519-dalek and is documented there:
 	// https://github.com/dalek-cryptography/curve25519-dalek/blob/f630041af28e9a405255f98a8a93adca18e4315b/src/scalar.rs#L800-L871
-	if s[31] >= 127 {
+	if s[31] > 127 {
 		panic("scalar has high bit set illegally")
 	}
 	if w < 2 {
@@ -959,7 +959,7 @@ func (s *Scalar) NonAdjacentForm(w uint) [256]int8 {
 }
 
 func (s *Scalar) SignedRadix16() [64]int8 {
-	if s[31] >= 127 {
+	if s[31] > 127 {
 		panic("scalar has high bit set illegally")
 	}
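Review bot: The corrected comparison `s[31] > 127` still encodes a bit test as an integer comparison, which is exactly how the original off-by-one crept in; writing the precondition as a mask, `if s[31]&0x80 != 0 {`, makes the "high bit set" intent visible and matches the panic message. The same check is corrected in SignedRadix16 in the second hunk and should be written the same way there. A one-line comment such as `// Precondition: bit 255 is clear (s < 2^255); the digit expansion below presumably relies on this bound — confirm against the dalek reference linked above.` would record why an out-of-range scalar is treated as a programmer error rather than a recoverable one. NonAdjacentForm's body continues outside the hunk.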