From ee8af8cffb42603ead90db6a3d7b7df9f2b2a683 Mon Sep 17 00:00:00 2001
From: Frank Denis <124872+jedisct1@users.noreply.github.com>
Date: Thu, 24 Nov 2022 12:13:37 +0100
Subject: [PATCH] std.crypto.ed25519 incremental signatures: hash the fallback noise (#13643)

If the noise parameter was null, we didn't use any noise at all. We unconditionally generated random noise (`noise2`) but didn't use it. Spotted by @cryptocode, thanks!
---
 lib/std/crypto/25519/ed25519.zig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/std/crypto/25519/ed25519.zig b/lib/std/crypto/25519/ed25519.zig
index 552bd114a1..149191040a 100644
--- a/lib/std/crypto/25519/ed25519.zig
+++ b/lib/std/crypto/25519/ed25519.zig
@@ -318,6 +318,7 @@ pub const Ed25519 = struct {
 h.update(&scalar_and_prefix.prefix);
 var noise2: [noise_length]u8 = undefined;
 crypto.random.bytes(&noise2);
+ h.update(&noise2);
 if (noise) |*z| {
 h.update(z);
 }
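Review bot: The added `h.update(&noise2);` carries no comment explaining why randomness must be absorbed unconditionally, and the patch adds no regression test, so the same omission could silently recur in a later refactor. From the visible lines the hash absorbs only `prefix`, the freshly generated `noise2` and the optional caller-supplied `noise`; if, as the "incremental signatures" subject suggests, `h` is later finalised into the signing nonce before the message is known, then a null `noise` previously left the nonce depending on the key alone, which is exactly the condition that must never hold for Ed25519. A comment such as `// Always absorb fresh randomness: the incremental signer cannot fold the message into the nonce, so without it a caller passing null noise would reuse the same nonce for every message.` would document the invariant next to the line that enforces it. A test that builds two signers for the same key pair with `null` noise, signs two different messages and asserts the resulting signatures' R components differ would pin the fix. The enclosing function starts before and ends after the hunk.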