// Copyright 2009 The Go Authors. All rights reserved. // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. // Package subtle implements functions that are often useful in cryptographic // code but require careful thought to use correctly. package subtle // ConstantTimeCompare returns 1 if and only if the two slices, x // and y, have equal contents. The time taken is a function of the length of // the slices and is independent of the contents. func ConstantTimeCompare(x, y []byte) int { if len(x) != len(y) { return 0 } var v byte for i := 0; i < len(x); i++ { v |= x[i] ^ y[i] } return ConstantTimeByteEq(v, 0) } // ConstantTimeSelect returns x if v is 1 and y if v is 0. // Its behavior is undefined if v takes any other value. func ConstantTimeSelect(v, x, y int) int { return ^(v-1)&x | (v-1)&y } // ConstantTimeByteEq returns 1 if x == y and 0 otherwise. func ConstantTimeByteEq(x, y uint8) int { z := ^(x ^ y) z &= z >> 4 z &= z >> 2 z &= z >> 1 return int(z) } // ConstantTimeEq returns 1 if x == y and 0 otherwise. func ConstantTimeEq(x, y int32) int { z := ^(x ^ y) z &= z >> 16 z &= z >> 8 z &= z >> 4 z &= z >> 2 z &= z >> 1 return int(z & 1) } // ConstantTimeCopy copies the contents of y into x (a slice of equal length) // if v == 1. If v == 0, x is left unchanged. Its behavior is undefined if v // takes any other value. func ConstantTimeCopy(v int, x, y []byte) { if len(x) != len(y) { panic("subtle: slices have different lengths") } xmask := byte(v - 1) ymask := byte(^(v - 1)) for i := 0; i < len(x); i++ { x[i] = x[i]&xmask | y[i]&ymask } } // ConstantTimeLessOrEq returns 1 if x <= y and 0 otherwise. // Its behavior is undefined if x or y are negative or > 2**31 - 1. func ConstantTimeLessOrEq(x, y int) int { x32 := int32(x) y32 := int32(y) return int(((x32 - y32 - 1) >> 31) & 1) }