crypto/internal/fips140/edwards25519: make Scalar.SetCanonicalBytes constant time
Internally we only use SetCanonicalBytes as part of Ed25519
verification, where all inputs are public, so it doesn't need to be
constant time.
However, this code is replicated outside of the standard library. Even
there, an attack is not practical, so this should not be considered a
security vulnerability:
- For specific scalars, this only leaks at most four bits of
information, and always the same four bits (so it's not an adaptive
attack).
- For derived scalars, assuming they are valid and uniformly
distributed, the loop would return true on the first iteration with
probability (1 - 2⁻¹²⁷) due to the shape of the scalar field order.
Still, making it constant time is easy enough and saves the next person
from having to think about it.
This was previously reported by Yawning Angel, and then as part of a
security audit.
Change-Id: I6a6a46563c8abecb0b4a6f12033a71c4c4da6fa7
Reviewed-on: https://go-review.googlesource.com/c/go/+/648035
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
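As an added illustration, not code from this change or from the Go standard library: a byte-wise early-exit check with the shape the message describes, beside a constant-time alternative that subtracts the Ed25519 scalar field order l with full borrow propagation and reads the final borrow. The constant l is the standard Ed25519 group order; the function names are chosen here.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"math/bits"
)

// scalarOrderBytes is the Ed25519 scalar field order
// l = 2^252 + 27742317777372353535851937790883648493, little-endian.
var scalarOrderBytes = [32]byte{
	0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
	0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x10,
}

// isReducedVariableTime is a reconstruction (not the stdlib code) of the loop
// shape described in the commit message: it walks from the most significant
// byte down and returns as soon as a byte differs, so the iteration count
// and the exit branch taken depend on the input value.
func isReducedVariableTime(s [32]byte) bool {
	for i := 31; i >= 0; i-- {
		switch {
		case s[i] > scalarOrderBytes[i]:
			return false
		case s[i] < scalarOrderBytes[i]:
			return true
		}
	}
	return false // s == l is not a canonical encoding
}

// isReducedConstantTime computes s - l over four 64-bit limbs, carrying the
// borrow through every limb unconditionally; s < l exactly when the final
// borrow is 1. No branch or memory access depends on the value of s.
func isReducedConstantTime(s [32]byte) bool {
	var borrow uint64
	for i := 0; i < 32; i += 8 {
		x := binary.LittleEndian.Uint64(s[i:])
		l := binary.LittleEndian.Uint64(scalarOrderBytes[i:])
		_, borrow = bits.Sub64(x, l, borrow)
	}
	return borrow == 1
}

func main() {
	var zero [32]byte // the zero scalar is reduced; l itself is not
	fmt.Println(isReducedVariableTime(zero), isReducedConstantTime(zero))
	fmt.Println(isReducedVariableTime(scalarOrderBytes), isReducedConstantTime(scalarOrderBytes))
}
```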