From 20978f46fdf097cf3d9164918441dd296ee274f2 Mon Sep 17 00:00:00 2001
From: Filippo Valsorda
Date: Mon, 5 May 2025 13:35:36 +0200
Subject: [PATCH] crypto/rsa: remove another forgotten note to future self

In CL 226937 I refactored the RSA-PSS implementation, and apparently left behind a note to think a bit harder about whether this bytes.Equal check should be constant time or not. It snuck through code review, so it's 2018 again, no one is worried about pandemics, I have just joined Google, and I am mailing CL 147637 again. Anyway, as discussed in #67043 and documented in CL 587277, the inputs to signature verification functions are not secret, and are allowed to leak through timing side channels. This means an attacker can already compute h (from signature and public key) and h0 (from message hash and public key). What the attacker can't do is produce a signature that yields the correct h (since that requires the private key).

Change-Id: I6a6a4656d6255bdad628a94f48f7ea878a304263
Reviewed-on: https://go-review.googlesource.com/c/go/+/685255
LUCI-TryBot-Result: Go LUCI
Reviewed-by: Dmitri Shuralyov
Reviewed-by: Carlos Amedee
Reviewed-by: Daniel McCarney
Auto-Submit: Filippo Valsorda
---
 src/crypto/internal/fips140/rsa/pkcs1v22.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/crypto/internal/fips140/rsa/pkcs1v22.go b/src/crypto/internal/fips140/rsa/pkcs1v22.go
index 9ec28da794..de7943773e 100644
--- a/src/crypto/internal/fips140/rsa/pkcs1v22.go
+++ b/src/crypto/internal/fips140/rsa/pkcs1v22.go
@@ -243,7 +243,7 @@ func emsaPSSVerify(mHash, em []byte, emBits, sLen int, hash hash.Hash) error {
 	h0 := hash.Sum(nil)
 
 	// 14. If H = H', output "consistent." Otherwise, output "inconsistent."
-	if !bytes.Equal(h0, h) { // TODO: constant time?
+	if !bytes.Equal(h0, h) {
 		return ErrVerification
 	}
 	return nil
-- 
2.50.0
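Review bot: Dropping the TODO on the `bytes.Equal(h0, h)` line leaves no trace in the source of why a variable-time comparison is acceptable here, which is exactly how the question resurfaced once already; the rationale currently lives only in this commit message and the referenced issue. A one-line comment would stop the next reader from re-opening it, e.g. `// Not constant time: verification inputs (signature, public key, message hash) are not secret, so h and h0 may leak; see #67043.` placed above the `if`. This matters because a maintainer adding a "fix" with subtle.ConstantTimeCompare here would be harmless but would also obscure the reasoning, while one removing a constant-time compare elsewhere by analogy could be wrong for a path that does handle secret data. emsaPSSVerify begins before this hunk and its closing brace is after it.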