--- ed25519-java-0.3.0/src/net/i2p/crypto/eddsa/EdDSAEngine.java 2025-03-14 14:47:43.404137953 +0100
+++ ed25519-java-0.3.0/src/net/i2p/crypto/eddsa/EdDSAEngine.java 2025-03-14 14:50:31.859888550 +0100
@@ -12,6 +12,7 @@
 package net.i2p.crypto.eddsa;
 import java.io.ByteArrayOutputStream;
+import java.math.BigInteger;
 import java.nio.ByteBuffer;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.InvalidKeyException;
@@ -29,6 +30,7 @@
 import net.i2p.crypto.eddsa.math.Curve;
 import net.i2p.crypto.eddsa.math.GroupElement;
 import net.i2p.crypto.eddsa.math.ScalarOps;
+import net.i2p.crypto.eddsa.math.bigint.BigIntegerLittleEndianEncoding;
 /**
 * Signing and verification for EdDSA.
@@ -69,6 +71,8 @@
 public final class EdDSAEngine extends Signature {
 public static final String SIGNATURE_ALGORITHM = "NONEwithEdDSA";
+ private static final BigInteger ORDER = new BigInteger("2").pow(252).add(new BigInteger("27742317777372353535851937790883648493"));
+
 private MessageDigest digest;
 private ByteArrayOutputStream baos;
 private EdDSAKey key;
@@ -306,6 +310,11 @@
 h = key.getParams().getScalarOps().reduce(h);
 byte[] Sbyte = Arrays.copyOfRange(sigBytes, b/8, b/4);
+ // RFC 8032
+ BigInteger Sbigint = (new BigIntegerLittleEndianEncoding()).toBigInteger(Sbyte);
+ if (Sbigint.compareTo(ORDER) >= 0)
+ return false;
+
 // R = SB - H(Rbar,Abar,M)A
 GroupElement R = key.getParams().getB().doubleScalarMultiplyVariableTime(
 ((EdDSAPublicKey) key).getNegativeA(), h, Sbyte);
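Review bot: The new `ORDER` constant hard-codes Ed25519's group order while the surrounding verification code takes everything else from `key.getParams()` (the preceding `getScalarOps().reduce(h)` already reduces modulo that same order), so the bound and the curve can silently disagree if this engine is ever driven by a different parameter set; if the order cannot be exposed through the parameter spec or `ScalarOps`, the constant should at least be documented, e.g. `/** Ed25519 group order L = 2^252 + 27742317777372353535851937790883648493 (RFC 8032, section 5.1); only valid for that curve. */`. The bare `// RFC 8032` on the check does not say what it prevents; I would write `// RFC 8032 section 5.1.7: reject S >= L, otherwise S + L is a second 32-byte encoding that verifies for the same message (signature malleability)`. Since the check depends only on `sigBytes`, it could run before the hash is absorbed and the scalar reduced, failing fast on malformed input; the decoded value is non-negative only if `toBigInteger` treats the bytes as unsigned, which I cannot confirm from here. RFC 8032 also requires R and A to decode to valid curve points, which this hunk does not touch and the rest of the method is outside the view; the enclosing method starts and ends outside the hunk.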