From 65e7ede4994237f160e8db558e74da113f886f98 Mon Sep 17 00:00:00 2001
From: Frank Denis <github@pureftpd.org>
Date: Wed, 19 Feb 2025 19:25:04 +0100
Subject: [PATCH] crypto.Ed25519.KeyPair: return an error rather than assert

When runtime safety is turned on, `Ed25519.fromSecretKey()` can
currently hit an assertion if the format of the secret key is
invalid.

Return an error instead, so that applications can recover.
---
 lib/std/crypto/25519/ed25519.zig | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/std/crypto/25519/ed25519.zig b/lib/std/crypto/25519/ed25519.zig
index 54fbe2bdab..94dd370d01 100644
--- a/lib/std/crypto/25519/ed25519.zig
+++ b/lib/std/crypto/25519/ed25519.zig
@@ -299,7 +299,9 @@ pub const Ed25519 = struct {
             if (std.debug.runtime_safety) {
                 const pk_p = try Curve.fromBytes(secret_key.publicKeyBytes());
                 const recomputed_kp = try generateDeterministic(secret_key.seed());
-                debug.assert(mem.eql(u8, &recomputed_kp.public_key.toBytes(), &pk_p.toBytes()));
+                if (!mem.eql(u8, &recomputed_kp.public_key.toBytes(), &pk_p.toBytes())) {
+                    return error.NonCanonical;
+                }
             }
             return KeyPair{
                 .public_key = try PublicKey.fromBytes(secret_key.publicKeyBytes()),