Diffstat (limited to 'lib/std')
-rw-r--r--lib/std/crypto/chacha20.zig10
1 files changed, 8 insertions, 2 deletions
diff --git a/lib/std/crypto/chacha20.zig b/lib/std/crypto/chacha20.zig
index eaa1fc03c2..18ea7a2bfe 100644
--- a/lib/std/crypto/chacha20.zig
+++ b/lib/std/crypto/chacha20.zig
@@ -503,8 +503,14 @@ pub fn chacha20poly1305Open(dst: []u8, ciphertext: []const u8, data: []const u8,
var computedTag: [16]u8 = undefined;
mac.final(computedTag[0..]);
- // verify mac
- if (!mem.eql(u8, polyTag, computedTag[0..])) {
+ // verify mac in constant time
+ // TODO: we can't currently guarantee that this will run in constant time.
+ // See https://github.com/ziglang/zig/issues/1776
+ var acc: u8 = 0;
+ for (computedTag) |_, i| {
+ acc |= (computedTag[i] ^ polyTag[i]);
+ }
+ if (acc != 0) {
return false;
}
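Review bot: The new loop indexes `polyTag[i]` for every position of `computedTag`, so unlike the removed `mem.eql` call, which returns false when the slice lengths differ, it depends on `polyTag` being exactly 16 bytes. `polyTag` is defined above this hunk, so that may already hold; if the slicing there does not guarantee it, add `if (polyTag.len != computedTag.len) return false;` before the loop. The lengths are public, so that check does not affect the timing property. It would also help to move the XOR-accumulate comparison into a small private helper, so the eventual fix for the linked issue lands in one place rather than in each tag check. The body of chacha20poly1305Open starts and ends outside the hunk.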