From: Niels Möller
Date: Mon, 2 May 2016 19:44:27 +0000 (+0200)
Subject: Add tests for ignored curve25519 input bits.
X-Git-Tag: nettle_3.3_release_20161001~53^2~1
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=2bc389e8de5e5ce6f5f941eee1c3a9b5e6c25857;p=thirdparty%2Fnettle.git
Add tests for ignored curve25519 input bits.
---
diff --git a/ChangeLog b/ChangeLog
index a3adb58d..a8d98e50 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,7 +1,12 @@
+2016-05-02 Niels Möller
+
+ * testsuite/curve25519-dh-test.c: Test that inputs bits which must
+ be ignored really are ignored.
+
 2016-04-25 Niels Möller
 * curve25519-mul.c (curve25519_mul): Ignore top bit of the input x
- coordinate, as erquired by RFC 7748.
+ coordinate, as required by RFC 7748.
 2016-03-15 Niels Möller
diff --git a/testsuite/curve25519-dh-test.c b/testsuite/curve25519-dh-test.c
index 11b42632..e9037523 100644
--- a/testsuite/curve25519-dh-test.c
+++ b/testsuite/curve25519-dh-test.c
@@ -75,9 +75,7 @@ test_a (const uint8_t *s, const uint8_t *b, const uint8_t *r)
 void
 test_main (void)
 {
- /* From draft-turner-thecurve25519function-00 (same also in
- draft-josefsson-tls-curve25519-05, but the latter uses different
- endianness). */
+ /* From RFC 7748. */
 test_g (H("77076d0a7318a57d3c16c17251b26645"
 "df4c2f87ebc0992ab177fba51db92c2a"),
 H("8520f0098930a754748b7ddcb43ef75a"
@@ -100,4 +98,44 @@ test_main (void)
 "0dbf3a0d26381af4eba4a98eaa9b4e6a"),
 H("4a5d9d5ba4ce2de1728e3bf480350f25"
 "e07e21c947d19e3376f09b3c1e161742"));
+
+ /* Check that the least significant three bits (first octet) of the
+ scalar are ignored by mul_g. */
+ test_g (H("70076d0a7318a57d3c16c17251b26645"
+ "df4c2f87ebc0992ab177fba51db92c2a"),
+ H("8520f0098930a754748b7ddcb43ef75a"
+ "0dbf3a0d26381af4eba4a98eaa9b4e6a"));
+ /* Check that the most significant two bits (last octet) of the
+ scalar are ignored by mul_g. */
+ test_g (H("5dab087e624a8a4b79e17f8b83800ee6"
+ "6f3bb1292618b6fd1c2f8b27ff88e02b"),
+ H("de9edb7d7b7dc1b4d35b61c2ece43537"
+ "3f8343c85b78674dadfc7e146f882b4f"));
+
+ /* Check that the least significant three bits (first octet) of the
+ scalar are ignored by mul_a. */
+ test_a (H("5aab087e624a8a4b79e17f8b83800ee6"
+ "6f3bb1292618b6fd1c2f8b27ff88e0eb"),
+ H("8520f0098930a754748b7ddcb43ef75a"
+ "0dbf3a0d26381af4eba4a98eaa9b4e6a"),
+ H("4a5d9d5ba4ce2de1728e3bf480350f25"
+ "e07e21c947d19e3376f09b3c1e161742"));
+
+ /* Check that the most significant two bits (last octet) of the
+ scalar are ignored by mul_g. */
+ test_a (H("77076d0a7318a57d3c16c17251b26645"
+ "df4c2f87ebc0992ab177fba51db92cea"),
+ H("de9edb7d7b7dc1b4d35b61c2ece43537"
+ "3f8343c85b78674dadfc7e146f882b4f"),
+ H("4a5d9d5ba4ce2de1728e3bf480350f25"
+ "e07e21c947d19e3376f09b3c1e161742"));
+
+ /* Check that the most significant bit (last octet) of the x
+ coordinate is ignored. */
+ test_a (H("77076d0a7318a57d3c16c17251b26645"
+ "df4c2f87ebc0992ab177fba51db92c2a"),
+ H("de9edb7d7b7dc1b4d35b61c2ece43537"
+ "3f8343c85b78674dadfc7e146f882bcf"),
+ H("4a5d9d5ba4ce2de1728e3bf480350f25"
+ "e07e21c947d19e3376f09b3c1e161742"));
 }
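Review bot: The comment above the second new test_a call (scalar ending `...2cea`) says the top two scalar bits are "ignored by mul_g", but the call goes through test_a, so it looks like a copy of the earlier test_g comment and should end `scalar are ignored by mul_a. */`. Each new vector is an RFC 7748 vector with one octet altered, and nothing says which one; a short note per case such as `/* first octet 0x77 -> 0x70 */` would let a reader confirm that only the bits meant to be masked differ. The bit-255 case covers only one vector with the top bit set; a u-coordinate in the non-canonical range between 2^255-19 and 2^255-1, which RFC 7748 also requires implementations to accept, is not exercised in this hunk and may be worth a separate case. test_main begins outside this hunk.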