From ac78283e72209a04a73545e007e579fd3765f736 Mon Sep 17 00:00:00 2001
From: Loup Vaillant
Date: Wed, 18 Aug 2021 20:54:01 +0200
Subject: [PATCH] ge_frombytes_vartime() does not parse (0, 1)

But that's okay, because that point has low order.
---
 src/monocypher.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/monocypher.c b/src/monocypher.c
index 4205814..79f7e85 100644
--- a/src/monocypher.c
+++ b/src/monocypher.c
@@ -1758,6 +1758,12 @@ static void ge_tobytes(u8 s[32], const ge *h)
 // isr = invsqrt(num * den) // abort if not square
 // x = num * isr
 // Finally, negate x if its sign is not as specified.
+//
+// Note that using invsqrt causes this function to fail when y = 1.
+// The point (0, 1) *is* on the curve, so in principle we should not
+// reject it. However, we are only using it to read EdDSA public keys,
+// And the legitimate ones never have low order. Indeed, some libraries
+// reject *all* low order points, on purpose.
 static int ge_frombytes_vartime(ge *h, const u8 s[32])
 {
 fe_frombytes(h->Y, s, 1);
-- 
2.47.3
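Review bot: The new comment above ge_frombytes_vartime() never says that rejecting (0, 1) is a side effect of invsqrt rather than a low-order check, and its closing sentence about libraries that reject all low-order points makes that misreading likely. I would add one line to the comment, for example `// This is a side effect, not a low-order check: do not rely on it to filter low-order keys.`. The safety argument also depends on the function only ever decoding EdDSA public keys, so that restriction deserves to be stated as a precondition rather than as an observation about current callers. The mid-sentence capital in "public keys, And the legitimate ones" should become `// and the legitimate ones never have low order.  Indeed, some libraries`. The function body continues outside the hunk, so whether any other encoding reaches the same invsqrt failure cannot be confirmed from here.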