File libsodium-CVE-2025-15444.patch of Package libsodium.42177
From ad3004ec8731730e93fcfbbc824e67eadc1c1bae Mon Sep 17 00:00:00 2001
From: Frank Denis <github@pureftpd.org>
Date: Mon, 29 Dec 2025 23:22:15 +0100
Subject: [PATCH] core_ed25519_is_valid_point: check Y==Z in addition to X==0
---
src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c | 5 ++++-
test/default/core_ed25519.c | 7 ++++++-
2 files changed, 10 insertions(+), 2 deletions(-)
Index: libsodium-1.0.16/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c
===================================================================
--- libsodium-1.0.16.orig/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c
+++ libsodium-1.0.16/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c
@@ -976,10 +976,13 @@ int
ge25519_is_on_main_subgroup(const ge25519_p3 *p)
{
ge25519_p3 pl;
+ fe25519 t;
ge25519_mul_l(&pl, p);
- return fe25519_iszero(pl.X);
+ fe25519_sub(t, pl.Y, pl.Z);
+
+ return fe25519_iszero(pl.X) & fe25519_iszero(t);
}
int
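Review bot: The new return statement in ge25519_is_on_main_subgroup carries no comment explaining why Y == Z must hold, although that is the entire security point of the fix. After ge25519_mul_l the neutral element has X == 0 and Y == Z, whereas X == 0 alone is also satisfied by the order-2 point (Y == -Z), so the old test accepted inputs carrying that torsion component. I would add above the subtraction `/* l*P must be the neutral element: X == 0 and Y == Z; X == 0 alone also matches the order-2 point where Y == -Z */`. The bitwise `&` evaluates both checks without a branch, which looks intentional, but it relies on fe25519_iszero returning exactly 0 or 1, which this hunk does not show and is worth stating in the comment.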
Index: libsodium-1.0.16/test/default/core_ed25519.c
===================================================================
--- libsodium-1.0.16.orig/test/default/core_ed25519.c
+++ libsodium-1.0.16/test/default/core_ed25519.c
@@ -13,6 +13,10 @@ static const unsigned char max_canonical
0xe4, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f
};
+static const unsigned char not_main_subgroup_p[32] = {
+ 0x95, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99,
+ 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99
+};
static void
add_P(unsigned char * const S)
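Review bot: The new vector `not_main_subgroup_p` has no comment saying which point it encodes or how it was derived, so the regression test cannot be audited from the file alone. From the bytes it appears to be the standard base point with its y coordinate negated and the sign bit set, which would make l*P the order-2 point that the old check missed; please confirm this and record it. Something like `/* valid curve point with an order-2 component: l*P has X == 0 but Y == -Z */` above the array would be enough.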
@@ -107,11 +111,12 @@ main(void)
assert(crypto_core_ed25519_is_valid_point(p) == 0);
p[0] = 9;
- assert(crypto_core_ed25519_is_valid_point(p) == 1);
+ assert(crypto_core_ed25519_is_valid_point(p) == 0);
assert(crypto_core_ed25519_is_valid_point(max_canonical_p) == 1);
assert(crypto_core_ed25519_is_valid_point(non_canonical_invalid_p) == 0);
assert(crypto_core_ed25519_is_valid_point(non_canonical_p) == 0);
+ assert(crypto_core_ed25519_is_valid_point(not_main_subgroup_p) == 0);
memcpy(p2, p, crypto_core_ed25519_BYTES);
add_P(p2);
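Review bot: The expectation after `p[0] = 9;` flips from 1 to 0 without a comment, so a reader cannot tell a deliberate consequence of the stricter subgroup check from a test edited just to pass. Presumably this encoding decodes to a curve point outside the prime-order subgroup that the X == 0-only test used to accept; a line such as `/* on the curve, but not in the main subgroup: rejected now that Y == Z is also checked */` would record that. main() starts and ends outside this hunk, and `p` is still copied into `p2` immediately afterwards. It is therefore worth confirming that the assertions that follow do not assume `p` is a valid point.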