Sync from SUSE:SLFO:Main ed25519-java revision 93e6c9c4ade63997cafb95738b3c0d6f

ed25519-java-CVE-2020-36843.patch

@@ -0,0 +1,39 @@
+--- ed25519-java-0.3.0/src/net/i2p/crypto/eddsa/EdDSAEngine.java	2025-03-14 14:47:43.404137953 +0100
++++ ed25519-java-0.3.0/src/net/i2p/crypto/eddsa/EdDSAEngine.java	2025-03-14 14:50:31.859888550 +0100
+@@ -12,6 +12,7 @@
+ package net.i2p.crypto.eddsa;
+ 
+ import java.io.ByteArrayOutputStream;
++import java.math.BigInteger;
+ import java.nio.ByteBuffer;
+ import java.security.InvalidAlgorithmParameterException;
+ import java.security.InvalidKeyException;
+@@ -29,6 +30,7 @@
+ import net.i2p.crypto.eddsa.math.Curve;
+ import net.i2p.crypto.eddsa.math.GroupElement;
+ import net.i2p.crypto.eddsa.math.ScalarOps;
++import net.i2p.crypto.eddsa.math.bigint.BigIntegerLittleEndianEncoding;
+ 
+ /**
+  * Signing and verification for EdDSA.
+@@ -69,6 +71,8 @@
+ public final class EdDSAEngine extends Signature {
+     public static final String SIGNATURE_ALGORITHM = "NONEwithEdDSA";
+ 
++    private static final BigInteger ORDER = new BigInteger("2").pow(252).add(new BigInteger("27742317777372353535851937790883648493"));
++
+     private MessageDigest digest;
+     private ByteArrayOutputStream baos;
+     private EdDSAKey key;
+@@ -306,6 +310,11 @@
+         h = key.getParams().getScalarOps().reduce(h);
+ 
+         byte[] Sbyte = Arrays.copyOfRange(sigBytes, b/8, b/4);
++        // RFC 8032
++        BigInteger Sbigint = (new BigIntegerLittleEndianEncoding()).toBigInteger(Sbyte);
++        if (Sbigint.compareTo(ORDER) >= 0)
++            return false;
++ 
+         // R = SB - H(Rbar,Abar,M)A
+         GroupElement R = key.getParams().getB().doubleScalarMultiplyVariableTime(
+                 ((EdDSAPublicKey) key).getNegativeA(), h, Sbyte);