]> Cypherpunks repositories - gostls13.git/commitdiff
projects / gostls13.git / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: c6cdfda)
crypto/ed25519: improve Ed25519ctx error for oversized contexts
authorTom Thorogood <me+google@tomthorogood.co.uk>
Mon, 6 Mar 2023 07:43:45 +0000 (18:13 +1030)
committerGopher Robot <gobot@golang.org>
Mon, 6 Mar 2023 23:46:08 +0000 (23:46 +0000)
Previously if PrivateKey.Sign was called for Ed25519ctx with a context
longer than 255 bytes, the error message would mention Ed25519ph.

For Ed25519ph, the order of message length vs context length errors now
matches VerifyWithOptions. A message length error will be surfaced in
preference to a context length error. It also preferences hash errors
ahead of context length errors which also matches the behaviour of
VerifyWithOptions.

Change-Id: Iae380b3d879e0a9877ea057806fcd1e0ef7f7376
Reviewed-on: https://go-review.googlesource.com/c/go/+/473595
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
src/crypto/ed25519/ed25519.go patch | blob | history

diff --git a/src/crypto/ed25519/ed25519.go b/src/crypto/ed25519/ed25519.go
index a45d056851257cacd5c43bdcbc7754c5b38fdc41..a043eaf80770e86238223e9363922b0876a2e6d5 100644 (file)
--- a/src/crypto/ed25519/ed25519.go
+++ b/src/crypto/ed25519/ed25519.go
@@ -90,18 +90,21 @@ func (priv PrivateKey) Sign(rand io.Reader, message []byte, opts crypto.SignerOp
        if opts, ok := opts.(*Options); ok {
                context = opts.Context
        }
-       if l := len(context); l > 255 {
-               return nil, errors.New("ed25519: bad Ed25519ph context length: " + strconv.Itoa(l))
-       }
        switch {
        case hash == crypto.SHA512: // Ed25519ph
                if l := len(message); l != sha512.Size {
                        return nil, errors.New("ed25519: bad Ed25519ph message hash length: " + strconv.Itoa(l))
                }
+               if l := len(context); l > 255 {
+                       return nil, errors.New("ed25519: bad Ed25519ph context length: " + strconv.Itoa(l))
+               }
                signature := make([]byte, SignatureSize)
                sign(signature, priv, message, domPrefixPh, context)
                return signature, nil
        case hash == crypto.Hash(0) && context != "": // Ed25519ctx
+               if l := len(context); l > 255 {
+                       return nil, errors.New("ed25519: bad Ed25519ctx context length: " + strconv.Itoa(l))
+               }
                signature := make([]byte, SignatureSize)
                sign(signature, priv, message, domPrefixCtx, context)
                return signature, nil
Go GOST TLS 1.3