Potential consensus divergence from Ed25519 edge cases
Ed25519 poses risks in consensus-critical applications, because (a) the spec does not require that implementations agree on whether signatures are valid and (b) in practice, implementations differ from the spec and from each other.
In the context of working to address this issue in Zcash (resulting in ZIP215), I created a set of 196 test vectors, consisting of hex-encoded (public key, signature) pairs on the message b"Zcash". Running these test vectors across various other Ed25519 implementations reveals a wide divergence in behaviour (see 1 2 for additional context).
From a quick look at the Tor source and some tips from Teor, it looks like Tor has four different verification codepaths: ref10 open, and donna open_batch. But I'm not entirely sure whether these are all used, because that requires a deeper knowledge of the codebase than I have.
The test vectors can be found in C-friendly format (thanks to Patrick Steuer) here: https://github.com/p-steuer/ossl-eddsa-tests
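
An added illustration, not code from Tor, Zcash or the linked test vectors: a pure-Python verifier that goes beyond the text to show one concrete source of disagreement, namely that RFC 8032 allows either the cofactored or the cofactorless verification equation. The key, nonce and all function names are constructed for this demo.

```python
import hashlib

P = 2**255 - 19                                        # field prime
L = 2**252 + 27742317777372353535851937790883648493    # prime subgroup order
D = -121665 * pow(121666, -1, P) % P                   # curve constant d
SQRT_M1 = pow(2, (P - 1) // 4, P)

def add(a, b):                       # complete affine twisted-Edwards addition
    (x1, y1), (x2, y2) = a, b
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * pow(1 + t, -1, P) % P,
            (y1 * y2 + x1 * x2) * pow((1 - t) % P, -1, P) % P)

def mul(k, pt):                      # double-and-add, not constant time
    acc = (0, 1)
    while k:
        acc = add(acc, pt) if k & 1 else acc
        pt, k = add(pt, pt), k >> 1
    return acc

def enc(pt):
    return (pt[1] | ((pt[0] & 1) << 255)).to_bytes(32, "little")

def dec(b):                          # minimal decoder: no canonical-y check
    n = int.from_bytes(b, "little")
    y, sign = n & (2**255 - 1), n >> 255
    x2 = (y * y - 1) * pow(D * y * y + 1, -1, P) % P
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P:
        x = x * SQRT_M1 % P
    if (x * x - x2) % P:
        return None                  # not on the curve
    return ((P - x) % P if x & 1 != sign else x, y % P)

B = dec((4 * pow(5, -1, P) % P).to_bytes(32, "little"))  # base point, y = 4/5

def h(*parts):
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little") % L

def verify(pk, msg, sig, cofactored):
    A, R, S = dec(pk), dec(sig[:32]), int.from_bytes(sig[32:], "little")
    if A is None or R is None or S >= L:
        return False
    lhs, rhs = mul(S, B), add(R, mul(h(sig[:32], pk, msg), A))
    if cofactored:                   # [8][S]B == [8]R + [8][k]A
        lhs, rhs = mul(8, lhs), mul(8, rhs)
    return lhs == rhs                # cofactorless: [S]B == R + [k]A

def make_vector(msg=b"Zcash", torsion=(0, 1)):  # constructed key and nonce
    a, r = h(b"demo key"), h(b"demo nonce")
    A, R = enc(mul(a, B)), enc(add(mul(r, B), torsion))
    return A, R + ((r + h(R, A, msg) * a) % L).to_bytes(32, "little")
```

With the default identity `torsion` both equations accept the signature; with `torsion=(0, P - 1)`, the order-2 point, only the cofactored check accepts it, so two verifiers that each follow the RFC return different answers for the same bytes.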