From 3b8891540bc9546af731c94133c2f631664d811b Mon Sep 17 00:00:00 2001
From: Frank Denis
Date: Sun, 23 Aug 2020 18:27:36 +0200
Subject: [PATCH 1/3] Constify

---
 src/libsodium/crypto_core/ed25519/core_ed25519.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/libsodium/crypto_core/ed25519/core_ed25519.c b/src/libsodium/crypto_core/ed25519/core_ed25519.c
index beb1a6ad..02a3e098 100644
--- a/src/libsodium/crypto_core/ed25519/core_ed25519.c
+++ b/src/libsodium/crypto_core/ed25519/core_ed25519.c
@@ -82,7 +82,7 @@ _string_to_points(unsigned char * const px, size_t n, const char *ctx,
                   const unsigned char *msg, size_t msg_len)
 {
     crypto_hash_sha512_state st;
-    unsigned char empty_block[128] = { 0 };
+    const unsigned char empty_block[128] = { 0 };
     unsigned char u0[HASH_BYTES], u[2 * HASH_BYTES];
     unsigned char t[3] = { 0U, n * HASH_L, 0U};
     unsigned char ctx_len_u8;

From ee962b33ae11fc36cb5bb89c8c65cbb82a7890e6 Mon Sep 17 00:00:00 2001
From: Frank Denis
Date: Sun, 23 Aug 2020 18:28:17 +0200
Subject: [PATCH 2/3] Move 2^511 -> 2^255-19 reduction to its own function

---
 .../crypto_core/ed25519/ref10/ed25519_ref10.c | 20 ++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c b/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c
index 4d7fbd0a..c4092b1f 100644
--- a/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c
+++ b/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c
@@ -2702,18 +2702,13 @@ ge25519_from_uniform(unsigned char s[32], const unsigned char r[32])
     ge25519_p3_tobytes(s, &p3);
 }
 
-void
-ge25519_from_hash(unsigned char s[32], const unsigned char h[64])
+static void
+fe25519_reduce64(fe25519 fe_f, const unsigned char h[64])
 {
     unsigned char fl[32];
     unsigned char gl[32];
-    ge25519_p3 p3;
-    fe25519 x, y, negy;
-    fe25519 fe_f;
     fe25519 fe_g;
     size_t i;
-    int notsquare;
-    unsigned char y_sign;
 
     for (i = 0; i < 32; i++) {
         fl[i] = h[63 - i];
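Review bot: `fe25519_reduce64` is introduced without a comment stating its contract, and neither its name nor its signature says which representation of the 64-byte input it expects. The second hunk of this file (`@@ -2728`) closes the function and shows the combine step `fe_f[i] += 38 * fe_g[i]`, which folds the upper 256-bit half in via 2^256 ≡ 38 (mod 2^255-19); the `fl[i] = h[63 - i]` reversal suggests h is a big-endian 512-bit integer, which a caller should not have to infer. Suggest a header comment above `static void`: `/* Reduce the 512-bit integer h (big-endian) modulo 2^255-19 into fe_f: with h = g*2^256 + f this is f + 38*g, since 2^256 = 38 (mod p). */`. The loop body that fills gl and fe_g lies between the two hunks and is not visible here.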
@@ -2728,7 +2723,18 @@ ge25519_from_hash(unsigned char s[32], const unsigned char h[64])
         fe_f[i] += 38 * fe_g[i];
     }
     fe25519_reduce(fe_f, fe_f);
+}
 
+void
+ge25519_from_hash(unsigned char s[32], const unsigned char h[64])
+{
+    ge25519_p3 p3;
+    fe25519 fe_f;
+    fe25519 x, y, negy;
+    int notsquare;
+    unsigned char y_sign;
+
+    fe25519_reduce64(fe_f, h);
     ge25519_elligator2(x, y, fe_f, ¬square);
     y_sign = notsquare;
 

From 33b935921c91eb7832296a6387d3f8dfbfa7e385 Mon Sep 17 00:00:00 2001
From: Frank Denis
Date: Sun, 23 Aug 2020 18:28:58 +0200
Subject: [PATCH 3/3] Add hash_to_ristretto255

Identifier should be ristretto255_XMD:SHA-512_R255MAP_RO_
---
 .../crypto_core/ed25519/core_ristretto255.c | 67 +++++++++++++++++++
 .../include/sodium/crypto_core_ristretto255.h | 14 ++++
 2 files changed, 81 insertions(+)

diff --git a/src/libsodium/crypto_core/ed25519/core_ristretto255.c b/src/libsodium/crypto_core/ed25519/core_ristretto255.c
index ab3f7757..6cb1b0b9 100644
--- a/src/libsodium/crypto_core/ed25519/core_ristretto255.c
+++ b/src/libsodium/crypto_core/ed25519/core_ristretto255.c
@@ -3,6 +3,7 @@
 
 #include "crypto_core_ed25519.h"
 #include "crypto_core_ristretto255.h"
+#include "crypto_hash_sha512.h"
 #include "private/common.h"
 #include "private/ed25519_ref10.h"
 #include "randombytes.h"
@@ -67,6 +68,72 @@ crypto_core_ristretto255_from_hash(unsigned char *p, const unsigned char *r)
     return 0;
 }
 
+#define HASH_BYTES crypto_hash_sha512_BYTES
+#define HASH_BLOCKBYTES 128U
+#define HASH_L crypto_core_ristretto255_HASHBYTES
+
+static int
+_string_to_element(unsigned char *p,
+                   const char *ctx, const unsigned char *msg, size_t msg_len)
+{
+    crypto_hash_sha512_state st;
+    const unsigned char empty_block[128] = { 0 };
+    unsigned char u0[HASH_BYTES];
+    unsigned char t[3] = { 0U, HASH_L, 0U};
+    unsigned char ctx_len_u8;
+    size_t ctx_len = ctx != NULL ? strlen(ctx) : 0U;
+
+    COMPILER_ASSERT(HASH_L <= 0xff);
+    if (ctx_len > (size_t) 0xff) {
+        crypto_hash_sha512_init(&st);
+        crypto_hash_sha512_update(&st,
+                                  (const unsigned char *) "H2C-OVERSIZE-DST-",
+                                  sizeof "H2C-OVERSIZE-DST-" - 1U);
+        crypto_hash_sha512_update(&st, (const unsigned char *) ctx, ctx_len);
+        crypto_hash_sha512_final(&st, u0);
+        ctx = (const char *) u0;
+        ctx_len = HASH_BYTES;
+        COMPILER_ASSERT(HASH_BYTES <= (size_t) 0xff);
+    }
+    ctx_len_u8 = (unsigned char) ctx_len;
+    crypto_hash_sha512_init(&st);
+    crypto_hash_sha512_update(&st, empty_block, sizeof empty_block);
+    crypto_hash_sha512_update(&st, msg, msg_len);
+    crypto_hash_sha512_update(&st, t, 3U);
+    crypto_hash_sha512_update(&st, (const unsigned char *) ctx, ctx_len);
+    crypto_hash_sha512_update(&st, &ctx_len_u8, 1U);
+    crypto_hash_sha512_final(&st, u0);
+
+    t[2]++;
+    crypto_hash_sha512_init(&st);
+    crypto_hash_sha512_update(&st, u0, HASH_BYTES);
+    crypto_hash_sha512_update(&st, &t[2], 1U);
+    crypto_hash_sha512_update(&st, (const unsigned char *) ctx, ctx_len);
+    crypto_hash_sha512_update(&st, &ctx_len_u8, 1U);
+    crypto_hash_sha512_final(&st, u0);
+
+    COMPILER_ASSERT(crypto_core_ristretto255_HASHBYTES == HASH_L);
+    ristretto255_from_hash(p, u0);
+
+    return 0;
+}
+
+int
+crypto_core_risretto255_from_string(unsigned char p[crypto_core_ristretto255_BYTES],
+                                    const char *ctx, const unsigned char *msg,
+                                    size_t msg_len)
+{
+    return _string_to_element(p, ctx, msg, msg_len);
+}
+
+int
+crypto_core_ristretto255_from_string_ro(unsigned char p[crypto_core_ristretto255_BYTES],
+                                        const char *ctx, const unsigned char *msg,
+                                        size_t msg_len)
+{
+    return crypto_core_risretto255_from_string(p, ctx, msg, msg_len);
+}
+
 void
 crypto_core_ristretto255_random(unsigned char *p)
 {
diff --git a/src/libsodium/include/sodium/crypto_core_ristretto255.h b/src/libsodium/include/sodium/crypto_core_ristretto255.h
index d2485adc..c22dfdd4 100644
--- a/src/libsodium/include/sodium/crypto_core_ristretto255.h
+++ b/src/libsodium/include/sodium/crypto_core_ristretto255.h
@@ -43,6 +43,20 @@ int crypto_core_ristretto255_from_hash(unsigned char *p, const unsigned char *r)
             __attribute__ ((nonnull));
 
 
+SODIUM_EXPORT
+int crypto_core_ristretto255_from_string(unsigned char p[crypto_core_ristretto255_BYTES],
+                                         const char *ctx,
+                                         const unsigned char *msg,
+                                         size_t msg_len)
+            __attribute__ ((nonnull(1)));
+
+SODIUM_EXPORT
+int crypto_core_ristretto255_from_string_ro(unsigned char p[crypto_core_ristretto255_BYTES],
+                                            const char *ctx,
+                                            const unsigned char *msg,
+                                            size_t msg_len)
+            __attribute__ ((nonnull(1)));
+
 SODIUM_EXPORT
 void crypto_core_ristretto255_random(unsigned char *p)
             __attribute__ ((nonnull));
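Review bot: The exported definition is misspelled `crypto_core_risretto255_from_string` (missing `t`), while the header hunk for crypto_core_ristretto255.h (`@@ -43,6 +43,20 @@`) declares `crypto_core_ristretto255_from_string`, so the declared symbol has no definition, the misspelled one is likely exported without a matching prototype, and `crypto_core_ristretto255_from_string_ro` calls the misspelled name. Rename both uses: `crypto_core_ristretto255_from_string(unsigned char p[crypto_core_ristretto255_BYTES],` and `return crypto_core_ristretto255_from_string(p, ctx, msg, msg_len);`. Separately, `HASH_BLOCKBYTES` is defined but never used while `empty_block` is sized with a bare `128`; `const unsigned char empty_block[HASH_BLOCKBYTES] = { 0 };` ties the Z_pad length to the named constant. `strlen(ctx)` also depends on `<string.h>`, which the include hunk does not add; that is fine only if the file already includes it above line 3, outside this hunk.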
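Review bot: The two new public prototypes carry no description of their arguments, and nothing in the header says that `ctx` may be NULL even though `nonnull(1)` deliberately exempts it, nor what `_from_string_ro` adds over `_from_string` (in the .c hunk above it simply forwards to it). Suggest a comment above the first `SODIUM_EXPORT`: `/* Hash (msg, msg_len) to a ristretto255 element p via SHA-512 expand_message_xmd; ctx is an optional NUL-terminated domain-separation tag (NULL allowed; tags over 255 bytes are pre-hashed). Always returns 0. */`. The `_ro` declaration should either state that it is the random-oracle variant and how it differs, or note that the two are currently identical so callers do not assume a stronger property.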