From 7340ebcae3d1dee31b43bdd74d74492d0436d508 Mon Sep 17 00:00:00 2001
From: Sergey Biryukov <sergeybiryukov.ru@gmail.com>
Date: Tue, 30 Dec 2025 22:55:37 +0000
Subject: [PATCH] Upgrade/Install: Update sodium_compat to v1.24.0.

The latest version includes a security fix to ensure that the public key is on the prime order subgroup.

References:
* [https://github.com/paragonie/sodium_compat/releases/tag/v1.24.0 sodium_compat 1.24.0 release notes]
* [https://github.com/paragonie/sodium_compat/compare/v1.23.0...v1.24.0 Full list of changes in sodium_compat 1.24.0]

Follow-up to [55699], [58752], [58753], [60787], [60905].

Props paragoninitiativeenterprises, johnbillion, SergeyBiryukov.
Fixes #64462.
Built from https://develop.svn.wordpress.org/trunk@61419


git-svn-id: http://core.svn.wordpress.org/trunk@60731 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 .../sodium_compat/src/Core/Ed25519.php        | 26 ++++++++++++++++---
 wp-includes/sodium_compat/src/File.php        |  6 +++++
 wp-includes/version.php                       |  2 +-
 3 files changed, 29 insertions(+), 5 deletions(-)

diff --git a/wp-includes/sodium_compat/src/Core/Ed25519.php b/wp-includes/sodium_compat/src/Core/Ed25519.php
index 01457bad46..bf6b5cfbd7 100644
--- a/wp-includes/sodium_compat/src/Core/Ed25519.php
+++ b/wp-includes/sodium_compat/src/Core/Ed25519.php
@@ -106,6 +106,22 @@ abstract class ParagonIE_Sodium_Core_Ed25519 extends ParagonIE_Sodium_Core_Curve
         return self::sk_to_pk($sk);
     }
 
+    /**
+     * Returns TRUE if $A represents a point on the order of the Edwards25519 prime order subgroup.
+     * Returns FALSE if $A is on a different subgroup.
+     *
+     * @param ParagonIE_Sodium_Core_Curve25519_Ge_P3 $A
+     * @return bool
+     *
+     * @throws SodiumException
+     */
+    public static function is_on_main_subgroup(ParagonIE_Sodium_Core_Curve25519_Ge_P3 $A)
+    {
+        $p1 = self::ge_mul_l($A);
+        $t = self::fe_sub($p1->Y, $p1->Z);
+        return self::fe_isnonzero($p1->X) && self::fe_isnonzero($t);
+    }
+
     /**
      * @param string $pk
      * @return string
@@ -118,9 +134,8 @@ abstract class ParagonIE_Sodium_Core_Ed25519 extends ParagonIE_Sodium_Core_Curve
             throw new SodiumException('Public key is on a small order');
         }
         $A = self::ge_frombytes_negate_vartime(self::substr($pk, 0, 32));
-        $p1 = self::ge_mul_l($A);
-        if (!self::fe_isnonzero($p1->X)) {
-            throw new SodiumException('Unexpected zero result');
+        if (!self::is_on_main_subgroup($A)) {
+            throw new SodiumException('Public key is not on a member of the main subgroup');
         }
 
         # fe_1(one_minus_y);
@@ -287,7 +302,7 @@ abstract class ParagonIE_Sodium_Core_Ed25519 extends ParagonIE_Sodium_Core_Curve
             throw new SodiumException('Argument 3 must be CRYPTO_SIGN_PUBLICKEYBYTES long');
         }
         if ((self::chrToInt($sig[63]) & 240) && self::check_S_lt_L(self::substr($sig, 32, 32))) {
-            throw new SodiumException('S < L - Invalid signature');
+            throw new SodiumException('S >= L - Invalid signature');
         }
         if (self::small_order($sig)) {
             throw new SodiumException('Signature is on too small of an order');
@@ -311,6 +326,9 @@ abstract class ParagonIE_Sodium_Core_Ed25519 extends ParagonIE_Sodium_Core_Curve
 
         /** @var ParagonIE_Sodium_Core_Curve25519_Ge_P3 $A */
         $A = self::ge_frombytes_negate_vartime($pk);
+        if (!self::is_on_main_subgroup($A)) {
+            throw new SodiumException('Public key is not on a member of the main subgroup');
+        }
 
         /** @var string $hDigest */
         $hDigest = hash(
diff --git a/wp-includes/sodium_compat/src/File.php b/wp-includes/sodium_compat/src/File.php
index 80d625fa29..c132a92e25 100644
--- a/wp-includes/sodium_compat/src/File.php
+++ b/wp-includes/sodium_compat/src/File.php
@@ -786,8 +786,14 @@ class ParagonIE_Sodium_File extends ParagonIE_Sodium_Core_Util
         // Set ParagonIE_Sodium_Compat::$fastMult to true to speed up verification.
         ParagonIE_Sodium_Compat::$fastMult = true;
 
+        if (ParagonIE_Sodium_Core_Ed25519::small_order($publicKey)) {
+            throw new SodiumException('Public key has small order');
+        }
         /** @var ParagonIE_Sodium_Core_Curve25519_Ge_P3 $A */
         $A = ParagonIE_Sodium_Core_Ed25519::ge_frombytes_negate_vartime($publicKey);
+        if (!ParagonIE_Sodium_Core_Ed25519::is_on_main_subgroup($A)) {
+            throw new SodiumException('Public key is not on a member of the main subgroup');
+        }
 
         $hs = hash_init('sha512');
         self::hash_update($hs, self::substr($sig, 0, 32));
diff --git a/wp-includes/version.php b/wp-includes/version.php
index ac2047f6ae..c6c5a0e35e 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '7.0-alpha-61418';
+$wp_version = '7.0-alpha-61419';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.