The implementations of PrivateKey.Equal in the crypto/ed25519, crypto/ecdsa, and crypto/rsa packages
leak timing information during key comparison. We do not consider this a serious security issue, as
attacker-controlled private key attacks are generally considered out of scope, the Equals methods
are not used during any cryptographic operations, and because these methods were never documented to
Regardless, we should make these methods constant-time, since it is (mostly) trivial to do, and because
our stance is that the crypto/* libraries should be generally safe to use by default, and hard to
Thanks to Zach Collier (@zamicol) for reporting this issue to the Security team.
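
The following is an added example, not code from the Go project or from this issue: one way to compare private key material without an early exit, using `crypto/subtle`. The helper names `ctEqualEd25519` and `ctEqualScalar` and the fixed `size` parameter are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/subtle"
	"fmt"
	"math/big"
)

// ctEqualEd25519 (hypothetical helper) compares two Ed25519 private keys
// without stopping at the first differing byte. ConstantTimeCompare returns
// 0 immediately only when the lengths differ, and key length is not secret.
func ctEqualEd25519(a, b ed25519.PrivateKey) bool {
	return subtle.ConstantTimeCompare(a, b) == 1
}

// ctEqualScalar (hypothetical helper) compares two non-negative secret
// integers, such as an ECDSA or RSA private value. Both are serialized to the
// same fixed width (size bytes, a public parameter) so the byte comparison
// does not depend on where the values first differ. math/big itself makes no
// constant-time guarantee, so this narrows the leak to the bit length.
func ctEqualScalar(a, b *big.Int, size int) bool {
	if a.Sign() < 0 || b.Sign() < 0 || a.BitLen() > 8*size || b.BitLen() > 8*size {
		return false // FillBytes would panic on values wider than size
	}
	ab := a.FillBytes(make([]byte, size))
	bb := b.FillBytes(make([]byte, size))
	return subtle.ConstantTimeCompare(ab, bb) == 1
}

func main() {
	// Constructed sample keys derived from fixed seeds.
	seed := make([]byte, ed25519.SeedSize)
	k1 := ed25519.NewKeyFromSeed(seed)
	seed[31] ^= 1 // second seed differs only in its last byte
	k2 := ed25519.NewKeyFromSeed(seed)
	fmt.Println(ctEqualEd25519(k1, k1), ctEqualEd25519(k1, k2))

	// Constructed sample scalars.
	d1 := big.NewInt(0x1234)
	d2 := big.NewInt(0x1235)
	fmt.Println(ctEqualScalar(d1, new(big.Int).Set(d1), 32), ctEqualScalar(d1, d2, 32))
}
```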