From ce56bb596fa328ea88d143a2f13a94b7ef85e561 Mon Sep 17 00:00:00 2001
From: Frank Denis
Date: Tue, 31 Oct 2017 15:56:31 +0100
Subject: [PATCH] edwards25519sha512batch: reuse ge_scalarmult()

Check public key and R order by the way.
---
 src/libsodium/crypto_sign/ed25519/ref10/obsolete.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/libsodium/crypto_sign/ed25519/ref10/obsolete.c b/src/libsodium/crypto_sign/ed25519/ref10/obsolete.c
index 21edc280..c77c6500 100644
--- a/src/libsodium/crypto_sign/ed25519/ref10/obsolete.c
+++ b/src/libsodium/crypto_sign/ed25519/ref10/obsolete.c
@@ -90,14 +90,14 @@ crypto_sign_edwards25519sha512batch_open(unsigned char *m,
 if (sm[smlen - 1] & 224) {
 return -1;
 }
- if (ge_frombytes_negate_vartime(&A, pk) != 0 ||
- ge_frombytes_negate_vartime(&R, sm) != 0) {
+ if (ge_frombytes_negate_vartime(&A, pk) != 0 || ge_has_small_order(pk) != 0 ||
+ ge_frombytes_negate_vartime(&R, sm) != 0 || ge_has_small_order(sm) != 0) {
 return -1;
 }
 ge_p3_to_cached(&Ai, &A);
 crypto_hash_sha512(h, sm, mlen + 32);
 sc_reduce(h);
- ge_scalarmult_vartime(&cs3, h, &R);
+ ge_scalarmult(&cs3, h, &R);
 ge_add(&csa, &cs3, &Ai);
 ge_p1p1_to_p2(&cs, &csa);
 ge_tobytes(t1, &cs);
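Review bot: The new `ge_has_small_order(pk)` / `ge_has_small_order(sm)` guards in the first `if` are applied to the raw 32-byte encodings rather than to the decoded points `A` and `R`, so if the helper works by comparing bytes against a blacklist of small-order encodings, a non-canonical encoding of such a point (y with p added, which `ge_frombytes_negate_vartime` is not shown to reject here) would presumably slip past it; if that is how `ge_has_small_order` is implemented, also reject non-canonical `pk` and R (`sm[0..31]`) encodings before the order check. Either way the purpose of the added checks deserves a why-comment next to the condition, e.g. `/* reject small-order A and R so the verification equation below cannot be satisfied by degenerate points */`. Note that the check on `sm` only covers the R half of the signature, and that `smlen >= 64` must already be enforced in the part of `crypto_sign_edwards25519sha512batch_open` that starts before this hunk, since both `sm[smlen - 1]` and the `mlen + 32` hash length depend on it. The function continues after the hunk where `t1` is compared.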