From 6de26b59d796bb20391a7aafac354437cc731acb Mon Sep 17 00:00:00 2001
From: Frank Denis
Date: Sun, 23 Jul 2017 13:17:51 +0200
Subject: [PATCH] ed25519_pk_to_curve25519: check that the input is in the right subgroup

---
 .../crypto_sign/ed25519/ref10/keypair.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/src/libsodium/crypto_sign/ed25519/ref10/keypair.c b/src/libsodium/crypto_sign/ed25519/ref10/keypair.c
index b7a0f71f..131a36a5 100644
--- a/src/libsodium/crypto_sign/ed25519/ref10/keypair.c
+++ b/src/libsodium/crypto_sign/ed25519/ref10/keypair.c
@@ -4,6 +4,7 @@
 #include "crypto_hash_sha512.h"
 #include "crypto_scalarmult_curve25519.h"
 #include "crypto_sign_ed25519.h"
+#include "ed25519_ref10.h"
 #include "private/curve25519_ref10.h"
 #include "randombytes.h"
 #include "utils.h"
@@ -41,15 +42,28 @@ crypto_sign_ed25519_keypair(unsigned char *pk, unsigned char *sk)
     return ret;
 }
 
+/* 2^252+27742317777372353535851937790883648493 */
+static const unsigned char L[32] = {
+    0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7,
+    0xa2, 0xde, 0xf9, 0xde, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10
+};
+
 int
 crypto_sign_ed25519_pk_to_curve25519(unsigned char *curve25519_pk,
                                      const unsigned char *ed25519_pk)
 {
     ge_p3 A;
+    ge_p3 pl;
     fe    x;
     fe    one_minus_y;
 
-    if (ge_frombytes_negate_vartime(&A, ed25519_pk) != 0) {
+    if (_crypto_sign_ed25519_small_order(ed25519_pk) ||
+        ge_frombytes_negate_vartime(&A, ed25519_pk) != 0) {
+        return -1;
+    }
+    ge_scalarmult_vartime(&pl, L, &A);
+    if (fe_isnonzero(pl.X)) {
         return -1;
     }
     fe_1(one_minus_y);
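Review bot: The `if (fe_isnonzero(pl.X))` test after `ge_scalarmult_vartime(&pl, L, &A)` is looser than "L*A is the identity": on a twisted Edwards curve X == 0 holds for the identity (0, 1) and also for the order-2 point (0, -1), so an input A = P + T with P in the prime-order subgroup and T of order 2 passes both the small-order test and this one. That is presumably harmless for this conversion because the X25519 scalar clamping applied by the eventual user of curve25519_pk cancels any 2-torsion component, but nothing in the hunk says so; a comment on the check such as `/* L*A must be the identity; X == 0 also admits the 2-torsion point (0,-1), which X25519 clamping neutralizes */` would record the intent, or the test can be tightened by also requiring pl.Y == pl.Z (the projective form of the identity). It is also worth a one-line comment that the variable-time scalar multiplication is acceptable here because ed25519_pk is public input. The body of crypto_sign_ed25519_pk_to_curve25519 continues past the end of the hunk.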