Clean up repeated constant time bytes comparison (#12996)

alex · web-flow · commit c0eac0f13626 · 2025-05-27T17:38:02.000-07:00
diff --git a/src/rust/cryptography-crypto/src/constant_time.rs b/src/rust/cryptography-crypto/src/constant_time.rs
@@ -0,0 +1,12 @@
+// This file is dual licensed under the terms of the Apache License, Version
+// 2.0, and the BSD License. See the LICENSE file in the root of this repository
+// for complete details.
+
+/// Performs a constant-time comparison of two byte slices.
+pub fn bytes_eq(a: &[u8], b: &[u8]) -> bool {
+    if a.len() != b.len() {
+        return false;
+    }
+
+    openssl::memcmp::eq(a, b)
+}
diff --git a/src/rust/cryptography-crypto/src/lib.rs b/src/rust/cryptography-crypto/src/lib.rs
@@ -2,6 +2,7 @@
 // 2.0, and the BSD License. See the LICENSE file in the root of this repository
 // for complete details.
 
+pub mod constant_time;
 pub mod encoding;
 pub mod pbkdf1;
 pub mod pkcs12;
diff --git a/src/rust/src/backend/cmac.rs b/src/rust/src/backend/cmac.rs
@@ -2,6 +2,7 @@
 // 2.0, and the BSD License. See the LICENSE file in the root of this repository
 // for complete details.
 
+use cryptography_crypto::constant_time;
 use pyo3::types::{PyAnyMethods, PyBytesMethods};
 
 use crate::backend::cipher_registry;
@@ -84,7 +85,7 @@ impl Cmac {
     fn verify(&mut self, py: pyo3::Python<'_>, signature: &[u8]) -> CryptographyResult<()> {
         let actual = self.finalize(py)?;
         let actual = actual.as_bytes();
-        if actual.len() != signature.len() || !openssl::memcmp::eq(actual, signature) {
+        if !constant_time::bytes_eq(actual, signature) {
             return Err(CryptographyError::from(
                 exceptions::InvalidSignature::new_err("Signature did not match digest."),
             ));
diff --git a/src/rust/src/backend/hmac.rs b/src/rust/src/backend/hmac.rs
@@ -2,6 +2,7 @@
 // 2.0, and the BSD License. See the LICENSE file in the root of this repository
 // for complete details.
 
+use cryptography_crypto::constant_time;
 use pyo3::types::PyBytesMethods;
 
 use crate::backend::hashes::message_digest_from_algorithm;
@@ -90,7 +91,7 @@ impl Hmac {
     fn verify(&mut self, py: pyo3::Python<'_>, signature: &[u8]) -> CryptographyResult<()> {
         let actual_bound = self.finalize(py)?;
         let actual = actual_bound.as_bytes();
-        if actual.len() != signature.len() || !openssl::memcmp::eq(actual, signature) {
+        if !constant_time::bytes_eq(actual, signature) {
             return Err(CryptographyError::from(
                 exceptions::InvalidSignature::new_err("Signature did not match digest."),
             ));
diff --git a/src/rust/src/backend/kdf.rs b/src/rust/src/backend/kdf.rs
@@ -7,6 +7,8 @@ use base64::engine::general_purpose::STANDARD_NO_PAD;
 #[cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)]
 use base64::engine::Engine;
 #[cfg(not(CRYPTOGRAPHY_IS_LIBRESSL))]
+use cryptography_crypto::constant_time;
+#[cfg(not(CRYPTOGRAPHY_IS_LIBRESSL))]
 use pyo3::types::PyBytesMethods;
 
 use crate::backend::hashes;
@@ -152,9 +154,7 @@ impl Scrypt {
         let actual_bytes = actual.as_bytes();
         let expected_bytes = expected_key.as_bytes();
 
-        if actual_bytes.len() != expected_bytes.len()
-            || !openssl::memcmp::eq(actual_bytes, expected_bytes)
-        {
+        if !constant_time::bytes_eq(actual_bytes, expected_bytes) {
             return Err(CryptographyError::from(exceptions::InvalidKey::new_err(
                 "Keys do not match.",
             )));
@@ -314,9 +314,7 @@ impl Argon2id {
         let actual_bytes = actual.as_bytes();
         let expected_bytes = expected_key.as_bytes();
 
-        if actual_bytes.len() != expected_bytes.len()
-            || !openssl::memcmp::eq(actual_bytes, expected_bytes)
-        {
+        if !constant_time::bytes_eq(actual_bytes, expected_bytes) {
             return Err(CryptographyError::from(exceptions::InvalidKey::new_err(
                 "Keys do not match.",
             )));
@@ -435,9 +433,7 @@ impl Argon2id {
         let derived_key = argon2.derive(py, key_material)?;
         let derived_bytes = derived_key.as_bytes();
 
-        if derived_bytes.len() != hash_bytes.len()
-            || !openssl::memcmp::eq(derived_bytes, &hash_bytes)
-        {
+        if !constant_time::bytes_eq(derived_bytes, &hash_bytes) {
             return Err(CryptographyError::from(exceptions::InvalidKey::new_err(
                 "Keys do not match.",
             )));
diff --git a/src/rust/src/backend/poly1305.rs b/src/rust/src/backend/poly1305.rs
@@ -2,6 +2,7 @@
 // 2.0, and the BSD License. See the LICENSE file in the root of this repository
 // for complete details.
 
+use cryptography_crypto::constant_time;
 use pyo3::types::PyBytesMethods;
 
 use crate::buf::CffiBuf;
@@ -191,7 +192,7 @@ impl Poly1305 {
     fn verify(&mut self, py: pyo3::Python<'_>, signature: &[u8]) -> CryptographyResult<()> {
         let actual_bound = self.finalize(py)?;
         let actual = actual_bound.as_bytes();
-        if actual.len() != signature.len() || !openssl::memcmp::eq(actual, signature) {
+        if !constant_time::bytes_eq(actual, signature) {
             return Err(CryptographyError::from(
                 exceptions::InvalidSignature::new_err("Value did not match computed tag."),
             ));
diff --git a/src/rust/src/buf.rs b/src/rust/src/buf.rs
@@ -2,10 +2,12 @@
 // 2.0, and the BSD License. See the LICENSE file in the root of this repository
 // for complete details.
 
+use std::slice;
+
+use pyo3::types::PyAnyMethods;
+
 #[cfg(not(Py_3_11))]
 use crate::types;
-use pyo3::types::PyAnyMethods;
-use std::slice;
 
 // Common error message generation
 fn generate_non_convertible_buffer_error_msg(pyobj: &pyo3::Bound<'_, pyo3::PyAny>) -> String {
