New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crypto/subtle: change ConstantTimeLessOrEq to have less undefined behaviour #42685
Comments
Change https://golang.org/cl/270959 mentions this issue: |
Cc @FiloSottile |
As we're currently in a code freeze for Go 1.16, could you clarify if you intend this issue for 1.17 or 1.16? See https://github.com/golang/go/wiki/Go-Release-Cycle. In particular, if this is considered a bug or a problem that the user can't easily work around, then you could probably argue it should be reviewed and merged during the freeze, and be released with 1.16 in two months. Otherwise, it would wait until 1.17 in eight months. |
I've added this to the backlog milestone while @mvdan questions are answered. |
Thank you @isislovecruft! As you said, this is currently working as documented, so this should target Go 1.17, since Go 1.16 is in code freeze. |
Hi, I can't comment on the CL at the moment but I think the algorithm is incorrect. Haven't had a chance to look at it further.
```
$ cat x.go
package main
import ( func main() {
} // golang.org/issues/42685
}
|
Ah, not wrong per-se. Just missing |
What version of Go are you using (
go version
)?Does this issue reproduce with the latest release?
Yes. (With apologies for my vintage go compiler.)
What operating system and processor architecture are you using (
go env
)?go env
OutputWhat did you do?
I have a better algorithm for the
ConstantTimeLessOrEq
function which works for all inputs in [0, 2^32). Currently theConstantTimeLessOrEq
function only works (as documented) for inputs in [0, 2^31) and is UB for everything else (including negative signed integers, which it takes signed ints). Implementing the algorithm and testing it shows that it works for correctly for positive inputs, which means we could also change the interface to beConstantTimeLessOrEq(x, y uint32) int
which would remove all UB, but this is obviously a decision for the maintainers.The algorithm is:
What did you expect to see?
N/A.
What did you see instead?
EDIT: This is obvious but an example test case which (expectedly) fails the previous algorithm is:
EDIT #2: Perhaps less obvious, this algorithm also implements
ConstantTimeGreater
by changing the final line toreturn int(bit & 1)
, which is also useful for some of the algorithms in a few post-quantum cryptographic algorithms, particularly those which require a constant-time sorting network.The text was updated successfully, but these errors were encountered: