From 89bc2d69762d841463133f62dbfa5d58cba17f12 Mon Sep 17 00:00:00 2001
From: Frank Denis
Date: Mon, 23 Oct 2017 01:08:46 +0200
Subject: [PATCH] *_is_less_than_*() -> *_is_canonical() and reject non-canonical public keys in ed25519_scalarmult()

---
 .../crypto_core/curve25519/ref10/curve25519_ref10.c | 4 ++--
 src/libsodium/crypto_sign/ed25519/ref10/keypair.c | 2 +-
 src/libsodium/crypto_sign/ed25519/ref10/open.c | 3 +--
 src/libsodium/include/sodium/private/curve25519_ref10.h | 8 ++++----
 4 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/src/libsodium/crypto_core/curve25519/ref10/curve25519_ref10.c b/src/libsodium/crypto_core/curve25519/ref10/curve25519_ref10.c
index a7c174f3..cb793e14 100644
--- a/src/libsodium/crypto_core/curve25519/ref10/curve25519_ref10.c
+++ b/src/libsodium/crypto_core/curve25519/ref10/curve25519_ref10.c
@@ -2127,7 +2127,7 @@ ge_is_on_main_subgroup(const ge_p3 *p)
 }
 
 int
-ge_is_less_than_p(const unsigned char *s)
+ge_is_canonical(const unsigned char *s)
 {
     unsigned char c;
     unsigned char d;
@@ -3018,7 +3018,7 @@ sc_reduce(unsigned char *s)
 }
 
 int
-sc_is_less_than_L(const unsigned char *s)
+sc_is_canonical(const unsigned char *s)
 {
     /* 2^252+27742317777372353535851937790883648493 */
     static const unsigned char L[32] = {
diff --git a/src/libsodium/crypto_sign/ed25519/ref10/keypair.c b/src/libsodium/crypto_sign/ed25519/ref10/keypair.c
index 4a789402..395fa9bb 100644
--- a/src/libsodium/crypto_sign/ed25519/ref10/keypair.c
+++ b/src/libsodium/crypto_sign/ed25519/ref10/keypair.c
@@ -17,7 +17,7 @@ crypto_sign_ed25519_scalarmult(unsigned char *q, const unsigned char *n,
     ge_p3 Q;
     ge_p3 P;
 
-    if (ge_has_small_order(p) != 0 ||
+    if (ge_is_canonical(p) != 0 || ge_has_small_order(p) != 0 ||
         ge_frombytes_negate_vartime(&P, p) != 0 ||
         ge_is_on_main_subgroup(&P) == 0) {
         return -1;
diff --git a/src/libsodium/crypto_sign/ed25519/ref10/open.c b/src/libsodium/crypto_sign/ed25519/ref10/open.c
index 790d525f..0e9543f6 100644
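Review bot: The new guard in crypto_sign_ed25519_scalarmult, `ge_is_canonical(p) != 0`, has the opposite sense from the sibling check this same commit writes in open.c, where the signature scalar is rejected with `sc_is_canonical(sig + 32) == 0`. If ge_is_canonical follows the same convention as sc_is_canonical (nonzero means the encoding is canonical, which is what the shared `*_is_less_than_*` origin of both names suggests), this line rejects every canonical public key and lets non-canonical ones through, the reverse of what the commit subject states. The condition should read `if (ge_is_canonical(p) == 0 || ge_has_small_order(p) != 0 ||`, matching open.c. The body of ge_is_canonical is not visible in this patch, so its return convention should be confirmed against the definition before changing the line, and a test that passes a known-good public key through crypto_sign_ed25519_scalarmult would catch the inversion either way. The enclosing function continues past the end of the hunk.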
--- a/src/libsodium/crypto_sign/ed25519/ref10/open.c
+++ b/src/libsodium/crypto_sign/ed25519/ref10/open.c
@@ -26,8 +26,7 @@ _crypto_sign_ed25519_verify_detached(const unsigned char *sig,
     ge_p2 R;
 
 #ifndef ED25519_COMPAT
-    if (sc_is_less_than_L(sig + 32) == 0 ||
-        ge_has_small_order(sig) != 0) {
+    if (sc_is_canonical(sig + 32) == 0 || ge_has_small_order(sig) != 0) {
         return -1;
     }
 #else
diff --git a/src/libsodium/include/sodium/private/curve25519_ref10.h b/src/libsodium/include/sodium/private/curve25519_ref10.h
index 3533957b..35011d25 100644
--- a/src/libsodium/include/sodium/private/curve25519_ref10.h
+++ b/src/libsodium/include/sodium/private/curve25519_ref10.h
@@ -104,7 +104,7 @@ typedef struct {
 #define ge_scalarmult_base crypto_core_curve25519_ref10_ge_scalarmult_base
 #define ge_double_scalarmult_vartime crypto_core_curve25519_ref10_ge_double_scalarmult_vartime
 #define ge_scalarmult_vartime crypto_core_curve25519_ref10_ge_scalarmult_vartime
-#define ge_is_less_than_p crypto_core_curve25519_ref10_ge_is_less_than_p
+#define ge_is_canonical crypto_core_curve25519_ref10_ge_is_canonical
 #define ge_is_on_curve crypto_core_curve25519_ref10_ge_is_on_curve
 #define ge_is_on_main_subgroup crypto_core_curve25519_ref10_ge_is_on_main_subgroup
 #define ge_has_small_order crypto_core_curve25519_ref10_ge_has_small_order
@@ -121,7 +121,7 @@ extern void ge_scalarmult_base(ge_p3 *,const unsigned char *);
 extern void ge_double_scalarmult_vartime(ge_p2 *,const unsigned char *,const ge_p3 *,const unsigned char *);
 extern void ge_scalarmult(ge_p3 *,const unsigned char *,const ge_p3 *);
 extern void ge_scalarmult_vartime(ge_p3 *,const unsigned char *,const ge_p3 *);
-extern int ge_is_less_than_p(const unsigned char *s);
+extern int ge_is_canonical(const unsigned char *s);
 extern int ge_is_on_curve(const ge_p3 *p);
 extern int ge_is_on_main_subgroup(const ge_p3 *p);
 extern int ge_has_small_order(const unsigned char s[32]);
@@ -133,10 +133,10 @@ extern int ge_has_small_order(const unsigned char s[32]);
 
 #define sc_reduce crypto_core_curve25519_ref10_sc_reduce
 #define sc_muladd crypto_core_curve25519_ref10_sc_muladd
-#define sc_is_less_than_L crypto_core_curve25519_ref10_sc_is_less_than_L
+#define sc_is_canonical crypto_core_curve25519_ref10_sc_is_canonical
 
 extern void sc_reduce(unsigned char *);
 extern void sc_muladd(unsigned char *,const unsigned char *,const unsigned char *,const unsigned char *);
-extern int sc_is_less_than_L(const unsigned char *s);
+extern int sc_is_canonical(const unsigned char *s);
 
 #endif