u8 pk [32]; crypto_sign_public_key(pk, sk);
u8 signature[64]; crypto_sign(signature, sk, pk, message, i);
status |= crypto_check(signature, pk, message, i);
+
+ // reject forgeries
+ u8 zero [64] = {0};
+ u8 forgery[64]; FOR (i, 0, 64) { forgery[i] = signature[i] + 1; }
+ status |= !crypto_check(zero , pk, message, i);
+ status |= !crypto_check(forgery, pk, message, i);
}
printf("%s: EdDSA (roundtrip)\n", status != 0 ? "FAILED" : "OK");
return status;
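Review bot: The inner loop on the `forgery` line reuses the name `i`, which the surrounding lines also pass to crypto_sign() and crypto_check() as the message length. Whether that is harmless depends on the FOR macro, whose definition is outside the hunk: if it declares a fresh variable, the inner `i` only shadows the outer one, but if it assigns to an existing variable, the two new checks run with length 64 and the enclosing loop's counter is overwritten. A distinct index removes the ambiguity: `FOR (j, 0, 64) { forgery[j] = signature[j] + 1; }`. Separately, both negative cases alter every byte of the signature, so they may be rejected by an early decoding or range check; a case that changes a single byte of an otherwise valid signature would also exercise the verification equation itself. The enclosing function and loop begin outside the hunk.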