X-Git-Url: https://www.bearssl.org/gitweb//home/git/?p=BearSSL;a=blobdiff_plain;f=test%2Ftest_crypto.c;h=ddba9ac87d784f55e6087e4c3b051985b3d98d65;hp=b62ed3f3b7d72d836f4fabf3a144ca4f8331dc7b;hb=2f9c953af45299f8546df8984d5262e767a7d943;hpb=7fc1ef315f807170f63b0ad8255cf77314b50ca5

diff --git a/test/test_crypto.c b/test/test_crypto.c
index b62ed3f..ddba9ac 100644
--- a/test/test_crypto.c
+++ b/test/test_crypto.c
@@ -4790,6 +4790,20 @@ test_EC_inner(const char *sk, const char *sU,
 			exit(EXIT_FAILURE);
 		}
 
+		/*
+		 * Also recomputed D = z*G with mulgen(). This must
+		 * again match.
+		 */
+		memset(eD, 0, ulen);
+		if (impl->mulgen(eD, bz, nlen, cd->curve) != ulen) {
+			fprintf(stderr, "mulgen() failed: wrong length\n");
+			exit(EXIT_FAILURE);
+		}
+		if (memcmp(eC, eD, nlen) != 0) {
+			fprintf(stderr, "mulgen() / muladd() mismatch\n");
+			exit(EXIT_FAILURE);
+		}
+
 		/*
 		 * Check with x*A = y*B. We do so by setting b = x and y = a.
 		 */
@@ -4898,12 +4912,60 @@ test_EC_prime_i31(void)
 }
 
 static void
-test_EC_p256_i15(void)
+test_EC_p256_m15(void)
 {
-	test_EC_KAT("EC_p256_i15", &br_ec_p256_i15,
+	test_EC_KAT("EC_p256_m15", &br_ec_p256_m15,
 		(uint32_t)1 << BR_EC_secp256r1);
 }
 
+const struct {
+	const char *scalar;
+	const char *u_in;
+	const char *u_out;
+} C25519_KAT[] = {
+	{ "A546E36BF0527C9D3B16154B82465EDD62144C0AC1FC5A18506A2244BA449AC4",
+	  "E6DB6867583030DB3594C1A424B15F7C726624EC26B3353B10A903A6D0AB1C4C",
+	  "C3DA55379DE9C6908E94EA4DF28D084F32ECCF03491C71F754B4075577A28552" },
+	{ "4B66E9D4D1B4673C5AD22691957D6AF5C11B6421E0EA01D42CA4169E7918BA0D",
+	  "E5210F12786811D3F4B7959D0538AE2C31DBE7106FC03C3EFC4CD549C715A493",
+	  "95CBDE9476E8907D7AADE45CB4B873F88B595A68799FA152E6F8F7647AAC7957" },
+	{ 0, 0, 0 }
+};
+
+static void
+test_EC_c25519(const char *name, const br_ec_impl *iec)
+{
+	size_t v;
+
+	printf("Test %s: ", name);
+	fflush(stdout);
+	for (v = 0; C25519_KAT[v].scalar; v ++) {
+		unsigned char bu[32], bk[32], br[32];
+
+		hextobin(bk, C25519_KAT[v].scalar);
+		hextobin(bu, C25519_KAT[v].u_in);
+		hextobin(br, C25519_KAT[v].u_out);
+		if (!iec->mul(bu, sizeof bu, bk, sizeof bk, BR_EC_curve25519)) {
+			fprintf(stderr, "Curve25519 multiplication failed\n");
+			exit(EXIT_FAILURE);
+		}
+		if (memcmp(bu, br, sizeof bu) != 0) {
+			fprintf(stderr, "Curve25519 failed KAT\n");
+			exit(EXIT_FAILURE);
+		}
+		printf(".");
+		fflush(stdout);
+	}
+	printf(" done.\n");
+	fflush(stdout);
+}
+
+static void
+test_EC_c25519_i15(void)
+{
+	test_EC_c25519("EC_c25519_i15", &br_ec_c25519_i15);
+}
+
 static const unsigned char EC_P256_PUB_POINT[] = {
 	0x04, 0x60, 0xFE, 0xD4, 0xBA, 0x25, 0x5A, 0x9D,
 	0x31, 0xC9, 0x61, 0xEB, 0x74, 0xC6, 0x35, 0x6D,
@@ -5448,8 +5510,9 @@ static const struct {
 	STU(GHASH_ctmul64),
 	STU(EC_prime_i15),
 	STU(EC_prime_i31),
-	STU(EC_p256_i15),
+	STU(EC_p256_m15),
 	/* STU(EC_prime_i32), */
+	STU(EC_c25519_i15),
 	STU(ECDSA_i15),
 	STU(ECDSA_i31),
 	{ 0, 0 }