From a1bbcbd5a82081bd79fa916a8ea803c3ac1b2433 Mon Sep 17 00:00:00 2001
From: Sudhi Herle <sudhi@herle.net>
Date: Sat, 19 Oct 2019 14:42:19 -0700
Subject: [PATCH] Fixed slice aliasing error in signature creation

---
 sign/sign.go      |  9 ++++++---
 sign/sign_test.go | 12 ++++++------
 2 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/sign/sign.go b/sign/sign.go
index 87d08ef..8525049 100644
--- a/sign/sign.go
+++ b/sign/sign.go
@@ -344,10 +344,13 @@ func (sk *PrivateKey) SignMessage(ck []byte, comment string) (*Signature, error)
 		return nil, fmt.Errorf("can't sign %x: %s", ck, err)
 	}
 
-	return &Signature{
+	ss := &Signature{
 		Sig:    sig,
-		pkhash: sk.pk.hash,
-	}, nil
+		pkhash: make([]byte, len(sk.pk.hash)),
+	}
+
+	copy(ss.pkhash, sk.pk.hash)
+	return ss, nil
 }
 
 // Read and sign a file
diff --git a/sign/sign_test.go b/sign/sign_test.go
index 7174e3d..b29de39 100644
--- a/sign/sign_test.go
+++ b/sign/sign_test.go
@@ -14,7 +14,6 @@
 package sign
 
 import (
-	"crypto/rand"
 	"crypto/subtle"
 	"fmt"
 	"io/ioutil"
@@ -55,7 +54,7 @@ func tempdir(t *testing.T) string {
 	var b [10]byte
 
 	dn := os.TempDir()
-	rand.Read(b[:])
+	randread(b[:])
 
 	tmp := path.Join(dn, fmt.Sprintf("%x", b[:]))
 	err := os.MkdirAll(tmp, 0755)
@@ -91,6 +90,7 @@ r: 8
 p: 1
 `
 
+
 // #1. Create new key pair, and read them back.
 func Test0(t *testing.T) {
 	assert := newAsserter(t)
@@ -154,7 +154,7 @@ func Test1(t *testing.T) {
 
 	var ck [64]byte // simulates sha512 sum
 
-	rand.Read(ck[:])
+	randread(ck[:])
 
 	pk := &kp.Pub
 	sk := &kp.Sec
@@ -167,7 +167,7 @@ func Test1(t *testing.T) {
 	assert(ss.IsPKMatch(pk), "pk match fail")
 
 	// Corrupt the pkhash and see
-	rand.Read(ss.pkhash[:])
+	randread(ss.pkhash)
 	assert(!ss.IsPKMatch(pk), "corrupt pk match fail")
 
 	// Incorrect checksum == should fail verification
@@ -204,7 +204,7 @@ func Test1(t *testing.T) {
 	assert(err == nil, "file.dat creat file")
 
 	for i := 0; i < 8; i++ {
-		rand.Read(buf[:])
+		randread(buf[:])
 		n, err := fd.Write(buf[:])
 		assert(err == nil, fmt.Sprintf("file.dat write fail: %s", err))
 		assert(n == 8192, fmt.Sprintf("file.dat i/o fail: exp 8192 saw %v", n))
@@ -300,7 +300,7 @@ func benchVerify(b *testing.B, buf []byte, sig *Signature, pk *PublicKey) {
 
 func randbuf(sz uint) []byte {
 	b := make([]byte, sz)
-	rand.Read(b)
+	randread(b)
 	return b
 }