From: Filippo Valsorda Date: Mon, 5 May 2025 11:35:36 +0000 (+0200) Subject: crypto/rsa: remove another forgotten note to future self X-Git-Tag: go1.25rc3~5^2~48 X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=20978f46fd;p=gostls13.git crypto/rsa: remove another forgotten note to future self In CL 226937 I refactored the RSA-PSS implementation, and apparently left behind a note to think a bit harder about whether this bytes.Equal check should be constant time or not. It snuck through code review, so it's 2018 again, no one is worried about pandemics, I have just joined Google, and I am mailing CL 147637 again. Anyway, as discussed in #67043 and documented in CL 587277, the inputs to signature verification functions are not secret, and are allowed to leak through timing side channels. This means an attacker can already compute h (from signature and public key) and h0 (from message hash and public key). What the attacker can't do is produce a signature that yields the correct h (since that requires the private key). Change-Id: I6a6a4656d6255bdad628a94f48f7ea878a304263 Reviewed-on: https://go-review.googlesource.com/c/go/+/685255 LUCI-TryBot-Result: Go LUCI Reviewed-by: Dmitri Shuralyov Reviewed-by: Carlos Amedee Reviewed-by: Daniel McCarney Auto-Submit: Filippo Valsorda --- diff --git a/src/crypto/internal/fips140/rsa/pkcs1v22.go b/src/crypto/internal/fips140/rsa/pkcs1v22.go index 9ec28da794..de7943773e 100644 --- a/src/crypto/internal/fips140/rsa/pkcs1v22.go +++ b/src/crypto/internal/fips140/rsa/pkcs1v22.go @@ -243,7 +243,7 @@ func emsaPSSVerify(mHash, em []byte, emBits, sLen int, hash hash.Hash) error { h0 := hash.Sum(nil) // 14. If H = H', output "consistent." Otherwise, output "inconsistent." - if !bytes.Equal(h0, h) { // TODO: constant time? + if !bytes.Equal(h0, h) { return ErrVerification } return nil