chacha20poly1305: verify tag in constant time

author: lukechampine <luke.champine@gmail.com> 2019-11-05 11:51:16 -0500
committer: lukechampine <luke.champine@gmail.com> 2019-12-30 13:34:57 -0500
commit: ae7bb4ecc03d063acc75058f74fcf43b61b5a358 (patch)
tree: d41fc995d68d4e6bba5ff000f148b0c208aa03c5 /lib
parent: fbe7d8c1cbb3fa6a6b080cad97067705cb7da1be (diff)
download: zig-ae7bb4ecc03d063acc75058f74fcf43b61b5a358.tar.gz
zig-ae7bb4ecc03d063acc75058f74fcf43b61b5a358.zip
1 files changed, 8 insertions, 2 deletions
diff --git a/lib/std/crypto/chacha20.zig b/lib/std/crypto/chacha20.zig
index eaa1fc03c2..18ea7a2bfe 100644
--- a/lib/std/crypto/chacha20.zig
+++ b/lib/std/crypto/chacha20.zig
@@ -503,8 +503,14 @@ pub fn chacha20poly1305Open(dst: []u8, ciphertext: []const u8, data: []const u8,
     var computedTag: [16]u8 = undefined;
     mac.final(computedTag[0..]);
 
-    // verify mac
-    if (!mem.eql(u8, polyTag, computedTag[0..])) {
+    // verify mac in constant time
+    // TODO: we can't currently guarantee that this will run in constant time.
+    // See https://github.com/ziglang/zig/issues/1776
+    var acc: u8 = 0;
+    for (computedTag) |_, i| {
+        acc |= (computedTag[i] ^ polyTag[i]);
+    }
+    if (acc != 0) {
         return false;
     }
author	lukechampine <luke.champine@gmail.com>	2019-11-05 11:51:16 -0500
committer	lukechampine <luke.champine@gmail.com>	2019-12-30 13:34:57 -0500
commit	ae7bb4ecc03d063acc75058f74fcf43b61b5a358 (patch)
tree	d41fc995d68d4e6bba5ff000f148b0c208aa03c5 /lib
parent	fbe7d8c1cbb3fa6a6b080cad97067705cb7da1be (diff)
download	zig-ae7bb4ecc03d063acc75058f74fcf43b61b5a358.tar.gz zig-ae7bb4ecc03d063acc75058f74fcf43b61b5a358.zip