Origin: https://github.com/i2p/i2p.i2p/commit/d7d1dcb5399c61cf2916ccc45aa25b0209c88712
From: zzz <zzz@mail.i2p>
Date: Tue, 12 Mar 2019 12:55:58 +0000
Subject: Crypto: Ed25519 check for S < L as in RFC 8032
Forwarded: not-needed

Backport to https://github.com/str4d/ed25519-java
---
diff --git a/src/net/i2p/crypto/eddsa/EdDSAEngine.java b/src/net/i2p/crypto/eddsa/EdDSAEngine.java
index 1f0ba6d..9a1dbf0 100644
--- a/src/net/i2p/crypto/eddsa/EdDSAEngine.java
+++ b/src/net/i2p/crypto/eddsa/EdDSAEngine.java
@@ -12,6 +12,7 @@
 package net.i2p.crypto.eddsa;
 
 import java.io.ByteArrayOutputStream;
+import java.math.BigInteger;
 import java.nio.ByteBuffer;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.InvalidKeyException;
@@ -29,6 +30,7 @@ import java.util.Arrays;
 import net.i2p.crypto.eddsa.math.Curve;
 import net.i2p.crypto.eddsa.math.GroupElement;
 import net.i2p.crypto.eddsa.math.ScalarOps;
+import net.i2p.crypto.eddsa.math.bigint.BigIntegerLittleEndianEncoding;
 import sun.security.x509.X509Key;
 
 /**
@@ -68,6 +70,7 @@ import sun.security.x509.X509Key;
  */
 public final class EdDSAEngine extends Signature {
     public static final String SIGNATURE_ALGORITHM = "NONEwithEdDSA";
+    private static final BigInteger ORDER = new BigInteger("2").pow(252).add(new BigInteger("27742317777372353535851937790883648493"));
 
     private MessageDigest digest;
     private ByteArrayOutputStream baos;
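Review bot: `ORDER` hard-codes the Ed25519 group order, while the verify code in the last hunk of this patch takes its other curve quantities from `key.getParams()` (`getScalarOps()`, `getB()`) and its lengths from `b`. For a key whose parameter spec is not Ed25519, the `S < L` comparison would therefore test against the wrong bound. If only Ed25519 is ever supported that is acceptable, but the constant should say so, for example `// Ed25519 group order L = 2^252 + 27742317777372353535851937790883648493 (RFC 8032 section 5.1); only valid for Ed25519 parameters`. Longer term the order would sit better with the curve parameters, so that the check follows the key.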
@@ -306,6 +309,11 @@ public final class EdDSAEngine extends Signature {
         h = key.getParams().getScalarOps().reduce(h);
 
         byte[] Sbyte = Arrays.copyOfRange(sigBytes, b/8, b/4);
+        // RFC 8032
+        BigInteger Sbigint = (new BigIntegerLittleEndianEncoding()).toBigInteger(Sbyte);
+        if (Sbigint.compareTo(ORDER) >= 0)
+            return false;
+
         // R = SB - H(Rbar,Abar,M)A
         GroupElement R = key.getParams().getB().doubleScalarMultiplyVariableTime(
                 ((EdDSAPublicKey) key).getNegativeA(), h, Sbyte);
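Review bot: The `// RFC 8032` comment above the new range check does not say what is enforced or why. Something like `// RFC 8032 section 5.1.7: reject non-canonical S (S >= L), otherwise the signature is malleable` would make it clear that removing the check is a security regression. The check also constructs a `BigIntegerLittleEndianEncoding` with no field set on every verification. That presumably relies on `toBigInteger` being a plain unsigned little-endian decode that needs no field state and masks no high bits; the class is not part of this patch, so this is worth confirming, because a masked decode would let some out-of-range S values pass. The enclosing method starts and ends outside this hunk.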
