Merged support for Curve25519

48d78a5e · Paul Bakker · 498fd354 · 93f41dbd · 48d78a5e · 48d78a5e
Commit 48d78a5e authored Dec 05, 2013 by Paul Bakker
12 changed files
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,7 @@ Features
   * EC key generation support in gen_key app
   * Support for adhering to client ciphersuite order preference
     (POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
+   * Support for Curve25519

 Changes
   * gen_prime() speedup
@@ -15,6 +16,7 @@ Changes
   * Split off curves from ecp.c into ecp_curves.c

 Bugfix
+   * Fixed bug in mpi_set_bit() on platforms where t_uint is wider than int
   * Fixed X.509 hostname comparison (with non-regular characters)
   * SSL now gracefully handles missing RNG
   * Missing defines / cases for RSA_PSK key exchange

--- a/include/polarssl/bignum.h
+++ b/include/polarssl/bignum.h
@@ -236,11 +236,10 @@ void mpi_swap( mpi *X, mpi *Y );
 *
 * \param X        MPI to conditionally assign to
 * \param Y        Value to be assigned
- * \param assign   1: perform the assignment, 0: leave X untouched
+ * \param assign   1: perform the assignment, 0: keep X's original value
 *
 * \return         0 if successful,
 *                 POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed,
- *                 POLARSSL_ERR_MPI_BAD_INPUT_DATA if assing is not 0 or 1
 *
 * \note           This function is equivalent to
 *                      if( assign ) mpi_copy( X, Y );
@@ -251,6 +250,25 @@ void mpi_swap( mpi *X, mpi *Y );
 */
 int mpi_safe_cond_assign( mpi *X, const mpi *Y, unsigned char assign );

+/**
+ * \brief          Safe conditional swap X <-> Y if swap is 1
+ *
+ * \param X        First mpi value
+ * \param Y        Second mpi value
+ * \param assign   1: perform the swap, 0: keep X and Y's original values
+ *
+ * \return         0 if successful,
+ *                 POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed,
+ *
+ * \note           This function is equivalent to
+ *                      if( assign ) mpi_swap( X, Y );
+ *                 except that it avoids leaking any information about whether
+ *                 the assignment was done or not (the above code may leak
+ *                 information through branch prediction and/or memory access
+ *                 patterns analysis).
+ */
+int mpi_safe_cond_swap( mpi *X, mpi *Y, unsigned char assign );
+
 /**
 * \brief          Set value from integer
 *

--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -248,6 +248,10 @@
 #define POLARSSL_ECP_DP_BP256R1_ENABLED
 #define POLARSSL_ECP_DP_BP384R1_ENABLED
 #define POLARSSL_ECP_DP_BP512R1_ENABLED
+//#define POLARSSL_ECP_DP_M221_ENABLED  // Not implemented yet!
+#define POLARSSL_ECP_DP_M255_ENABLED
+//#define POLARSSL_ECP_DP_M383_ENABLED  // Not implemented yet!
+//#define POLARSSL_ECP_DP_M511_ENABLED  // Not implemented yet!

 /**
 * \def POLARSSL_ECP_NIST_OPTIM

--- a/include/polarssl/ecp.h
+++ b/include/polarssl/ecp.h
@@ -64,10 +64,16 @@ typedef enum
    POLARSSL_ECP_DP_BP256R1,        /*!< 256-bits Brainpool curve */
    POLARSSL_ECP_DP_BP384R1,        /*!< 384-bits Brainpool curve */
    POLARSSL_ECP_DP_BP512R1,        /*!< 512-bits Brainpool curve */
+    POLARSSL_ECP_DP_M221,           /*!< (not implemented yet)    */
+    POLARSSL_ECP_DP_M255,           /*!< Curve25519               */
+    POLARSSL_ECP_DP_M383,           /*!< (not implemented yet)    */
+    POLARSSL_ECP_DP_M511,           /*!< (not implemented yet)    */
 } ecp_group_id;

 /**
- * Number of supported curves (plus one for NONE)
+ * Number of supported curves (plus one for NONE).
+ *
+ * (Montgomery curves excluded for now.)
 */
 #define POLARSSL_ECP_DP_MAX     9

@@ -102,10 +108,16 @@ ecp_point;
 /**
 * \brief           ECP group structure
 *
- * The curves we consider are defined by y^2 = x^3 + A x + B mod P,
- * and a generator for a large subgroup of order N is fixed.
+ * We consider two types of curves equations:
+ * 1. Short Weierstrass y^2 = x^3 + A x + B     mod P   (SEC1 + RFC 4492)
+ * 2. Montgomery,       y^2 = x^3 + A x^2 + x   mod P   (M255 + draft)
+ * In both cases, a generator G for a prime-order subgroup is fixed. In the
+ * short weierstrass, this subgroup is actually the whole curve, and its
+ * cardinal is denoted by N.
 *
- * pbits and nbits must be the size of P and N in bits.
+ * In the case of Montgomery curves, we don't store A but (A + 2) / 4 which is
+ * the quantity actualy used in the formulas. Also, nbits is not the size of N
+ * but the required size for private keys.
 *
 * If modp is NULL, reduction modulo P is done using a generic algorithm.
 * Otherwise, it must point to a function that takes an mpi in the range
@@ -118,18 +130,18 @@ typedef struct
 {
    ecp_group_id id;    /*!<  internal group identifier                     */
    mpi P;              /*!<  prime modulus of the base field               */
-    mpi A;              /*!<  linear term in the equation                   */
-    mpi B;              /*!<  constant term in the equation                 */
-    ecp_point G;        /*!<  generator of the subgroup used                */
-    mpi N;              /*!<  the order of G                                */
+    mpi A;              /*!<  1. A in the equation, or 2. (A + 2) / 4       */
+    mpi B;              /*!<  1. B in the equation, or 2. unused            */
+    ecp_point G;        /*!<  generator of the (sub)group used              */
+    mpi N;              /*!<  1. the order of G, or 2. unused               */
    size_t pbits;       /*!<  number of bits in P                           */
-    size_t nbits;       /*!<  number of bits in N                           */
-    unsigned int h;     /*!<  cofactor (unused now: assume 1)               */
+    size_t nbits;       /*!<  number of bits in 1. P, or 2. private keys    */
+    unsigned int h;     /*!<  unused                                        */
    int (*modp)(mpi *); /*!<  function for fast reduction mod P             */
-    int (*t_pre)(ecp_point *, void *);  /*!< currently unused               */
-    int (*t_post)(ecp_point *, void *); /*!< currently unused               */
-    void *t_data;                       /*!< currently unused               */
-    ecp_point *T;       /*!<  pre-computed points for ecp_mul()             */
+    int (*t_pre)(ecp_point *, void *);  /*!< unused                         */
+    int (*t_post)(ecp_point *, void *); /*!< unused                         */
+    void *t_data;                       /*!< unused                         */
+    ecp_point *T;       /*!<  pre-computed points for ecp_mul_comb()        */
    size_t T_size;      /*!<  number for pre-computed points                */
 }
 ecp_group;
@@ -438,6 +450,9 @@ int ecp_tls_write_group( const ecp_group *grp, size_t *olen,
 *
 * \return          0 if successful,
 *                  POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed
+ *
+ * \note            This function does not support Montgomery curves, such as
+ *                  Curve25519.
 */
 int ecp_add( const ecp_group *grp, ecp_point *R,
             const ecp_point *P, const ecp_point *Q );
@@ -452,6 +467,9 @@ int ecp_add( const ecp_group *grp, ecp_point *R,
 *
 * \return          0 if successful,
 *                  POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed
+ *
+ * \note            This function does not support Montgomery curves, such as
+ *                  Curve25519.
 */
 int ecp_sub( const ecp_group *grp, ecp_point *R,
             const ecp_point *P, const ecp_point *Q );

--- a/library/bignum.c
+++ b/library/bignum.c
@@ -214,16 +214,16 @@ int mpi_safe_cond_assign( mpi *X, const mpi *Y, unsigned char assign )
    int ret = 0;
    size_t i;

-    if( assign * ( 1 - assign ) != 0 )
-        return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
+    /* make sure assign is 0 or 1 */
+    assign = ( assign != 0 );

-    if( Y->n > X->n )
-        MPI_CHK( mpi_grow( X, Y->n ) );
+    MPI_CHK( mpi_grow( X, Y->n ) );

-    /* Do the conditional assign safely */
    X->s = X->s * (1 - assign) + Y->s * assign;
+
    for( i = 0; i < Y->n; i++ )
        X->p[i] = X->p[i] * (1 - assign) + Y->p[i] * assign;
+
    for( ; i < X->n; i++ )
        X->p[i] *= (1 - assign);

@@ -231,6 +231,43 @@ cleanup:
    return( ret );
 }

+/*
+ * Conditionally swap X and Y, without leaking information
+ * about whether the swap was made or not.
+ * Here it is not ok to simply swap the pointers, which whould lead to
+ * different memory access patterns when X and Y are used afterwards.
+ */
+int mpi_safe_cond_swap( mpi *X, mpi *Y, unsigned char swap )
+{
+    int ret, s;
+    size_t i;
+    t_uint tmp;
+
+    if( X == Y )
+        return( 0 );
+
+    /* make sure swap is 0 or 1 */
+    swap = ( swap != 0 );
+
+    MPI_CHK( mpi_grow( X, Y->n ) );
+    MPI_CHK( mpi_grow( Y, X->n ) );
+
+    s = X->s;
+    X->s = X->s * (1 - swap) + Y->s * swap;
+    Y->s = Y->s * (1 - swap) +    s * swap;
+
+
+    for( i = 0; i < X->n; i++ )
+    {
+        tmp = X->p[i];
+        X->p[i] = X->p[i] * (1 - swap) + Y->p[i] * swap;
+        Y->p[i] = Y->p[i] * (1 - swap) +     tmp * swap;
+    }
+
+cleanup:
+    return( ret );
+}
+
 /*
 * Set value from integer
 */
@@ -280,7 +317,8 @@ int mpi_set_bit( mpi *X, size_t pos, unsigned char val )
        MPI_CHK( mpi_grow( X, off + 1 ) );
    }

-    X->p[off] = ( X->p[off] & ~( 0x01 << idx ) ) | ( val << idx );
+    X->p[off] &= ~( (t_uint) 0x01 << idx );
+    X->p[off] |= (t_uint) val << idx;

 cleanup:
    

--- a/library/ecdsa.c
+++ b/library/ecdsa.c
@@ -59,6 +59,10 @@ int ecdsa_sign( ecp_group *grp, mpi *r, mpi *s,
    ecp_point R;
    mpi k, e;

+    /* Fail cleanly on curves such as Curve25519 that can't be used for ECDSA */
+    if( grp->N.p == NULL )
+        return( POLARSSL_ERR_ECP_BAD_INPUT_DATA );
+
    ecp_point_init( &R );
    mpi_init( &k );
    mpi_init( &e );
@@ -129,6 +133,10 @@ int ecdsa_verify( ecp_group *grp,
    ecp_point_init( &R ); ecp_point_init( &P );
    mpi_init( &e ); mpi_init( &s_inv ); mpi_init( &u1 ); mpi_init( &u2 );

+    /* Fail cleanly on curves such as Curve25519 that can't be used for ECDSA */
+    if( grp->N.p == NULL )
+        return( POLARSSL_ERR_ECP_BAD_INPUT_DATA );
+
    /*
     * Step 1: make sure r and s are in range 1..n-1
     */

--- a/library/ecp.c
+++ b/library/ecp.c
--- a/library/ecp_curves.c
+++ b/library/ecp_curves.c
@@ -322,16 +322,29 @@ cleanup:

 #if defined(POLARSSL_ECP_NIST_OPTIM)
 /* Forward declarations */
+#if defined(POLARSSL_ECP_DP_SECP192R1_ENABLED)
 static int ecp_mod_p192( mpi * );
+#endif
+#if defined(POLARSSL_ECP_DP_SECP224R1_ENABLED)
 static int ecp_mod_p224( mpi * );
+#endif
+#if defined(POLARSSL_ECP_DP_SECP256R1_ENABLED)
 static int ecp_mod_p256( mpi * );
+#endif
+#if defined(POLARSSL_ECP_DP_SECP384R1_ENABLED)
 static int ecp_mod_p384( mpi * );
+#endif
+#if defined(POLARSSL_ECP_DP_SECP521R1_ENABLED)
 static int ecp_mod_p521( mpi * );
+#endif
+#if defined(POLARSSL_ECP_DP_M255_ENABLED)
+static int ecp_mod_p255( mpi * );
+#endif

 #define NIST_MODP( P )      grp->modp = ecp_mod_ ## P;
 #else
 #define NIST_MODP( P )
-#endif
+#endif /* POLARSSL_ECP_NIST_OPTIM */

 #define LOAD_GROUP( G )     ecp_group_read_binary( grp,     \
                            G ## _p,  sizeof( G ## _p  ),   \
@@ -341,11 +354,45 @@ static int ecp_mod_p521( mpi * );
                            G ## _gy, sizeof( G ## _gy ),   \
                            G ## _n,  sizeof( G ## _n  ) )

+/*
+ * Specialized function for creating the Curve25519 group
+ */
+static int ecp_use_curve25519( ecp_group *grp )
+{
+    int ret;
+
+    /* Actually ( A + 2 ) / 4 */
+    MPI_CHK( mpi_read_string( &grp->A, 16, "01DB42" ) );
+
+    /* P = 2^255 - 19 */
+    MPI_CHK( mpi_lset( &grp->P, 1 ) );
+    MPI_CHK( mpi_shift_l( &grp->P, 255 ) );
+    MPI_CHK( mpi_sub_int( &grp->P, &grp->P, 19 ) );
+    grp->pbits = mpi_msb( &grp->P );
+
+    /* Y intentionaly not set, since we use x/z coordinates.
+     * This is used as a marker to identify Montgomery curves! */
+    MPI_CHK( mpi_lset( &grp->G.X, 9 ) );
+    MPI_CHK( mpi_lset( &grp->G.Z, 1 ) );
+    mpi_free( &grp->G.Y );
+
+    /* Actually, the required msb for private keys */
+    grp->nbits = 254;
+
+cleanup:
+    if( ret != 0 )
+        ecp_group_free( grp );
+
+    return( ret );
+}
+
 /*
 * Set a group using well-known domain parameters
 */
 int ecp_use_known_dp( ecp_group *grp, ecp_group_id id )
 {
+    ecp_group_free( grp );
+
    grp->id = id;

    switch( id )
@@ -395,6 +442,12 @@ int ecp_use_known_dp( ecp_group *grp, ecp_group_id id )
            return( LOAD_GROUP( brainpoolP512r1 ) );
 #endif /* POLARSSL_ECP_DP_BP512R1_ENABLED */

+#if defined(POLARSSL_ECP_DP_M255_ENABLED)
+        case POLARSSL_ECP_DP_M255:
+            grp->modp = ecp_mod_p255;
+            return( ecp_use_curve25519( grp ) );
+#endif /* POLARSSL_ECP_DP_M255_ENABLED */
+
        default:
            ecp_group_free( grp );
            return( POLARSSL_ERR_ECP_FEATURE_UNAVAILABLE );
@@ -804,4 +857,48 @@ cleanup:

 #endif /* POLARSSL_ECP_NIST_OPTIM */

+#if defined(POLARSSL_ECP_DP_M255_ENABLED)
+
+/* Size of p255 in terms of t_uint */
+#define P255_WIDTH      ( 255 / 8 / sizeof( t_uint ) + 1 )
+
+/*
+ * Fast quasi-reduction modulo p255 = 2^255 - 19
+ * Write N as A1 + 2^255 A1, return A0 + 19 * A1
+ */
+static int ecp_mod_p255( mpi *N )
+{
+    int ret;
+    size_t i;
+    mpi M;
+    t_uint Mp[P255_WIDTH + 2];
+
+    if( N->n < P255_WIDTH )
+        return( 0 );
+
+    /* M = A1 */
+    M.s = 1;
+    M.n = N->n - ( P255_WIDTH - 1 );
+    if( M.n > P255_WIDTH + 1 )
+        M.n = P255_WIDTH + 1;
+    M.p = Mp;
+    memset( Mp, 0, sizeof Mp );
+    memcpy( Mp, N->p + P255_WIDTH - 1, M.n * sizeof( t_uint ) );
+    MPI_CHK( mpi_shift_r( &M, 255 % ( 8 * sizeof( t_uint ) ) ) );
+    M.n++; /* Make room for multiplication by 19 */
+
+    /* N = A0 */
+    mpi_set_bit( N, 255, 0 );
+    for( i = P255_WIDTH; i < N->n; i++ )
+        N->p[i] = 0;
+
+    /* N = A0 + 19 * A1 */
+    MPI_CHK( mpi_mul_int( &M, &M, 19 ) );
+    MPI_CHK( mpi_add_abs( N, N, &M ) );
+
+cleanup:
+    return( ret );
+}
+#endif /* POLARSSL_ECP_DP_M255_ENABLED */
+
 #endif
--- a/tests/suites/test_suite_ecp.data
+++ b/tests/suites/test_suite_ecp.data
@@ -159,6 +159,12 @@ ecp_small_check_pub:0:2:1:0
 ECP small check pubkey #10
 ecp_small_check_pub:10:25:1:POLARSSL_ERR_ECP_INVALID_KEY

+ECP check pubkey Montgomery #1 (too big)
+ecp_check_pub_mx:POLARSSL_ECP_DP_M255:"010000000000000000000000000000000000000000000000000000000000000000":POLARSSL_ERR_ECP_INVALID_KEY
+
+ECP check pubkey Montgomery #2 (biggest)
+ecp_check_pub_mx:POLARSSL_ECP_DP_M255:"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF":0
+
 ECP write binary #0 (zero, bad format)
 depends_on:POLARSSL_ECP_DP_SECP192R1_ENABLED
 ecp_write_binary:POLARSSL_ECP_DP_SECP192R1:"01":"01":"00":POLARSSL_ECP_PF_UNKNOWN:"00":1:POLARSSL_ERR_ECP_BAD_INPUT_DATA
@@ -271,14 +277,58 @@ ECP tls write-read group #2
 depends_on:POLARSSL_ECP_DP_SECP521R1_ENABLED
 ecp_tls_write_read_group:POLARSSL_ECP_DP_SECP521R1

-ECP check privkey
+ECP check privkey #1 (short weierstrass, too small)
 depends_on:POLARSSL_ECP_DP_SECP192R1_ENABLED
-ecp_check_privkey:POLARSSL_ECP_DP_SECP192R1
+ecp_check_privkey:POLARSSL_ECP_DP_SECP192R1:"00":POLARSSL_ERR_ECP_INVALID_KEY
+
+ECP check privkey #2 (short weierstrass, smallest)
+depends_on:POLARSSL_ECP_DP_SECP192R1_ENABLED
+ecp_check_privkey:POLARSSL_ECP_DP_SECP192R1:"01":0
+
+ECP check privkey #3 (short weierstrass, biggest)
+depends_on:POLARSSL_ECP_DP_SECP192R1_ENABLED
+ecp_check_privkey:POLARSSL_ECP_DP_SECP192R1:"FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22830":0
+
+ECP check privkey #4 (short weierstrass, too big)
+depends_on:POLARSSL_ECP_DP_SECP192R1_ENABLED
+ecp_check_privkey:POLARSSL_ECP_DP_SECP192R1:"FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831":POLARSSL_ERR_ECP_INVALID_KEY
+
+ECP check privkey #5 (montgomery, too big)
+depends_on:POLARSSL_ECP_DP_M255_ENABLED
+ecp_check_privkey:POLARSSL_ECP_DP_M255:"C000000000000000000000000000000000000000000000000000000000000000":POLARSSL_ERR_ECP_INVALID_KEY
+
+ECP check privkey #6 (montgomery, not big enough)
+depends_on:POLARSSL_ECP_DP_M255_ENABLED
+ecp_check_privkey:POLARSSL_ECP_DP_M255:"3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0":POLARSSL_ERR_ECP_INVALID_KEY
+
+ECP check privkey #7 (montgomery, msb OK)
+depends_on:POLARSSL_ECP_DP_M255_ENABLED
+ecp_check_privkey:POLARSSL_ECP_DP_M255:"4000000000000000000000000000000000000000000000000000000000000000":0
+
+ECP check privkey #8 (montgomery, bit 0 set)
+depends_on:POLARSSL_ECP_DP_M255_ENABLED
+ecp_check_privkey:POLARSSL_ECP_DP_M255:"4000000000000000000000000000000000000000000000000000000000000001":POLARSSL_ERR_ECP_INVALID_KEY
+
+ECP check privkey #9 (montgomery, bit 1 set)
+depends_on:POLARSSL_ECP_DP_M255_ENABLED
+ecp_check_privkey:POLARSSL_ECP_DP_M255:"4000000000000000000000000000000000000000000000000000000000000002":POLARSSL_ERR_ECP_INVALID_KEY
+
+ECP check privkey #10 (montgomery, bit 2 set)
+depends_on:POLARSSL_ECP_DP_M255_ENABLED
+ecp_check_privkey:POLARSSL_ECP_DP_M255:"4000000000000000000000000000000000000000000000000000000000000004":POLARSSL_ERR_ECP_INVALID_KEY
+
+ECP check privkey #11 (montgomery, OK)
+depends_on:POLARSSL_ECP_DP_M255_ENABLED
+ecp_check_privkey:POLARSSL_ECP_DP_M255:"7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF8":0

 ECP gen keypair
 depends_on:POLARSSL_ECP_DP_SECP192R1_ENABLED
 ecp_gen_keypair:POLARSSL_ECP_DP_SECP192R1

+ECP gen keypair
+depends_on:POLARSSL_ECP_DP_M255_ENABLED
+ecp_gen_keypair:POLARSSL_ECP_DP_M255
+
 ECP gen keypair wrapper
 depends_on:POLARSSL_ECP_DP_SECP192R1_ENABLED
 ecp_gen_key:POLARSSL_ECP_DP_SECP192R1
@@ -367,5 +417,9 @@ ECP test vectors brainpoolP512r1 rfc 7027
 depends_on:POLARSSL_ECP_DP_BP512R1_ENABLED
 ecp_test_vect:POLARSSL_ECP_DP_BP512R1:"16302FF0DBBB5A8D733DAB7141C1B45ACBC8715939677F6A56850A38BD87BD59B09E80279609FF333EB9D4C061231FB26F92EEB04982A5F1D1764CAD57665422":"0A420517E406AAC0ACDCE90FCD71487718D3B953EFD7FBEC5F7F27E28C6149999397E91E029E06457DB2D3E640668B392C2A7E737A7F0BF04436D11640FD09FD":"72E6882E8DB28AAD36237CD25D580DB23783961C8DC52DFA2EC138AD472A0FCEF3887CF62B623B2A87DE5C588301EA3E5FC269B373B60724F5E82A6AD147FDE7":"230E18E1BCC88A362FA54E4EA3902009292F7F8033624FD471B5D8ACE49D12CFABBC19963DAB8E2F1EBA00BFFB29E4D72D13F2224562F405CB80503666B25429":"9D45F66DE5D67E2E6DB6E93A59CE0BB48106097FF78A081DE781CDB31FCE8CCBAAEA8DD4320C4119F1E9CD437A2EAB3731FA9668AB268D871DEDA55A5473199F":"2FDC313095BCDD5FB3A91636F07A959C8E86B5636A1E930E8396049CB481961D365CC11453A06C719835475B12CB52FC3C383BCE35E27EF194512B71876285FA":"A7927098655F1F9976FA50A9D566865DC530331846381C87256BAF3226244B76D36403C024D7BBF0AA0803EAFF405D3D24F11A9B5C0BEF679FE1454B21C4CD1F":"7DB71C3DEF63212841C463E881BDCF055523BD368240E6C3143BD8DEF8B3B3223B95E0F53082FF5E412F4222537A43DF1C6D25729DDB51620A832BE6A26680A2"

+ECP test vectors M255 aka Curve25519
+depends_on:POLARSSL_ECP_DP_M255_ENABLED
+ecp_test_vec_x:POLARSSL_ECP_DP_M255:"5AC99F33632E5A768DE7E81BF854C27C46E3FBF2ABBACD29EC4AFF517369C660":"057E23EA9F1CBE8A27168F6E696A791DE61DD3AF7ACD4EEACC6E7BA514FDA863":"47DC3D214174820E1154B49BC6CDB2ABD45EE95817055D255AA35831B70D3260":"6EB89DA91989AE37C7EAC7618D9E5C4951DBA1D73C285AE1CD26A855020EEF04":"61450CD98E36016B58776A897A9F0AEF738B99F09468B8D6B8511184D53494AB"
+
 ECP selftest
 ecp_selftest:
--- a/tests/suites/test_suite_ecp.function
+++ b/tests/suites/test_suite_ecp.function
@@ -188,6 +188,27 @@ void ecp_small_check_pub( int x, int y, int z, int ret )
 }
 /* END_CASE */

+/* BEGIN_CASE */
+void ecp_check_pub_mx( int grp_id, char *key_hex, int ret )
+{
+    ecp_group grp;
+    ecp_point P;
+
+    ecp_group_init( &grp );
+    ecp_point_init( &P );
+
+    TEST_ASSERT( ecp_use_known_dp( &grp, grp_id ) == 0 );
+
+    TEST_ASSERT( mpi_read_string( &P.X, 16, key_hex ) == 0 );
+    TEST_ASSERT( mpi_lset( &P.Z, 1 ) == 0 );
+
+    TEST_ASSERT( ecp_check_pubkey( &grp, &P ) == ret );
+
+    ecp_group_free( &grp );
+    ecp_point_free( &P );
+}
+/* END_CASE */
+
 /* BEGIN_CASE */
 void ecp_test_vect( int id, char *dA_str, char *xA_str, char *yA_str,
                    char *dB_str, char *xB_str, char *yB_str, char *xZ_str,
@@ -242,6 +263,56 @@ void ecp_test_vect( int id, char *dA_str, char *xA_str, char *yA_str,
 }
 /* END_CASE */

+/* BEGIN_CASE */
+void ecp_test_vec_x( int id, char *dA_hex, char *xA_hex,
+                     char *dB_hex, char *xB_hex, char *xS_hex )
+{
+    ecp_group grp;
+    ecp_point R;
+    mpi dA, xA, dB, xB, xS;
+    rnd_pseudo_info rnd_info;
+
+    ecp_group_init( &grp ); ecp_point_init( &R );
+    mpi_init( &dA ); mpi_init( &xA );
+    mpi_init( &dB ); mpi_init( &xB );
+    mpi_init( &xS );
+    memset( &rnd_info, 0x00, sizeof( rnd_pseudo_info ) );
+
+    TEST_ASSERT( ecp_use_known_dp( &grp, id ) == 0 );
+
+    TEST_ASSERT( ecp_check_pubkey( &grp, &grp.G ) == 0 );
+
+    TEST_ASSERT( mpi_read_string( &dA, 16, dA_hex ) == 0 );
+    TEST_ASSERT( mpi_read_string( &dB, 16, dB_hex ) == 0 );
+    TEST_ASSERT( mpi_read_string( &xA, 16, xA_hex ) == 0 );
+    TEST_ASSERT( mpi_read_string( &xB, 16, xB_hex ) == 0 );
+    TEST_ASSERT( mpi_read_string( &xS, 16, xS_hex ) == 0 );
+
+    TEST_ASSERT( ecp_mul( &grp, &R, &dA, &grp.G,
+                          &rnd_pseudo_rand, &rnd_info ) == 0 );
+    TEST_ASSERT( ecp_check_pubkey( &grp, &R ) == 0 );
+    TEST_ASSERT( mpi_cmp_mpi( &R.X, &xA ) == 0 );
+
+    TEST_ASSERT( ecp_mul( &grp, &R, &dB, &R,
+                          &rnd_pseudo_rand, &rnd_info ) == 0 );
+    TEST_ASSERT( ecp_check_pubkey( &grp, &R ) == 0 );
+    TEST_ASSERT( mpi_cmp_mpi( &R.X, &xS ) == 0 );
+
+    TEST_ASSERT( ecp_mul( &grp, &R, &dB, &grp.G, NULL, NULL ) == 0 );
+    TEST_ASSERT( ecp_check_pubkey( &grp, &R ) == 0 );
+    TEST_ASSERT( mpi_cmp_mpi( &R.X, &xB ) == 0 );
+
+    TEST_ASSERT( ecp_mul( &grp, &R, &dA, &R, NULL, NULL ) == 0 );
+    TEST_ASSERT( ecp_check_pubkey( &grp, &R ) == 0 );
+    TEST_ASSERT( mpi_cmp_mpi( &R.X, &xS ) == 0 );
+
+    ecp_group_free( &grp ); ecp_point_free( &R );
+    mpi_free( &dA ); mpi_free( &xA );
+    mpi_free( &dB ); mpi_free( &xB );
+    mpi_free( &xS );
+}
+/* END_CASE */
+
 /* BEGIN_CASE */
 void ecp_fast_mod( int id, char *N_str )
 {
@@ -490,7 +561,7 @@ void ecp_tls_write_read_group( int id )
 /* END_CASE */

 /* BEGIN_CASE */
-void ecp_check_privkey( int id )
+void ecp_check_privkey( int id, char *key_hex, int ret )
 {
    ecp_group grp;
    mpi d;
@@ -499,12 +570,9 @@ void ecp_check_privkey( int id )
    mpi_init( &d );

    TEST_ASSERT( ecp_use_known_dp( &grp, id ) == 0 );
+    TEST_ASSERT( mpi_read_string( &d, 16, key_hex ) == 0 );

-    TEST_ASSERT( mpi_lset( &d, 0 ) == 0 );
-    TEST_ASSERT( ecp_check_privkey( &grp, &d ) == POLARSSL_ERR_ECP_INVALID_KEY );
-
-    TEST_ASSERT( mpi_copy( &d, &grp.N ) == 0 );
-    TEST_ASSERT( ecp_check_privkey( &grp, &d ) == POLARSSL_ERR_ECP_INVALID_KEY );
+    TEST_ASSERT( ecp_check_privkey( &grp, &d ) == ret );

    ecp_group_free( &grp );
    mpi_free( &d );

--- a/tests/suites/test_suite_mpi.data
+++ b/tests/suites/test_suite_mpi.data
@@ -223,6 +223,24 @@ mpi_safe_cond_assign:-1:"01":+1:"02"
 Test mpi_safe_cond_assign #6
 mpi_safe_cond_assign:-1:"01":-1:"02"

+Test mpi_safe_cond_swap #1
+mpi_safe_cond_swap:+1:"01":+1:"02"
+
+Test mpi_safe_cond_swap #2
+mpi_safe_cond_swap:+1:"FF000000000000000001":+1:"02"
+
+Test mpi_safe_cond_swap #3
+mpi_safe_cond_swap:+1:"01":+1:"FF000000000000000002"
+
+Test mpi_safe_cond_swap #4
+mpi_safe_cond_swap:+1:"01":-1:"02"
+
+Test mpi_safe_cond_swap #5
+mpi_safe_cond_swap:-1:"01":+1:"02"
+
+Test mpi_safe_cond_swap #6
+mpi_safe_cond_swap:-1:"01":-1:"02"
+
 Base test mpi_add_abs #1
 mpi_add_abs:10:"12345678":10:"642531":10:"12988209"

@@ -665,6 +683,12 @@ mpi_set_bit:10:"49979687":80:0:10:"49979687"
 Test bit set (Add above existing limbs with a 1)
 mpi_set_bit:10:"49979687":80:1:10:"1208925819614629224685863"

+Test bit set (Bit index larger than 31 with a 0)
+mpi_set_bit:16:"FFFFFFFFFFFFFFFF":32:0:16:"FFFFFFFEFFFFFFFF"
+
+Test bit set (Bit index larger than 31 with a 1)
+mpi_set_bit:16:"00":32:1:16:"0100000000"
+
 MPI Selftest
 depends_on:POLARSSL_SELF_TEST
 mpi_selftest:
--- a/tests/suites/test_suite_mpi.function
+++ b/tests/suites/test_suite_mpi.function