core/crypto: Add constant-time memory comparison routines

Using a constant-time comparison is required when comparing things like MACs, password digests, and etc to avoid exposing sensitive data via trivial timing attacks. These routines could also live under core:mem, but they are somewhat specialized, and are likely only useful for cryptographic applications.
2025-12-31 02:12:04 +00:00 · 2021-11-06 02:36:30 +00:00
parent 9be0d18e5d
commit d1e76ee4f2
1 changed files with 41 additions and 0 deletions
--- a/core/crypto/crypto.odin
+++ b/core/crypto/crypto.odin
@@ -0,0 +1,41 @@
+package crypto
+
+import "core:mem"
+
+// compare_constant_time returns 1 iff a and b are equal, 0 otherwise.
+//
+// The execution time of this routine is constant regardless of the contents
+// of the slices being compared, as long as the length of the slices is equal.
+// If the length of the two slices is different, it will early-return 0.
+compare_constant_time :: proc "contextless" (a, b: []byte) -> int {
+	// If the length of the slices is different, early return.
+	//
+	// This leaks the fact that the slices have a different length,
+	// but the routine is primarily intended for comparing things
+	// like MACS and password digests.
+	n := len(a)
+	if n != len(b) {
+		return 0
+	}
+
+	return compare_byte_ptrs_constant_time(raw_data(a), raw_data(b), n)
+}
+
+// compare_byte_ptrs_constant_time returns 1 iff the bytes pointed to by
+// a and b are equal, 0 otherwise.
+//
+// The execution time of this routine is constant regardless of the
+// contents of the memory being compared.
+compare_byte_ptrs_constant_time :: proc "contextless" (a, b: ^byte, n: int) -> int {
+	x := mem.slice_ptr(a, n)
+	y := mem.slice_ptr(b, n)
+
+	v: byte
+	for i in 0..<n {
+		v |= x[i] ~ y[i]
+	}
+
+	// After the loop, v == 0 iff a == b.  The subtraction will underflow
+	// iff v == 0, setting the sign-bit, which gets returned.
+	return int((u32(v)-1) >> 31)
+}