crypto: use constant time compare when decoding private keys

In practice, this is impossible to exploit without being able to corrupt the private key which would allow a much simpler guess-and-check attack. However, it's still a bad practice to compare private key material like this.

crypto: use constant time compare when decoding private keys
In practice, this is impossible to exploit without being able to corrupt the private key which would allow a much simpler guess-and-check attack. However, it's still a bad practice to compare private key material like this.
947196bb · Steven Allen · 3b4a4b47 · 947196bb
Commit 947196bb authored Sep 24, 2019 by Steven Allen
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

crypto/ed25519.go crypto/ed25519.go +1 -1

No files found.
--- a/crypto/ed25519.go
+++ b/crypto/ed25519.go
@@ -132,7 +132,7 @@ func UnmarshalEd25519PrivateKey(data []byte) (PrivKey, error) {
 		// Remove the redundant public key. See issue #36.
 		redundantPk := data[ed25519.PrivateKeySize:]
 		pk := data[ed25519.PrivateKeySize-ed25519.PublicKeySize : ed25519.PrivateKeySize]
-		if !bytes.Equal(pk, redundantPk) {
+		if subtle.ConstantTimeCompare(pk, redundantPk) == 0 {
 			return nil, errors.New("expected redundant ed25519 public key to be redundant")
 		}