mirror of
https://github.com/XTLS/REALITY.git
synced 2025-08-22 14:38:35 +00:00
320c4a6448
For #69536 Change-Id: I2d7b6e7b9932d0f0f582a5ab0bb871395dc2a1e8 Reviewed-on: https://go-review.googlesource.com/c/go/+/626675 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Daniel McCarney <daniel@binaryparadox.net> Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Auto-Submit: Filippo Valsorda <filippo@golang.org>
97 lines
2.6 KiB
Go
97 lines
2.6 KiB
Go
// Copyright 2009 The Go Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
package subtle
|
|
|
|
import (
|
|
"math/bits"
|
|
|
|
"github.com/xtls/reality/byteorder"
|
|
)
|
|
|
|
// ConstantTimeCompare returns 1 if the two slices, x and y, have equal contents
|
|
// and 0 otherwise. The time taken is a function of the length of the slices and
|
|
// is independent of the contents. If the lengths of x and y do not match it
|
|
// returns 0 immediately.
|
|
func ConstantTimeCompare(x, y []byte) int {
|
|
if len(x) != len(y) {
|
|
return 0
|
|
}
|
|
|
|
var v byte
|
|
|
|
for i := 0; i < len(x); i++ {
|
|
v |= x[i] ^ y[i]
|
|
}
|
|
|
|
return ConstantTimeByteEq(v, 0)
|
|
}
|
|
|
|
// ConstantTimeLessOrEqBytes returns 1 if x <= y and 0 otherwise. The comparison
|
|
// is lexigraphical, or big-endian. The time taken is a function of the length of
|
|
// the slices and is independent of the contents. If the lengths of x and y do not
|
|
// match it returns 0 immediately.
|
|
func ConstantTimeLessOrEqBytes(x, y []byte) int {
|
|
if len(x) != len(y) {
|
|
return 0
|
|
}
|
|
|
|
// Do a constant time subtraction chain y - x.
|
|
// If there is no borrow at the end, then x <= y.
|
|
var b uint64
|
|
for len(x) > 8 {
|
|
x0 := byteorder.BEUint64(x[len(x)-8:])
|
|
y0 := byteorder.BEUint64(y[len(y)-8:])
|
|
_, b = bits.Sub64(y0, x0, b)
|
|
x = x[:len(x)-8]
|
|
y = y[:len(y)-8]
|
|
}
|
|
if len(x) > 0 {
|
|
xb := make([]byte, 8)
|
|
yb := make([]byte, 8)
|
|
copy(xb[8-len(x):], x)
|
|
copy(yb[8-len(y):], y)
|
|
x0 := byteorder.BEUint64(xb)
|
|
y0 := byteorder.BEUint64(yb)
|
|
_, b = bits.Sub64(y0, x0, b)
|
|
}
|
|
return int(b ^ 1)
|
|
}
|
|
|
|
// ConstantTimeSelect returns x if v == 1 and y if v == 0.
|
|
// Its behavior is undefined if v takes any other value.
|
|
func ConstantTimeSelect(v, x, y int) int { return ^(v-1)&x | (v-1)&y }
|
|
|
|
// ConstantTimeByteEq returns 1 if x == y and 0 otherwise.
|
|
func ConstantTimeByteEq(x, y uint8) int {
|
|
return int((uint32(x^y) - 1) >> 31)
|
|
}
|
|
|
|
// ConstantTimeEq returns 1 if x == y and 0 otherwise.
|
|
func ConstantTimeEq(x, y int32) int {
|
|
return int((uint64(uint32(x^y)) - 1) >> 63)
|
|
}
|
|
|
|
// ConstantTimeCopy copies the contents of y into x (a slice of equal length)
|
|
// if v == 1. If v == 0, x is left unchanged. Its behavior is undefined if v
|
|
// takes any other value.
|
|
func ConstantTimeCopy(v int, x, y []byte) {
|
|
if len(x) != len(y) {
|
|
panic("subtle: slices have different lengths")
|
|
}
|
|
|
|
xmask := byte(v - 1)
|
|
ymask := byte(^(v - 1))
|
|
for i := 0; i < len(x); i++ {
|
|
x[i] = x[i]&xmask | y[i]&ymask
|
|
}
|
|
}
|
|
|
|
// ConstantTimeLessOrEq returns 1 if x <= y and 0 otherwise.
|
|
// Its behavior is undefined if x or y are negative or > 2**31 - 1.
|
|
func ConstantTimeLessOrEq(x, y int) int {
|
|
x32 := int32(x)
|
|
y32 := int32(y)
|
|
return int(((x32 - y32 - 1) >> 31) & 1)
|
|
} |