nisse@lysator.liu.se (Niels Möller) writes:
So I'm considering this change,
diff --git a/curve25519-mul.c b/curve25519-mul.c index adb20cb..f5127d7 100644 --- a/curve25519-mul.c +++ b/curve25519-mul.c @@ -72,7 +72,11 @@ curve25519_mul (uint8_t *q, const uint8_t *n, const uint8_t *p) itch = ecc->p.size * 12; scratch = gmp_alloc_limbs (itch);
/* Note that 255 % GMP_NUMB_BITS == 0 isn't supported, so x1 always
holds at least 256 bits. */
mpn_set_base256_le (x1, ecc->p.size, p, CURVE25519_SIZE);
/* Clear bit 255, as required by RFC 7748. */
x1[255/GMP_NUMB_BITS] &= ~((mp_limb_t) 1 << (255 % GMP_NUMB_BITS));
/* Initialize, x2 = x1, z2 = 1 */ mpn_copyi (x2, x1, ecc->p.size);
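Review bot: the masking of bit 255 is applied to x1 only, which matches RFC 7748's requirement that X25519 (but not X448) implementations mask the most significant bit of the received u-coordinate, so the change itself looks right; what is missing from the hunk is a guard for the assumption stated in the new comment. The index `x1[255/GMP_NUMB_BITS]` is only valid when `ecc->p.size * GMP_NUMB_BITS >= 256`, and that is asserted in a comment rather than checked, so consider an `assert` (or a compile-time check) next to the mask. Since this silently changes the result for any input with bit 255 set, the updated tests should include at least one such input so the mask is actually exercised, and the documentation for curve25519_mul should state that bit 255 of the point argument is ignored.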
Checked in now, together with updates of tests and docs.
Nikos Mavrogiannopoulos n.mavrogiannopoulos@gmail.com writes:
It would make sense to document the version of nettle after which this behavior is followed, and probably add some ifdef similarly to FIPS202 for sha3.
Not done yet.
Regards, /Niels