From: Niels Möller
Origin: upstream, https://git.lysator.liu.se/nettle/nettle/commit/c71d2c9d20eeebb985e3872e4550137209e3ce4d
Subject: CVE-2015-8803 and CVE-2015-8805: Miscomputation bugs in secp-256r1 modulo functions.
--- a/ecc-256.c
+++ b/ecc-256.c
@@ -108,7 +119,10 @@ ecc_256_modp (const struct ecc_curve *ec
       u0 -= t;
       t = (u1 < cy);
       u1 -= cy;
-      u1 += cnd_add_n (t, rp + n - 4, ecc->p, 3);
+
+      cy = cnd_add_n (t, rp + n - 4, ecc->p, 2);
+      u0 += cy;
+      u1 += (u0 < cy);
       u1 -= (-t) & 0xffffffff;
     }
   rp[2] = u0;
@@ -195,7 +209,7 @@ ecc_256_modq (const struct ecc_curve *ec
       /* Conditional add of p */
       u1 += t;
-      u2 += (t<<32) + (u0 < t);
+      u2 += (t<<32) + (u1 < t);
       t = cnd_add_n (t, rp + n - 4, ecc->q, 2);
       u1 += t;
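Review bot: The new carry chain after `cy = cnd_add_n (t, rp + n - 4, ecc->p, 2);` in the ecc_256_modp hunk silently depends on the limb layout of secp256r1's p (p = 2^256 - 2^224 + 2^192 + 2^96 - 1, so limb 2 of ecc->p is zero and limb 3 is 2^64 - 2^32 + 1, which the existing `u1 -= (-t) & 0xffffffff;` line already folds in), yet nothing in the hunk records why only two limbs go through memory while limbs 2 and 3 are applied to the register-held u0 and u1; a later reader could "restore" the count to 3 and reintroduce the miscomputation. I would add above the call: `/* Only limbs 0-1 of p are added in rp; limb 2 is zero, so just the carry reaches u0, and limb 3 (2^64 - 2^32 + 1) is applied to u1 below. */`. As far as this diff shows, no regression vector for the inputs that triggered CVE-2015-8803/8805 is added, and a known-bad input in the test suite would pin the carry propagation into u0/u1 in a way a code comment cannot. ecc_256_modp starts before and continues after this hunk.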