botovq
commented
1 year ago This typo confused me for a while. I checked this with Go, LibreSSL 3.7 as well as OpenSSL 1.1, 3.0, and 3.1.The same should hold true for BoringSSL.
Closed botovq closed 1 year ago
botovq
commented
1 year ago This typo confused me for a while. I checked this with Go, LibreSSL 3.7 as well as OpenSSL 1.1, 3.0, and 3.1.The same should hold true for BoringSSL.
FiloSottile
commented
1 year ago Ah! Good catch and apologies for the confusion.
Indeed, the tests check for the correct flag.
The behavior exhibited by the ref10 implementation, in particular the code used by Go and various OpenSSL variants is to reject test vectors that have at least one of
non_canonical_Randlow_order_residueset.