From 94ce56d243e02cbfab1dfc1868a06a79cb07a0e4 Mon Sep 17 00:00:00 2001
From: Liamsi <Liamsi@users.noreply.github.com>
Date: Wed, 9 May 2018 11:48:46 +0100
Subject: [PATCH] Use constant-time comparator (sublte.ConstantTimeCompare) to
 compare signatures

prevents potential signature forgery

resolves #91
---
 signature.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/signature.go b/signature.go
index cfe92713..4f55420c 100644
--- a/signature.go
+++ b/signature.go
@@ -1,9 +1,10 @@
 package crypto
 
 import (
-	"bytes"
 	"fmt"
 
+	"crypto/subtle"
+
 	. "github.com/tendermint/tmlibs/common"
 )
 
@@ -41,7 +42,7 @@ func (sig SignatureEd25519) String() string { return fmt.Sprintf("/%X.../", Fing
 
 func (sig SignatureEd25519) Equals(other Signature) bool {
 	if otherEd, ok := other.(SignatureEd25519); ok {
-		return bytes.Equal(sig[:], otherEd[:])
+		return subtle.ConstantTimeCompare(sig[:], otherEd[:]) == 1
 	} else {
 		return false
 	}
@@ -74,7 +75,7 @@ func (sig SignatureSecp256k1) String() string { return fmt.Sprintf("/%X.../", Fi
 
 func (sig SignatureSecp256k1) Equals(other Signature) bool {
 	if otherSecp, ok := other.(SignatureSecp256k1); ok {
-		return bytes.Equal(sig[:], otherSecp[:])
+		return subtle.ConstantTimeCompare(sig[:], otherSecp[:]) == 1
 	} else {
 		return false
 	}