commit 6acfc9cb4ccd7c68087b6c76e808d95593aad021
author Gilles Peskine <Gilles.Peskine@arm.com> Wed Mar 24 12:04:43 2021 +0100
committer Gilles Peskine <Gilles.Peskine@arm.com> Wed Jun 02 21:31:24 2021 +0200
tree 3fde8619ddb558abc45934fce429ae5de81cf31d
parent 188828525d32b627e3016be2f0dfea410e13165f

mbedtls_ecp_gen_privkey_mx: remove the exception for all-zero

The library rejected an RNG input of all-bits-zero, which led to the
key 2^{254} (for Curve25519) having a 31/32 chance of being generated
compared to other keys. This had no practical impact because the
probability of non-compliance was 2^{-256}, but needlessly
complicated the code.

The exception was added in 98e28a74e33f32bcb855e16f8d5d2016b2102129 to
avoid the case where b - 1 wraps because b is 0. Instead, change the
comparison code to avoid calculating b - 1.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

tests/suites/test_suite_ecp.data

diff --git a/tests/suites/test_suite_ecp.data b/tests/suites/test_suite_ecp.data
index f66522a..21a7192 100644
--- a/tests/suites/test_suite_ecp.data
+++ b/tests/suites/test_suite_ecp.data
@@ -289,10 +289,8 @@
 ECP generate Montgomery key: Curve25519, clear low bits
 genkey_mx_known_answer:254:"4f0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1eff":"4f0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1ef8"
 
-# ECP generate Montgomery key: Curve25519, random = all-bits-zero
-## Currently explicitly rejected in the library, but the specification
-## says it shouldn't be.
-# genkey_mx_known_answer:254:"0000000000000000000000000000000000000000000000000000000000000000":"4000000000000000000000000000000000000000000000000000000000000000"
+ECP generate Montgomery key: Curve25519, random = all-bits-zero
+genkey_mx_known_answer:254:"0000000000000000000000000000000000000000000000000000000000000000":"4000000000000000000000000000000000000000000000000000000000000000"
 
 ECP generate Montgomery key: Curve25519, random = all-bits-one
 genkey_mx_known_answer:254:"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff":"7ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff8"
@@ -309,8 +307,8 @@
 ECP generate Montgomery key: Curve448, clear low bits
 genkey_mx_known_answer:447:"cf0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f30313233343536ff":"cf0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f30313233343536fc"
 
-# ECP generate Montgomery key: Curve448, random = all-bits-zero
-# genkey_mx_known_answer:447:"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":"8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
+ECP generate Montgomery key: Curve448, random = all-bits-zero
+genkey_mx_known_answer:447:"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":"8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
 
 ECP generate Montgomery key: Curve448, random = all-bits-one
 genkey_mx_known_answer:447:"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff":"fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc"