fe25519_reduce64: handle the top bit

This is only for code clarity and for people copy/pasting that private code to use it in a different context. The top 128 bits are always zero.
jedisct1 · Jul 21, 2021 · 038e411 · 038e411
1 parent 78c9d1e
commit 038e411
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c b/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c
@@ -2720,7 +2720,7 @@ fe25519_reduce64(fe25519 fe_f, const unsigned char h[64])
     gl[31] &= 0x7f;
     fe25519_frombytes(fe_f, fl);
     fe25519_frombytes(fe_g, gl);
-    fe_f[0] += (h[31] >> 7) * 19;
+    fe_f[0] += (h[31] >> 7) * 19 + (h[63] >> 7) * 722;
     for (i = 0; i < sizeof (fe25519) / sizeof fe_f[0]; i++) {
         fe_f[i] += 38 * fe_g[i];
     }