From 5f9953f41ff7761cdf86c211c91de7470425771c Mon Sep 17 00:00:00 2001
From: Frank Denis
Date: Fri, 14 Aug 2020 16:08:26 +0200
Subject: [PATCH] Remove mem.timingSafeEqual() for now

This requires assembly implementations, and is not needed for signature verification.
Thanks @daurnimator
---
 lib/std/crypto/25519/ed25519.zig | 2 +-
 lib/std/mem.zig | 25 -------------------------
 2 files changed, 1 insertion(+), 26 deletions(-)

diff --git a/lib/std/crypto/25519/ed25519.zig b/lib/std/crypto/25519/ed25519.zig
index c5baf37683..f174fd8581 100644
--- a/lib/std/crypto/25519/ed25519.zig
+++ b/lib/std/crypto/25519/ed25519.zig
@@ -96,7 +96,7 @@ pub const Ed25519 = struct {
 
 const p = try a.neg().mul(hram);
 const check = (try Curve.basePoint().mul(s.*)).add(p).toBytes();
- if (mem.timingSafeEqual(u8, &check, r) == false) {
+ if (mem.eql(u8, &check, r) == false) {
 return error.InvalidSignature;
 }
 }
diff --git a/lib/std/mem.zig b/lib/std/mem.zig
index dc26ed3d33..1ba64f47fa 100644
--- a/lib/std/mem.zig
+++ b/lib/std/mem.zig
@@ -334,31 +334,6 @@ test "mem.secureZero" {
 testing.expectEqualSlices(u8, a[0..], b[0..]);
 }
 
-/// Constant-time (for a given length) comparison.
-pub fn timingSafeEqual(comptime T: type, a: []const T, b: []const T) bool {
- const length = a.len;
- if (length != b.len) {
- return false;
- }
- const ap = @ptrCast([*]const volatile T, a.ptr);
- const bp = @ptrCast([*]const volatile T, b.ptr);
- var c: u8 = 0;
- var i: usize = 0;
- while (i < length) : (i += 1) {
- c |= a[i] ^ b[i];
- }
- return c == 0;
-}
-
-test "mem.timingSafeEqual" {
- var a = [_]u8{0xfe} ** 8;
- var b = [_]u8{0xfe} ** 8;
-
- testing.expect(timingSafeEqual(u8, &a, &b));
- a[0] += 1;
- testing.expect(!timingSafeEqual(u8, &a, &b));
-}
-
 /// Initializes all fields of the struct with their default value, or zero values if no default value is present.
 /// If the field is present in the provided initial values, it will have that value instead.
 /// Structs are initialized recursively.
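Review bot: The `+` line in ed25519.zig switches the signature check to a variable-time compare without recording why that is acceptable, and `== false` on a bool is an extra stylistic wrinkle; I would write `if (!mem.eql(u8, &check, r)) {` and precede it with `// Not constant-time, and that is fine here: both operands are public (r arrives with the signature, check is derived from the public key and message), so the compare cannot leak anything secret.` Without that comment a later reader is likely either to "fix" it back to a constant-time compare or to copy this pattern into a site where one operand is secret, such as a MAC tag check, where it would be wrong. That r and s are the two halves of the signature is inferred from the names, and the enclosing verify function starts and ends outside the hunk.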