chacha20poly1305: verify tag in constant time

2026-01-21 06:45:24 +00:00 · 2019-11-05 11:51:16 -05:00 · 2019-11-05 11:51:16 -05:00 · ae7bb4ecc0
commit ae7bb4ecc0
parent fbe7d8c1cb
1 changed files with 8 additions and 2 deletions
--- a/lib/std/crypto/chacha20.zig
+++ b/lib/std/crypto/chacha20.zig
@ -503,8 +503,14 @@ pub fn chacha20poly1305Open(dst: []u8, ciphertext: []const u8, data: []const u8,
    var computedTag: [16]u8 = undefined;
    mac.final(computedTag[0..]);

-    // verify mac
-    if (!mem.eql(u8, polyTag, computedTag[0..])) {
+    // verify mac in constant time
+    // TODO: we can't currently guarantee that this will run in constant time.
+    // See https://github.com/ziglang/zig/issues/1776
+    var acc: u8 = 0;
+    for (computedTag) |_, i| {
+        acc |= (computedTag[i] ^ polyTag[i]);
+    }
+    if (acc != 0) {
        return false;
    }