From 1139fd2e6acb1ed61a12f4e2481c8c11bc3e373a Mon Sep 17 00:00:00 2001
From: Loup Vaillant
Date: Sat, 23 Jun 2018 19:30:01 +0200
Subject: [PATCH] Added anti-forgery tests for EdDSA

Note how EdDSA fails miserably to reject all-zero signatures. This is the first critical vulnerability since 1.0.
---
 tests/test.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/tests/test.c b/tests/test.c
index 302783b..0f50d13 100644
--- a/tests/test.c
+++ b/tests/test.c
@@ -596,6 +596,12 @@ static int p_eddsa_roundtrip()
 u8 pk [32]; crypto_sign_public_key(pk, sk);
 u8 signature[64]; crypto_sign(signature, sk, pk, message, i);
 status |= crypto_check(signature, pk, message, i);
+
+ // reject forgeries
+ u8 zero [64] = {0};
+ u8 forgery[64]; FOR (i, 0, 64) { forgery[i] = signature[i] + 1; }
+ status |= !crypto_check(zero , pk, message, i);
+ status |= !crypto_check(forgery, pk, message, i);
 }
 printf("%s: EdDSA (roundtrip)\n", status != 0 ? "FAILED" : "OK");
 return status;
--
2.47.3
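Review bot: The `forgery` case in p_eddsa_roundtrip alters all 64 signature bytes at once, so it passes as long as any single part of verification notices a change; a verifier that ignored only one half of the signature would still get through. Corrupting one byte per case would pin this down, for example `forgery[0] ^= 1;` on one copy of `signature` and `forgery[63] ^= 1;` on another, plus a case that checks the genuine signature against an altered message. The inner `FOR (i, 0, 64)` also reuses the enclosing loop's `i`; the macro's definition is not visible here, so presumably it declares its own variable and only shadows, but a separate name such as `j` would make it plain that `message, i` in the two new `crypto_check` calls is still the message length. The function's body starts and ends outside the hunk.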