From bf603424e9d82a4760c8fd12a7eb1e3b0a6a5d5a Mon Sep 17 00:00:00 2001
From: Daniel Schadt
Date: Tue, 8 Apr 2025 22:20:56 +0200
Subject: use constant_time_eq in decryption function

---
 src/lib.rs | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'src/lib.rs')

diff --git a/src/lib.rs b/src/lib.rs
index cc6cd9c..46070fc 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -84,6 +84,8 @@
 //! ```
 use std::iter;
 
+use constant_time_eq::constant_time_eq;
+
 mod block;
 #[cfg(test)]
 mod testvectors;
@@ -234,7 +236,7 @@ fn decrypt(key: &Key, nonce: &[u8], ad: &[&[u8]], tau: u32, ciphertext: &[u8]) -
     tweaks.extend(ad);
 
     if ciphertext.len() == tau as usize {
-        if ciphertext == aez_prf(key, &tweaks, tau) {
+        if constant_time_eq(&ciphertext, &aez_prf(key, &tweaks, tau)) {
             return Some(Vec::new());
         } else {
             return None;
@@ -244,7 +246,7 @@ fn decrypt(key: &Key, nonce: &[u8], ad: &[&[u8]], tau: u32, ciphertext: &[u8]) -
     let x = decipher(key, &tweaks, ciphertext);
     let (m, auth) = x.split_at(ciphertext.len() - tau as usize);
     assert!(auth.len() == tau as usize);
-    if auth.iter().all(|x| *x == 0) {
+    if constant_time_eq(&auth, &vec![0; tau as usize]) {
         Some(Vec::from(m))
     } else {
         None
--
cgit v1.2.3
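Review bot: The added call in the `ciphertext.len() == tau` branch borrows `ciphertext` again even though the signature already gives it as `&[u8]`, so `&ciphertext` is a `&&[u8]` that only compiles thanks to deref coercion and will trip clippy's `needless_borrow`; the same applies to `&auth` in the following hunk, where `auth` comes out of `split_at` as `&[u8]`. Passing the slices directly keeps the argument types matching the crate's `&[u8]` parameters: `if constant_time_eq(ciphertext, &aez_prf(key, &tweaks, tau)) {` here and `if constant_time_eq(auth, &vec![0; tau as usize]) {` below. The reason for switching away from `==` is also worth stating at the call site, since a future reader may otherwise revert it as a simplification; a comment such as `// Tag check: compare in constant time so the result does not leak which byte mismatched.` above the first comparison (and a one-line pointer at the second) would document the intent. The `decrypt` function starts and ends outside these hunks, so the length and tau checks that precede this branch are not visible here.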
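Review bot: The zero-tag comparison in the last hunk builds a fresh `vec![0; tau as usize]` on every decryption just to serve as the expected value; the length is separately asserted equal to `auth.len()` on the line above, so sizing the buffer from the slice being checked would tie the two together and avoid the separate `tau as usize` cast: `if constant_time_eq(auth, &vec![0u8; auth.len()]) {`. The allocation itself is small and happens only after `decipher` has run, so this is a tidiness point rather than a defect. The enclosing `decrypt` function ends outside the hunk.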