Diffstat (limited to 'src/libsodium/crypto_sign/ed25519')
-rw-r--r--src/libsodium/crypto_sign/ed25519/ref10/keypair.c49
-rw-r--r--src/libsodium/crypto_sign/ed25519/ref10/open.c12
-rw-r--r--src/libsodium/crypto_sign/ed25519/ref10/sign.c18
-rw-r--r--src/libsodium/crypto_sign/ed25519/sign_ed25519_api.c18
4 files changed, 80 insertions, 17 deletions
diff --git a/src/libsodium/crypto_sign/ed25519/ref10/keypair.c b/src/libsodium/crypto_sign/ed25519/ref10/keypair.c
index 7955647..2268cd6 100644
--- a/src/libsodium/crypto_sign/ed25519/ref10/keypair.c
+++ b/src/libsodium/crypto_sign/ed25519/ref10/keypair.c
@@ -2,8 +2,11 @@
#include <string.h>
#include "api.h"
-#include "randombytes.h"
#include "crypto_hash_sha512.h"
+#include "crypto_scalarmult_curve25519.h"
+#include "randombytes.h"
+#include "utils.h"
+#include "fe.h"
#include "ge.h"
int crypto_sign_seed_keypair(unsigned char *pk, unsigned char *sk,
@@ -27,7 +30,47 @@ int crypto_sign_seed_keypair(unsigned char *pk, unsigned char *sk,
int crypto_sign_keypair(unsigned char *pk, unsigned char *sk)
{
unsigned char seed[32];
+ int ret;
+
+ randombytes_buf(seed, sizeof seed);
+ ret = crypto_sign_seed_keypair(pk, sk, seed);
+ sodium_memzero(seed, sizeof seed);
+
+ return ret;
+}
+
+int crypto_sign_ed25519_pk_to_curve25519(unsigned char *curve25519_pk,
+ const unsigned char *ed25519_pk)
+{
+ ge_p3 A;
+ fe x;
+ fe one_minus_y;
- randombytes(seed,32);
- return crypto_sign_seed_keypair(pk,sk,seed);
+ ge_frombytes_negate_vartime(&A, ed25519_pk);
+ fe_1(one_minus_y);
+ fe_sub(one_minus_y, one_minus_y, A.Y);
+ fe_invert(one_minus_y, one_minus_y);
+ fe_1(x);
+ fe_add(x, x, A.Y);
+ fe_mul(x, x, one_minus_y);
+ fe_tobytes(curve25519_pk, x);
+
+ return 0;
+}
+
+int crypto_sign_ed25519_sk_to_curve25519(unsigned char *curve25519_sk,
+ const unsigned char *ed25519_sk)
+{
+ unsigned char h[crypto_hash_sha512_BYTES];
+
+ crypto_hash_sha512(h, ed25519_sk,
+ crypto_sign_ed25519_SECRETKEYBYTES -
+ crypto_sign_ed25519_PUBLICKEYBYTES);
+ h[0] &= 248;
+ h[31] &= 127;
+ h[31] |= 64;
+ memcpy(curve25519_sk, h, crypto_scalarmult_curve25519_BYTES);
+ sodium_memzero(h, sizeof h);
+
+ return 0;
}
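Review bot: The return value of `ge_frombytes_negate_vartime(&A, ed25519_pk)` is discarded in crypto_sign_ed25519_pk_to_curve25519, so an encoding that does not decode as a valid point leaves `A.Y` with whatever the decoder produced and the function still reports success with a derived key; change the call to `if (ge_frombytes_negate_vartime(&A, ed25519_pk) != 0) { return -1; }`. Only `A.Y` feeds the map u = (1 + y) / (1 - y), so the negated x is never used, which deserves a one-line comment because the "negate" in the helper's name otherwise reads like a mistake. For y == 1 the denominator `one_minus_y` is zero; whether inverting zero is acceptable here (ref10's `fe_invert` yields zero in that case, presumably giving u = 0) should be confirmed and, if not, rejected with a zero test such as `fe_isnonzero` before the inversion. The seed wipe added to crypto_sign_keypair and the wipe of `h` in crypto_sign_ed25519_sk_to_curve25519 look correct.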
diff --git a/src/libsodium/crypto_sign/ed25519/ref10/open.c b/src/libsodium/crypto_sign/ed25519/ref10/open.c
index 36eb084..488333e 100644
--- a/src/libsodium/crypto_sign/ed25519/ref10/open.c
+++ b/src/libsodium/crypto_sign/ed25519/ref10/open.c
@@ -43,16 +43,8 @@ crypto_sign_verify_detached(const unsigned char *sig, const unsigned char *m,
ge_double_scalarmult_vartime(&R, h, &A, sig + 32);
ge_tobytes(rcheck, &R);
- if (crypto_verify_32(rcheck, sig) != 0) {
- return -1;
- }
- if (sig == rcheck) {
- return -1;
- }
- if (sodium_memcmp(sig, rcheck, 32) != 0) {
- return -1;
- }
- return 0;
+ return crypto_verify_32(rcheck, sig) | (-(rcheck - sig == 0)) |
+ sodium_memcmp(sig, rcheck, 32);
}
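Review bot: `rcheck - sig` in the new return expression subtracts pointers into two unrelated objects (the local `rcheck` array and the caller's `sig`), which C leaves undefined (C11 6.5.6p9) even though only the equality outcome is wanted; the removed code compared them with `==`, which is defined for any pair of pointers. Keep the branch-free form but compute the term with equality: `return crypto_verify_32(rcheck, sig) | (-(sig == rcheck)) | sodium_memcmp(sig, rcheck, 32);`. The combined result relies on both helpers returning 0 or -1 so that the OR is 0 only when every check passes; a short comment stating that contract above the return would help the next reader. crypto_sign_verify_detached starts before this hunk.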
int
diff --git a/src/libsodium/crypto_sign/ed25519/ref10/sign.c b/src/libsodium/crypto_sign/ed25519/ref10/sign.c
index 88f4710..1ee5d6c 100644
--- a/src/libsodium/crypto_sign/ed25519/ref10/sign.c
+++ b/src/libsodium/crypto_sign/ed25519/ref10/sign.c
@@ -5,6 +5,7 @@
#include "crypto_hash_sha512.h"
#include "ge.h"
#include "sc.h"
+#include "utils.h"
int
crypto_sign_detached(unsigned char *sig, unsigned long long *siglen,
@@ -44,6 +45,9 @@ crypto_sign_detached(unsigned char *sig, unsigned long long *siglen,
sc_reduce(hram);
sc_muladd(sig + 32, hram, az, nonce);
+ sodium_memzero(az, sizeof az);
+ sodium_memzero(nonce, sizeof nonce);
+
if (siglen != NULL) {
*siglen = 64U;
}
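Review bot: The two `sodium_memzero` calls wipe `az` and `nonce` after their last use in `sc_muladd`, but nothing records why these two buffers and not `hram`; a comment such as `/* az (clamped secret scalar) and nonce (r) are secret; hram is derived from public values, so it need not be wiped */` would make the choice reviewable (the hram derivation is outside this hunk, so confirm it before writing that). The start of crypto_sign_detached is also outside the hunk, so whether any earlier return path leaves `az` live without a wipe cannot be seen here and should be checked.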
@@ -57,13 +61,19 @@ crypto_sign(unsigned char *sm, unsigned long long *smlen,
{
unsigned long long siglen;
- if (crypto_sign_detached(sm, &siglen, m, mlen, sk) != 0 ||
- siglen > crypto_sign_ed25519_BYTES) {
- *smlen = 0;
+ memmove(sm + crypto_sign_ed25519_BYTES, m, mlen);
+/* LCOV_EXCL_START */
+ if (crypto_sign_detached(sm, &siglen, sm + crypto_sign_ed25519_BYTES,
+ mlen, sk) != 0 ||
+ siglen != crypto_sign_ed25519_BYTES) {
+ if (smlen != NULL) {
+ *smlen = 0;
+ }
memset(sm, 0, mlen + crypto_sign_ed25519_BYTES);
return -1;
}
- memmove(sm + siglen, m, mlen);
+/* LCOV_EXCL_STOP */
+
if (smlen != NULL) {
*smlen = mlen + siglen;
}
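Review bot: The reason `memmove(sm + crypto_sign_ed25519_BYTES, m, mlen)` now runs before signing — the signature is computed over the copy, so `sm` and `m` may overlap — is not stated, and the old order (sign first, copy after) looks equally valid to a reader; add `/* copy m first (memmove: sm and m may overlap), then sign the copy in place */` above it. The failure branch zeroes `mlen + crypto_sign_ed25519_BYTES` bytes of `sm`, which also discards the message copy just made; that is presumably intended, and a word in the `LCOV_EXCL` block saying so would prevent a later "fix". crypto_sign's signature and its final return are outside this hunk.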
diff --git a/src/libsodium/crypto_sign/ed25519/sign_ed25519_api.c b/src/libsodium/crypto_sign/ed25519/sign_ed25519_api.c
index 9f999d2..7ba6b4c 100644
--- a/src/libsodium/crypto_sign/ed25519/sign_ed25519_api.c
+++ b/src/libsodium/crypto_sign/ed25519/sign_ed25519_api.c
@@ -1,3 +1,6 @@
+
+#include <string.h>
+
#include "crypto_sign_ed25519.h"
size_t
@@ -19,3 +22,18 @@ size_t
crypto_sign_ed25519_secretkeybytes(void) {
return crypto_sign_ed25519_SECRETKEYBYTES;
}
+
+int
+crypto_sign_ed25519_sk_to_seed(unsigned char *seed, const unsigned char *sk)
+{
+ memmove(seed, sk, crypto_sign_ed25519_SEEDBYTES);
+ return 0;
+}
+
+int
+crypto_sign_ed25519_sk_to_pk(unsigned char *pk, const unsigned char *sk)
+{
+ memmove(pk, sk + crypto_sign_ed25519_SEEDBYTES,
+ crypto_sign_ed25519_PUBLICKEYBYTES);
+ return 0;
+}
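Review bot: Both new functions are undocumented and silently encode the secret-key layout `sk = seed || pk`, which is presumably fixed by crypto_sign_seed_keypair in ref10 rather than in this file; a comment on each, e.g. `/* Extract the 32-byte seed: an ed25519 secret key is the seed followed by the public key. Always returns 0. */`, records that dependency where a reader of this file will see it. The `int` return has no failure mode, which the comment should state so callers do not add dead error handling. `memcpy` would express the intent more precisely than `memmove` unless overlapping `seed`/`sk` or `pk`/`sk` buffers are a supported use; if they are, say so in the same comment.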