From d3e716aa491f4d27b30e6e1ff57dcb85fbf4fa10 Mon Sep 17 00:00:00 2001
From: Frank Denis
Date: Thu, 20 Nov 2014 11:22:24 -0800
Subject: [PATCH] curve25519-donna-c64: don't read an extra byte when expanding a 32-byte number into polynomial form

Reported by Michael Holmwood.
---
 .../donna_c64/smult_curve25519_donna_c64.c | 2 +-
 test/default/scalarmult6.c | 22 ++++++++++++++++---
 2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/src/libsodium/crypto_scalarmult/curve25519/donna_c64/smult_curve25519_donna_c64.c b/src/libsodium/crypto_scalarmult/curve25519/donna_c64/smult_curve25519_donna_c64.c
index c26ea731..5c4e08a4 100644
--- a/src/libsodium/crypto_scalarmult/curve25519/donna_c64/smult_curve25519_donna_c64.c
+++ b/src/libsodium/crypto_scalarmult/curve25519/donna_c64/smult_curve25519_donna_c64.c
@@ -226,7 +226,7 @@ fexpand(limb *output, const u8 *in) {
 output[1] = (U8TO64(in+6) >> 3) & 0x7ffffffffffff;
 output[2] = (U8TO64(in+12) >> 6) & 0x7ffffffffffff;
 output[3] = (U8TO64(in+19) >> 1) & 0x7ffffffffffff;
- output[4] = (U8TO64(in+25) >> 4) & 0x7ffffffffffff;
+ output[4] = (U8TO64(in+24) >> 12) & 0x7ffffffffffff;
 }
 /* Take a fully reduced polynomial form number and contract it into a
diff --git a/test/default/scalarmult6.c b/test/default/scalarmult6.c
index 6b4e5760..f5510b86 100644
--- a/test/default/scalarmult6.c
+++ b/test/default/scalarmult6.c
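Review bot: The corrected line `output[4] = (U8TO64(in+24) >> 12) & 0x7ffffffffffff;` is right, but it now breaks the visible progression of the other limbs (offset stepping by 6-7 bytes, shift by 3) and nothing in the hunk explains why, so a later "tidy-up" to `in+25 >> 4` would silently reintroduce the one-byte over-read. I would put a comment above the assignment: `/* Last limb: the 8-byte window must end at byte 31, so start at 24 and shift by 12 (bit 204 - 192) rather than following the offset/shift progression above. */`. It is also worth noting in the function comment that the old over-read only affected bits above the 51-bit mask, so results were identical and the bug is observable only under a bounds checker (guard pages, ASan, valgrind), which is why a regression test needs such instrumentation. The start of fexpand (the output[0] line) lies above the hunk.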
@@ -2,12 +2,12 @@ #define TEST_NAME "scalarmult6"
 #include "cmptest.h"
-unsigned char bobsk[32]
+unsigned char bobsk_[crypto_scalarmult_SCALARBYTES]
 = { 0x5d, 0xab, 0x08, 0x7e, 0x62, 0x4a, 0x8a, 0x4b, 0x79, 0xe1, 0x7f, 0x8b, 0x83, 0x80, 0x0e, 0xe6, 0x6f, 0x3b, 0xb1, 0x29, 0x26, 0x18, 0xb6, 0xfd, 0x1c, 0x2f, 0x8b, 0x27, 0xff, 0x88, 0xe0, 0xeb };
-unsigned char alicepk[32]
+unsigned char alicepk_[crypto_scalarmult_SCALARBYTES]
 = { 0x85, 0x20, 0xf0, 0x09, 0x89, 0x30, 0xa7, 0x54, 0x74, 0x8b, 0x7d, 0xdc, 0xb4, 0x3e, 0xf7, 0x5a, 0x0d, 0xbf, 0x3a, 0x0d, 0x26, 0x38, 0x1a, 0xf4, 0xeb, 0xa4, 0xa9, 0x8e, 0xaa, 0x9b, 0x4e, 0x6a };
@@ -16,10 +16,24 @@ unsigned char k[32];
 int main(void)
 {
- int i;
+ unsigned char *k;
+ unsigned char *bobsk;
+ unsigned char *alicepk;
+ int i;
+
+ k = sodium_malloc(crypto_scalarmult_BYTES);
+ bobsk = sodium_malloc(crypto_scalarmult_SCALARBYTES);
+ alicepk = sodium_malloc(crypto_scalarmult_SCALARBYTES);
+ assert(k != NULL && bobsk != NULL && alicepk != NULL);
+
+ memcpy(bobsk, bobsk_, crypto_scalarmult_SCALARBYTES);
+ memcpy(alicepk, alicepk_, crypto_scalarmult_SCALARBYTES);
 crypto_scalarmult(k, bobsk, alicepk);
+
+ sodium_free(alicepk);
+ sodium_free(bobsk);
+
 for (i = 0; i < 32; ++i) {
 if (i > 0) {
 printf(",");
@@ -31,5 +45,7 @@ int main(void)
 printf("\n");
 }
 }
+ sodium_free(k);
+
 return 0;
 }
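Review bot: `unsigned char alicepk_[crypto_scalarmult_SCALARBYTES]` sizes a public key (a group element, the second operand of crypto_scalarmult) with the scalar constant; the matching constant is `crypto_scalarmult_BYTES`, which the second hunk already uses for `k`. Both are 32 today so nothing breaks, but pairing each buffer with its own constant is what makes the test document the API, and the same mix-up recurs in the second hunk in `alicepk = sodium_malloc(crypto_scalarmult_SCALARBYTES);` and `memcpy(alicepk, alicepk_, crypto_scalarmult_SCALARBYTES);`. I would change the declaration to `unsigned char alicepk_[crypto_scalarmult_BYTES]` and the two later lines accordingly.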
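Review bot: The new local `unsigned char *k;` shadows the file-scope `unsigned char k[32];` that the hunk header shows just above main; that declaration sits between the two hunks (old lines 14-15), so as far as the ranges show this commit leaves it in place, now dead and a `-Wshadow` warning. I would delete the global `unsigned char k[32];` in the same commit so the only `k` is the guard-page allocation. The allocation check `assert(k != NULL && bobsk != NULL && alicepk != NULL);` disappears under NDEBUG, in which case a failed sodium_malloc would reach crypto_scalarmult with a NULL pointer; unless cmptest.h guarantees assertions stay enabled (I cannot see it from here), an explicit `if (k == NULL || bobsk == NULL || alicepk == NULL) { return 1; }` is the safer form. The body of main continues past the hunk.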