From 84609d874e19e9d2419e07b72e8c8e2d24dcfc3a Mon Sep 17 00:00:00 2001
From: Tom Thorogood <me+google@tomthorogood.co.uk>
Date: Mon, 6 Mar 2023 18:13:45 +1030
Subject: [PATCH] crypto/ed25519: improve Ed25519ctx error for oversized
 contexts

Previously if PrivateKey.Sign was called for Ed25519ctx with a context
longer than 255 bytes, the error message would mention Ed25519ph.

For Ed25519ph, the order of message length vs context length errors now
matches VerifyWithOptions. A message length error will be surfaced in
preference to a context length error. It also preferences hash errors
ahead of context length errors which also matches the behaviour of
VerifyWithOptions.

Change-Id: Iae380b3d879e0a9877ea057806fcd1e0ef7f7376
Reviewed-on: https://go-review.googlesource.com/c/go/+/473595
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
---
 src/crypto/ed25519/ed25519.go | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/crypto/ed25519/ed25519.go b/src/crypto/ed25519/ed25519.go
index a45d056851..a043eaf807 100644
--- a/src/crypto/ed25519/ed25519.go
+++ b/src/crypto/ed25519/ed25519.go
@@ -90,18 +90,21 @@ func (priv PrivateKey) Sign(rand io.Reader, message []byte, opts crypto.SignerOp
 	if opts, ok := opts.(*Options); ok {
 		context = opts.Context
 	}
-	if l := len(context); l > 255 {
-		return nil, errors.New("ed25519: bad Ed25519ph context length: " + strconv.Itoa(l))
-	}
 	switch {
 	case hash == crypto.SHA512: // Ed25519ph
 		if l := len(message); l != sha512.Size {
 			return nil, errors.New("ed25519: bad Ed25519ph message hash length: " + strconv.Itoa(l))
 		}
+		if l := len(context); l > 255 {
+			return nil, errors.New("ed25519: bad Ed25519ph context length: " + strconv.Itoa(l))
+		}
 		signature := make([]byte, SignatureSize)
 		sign(signature, priv, message, domPrefixPh, context)
 		return signature, nil
 	case hash == crypto.Hash(0) && context != "": // Ed25519ctx
+		if l := len(context); l > 255 {
+			return nil, errors.New("ed25519: bad Ed25519ctx context length: " + strconv.Itoa(l))
+		}
 		signature := make([]byte, SignatureSize)
 		sign(signature, priv, message, domPrefixCtx, context)
 		return signature, nil
-- 
2.50.0