constant_time.go

     1  // Copyright 2009 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package subtle
     6  
     7  import (
     8  	"crypto/internal/constanttime"
     9  	"crypto/internal/fips140deps/byteorder"
    10  	"math/bits"
    11  )
    12  
    13  // ConstantTimeCompare returns 1 if the two slices, x and y, have equal contents
    14  // and 0 otherwise. The time taken is a function of the length of the slices and
    15  // is independent of the contents. If the lengths of x and y do not match it
    16  // returns 0 immediately.
    17  func ConstantTimeCompare(x, y []byte) int {
    18  	if len(x) != len(y) {
    19  		return 0
    20  	}
    21  
    22  	var v byte
    23  
    24  	for i := 0; i < len(x); i++ {
    25  		v |= x[i] ^ y[i]
    26  	}
    27  
    28  	return constanttime.ByteEq(v, 0)
    29  }
    30  
    31  // ConstantTimeLessOrEqBytes returns 1 if x <= y and 0 otherwise. The comparison
    32  // is lexigraphical, or big-endian. The time taken is a function of the length of
    33  // the slices and is independent of the contents. If the lengths of x and y do not
    34  // match it returns 0 immediately.
    35  func ConstantTimeLessOrEqBytes(x, y []byte) int {
    36  	if len(x) != len(y) {
    37  		return 0
    38  	}
    39  
    40  	// Do a constant time subtraction chain y - x.
    41  	// If there is no borrow at the end, then x <= y.
    42  	var b uint64
    43  	for len(x) > 8 {
    44  		x0 := byteorder.BEUint64(x[len(x)-8:])
    45  		y0 := byteorder.BEUint64(y[len(y)-8:])
    46  		_, b = bits.Sub64(y0, x0, b)
    47  		x = x[:len(x)-8]
    48  		y = y[:len(y)-8]
    49  	}
    50  	if len(x) > 0 {
    51  		xb := make([]byte, 8)
    52  		yb := make([]byte, 8)
    53  		copy(xb[8-len(x):], x)
    54  		copy(yb[8-len(y):], y)
    55  		x0 := byteorder.BEUint64(xb)
    56  		y0 := byteorder.BEUint64(yb)
    57  		_, b = bits.Sub64(y0, x0, b)
    58  	}
    59  	return int(b ^ 1)
    60  }
    61  
    62  // ConstantTimeCopy copies the contents of y into x (a slice of equal length)
    63  // if v == 1. If v == 0, x is left unchanged. Its behavior is undefined if v
    64  // takes any other value.
    65  func ConstantTimeCopy(v int, x, y []byte) {
    66  	if len(x) != len(y) {
    67  		panic("subtle: slices have different lengths")
    68  	}
    69  
    70  	xmask := byte(v - 1)
    71  	ymask := byte(^(v - 1))
    72  	for i := 0; i < len(x); i++ {
    73  		x[i] = x[i]&xmask | y[i]&ymask
    74  	}
    75  }
    76
View as plain text