Implement constant time comparison for SecretKey

tcharding · tcharding · commit 7cf3c6c8a4ba · 2022-11-22T10:27:54.000+11:00
The current implementation of `PartialEq` leaks data because it is not
constant time.

Attempt to make the `PartialEq` implementation constant time.
diff --git a/src/key.rs b/src/key.rs
@@ -61,9 +61,12 @@ pub struct SecretKey([u8; constants::SECRET_KEY_SIZE]);
 impl_display_secret!(SecretKey);
 
 impl PartialEq for SecretKey {
+    /// This implementation is designed to be constant time to help prevent side channel attacks.
     #[inline]
     fn eq(&self, other: &Self) -> bool {
-        self[..] == other[..]
+        let accum = self.0.iter().zip(&other.0)
+            .fold(0, |accum, (a, b)| accum | a ^ b);
+        unsafe { core::ptr::read_volatile(&accum) == 0 }
     }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -61,9 +61,12 @@ pub struct SecretKey([u8; constants::SECRET_KEY_SIZE]);`
`61`	`61`	`impl_display_secret!(SecretKey);`
`62`	`62`
`63`	`63`	`impl PartialEq for SecretKey {`
	`64`	`+ /// This implementation is designed to be constant time to help prevent side channel attacks.`
`64`	`65`	`#[inline]`
`65`	`66`	`fn eq(&self, other: &Self) -> bool {`
`66`		`- self[..] == other[..]`
	`67`	`+ let accum = self.0.iter().zip(&other.0)`
	`68`	`+ .fold(0, \|accum, (a, b)\| accum \| a ^ b);`
	`69`	`+ unsafe { core::ptr::read_volatile(&accum) == 0 }`
`67`	`70`	`}`
`68`	`71`	`}`
`69`	`72`