@@ -5,6 +5,8 @@
package curve25519
package curve25519
import (
import (
+ "bytes"
+ "crypto/rand"
"fmt"
"fmt"
"testing"
"testing"
)
)
@@ -28,6 +30,30 @@ func TestBaseScalarMult(t *testing.T) {
}
}
}
}
+// TestHighBitIgnored tests the following requirement in RFC 7748:
+//
+// When receiving such an array, implementations of X25519 (but not X448) MUST
+// mask the most significant bit in the final byte.
+//
+// Regression test for issue #30095.
+func TestHighBitIgnored(t *testing.T) {
+ var s, u [32]byte
+ rand.Read(s[:])
+ rand.Read(u[:])
+
+ var hi0, hi1 [32]byte
+
+ u[31] &= 0x7f
+ ScalarMult(&hi0, &s, &u)
+
+ u[31] |= 0x80
+ ScalarMult(&hi1, &s, &u)
+
+ if !bytes.Equal(hi0[:], hi1[:]) {
+ t.Errorf("high bit of group point should not affect result")
+ }
+}
+
func BenchmarkScalarBaseMult(b *testing.B) {
func BenchmarkScalarBaseMult(b *testing.B) {
var in, out [32]byte
var in, out [32]byte
in[0] = 1
in[0] = 1
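Review bot: The two `rand.Read` calls at the top of TestHighBitIgnored discard their return values, so if the generator ever fails, `s` and `u` silently stay all-zero and the comparison still passes on a degenerate point, hiding the condition the test exists to cover. Check the result of each call, e.g. `if _, err := rand.Read(s[:]); err != nil { t.Fatal(err) }`. The `t.Errorf` message also omits the random inputs, so a failure could not be reproduced from the log; include them, e.g. `t.Errorf("high bit of group point should not affect result: s=%x u=%x", s, u)`. The function is complete within this hunk.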