curve25519: mask high bit when loading group point

Comparison against BoringSSL-generated test vectors showed mismatches
with the pure Go implementation of curve25519. The problem was narrowed
down to a missing mask in feFromBytes(). This diff adds the mask,
bringing this back in line with the reference implementation and
RFC 7748:

    When receiving such an array, implementations of X25519 (but not
    X448) MUST mask the most significant bit in the final byte.  This is
    done to preserve compatibility with point formats that reserve the
    sign bit for use in other protocols and to increase resistance to
    implementation fingerprinting.

Fixes golang/go#30095

Change-Id: If7efc0e2acd6efb761d6e3cb89cec359d7d81cb1
Run-TryBot: Filippo Valsorda <>
TryBot-Result: Gobot Gobot <>
Reviewed-by: Filippo Valsorda <>
2 files changed
tree: d8e07f12ab7fced7a3853674aa0236be0c9c5fd2
  1. .gitattributes
  2. .gitignore
  9. acme/
  10. argon2/
  11. bcrypt/
  12. blake2b/
  13. blake2s/
  14. blowfish/
  15. bn256/
  16. cast5/
  17. chacha20poly1305/
  18. codereview.cfg
  19. cryptobyte/
  20. curve25519/
  21. ed25519/
  22. hkdf/
  23. internal/
  24. md4/
  25. nacl/
  26. ocsp/
  27. openpgp/
  28. otr/
  29. pbkdf2/
  30. pkcs12/
  31. poly1305/
  32. ripemd160/
  33. salsa20/
  34. scrypt/
  35. sha3/
  36. ssh/
  37. tea/
  38. twofish/
  39. xtea/
  40. xts/

Go Cryptography

This repository holds supplementary Go cryptography libraries.


The easiest way to install is to run go get -u You can also manually git clone the repository to $GOPATH/src/

Report Issues / Send Patches

This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see

The main issue tracker for the crypto repository is located at Prefix your issue with “x/crypto:” in the subject line, so it is easy to find.

Note that contributions to the cryptography package receive additional scrutiny due to their sensitive nature. Patches may take longer than normal to receive feedback.