Use constant-time comparison in eddsa25519
Created by: EinMByte
By submitting this issue, I confirm the following:
- I have read and understood the contributor guide.
- I have checked that the issue I am reporting can be replicated or that the feature I am suggesting is not present.
- I have checked opened or recently closed pull requests for existing solutions/implementations to my issue/suggestion.
Place an X inside the bracket to confirm
- I confirm.
`crypto_verify` should be implemented as a constant-time comparison rather than by using `memcmp`.
Theoretically, this could leak (part of) the valid signature. That might allow an attacker to forge a signature.
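A constant-time comparison of the kind this issue asks for, as an added example and not code from the project's eddsa25519 source; the 32-byte sample values are constructed, and the instrumented early-exit comparison stands in for `memcmp` to make visible what its timing gives away:

```c
#include <stddef.h>

/* Constant-time comparison of two n-byte buffers: 0 if equal, -1 otherwise.
   Unlike memcmp it never exits early, so its running time does not depend on
   where the first differing byte is. (Added example, not the project's code.) */
int crypto_verify_ct(const unsigned char *x, const unsigned char *y, size_t n)
{
    unsigned int differentbits = 0;
    size_t i;
    for (i = 0; i < n; i++)
        differentbits |= (unsigned int)(x[i] ^ y[i]);
    /* Branch-free map: differentbits == 0 -> 0, anything in 1..255 -> -1. */
    return (int)(1 & ((differentbits - 1) >> 8)) - 1;
}

/* memcmp-style early-exit comparison, instrumented: *steps receives the number
   of bytes examined, which is the quantity a timing side channel exposes. */
int early_exit_verify(const unsigned char *x, const unsigned char *y, size_t n, size_t *steps)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (x[i] != y[i]) { *steps = i + 1; return -1; }
    }
    *steps = n;
    return 0;
}

/* Constructed sample (not a real signature): two 32-byte values, as in the
   R check of Ed25519 verification, equal except at byte index 5. */
static void build_sample(unsigned char a[32], unsigned char b[32])
{
    size_t i;
    for (i = 0; i < 32; i++) a[i] = b[i] = (unsigned char)(0xA0 + i);
    b[5] ^= 0x01;
}

/* Bytes examined by the early-exit compare on the sample: 6, revealing the
   mismatch position. crypto_verify_ct always touches all 32 bytes. */
size_t demo_early_exit_steps(void)
{
    unsigned char a[32], b[32]; size_t steps = 0;
    build_sample(a, b);
    (void)early_exit_verify(a, b, 32, &steps);
    return steps;
}

/* Constant-time verdicts on the sample: -1 for a vs b, 0 for a vs a. */
int demo_ct_mismatch(void) { unsigned char a[32], b[32]; build_sample(a, b); return crypto_verify_ct(a, b, 32); }
int demo_ct_match(void)    { unsigned char a[32], b[32]; build_sample(a, b); return crypto_verify_ct(a, a, 32); }
```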