From c89eac2b140d9a26d9b97d6d91bd80dd9ac92ed9 Mon Sep 17 00:00:00 2001 From: Aaron Feickert <66188213+AaronFeickert@users.noreply.github.com> Date: Mon, 15 Jan 2024 16:39:45 -0600 Subject: [PATCH] Add constant-time trait bounds --- Cargo.toml | 4 +++- src/dhke.rs | 18 ++++++++++++++++-- src/keys.rs | 5 +++-- src/ristretto/ristretto_keys.rs | 23 ++++++++++++++++++----- 4 files changed, 40 insertions(+), 10 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 8be02791..a69edc6f 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -24,6 +24,7 @@ rand_core = { version = "0.6" , default-features = false} serde = { version = "1.0", optional = true } sha3 = { version = "0.10", default-features = false } snafu = { version = "0.7", default-features = false} +subtle = { verion = "2.5.0", default-features = false } zeroize = {version = "1" , default-features = false} [dev-dependencies] @@ -48,6 +49,7 @@ std = [ "serde?/std", "sha3/std", "snafu/std", + "subtle/std", "tari_utilities/std", "zeroize/std", ] @@ -61,4 +63,4 @@ crate-type = ["lib", "cdylib"] [[bench]] name = "benches" path = "benches/mod.rs" -harness = false \ No newline at end of file +harness = false diff --git a/src/dhke.rs b/src/dhke.rs index 41c08c93..73d7efa6 100644 --- a/src/dhke.rs +++ b/src/dhke.rs @@ -18,11 +18,11 @@ use crate::keys::PublicKey; /// The result of a Diffie-Hellman key exchange #[derive(Zeroize, ZeroizeOnDrop)] pub struct DiffieHellmanSharedSecret

(P) -where P: Zeroize; +where P: PublicKey; impl

DiffieHellmanSharedSecret

where - P: PublicKey + Zeroize, + P: PublicKey, for<'a> &'a

::K: Mul<&'a P, Output = P>, { /// Perform a Diffie-Hellman key exchange @@ -36,6 +36,20 @@ where } } +impl

Eq for DiffieHellmanSharedSecret

+where + P: PublicKey, +{} + +impl

PartialEq for DiffieHellmanSharedSecret

+where + P: PublicKey, +{ + fn eq(&self, other: &DiffieHellmanSharedSecret

) -> bool { + self.0.ct_eq(&other.0).into() + } +} + #[cfg(test)] mod test { use rand_core::OsRng; diff --git a/src/keys.rs b/src/keys.rs index b1692f26..aecdc942 100644 --- a/src/keys.rs +++ b/src/keys.rs @@ -9,6 +9,7 @@ use core::ops::Add; use rand_core::{CryptoRng, RngCore}; +use subtle::ConstantTimeEq; use tari_utilities::{ByteArray, ByteArrayError}; use zeroize::{Zeroize, ZeroizeOnDrop}; @@ -27,7 +28,7 @@ use zeroize::{Zeroize, ZeroizeOnDrop}; /// let p = RistrettoPublicKey::from_secret_key(&k); /// ``` pub trait SecretKey: - ByteArray + Clone + PartialEq + Eq + Add + Default + Zeroize + ZeroizeOnDrop + ByteArray + Clone + ConstantTimeEq + PartialEq + Eq + Add + Default + Zeroize + ZeroizeOnDrop { /// The length of the byte encoding of a key, in bytes const KEY_LEN: usize; @@ -54,7 +55,7 @@ pub trait SecretKey: /// implementations need to implement this trait for them to be used in Tari. /// /// See [SecretKey](trait.SecretKey.html) for an example. -pub trait PublicKey: ByteArray + Add + Clone + PartialOrd + Ord + Default + Zeroize { +pub trait PublicKey: ByteArray + ConstantTimeEq + PartialEq + Eq + Add + Clone + PartialOrd + Ord + Default + Zeroize { /// The length of the byte encoding of a key, in bytes const KEY_LEN: usize; diff --git a/src/ristretto/ristretto_keys.rs b/src/ristretto/ristretto_keys.rs index fc5d1efc..d9907128 100644 --- a/src/ristretto/ristretto_keys.rs +++ b/src/ristretto/ristretto_keys.rs @@ -3,6 +3,7 @@ //! The Tari-compatible implementation of Ristretto based on the curve25519-dalek implementation use alloc::{string::ToString, vec::Vec}; +use subtle::ConstantTimeEq; use core::{ borrow::Borrow, cmp::Ordering, @@ -51,7 +52,7 @@ use crate::{ /// let _k2 = RistrettoSecretKey::from_hex(&"100000002000000030000000040000000"); /// let _k3 = RistrettoSecretKey::random(&mut rng); /// ``` -#[derive(Eq, Clone, Default, Zeroize, ZeroizeOnDrop)] +#[derive(Clone,Default, Zeroize, ZeroizeOnDrop)] pub struct RistrettoSecretKey(pub(crate) Scalar); #[cfg(feature = "borsh")] @@ -132,12 +133,20 @@ impl Hash for RistrettoSecretKey { } } +impl ConstantTimeEq for RistrettoSecretKey { + fn ct_eq(&self, other: &Self) -> subtle::Choice { + self.0.ct_eq(&other.0) + } +} + impl PartialEq for RistrettoSecretKey { fn eq(&self, other: &Self) -> bool { - self.0.eq(&other.0) + self.ct_eq(&other).into() } } +impl Eq for RistrettoSecretKey {} + //---------------------------------- RistrettoSecretKey Debug --------------------------------------------// impl fmt::Debug for RistrettoSecretKey { fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { @@ -423,6 +432,12 @@ impl fmt::Display for RistrettoPublicKey { } } +impl ConstantTimeEq for RistrettoPublicKey { + fn ct_eq(&self, other: &Self) -> subtle::Choice { + self.point.ct_eq(&other.point) + } +} + impl RistrettoPublicKey { // Formats a 64 char hex string to a given width. // If w >= 64, we pad the result. @@ -471,9 +486,7 @@ impl fmt::Debug for RistrettoPublicKey { impl PartialEq for RistrettoPublicKey { fn eq(&self, other: &RistrettoPublicKey) -> bool { - // Although this is slower than `self.compressed == other.compressed`, expanded point comparison is an equal - // time comparison - self.point == other.point + self.ct_eq(other).into() } }