rbnacl-libsodium 1.0.15.1 → 1.0.16

data/vendor/libsodium/src/libsodium/crypto_scalarmult/curve25519/ref10/x25519_ref10.h

@@ -5,6 +5,6 @@
 #include "../scalarmult_curve25519.h"
 
 extern struct crypto_scalarmult_curve25519_implementation
-        crypto_scalarmult_curve25519_ref10_implementation;
+    crypto_scalarmult_curve25519_ref10_implementation;
 
 #endif

data/vendor/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/curve25519_sandy2x.c

@@ -25,22 +25,22 @@ static int
 crypto_scalarmult_curve25519_sandy2x(unsigned char *q, const unsigned char *n,
                                      const unsigned char *p)
 {
-  unsigned char e[32];
-  unsigned int i;
-
-  fe var[3];
-
-  fe51 x_51;
-  fe51 z_51;
-
-  for (i = 0;i < 32;++i) e[i] = n[i];
-  e[0] &= 248;
-  e[31] &= 127;
-  e[31] |= 64;
+  unsigned char *t = q;
+  fe             var[3];
+  fe51           x_51;
+  fe51           z_51;
+  unsigned int   i;
+
+  for (i = 0; i < 32; i++) {
+      t[i] = n[i];
+  }
+  t[0] &= 248;
+  t[31] &= 127;
+  t[31] |= 64;
 
   fe_frombytes(x1, p);
 
-  ladder(var, e);
+  ladder(var, t);
 
   z_51.v[0] = (z2[1] << 26) + z2[0];
   z_51.v[1] = (z2[3] << 26) + z2[2];
@@ -71,20 +71,20 @@ static int
 crypto_scalarmult_curve25519_sandy2x_base(unsigned char *q,
                                           const unsigned char *n)
 {
-  unsigned char e[32];
-  unsigned int i;
-
-  fe var[3];
-
-  fe51 x_51;
-  fe51 z_51;
-
-  for (i = 0;i < 32;++i) e[i] = n[i];
-  e[0] &= 248;
-  e[31] &= 127;
-  e[31] |= 64;
-
-  ladder_base(var, e);
+  unsigned char *t = q;
+  fe             var[3];
+  fe51           x_51;
+  fe51           z_51;
+  unsigned int   i;
+
+  for (i = 0;i < 32; i++) {
+      t[i] = n[i];
+  }
+  t[0] &= 248;
+  t[31] &= 127;
+  t[31] |= 64;
+
+  ladder_base(var, t);
 
   z_51.v[0] = (z2[1] << 26) + z2[0];
   z_51.v[1] = (z2[3] << 26) + z2[2];

data/vendor/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/fe51_invert.c

@@ -9,7 +9,8 @@
 
 #define fe51_square(x, y) fe51_nsquare(x, y, 1)
 
-void fe51_invert(fe51 *r, const fe51 *x)
+void
+fe51_invert(fe51 *r, const fe51 *x)
 {
     fe51 z2;
     fe51 z9;

data/vendor/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/fe_frombytes_sandy2x.c

@@ -6,7 +6,8 @@
 
 #ifdef HAVE_AVX_ASM
 
-static uint64_t load_3(const unsigned char *in)
+static uint64_t
+load_3(const unsigned char *in)
 {
   uint64_t result;
   result = (uint64_t) in[0];
@@ -15,7 +16,8 @@ static uint64_t load_3(const unsigned char *in)
   return result;
 }
 
-static uint64_t load_4(const unsigned char *in)
+static uint64_t
+load_4(const unsigned char *in)
 {
   uint64_t result;
   result = (uint64_t) in[0];
@@ -25,7 +27,8 @@ static uint64_t load_4(const unsigned char *in)
   return result;
 }
 
-void fe_frombytes(fe h,const unsigned char *s)
+void
+fe_frombytes(fe h, const unsigned char *s)
 {
   uint64_t h0 = load_4(s);
   uint64_t h1 = load_3(s + 4) << 6;

data/vendor/libsodium/src/libsodium/crypto_scalarmult/curve25519/scalarmult_curve25519.c

@@ -1,20 +1,15 @@
 
 #include "crypto_scalarmult_curve25519.h"
+#include "private/implementations.h"
 #include "scalarmult_curve25519.h"
 #include "runtime.h"
 
 #ifdef HAVE_AVX_ASM
 # include "sandy2x/curve25519_sandy2x.h"
 #endif
-#ifdef HAVE_TI_MODE
-# include "donna_c64/curve25519_donna_c64.h"
-static const crypto_scalarmult_curve25519_implementation *implementation =
-    &crypto_scalarmult_curve25519_donna_c64_implementation;
-#else
-# include "ref10/x25519_ref10.h"
+#include "ref10/x25519_ref10.h"
 static const crypto_scalarmult_curve25519_implementation *implementation =
     &crypto_scalarmult_curve25519_ref10_implementation;
-#endif
 
 int
 crypto_scalarmult_curve25519(unsigned char *q, const unsigned char *n,
@@ -53,11 +48,8 @@ crypto_scalarmult_curve25519_scalarbytes(void)
 int
 _crypto_scalarmult_curve25519_pick_best_implementation(void)
 {
-#ifdef HAVE_TI_MODE
-    implementation = &crypto_scalarmult_curve25519_donna_c64_implementation;
-#else
     implementation = &crypto_scalarmult_curve25519_ref10_implementation;
-#endif
+
 #ifdef HAVE_AVX_ASM
     if (sodium_runtime_has_avx()) {
         implementation = &crypto_scalarmult_curve25519_sandy2x_implementation;

data/vendor/libsodium/src/libsodium/crypto_scalarmult/ed25519/ref10/scalarmult_ed25519_ref10.c

@@ -0,0 +1,86 @@
+
+#include <string.h>
+
+#include "crypto_scalarmult_ed25519.h"
+#include "private/ed25519_ref10.h"
+#include "utils.h"
+
+static int
+_crypto_scalarmult_ed25519_is_inf(const unsigned char s[32])
+{
+    unsigned char c;
+    unsigned int  i;
+
+    c = s[0] ^ 0x01;
+    for (i = 1; i < 31; i++) {
+        c |= s[i];
+    }
+    c |= s[31] & 0x7f;
+
+    return ((((unsigned int) c) - 1U) >> 8) & 1;
+}
+
+static inline void
+_crypto_scalarmult_ed25519_clamp(unsigned char k[32])
+{
+    k[0] &= 248;
+    k[31] &= 127;
+    k[31] |= 64;
+}
+
+int
+crypto_scalarmult_ed25519(unsigned char *q, const unsigned char *n,
+                          const unsigned char *p)
+{
+    unsigned char *t = q;
+    ge25519_p3     Q;
+    ge25519_p3     P;
+    unsigned int   i;
+
+    if (ge25519_is_canonical(p) == 0 || ge25519_has_small_order(p) != 0 ||
+        ge25519_frombytes(&P, p) != 0 || ge25519_is_on_main_subgroup(&P) == 0) {
+        return -1;
+    }
+    for (i = 0; i < 32; ++i) {
+        t[i] = n[i];
+    }
+    _crypto_scalarmult_ed25519_clamp(t);
+    ge25519_scalarmult(&Q, t, &P);
+    ge25519_p3_tobytes(q, &Q);
+    if (_crypto_scalarmult_ed25519_is_inf(q) != 0 || sodium_is_zero(n, 32)) {
+        return -1;
+    }
+    return 0;
+}
+
+int
+crypto_scalarmult_ed25519_base(unsigned char *q,
+                               const unsigned char *n)
+{
+    unsigned char *t = q;
+    ge25519_p3     Q;
+    unsigned int   i;
+
+    for (i = 0; i < 32; ++i) {
+        t[i] = n[i];
+    }
+    _crypto_scalarmult_ed25519_clamp(t);
+    ge25519_scalarmult_base(&Q, t);
+    ge25519_p3_tobytes(q, &Q);
+    if (sodium_is_zero(n, 32) != 0) {
+        return -1;
+    }
+    return 0;
+}
+
+size_t
+crypto_scalarmult_ed25519_bytes(void)
+{
+    return crypto_scalarmult_ed25519_BYTES;
+}
+
+size_t
+crypto_scalarmult_ed25519_scalarbytes(void)
+{
+    return crypto_scalarmult_ed25519_SCALARBYTES;
+}

data/vendor/libsodium/src/libsodium/crypto_sign/ed25519/ref10/keypair.c

@@ -4,8 +4,8 @@
 #include "crypto_hash_sha512.h"
 #include "crypto_scalarmult_curve25519.h"
 #include "crypto_sign_ed25519.h"
-#include "ed25519_ref10.h"
-#include "private/curve25519_ref10.h"
+#include "sign_ed25519_ref10.h"
+#include "private/ed25519_ref10.h"
 #include "randombytes.h"
 #include "utils.h"
 
@@ -13,15 +13,19 @@ int
 crypto_sign_ed25519_seed_keypair(unsigned char *pk, unsigned char *sk,
                                  const unsigned char *seed)
 {
-    ge_p3 A;
+    ge25519_p3 A;
 
+#ifdef ED25519_NONDETERMINISTIC
+    memmove(sk, seed, 32);
+#else
     crypto_hash_sha512(sk, seed, 32);
+#endif
     sk[0] &= 248;
-    sk[31] &= 63;
+    sk[31] &= 127;
     sk[31] |= 64;
 
-    ge_scalarmult_base(&A, sk);
-    ge_p3_tobytes(pk, &A);
+    ge25519_scalarmult_base(&A, sk);
+    ge25519_p3_tobytes(pk, &A);
 
     memmove(sk, seed, 32);
     memmove(sk + 32, pk, 32);
@@ -46,26 +50,22 @@ int
 crypto_sign_ed25519_pk_to_curve25519(unsigned char *curve25519_pk,
                                      const unsigned char *ed25519_pk)
 {
-    ge_p3 A;
-    ge_p3 pl;
-    fe    x;
-    fe    one_minus_y;
+    ge25519_p3 A;
+    fe25519    x;
+    fe25519    one_minus_y;
 
-    if (_crypto_sign_ed25519_small_order(ed25519_pk) ||
-        ge_frombytes_negate_vartime(&A, ed25519_pk) != 0) {
-        return -1;
-    }
-    ge_mul_l(&pl, &A);
-    if (fe_isnonzero(pl.X)) {
+    if (ge25519_has_small_order(ed25519_pk) != 0 ||
+        ge25519_frombytes_negate_vartime(&A, ed25519_pk) != 0 ||
+        ge25519_is_on_main_subgroup(&A) == 0) {
         return -1;
     }
-    fe_1(one_minus_y);
-    fe_sub(one_minus_y, one_minus_y, A.Y);
-    fe_invert(one_minus_y, one_minus_y);
-    fe_1(x);
-    fe_add(x, x, A.Y);
-    fe_mul(x, x, one_minus_y);
-    fe_tobytes(curve25519_pk, x);
+    fe25519_1(one_minus_y);
+    fe25519_sub(one_minus_y, one_minus_y, A.Y);
+    fe25519_invert(one_minus_y, one_minus_y);
+    fe25519_1(x);
+    fe25519_add(x, x, A.Y);
+    fe25519_mul(x, x, one_minus_y);
+    fe25519_tobytes(curve25519_pk, x);
 
     return 0;
 }
@@ -76,9 +76,11 @@ crypto_sign_ed25519_sk_to_curve25519(unsigned char *curve25519_sk,
 {
     unsigned char h[crypto_hash_sha512_BYTES];
 
-    crypto_hash_sha512(h, ed25519_sk,
-                       crypto_sign_ed25519_SECRETKEYBYTES -
-                       crypto_sign_ed25519_PUBLICKEYBYTES);
+#ifdef ED25519_NONDETERMINISTIC
+    memcpy(h, ed25519_sk, 32);
+#else
+    crypto_hash_sha512(h, ed25519_sk, 32);
+#endif
     h[0] &= 248;
     h[31] &= 127;
     h[31] |= 64;

data/vendor/libsodium/src/libsodium/crypto_sign/ed25519/ref10/obsolete.c

@@ -6,7 +6,7 @@
 #include "crypto_hash_sha512.h"
 #include "crypto_sign_edwards25519sha512batch.h"
 #include "crypto_verify_32.h"
-#include "private/curve25519_ref10.h"
+#include "private/ed25519_ref10.h"
 #include "randombytes.h"
 #include "utils.h"
 
@@ -14,15 +14,15 @@ int
 crypto_sign_edwards25519sha512batch_keypair(unsigned char *pk,
                                             unsigned char *sk)
 {
-    ge_p3 A;
+    ge25519_p3 A;
 
     randombytes_buf(sk, 32);
     crypto_hash_sha512(sk, sk, 32);
     sk[0] &= 248;
-    sk[31] &= 63;
+    sk[31] &= 127;
     sk[31] |= 64;
-    ge_scalarmult_base(&A, sk);
-    ge_p3_tobytes(pk, &A);
+    ge25519_scalarmult_base(&A, sk);
+    ge25519_p3_tobytes(pk, &A);
 
     return 0;
 }
@@ -38,24 +38,24 @@ crypto_sign_edwards25519sha512batch(unsigned char       *sm,
     unsigned char            nonce[64];
     unsigned char            hram[64];
     unsigned char            sig[64];
-    ge_p3                    A;
-    ge_p3                    R;
+    ge25519_p3               A;
+    ge25519_p3               R;
 
     crypto_hash_sha512_init(&hs);
     crypto_hash_sha512_update(&hs, sk + 32, 32);
     crypto_hash_sha512_update(&hs, m, mlen);
     crypto_hash_sha512_final(&hs, nonce);
-    ge_scalarmult_base(&A, sk);
-    ge_p3_tobytes(sig + 32, &A);
-    sc_reduce(nonce);
-    ge_scalarmult_base(&R, nonce);
-    ge_p3_tobytes(sig, &R);
+    ge25519_scalarmult_base(&A, sk);
+    ge25519_p3_tobytes(sig + 32, &A);
+    sc25519_reduce(nonce);
+    ge25519_scalarmult_base(&R, nonce);
+    ge25519_p3_tobytes(sig, &R);
     crypto_hash_sha512_init(&hs);
     crypto_hash_sha512_update(&hs, sig, 32);
     crypto_hash_sha512_update(&hs, m, mlen);
     crypto_hash_sha512_final(&hs, hram);
-    sc_reduce(hram);
-    sc_muladd(sig + 32, hram, nonce, sk);
+    sc25519_reduce(hram);
+    sc25519_muladd(sig + 32, hram, nonce, sk);
     sodium_memzero(hram, sizeof hram);
     memmove(sm + 32, m, (size_t) mlen);
     memcpy(sm, sig, 32);
@@ -75,12 +75,12 @@ crypto_sign_edwards25519sha512batch_open(unsigned char       *m,
     unsigned char      h[64];
     unsigned char      t1[32], t2[32];
     unsigned long long mlen;
-    ge_cached          Ai;
-    ge_p1p1            csa;
-    ge_p2              cs;
-    ge_p3              A;
-    ge_p3              R;
-    ge_p3              cs3;
+    ge25519_cached     Ai;
+    ge25519_p1p1       csa;
+    ge25519_p2         cs;
+    ge25519_p3         A;
+    ge25519_p3         R;
+    ge25519_p3         cs3;
 
     *mlen_p = 0;
     if (smlen < 64 || smlen - 64 > crypto_sign_edwards25519sha512batch_MESSAGEBYTES_MAX) {
@@ -90,20 +90,22 @@ crypto_sign_edwards25519sha512batch_open(unsigned char       *m,
     if (sm[smlen - 1] & 224) {
         return -1;
     }
-    if (ge_frombytes_negate_vartime(&A, pk) != 0 ||
-        ge_frombytes_negate_vartime(&R, sm) != 0) {
+    if (ge25519_has_small_order(pk) != 0 ||
+        ge25519_frombytes_negate_vartime(&A, pk) != 0 ||
+        ge25519_has_small_order(sm) != 0 ||
+        ge25519_frombytes_negate_vartime(&R, sm) != 0) {
         return -1;
     }
-    ge_p3_to_cached(&Ai, &A);
+    ge25519_p3_to_cached(&Ai, &A);
     crypto_hash_sha512(h, sm, mlen + 32);
-    sc_reduce(h);
-    ge_scalarmult_vartime(&cs3, h, &R);
-    ge_add(&csa, &cs3, &Ai);
-    ge_p1p1_to_p2(&cs, &csa);
-    ge_tobytes(t1, &cs);
+    sc25519_reduce(h);
+    ge25519_scalarmult(&cs3, h, &R);
+    ge25519_add(&csa, &cs3, &Ai);
+    ge25519_p1p1_to_p2(&cs, &csa);
+    ge25519_tobytes(t1, &cs);
     t1[31] ^= 1 << 7;
-    ge_scalarmult_base(&R, sm + 32 + mlen);
-    ge_p3_tobytes(t2, &R);
+    ge25519_scalarmult_base(&R, sm + 32 + mlen);
+    ge25519_p3_tobytes(t2, &R);
     if (crypto_verify_32(t1, t2) != 0) {
         return -1;
     }

data/vendor/libsodium/src/libsodium/crypto_sign/ed25519/ref10/open.c

@@ -6,107 +6,10 @@
 #include "crypto_hash_sha512.h"
 #include "crypto_sign_ed25519.h"
 #include "crypto_verify_32.h"
-#include "ed25519_ref10.h"
-#include "private/curve25519_ref10.h"
+#include "sign_ed25519_ref10.h"
+#include "private/ed25519_ref10.h"
 #include "utils.h"
 
-#ifndef ED25519_COMPAT
-static int
-crypto_sign_check_S_lt_L(const unsigned char *S)
-{
-    /* 2^252+27742317777372353535851937790883648493 */
-    static const unsigned char L[32] = {
-        0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7,
-        0xa2, 0xde, 0xf9, 0xde, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10
-    };
-    unsigned char c = 0;
-    unsigned char n = 1;
-    unsigned int  i = 32;
-
-    do {
-        i--;
-        c |= ((S[i] - L[i]) >> 8) & n;
-        n &= ((S[i] ^ L[i]) - 1) >> 8;
-    } while (i != 0);
-
-    return -(c == 0);
-}
-
-int
-_crypto_sign_ed25519_small_order(const unsigned char p[32])
-{
-    CRYPTO_ALIGN(16)
-    static const unsigned char blacklist[][32] = {
-        /* 0 (order 4) */
-        { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
-        /* 1 (order 1) */
-        { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
-        /* 2707385501144840649318225287225658788936804267575313519463743609750303402022
-           (order 8) */
-        { 0x26, 0xe8, 0x95, 0x8f, 0xc2, 0xb2, 0x27, 0xb0, 0x45, 0xc3, 0xf4,
-          0x89, 0xf2, 0xef, 0x98, 0xf0, 0xd5, 0xdf, 0xac, 0x05, 0xd3, 0xc6,
-          0x33, 0x39, 0xb1, 0x38, 0x02, 0x88, 0x6d, 0x53, 0xfc, 0x05 },
-        /* 55188659117513257062467267217118295137698188065244968500265048394206261417927
-           (order 8) */
-        { 0xc7, 0x17, 0x6a, 0x70, 0x3d, 0x4d, 0xd8, 0x4f, 0xba, 0x3c, 0x0b,
-          0x76, 0x0d, 0x10, 0x67, 0x0f, 0x2a, 0x20, 0x53, 0xfa, 0x2c, 0x39,
-          0xcc, 0xc6, 0x4e, 0xc7, 0xfd, 0x77, 0x92, 0xac, 0x03, 0x7a },
-        /* p-1 (order 2) */
-        { 0x13, 0xe8, 0x95, 0x8f, 0xc2, 0xb2, 0x27, 0xb0, 0x45, 0xc3, 0xf4,
-          0x89, 0xf2, 0xef, 0x98, 0xf0, 0xd5, 0xdf, 0xac, 0x05, 0xd3, 0xc6,
-          0x33, 0x39, 0xb1, 0x38, 0x02, 0x88, 0x6d, 0x53, 0xfc, 0x85 },
-        /* p (order 4) */
-        { 0xb4, 0x17, 0x6a, 0x70, 0x3d, 0x4d, 0xd8, 0x4f, 0xba, 0x3c, 0x0b,
-          0x76, 0x0d, 0x10, 0x67, 0x0f, 0x2a, 0x20, 0x53, 0xfa, 0x2c, 0x39,
-          0xcc, 0xc6, 0x4e, 0xc7, 0xfd, 0x77, 0x92, 0xac, 0x03, 0xfa },
-        /* p+1 (order 1) */
-        { 0xec, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-          0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-          0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
-        /* p+2707385501144840649318225287225658788936804267575313519463743609750303402022
-           (order 8) */
-        { 0xed, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-          0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-          0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
-        /* p+55188659117513257062467267217118295137698188065244968500265048394206261417927
-           (order 8) */
-        { 0xee, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-          0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-          0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
-        /* 2p-1 (order 2) */
-        { 0xd9, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-          0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-          0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
-        /* 2p (order 4) */
-        { 0xda, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-          0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-          0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
-        /* 2p+1 (order 1) */
-        { 0xdb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-          0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-          0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }
-    };
-    size_t        i, j;
-    unsigned char c;
-
-    for (i = 0; i < sizeof blacklist / sizeof blacklist[0]; i++) {
-        c = 0;
-        for (j = 0; j < 32; j++) {
-            c |= p[j] ^ blacklist[i][j];
-        }
-        if (c == 0) {
-            return 1;
-        }
-    }
-    return 0;
-}
-#endif
-
 int
 _crypto_sign_ed25519_verify_detached(const unsigned char *sig,
                                      const unsigned char *m,
@@ -117,14 +20,15 @@ _crypto_sign_ed25519_verify_detached(const unsigned char *sig,
     crypto_hash_sha512_state hs;
     unsigned char            h[64];
     unsigned char            rcheck[32];
-    unsigned int             i;
-    unsigned char            d = 0;
-    ge_p3                    A;
-    ge_p2                    R;
+    ge25519_p3               A;
+    ge25519_p2               R;
 
 #ifndef ED25519_COMPAT
-    if (crypto_sign_check_S_lt_L(sig + 32) != 0 ||
-        _crypto_sign_ed25519_small_order(sig) != 0) {
+    if (sc25519_is_canonical(sig + 32) == 0 ||
+        ge25519_has_small_order(sig) != 0) {
+        return -1;
+    }
+    if (ge25519_is_canonical(pk) == 0) {
         return -1;
     }
 #else
@@ -132,13 +36,8 @@ _crypto_sign_ed25519_verify_detached(const unsigned char *sig,
         return -1;
     }
 #endif
-    if (ge_frombytes_negate_vartime(&A, pk) != 0) {
-        return -1;
-    }
-    for (i = 0; i < 32; ++i) {
-        d |= pk[i];
-    }
-    if (d == 0) {
+    if (ge25519_has_small_order(pk) != 0 ||
+        ge25519_frombytes_negate_vartime(&A, pk) != 0) {
         return -1;
     }
     _crypto_sign_ed25519_ref10_hinit(&hs, prehashed);
@@ -146,10 +45,10 @@ _crypto_sign_ed25519_verify_detached(const unsigned char *sig,
     crypto_hash_sha512_update(&hs, pk, 32);
     crypto_hash_sha512_update(&hs, m, mlen);
     crypto_hash_sha512_final(&hs, h);
-    sc_reduce(h);
+    sc25519_reduce(h);
 
-    ge_double_scalarmult_vartime(&R, h, &A, sig + 32);
-    ge_tobytes(rcheck, &R);
+    ge25519_double_scalarmult_vartime(&R, h, &A, sig + 32);
+    ge25519_tobytes(rcheck, &R);
 
     return crypto_verify_32(rcheck, sig) | (-(rcheck == sig)) |
            sodium_memcmp(sig, rcheck, 32);