From 03bcec583728b0a3c515f3d6ca194aa56284456f Mon Sep 17 00:00:00 2001
From: radik878
Date: Tue, 2 Sep 2025 17:44:21 +0300
Subject: [PATCH 1/4] Enforce RFC 8032 context length in Ed448 verification
---
 ed448-goldilocks/src/sign/verifying_key.rs | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/ed448-goldilocks/src/sign/verifying_key.rs b/ed448-goldilocks/src/sign/verifying_key.rs
index 97933309f..ca7c0e271 100644
--- a/ed448-goldilocks/src/sign/verifying_key.rs
+++ b/ed448-goldilocks/src/sign/verifying_key.rs
@@ -279,6 +279,11 @@ impl VerifyingKey {
 return Err(SigningError::InvalidSignatureSComponent.into());
 }
+ // RFC 8032 mandates context length <= 255 bytes. Enforce consistently with signing path.
+ if ctx.len() > 255 {
+ return Err(SigningError::PrehashedContextLength.into());
+ }
+
 // SHAKE256(dom4(F, C) || R || A || PH(M), 114) -> scalar k
 let mut bytes = WideEdwardsScalarBytes::default();
 let ctx_len = ctx.len() as u8;
From c75ad7607115f12cd55732d2c7a62a842fa8c4f4 Mon Sep 17 00:00:00 2001
From: radik878
Date: Sun, 14 Sep 2025 10:32:33 +0300
Subject: [PATCH 2/4] Update ed448-goldilocks/src/sign/verifying_key.rs
Co-authored-by: Tony Arcieri
---
 ed448-goldilocks/src/sign/verifying_key.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ed448-goldilocks/src/sign/verifying_key.rs b/ed448-goldilocks/src/sign/verifying_key.rs
index ca7c0e271..e9895509d 100644
--- a/ed448-goldilocks/src/sign/verifying_key.rs
+++ b/ed448-goldilocks/src/sign/verifying_key.rs
@@ -286,7 +286,7 @@ impl VerifyingKey {
 // SHAKE256(dom4(F, C) || R || A || PH(M), 114) -> scalar k
 let mut bytes = WideEdwardsScalarBytes::default();
- let ctx_len = ctx.len() as u8;
+ let ctx_len = u8::try_from(ctx.len()).map_err(|_| SigningError::PrehashedContextLength.into())?;
 let mut reader = Shake256::default()
 .chain(HASH_HEAD)
 .chain([phflag])
From 444ac9754553e15f694c37bc4a78a13689a3c6a1 Mon Sep 17 00:00:00 2001
From: radik878
Date: Sun, 14 Sep 2025 22:27:13 +0300
Subject: [PATCH 3/4] Update ed448-goldilocks/src/sign/verifying_key.rs
Co-authored-by: Tony Arcieri
---
 ed448-goldilocks/src/sign/verifying_key.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ed448-goldilocks/src/sign/verifying_key.rs b/ed448-goldilocks/src/sign/verifying_key.rs
index e9895509d..5e53b854f 100644
--- a/ed448-goldilocks/src/sign/verifying_key.rs
+++ b/ed448-goldilocks/src/sign/verifying_key.rs
@@ -286,7 +286,7 @@ impl VerifyingKey {
 // SHAKE256(dom4(F, C) || R || A || PH(M), 114) -> scalar k
 let mut bytes = WideEdwardsScalarBytes::default();
- let ctx_len = u8::try_from(ctx.len()).map_err(|_| SigningError::PrehashedContextLength.into())?;
+ let ctx_len = u8::try_from(ctx.len()).map_err(|_| SigningError::PrehashedContextLength)?;
 let mut reader = Shake256::default()
 .chain(HASH_HEAD)
 .chain([phflag])
From 187f08d3c0a9ca54a4a17900e2d56a6d339aeb97 Mon Sep 17 00:00:00 2001
From: radik878
Date: Sun, 14 Sep 2025 22:27:49 +0300
Subject: [PATCH 4/4] Update verifying_key.rs
---
 ed448-goldilocks/src/sign/verifying_key.rs | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/ed448-goldilocks/src/sign/verifying_key.rs b/ed448-goldilocks/src/sign/verifying_key.rs
index 5e53b854f..d92343685 100644
--- a/ed448-goldilocks/src/sign/verifying_key.rs
+++ b/ed448-goldilocks/src/sign/verifying_key.rs
@@ -279,13 +279,9 @@ impl VerifyingKey {
 return Err(SigningError::InvalidSignatureSComponent.into());
 }
- // RFC 8032 mandates context length <= 255 bytes. Enforce consistently with signing path.
- if ctx.len() > 255 {
- return Err(SigningError::PrehashedContextLength.into());
- }
-
 // SHAKE256(dom4(F, C) || R || A || PH(M), 114) -> scalar k
 let mut bytes = WideEdwardsScalarBytes::default();
+ // RFC 8032 mandates context length <= 255 bytes. Enforce consistently with signing path.
 let ctx_len = u8::try_from(ctx.len()).map_err(|_| SigningError::PrehashedContextLength)?;
 let mut reader = Shake256::default()
 .chain(HASH_HEAD)
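Review bot: The series still adds no regression test for the bound it enforces: nothing exercises a 256-byte context, which is exactly the input that the pre-series `ctx.len() as u8` (visible as context in the first hunk) wrapped to 0 and fed into dom4 as a wrong length byte instead of rejecting. A test that verifies a known-good signature with a 255-byte context and asserts that the same call with a 256-byte context returns `SigningError::PrehashedContextLength` would make the RFC 8032 limit enforceable by CI rather than by code review. Separately, the `PrehashedContextLength` variant is now returned from this shared path regardless of the `phflag` byte hashed a few lines later, so callers using plain Ed448 with a context may find the name misleading; an `# Errors` line on the verifying method, e.g. `/// Returns [`SigningError::PrehashedContextLength`] when `ctx` is longer than 255 bytes (RFC 8032).`, would document the contract. The enclosing verification method starts before and ends after this hunk.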