RustCrypto · radik878 · Sep 2, 2025 · Sep 14, 2025 · Sep 14, 2025 · Sep 14, 2025
diff --git a/ed448-goldilocks/src/sign/verifying_key.rs b/ed448-goldilocks/src/sign/verifying_key.rs
@@ -279,9 +279,14 @@ impl VerifyingKey {
             return Err(SigningError::InvalidSignatureSComponent.into());
         }
 
+        // RFC 8032 mandates context length <= 255 bytes. Enforce consistently with signing path.
+        if ctx.len() > 255 {
+            return Err(SigningError::PrehashedContextLength.into());
+        }
+
         // SHAKE256(dom4(F, C) || R || A || PH(M), 114) -> scalar k
         let mut bytes = WideEdwardsScalarBytes::default();
-        let ctx_len = ctx.len() as u8;
+        let ctx_len = u8::try_from(ctx.len()).map_err(|_| SigningError::PrehashedContextLength.into())?;
         let mut reader = Shake256::default()
             .chain(HASH_HEAD)
             .chain([phflag])