From 59f55cd4209c60e86f750946eea2cebbda0b3091 Mon Sep 17 00:00:00 2001
From: Frank Denis
Date: Mon, 14 Jan 2019 04:02:48 +0100
Subject: [PATCH] Force clear the high bit in _noclamp variants

_noclamp variants should always be used with a scalar < L, but if this is not the case, at least explicitly ignore the high bit.
---
 .../ed25519/ref10/scalarmult_ed25519_ref10.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/libsodium/crypto_scalarmult/ed25519/ref10/scalarmult_ed25519_ref10.c b/src/libsodium/crypto_scalarmult/ed25519/ref10/scalarmult_ed25519_ref10.c
index 800ff00e..7c980893 100644
--- a/src/libsodium/crypto_scalarmult/ed25519/ref10/scalarmult_ed25519_ref10.c
+++ b/src/libsodium/crypto_scalarmult/ed25519/ref10/scalarmult_ed25519_ref10.c
@@ -24,7 +24,6 @@ static inline void
 _crypto_scalarmult_ed25519_clamp(unsigned char k[32])
 {
     k[0] &= 248;
-    k[31] &= 127;
     k[31] |= 64;
 }
 
@@ -47,6 +46,8 @@ _crypto_scalarmult_ed25519(unsigned char *q, const unsigned char *n,
     if (clamp != 0) {
         _crypto_scalarmult_ed25519_clamp(t);
     }
+    t[31] &= 127;
+
     ge25519_scalarmult(&Q, t, &P);
     ge25519_p3_tobytes(q, &Q);
     if (_crypto_scalarmult_ed25519_is_inf(q) != 0 || sodium_is_zero(n, 32)) {
@@ -83,6 +84,8 @@ _crypto_scalarmult_ed25519_base(unsigned char *q,
     if (clamp != 0) {
         _crypto_scalarmult_ed25519_clamp(t);
     }
+    t[31] &= 127;
+
     ge25519_scalarmult_base(&Q, t);
     ge25519_p3_tobytes(q, &Q);
     if (_crypto_scalarmult_ed25519_is_inf(q) != 0 || sodium_is_zero(n, 32)) {
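Review bot: With `k[31] &= 127;` removed, `_crypto_scalarmult_ed25519_clamp` no longer performs the full Ed25519 clamp its name suggests — it clears the low three bits and sets bit 254 but leaves bit 255 to the callers in the two following hunks. A one-line comment in the helper would keep the next reader from restoring the line or from calling the helper expecting a complete clamp: `/* bit 255 is cleared unconditionally by the callers, not here */`. Any other caller of this helper elsewhere in the file (none is visible in the diff) would now receive a scalar with bit 255 untouched, which is worth confirming. The function's `static inline void` line sits just outside the hunk.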
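Review bot: The added `t[31] &= 127;` in `_crypto_scalarmult_ed25519` carries no comment, and the same line in `_crypto_scalarmult_ed25519_base` (third hunk) has the same gap, so the rationale lives only in the commit message. Clearing bit 255 is not a reduction modulo L — no reduction of `t` is visible before it is handed to `ge25519_scalarmult` — so the comment should state both what the mask guarantees and what remains the caller's responsibility: `/* ignore bit 255 even for the _noclamp variants; t is expected to be < L, this is not a reduction mod L */`. Both enclosing functions start and end outside their hunks.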