consensus seems to be back to ignoring 256th bit

curve25519-donna-32bit.h

@@ -359,7 +359,7 @@ curve25519_expand(bignum25519 out, const unsigned char in[32]) {
 	out[6] = ((((uint64_t)x5 << 32) | x4) >> 25) & reduce_mask_26;
 	out[7] = ((((uint64_t)x6 << 32) | x5) >> 19) & reduce_mask_25;
 	out[8] = ((((uint64_t)x7 << 32) | x6) >> 12) & reduce_mask_26;
-	out[9] = ((                       x7) >>  6) & reduce_mask_26; /* ref impl accepts the 256th bit */
+	out[9] = ((                       x7) >>  6) & reduce_mask_25; /* ignore the top bit */
 }
 
 /* Take a fully reduced polynomial form number and contract it into a little-endian, 32-byte array */

curve25519-donna-64bit.h

@@ -263,7 +263,7 @@ curve25519_expand(bignum25519 out, const unsigned char *in) {
 	out[1] = x0 & reduce_mask_51; x1 = (x1 >> 38) | (x2 << 26);
 	out[2] = x1 & reduce_mask_51; x2 = (x2 >> 25) | (x3 << 39);
 	out[3] = x2 & reduce_mask_51; x3 = (x3 >> 12);
-	out[4] = x3 & reduce_mask_52; /* ref impl accepts the 256th bit */
+	out[4] = x3 & reduce_mask_51; /* ignore the top bit */
 }
 
 /* Take a fully reduced polynomial form number and contract it into a

curve25519-donna-sse2.h

@@ -89,12 +89,7 @@ curve25519_expand(bignum25519 out, const unsigned char in[32]) {
 	out[6] = ((((uint64_t)x5 << 32) | x4) >> 25) & reduce_mask_26;
 	out[7] = ((((uint64_t)x6 << 32) | x5) >> 19) & reduce_mask_25;
 	out[8] = ((((uint64_t)x7 << 32) | x6) >> 12) & reduce_mask_26;
-	out[9] = ((                       x7) >>  6)                 ;
-
-	/* ref impl allows the 256th bit to be set, but sub can cause overflows in laters squares due to 
-	   out[9] not being reduced, so carry over to out[0] */
-	out[0] += (out[9] >> 25) * 19;
-	out[9] &= reduce_mask_25;
+	out[9] = ((                       x7) >>  6) & reduce_mask_25; /* ignore the top bit */
 
 	out[10] = 0;
 	out[11] = 0;