From 680fa880d63daa6058a084f1c107162e40e18aa8 Mon Sep 17 00:00:00 2001
From: Frank Denis <124872+jedisct1@users.noreply.github.com>
Date: Thu, 22 Jul 2021 01:27:42 +0200
Subject: [PATCH] std.crypto: handle the top bit in 25519.field.fromBytes64() (#9435)

The only known use case for this is the hash-to-curve operation where the top bit is always cleared. But the function is public, so let's make it work as one would expect in the general case. Also fix the comment by the way.
---
 lib/std/crypto/25519/field.zig | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/std/crypto/25519/field.zig b/lib/std/crypto/25519/field.zig
index 33ee36b816..1d67f0a902 100644
--- a/lib/std/crypto/25519/field.zig
+++ b/lib/std/crypto/25519/field.zig
@@ -93,7 +93,7 @@ pub const Fe = struct {
 return s;
 }
 
- /// Map a 64-bit big endian string into a field element
+ /// Map a 64 bytes big endian string into a field element
 pub fn fromBytes64(s: [64]u8) Fe {
 var fl: [32]u8 = undefined;
 var gl: [32]u8 = undefined;
@@ -106,7 +106,7 @@ pub const Fe = struct {
 gl[31] &= 0x7f;
 var fe_f = fromBytes(fl);
 const fe_g = fromBytes(gl);
- fe_f.limbs[0] += (s[32] >> 7) * 19;
+ fe_f.limbs[0] += (s[32] >> 7) * 19 + @as(u10, s[0] >> 7) * 722;
 i = 0;
 while (i < 5) : (i += 1) {
 fe_f.limbs[i] += 38 * fe_g.limbs[i];
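Review bot: The new `722` term on the changed line of the second hunk is neither explained nor exercised: the patch adds no test with bit 511 of the input set, which is precisely the case the commit says was previously dropped, and a reader has to re-derive why 19 and 722 are the right residues. A why-comment on that line such as `// 2^255 ≡ 19 and 2^511 = 2^256 * 2^255 ≡ 38 * 19 = 722 (mod 2^255-19)` makes both constants checkable by eye, and the doc comment changed in the first hunk could state the contract that now holds, e.g. `/// Interpret a 64-byte big-endian string as a 512-bit integer and map it into a field element (reduced mod 2^255-19).` A file-scope regression test pinning that an input whose only set bit is bit 511 maps to the element 722 (little-endian bytes 0xd2, 0x02) would guard the new arithmetic against future limb-layout changes; the expected value is derived from the same congruence, so it is a consistency check rather than an independent vector. fromBytes64 continues past the end of the hunk (the final reduction and return are not visible here), so the test below is placed outside the `Fe` struct.
```zig
        fe_f.limbs[0] += (s[32] >> 7) * 19 + @as(u10, s[0] >> 7) * 722; // 2^255 ≡ 19, 2^511 ≡ 38*19 = 722 (mod 2^255-19)
// … unchanged: rest of fromBytes64 and of Fe …

test "fromBytes64 reduces bit 511 of the input" {
    var s = [_]u8{0} ** 64;
    s[0] = 0x80; // only bit 511 set: 2^511 ≡ 722 (mod 2^255-19)
    var le722 = [_]u8{0} ** 32;
    le722[0] = 0xd2;
    le722[1] = 0x02;
    const expected = Fe.fromBytes(le722).toBytes();
    const actual = Fe.fromBytes64(s).toBytes();
    try std.testing.expectEqualSlices(u8, &expected, &actual);
}
```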