Generated curve25519 private keys don't follow clamping ritual
mcginty opened this issue · comments
I noticed during testing that the curve25519 GenerateKeypair method uses direct data from the RNG without clamping as instructed in https://cr.yp.to/ecdh.html:
secret[0] &= 248;
secret[31] &= 127;
secret[31] |= 64;
Correct, the clamping happens in the scalarMult implementation: https://github.com/golang/crypto/blob/7e9105388ebff089b3f99f0ef676ea55a6da3a7e/curve25519/curve25519.go#L789-L791
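The behaviour discussed in this thread can be checked directly. The following is an added example, not code from the issue or from golang/crypto: it uses the Go standard library's `crypto/ecdh` X25519 (which also clamps inside its scalar multiplication) in place of the `golang.org/x/crypto/curve25519` package linked above, and the function names and sample bytes are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"fmt"
)

// clamp applies the three operations quoted in the issue to a copy of secret.
func clamp(secret []byte) []byte {
	k := append([]byte(nil), secret...)
	k[0] &= 248
	k[31] &= 127
	k[31] |= 64
	return k
}

// derive returns the public key for secret and its shared secret with peerPub.
func derive(secret, peerPub []byte) (pub, shared []byte, err error) {
	priv, err := ecdh.X25519().NewPrivateKey(secret)
	if err != nil {
		return nil, nil, err
	}
	peer, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, nil, err
	}
	shared, err = priv.ECDH(peer)
	return priv.PublicKey().Bytes(), shared, err
}

// sameAfterClamp reports whether raw and clamp(raw) give identical results.
func sameAfterClamp(raw, peerPub []byte) (bool, error) {
	p1, s1, err := derive(raw, peerPub)
	if err != nil {
		return false, err
	}
	p2, s2, err := derive(clamp(raw), peerPub)
	return bytes.Equal(p1, p2) && bytes.Equal(s1, s2), err
}

// Constructed inputs: a secret whose low three bits and top bit are set
// (so clamping changes its bytes), and a peer public key.
func sampleRaw() []byte { return bytes.Repeat([]byte{0xff}, 32) }
func samplePeerPub() []byte {
	k, _ := ecdh.X25519().NewPrivateKey(bytes.Repeat([]byte{0x42}, 32))
	return k.PublicKey().Bytes()
}

func main() { fmt.Println(sameAfterClamp(sampleRaw(), samplePeerPub())) }
```

The stored private key bytes differ before and after clamping, but the public key and the shared secret do not, so an unclamped key from the RNG interoperates as long as every consumer of that key clamps during scalar multiplication.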