Use constant-time equality for EphemeralKeyBytes.

Fixes #370


Extracted from: e654cc4ce6

Cargo.toml

@@ -18,6 +18,7 @@ crypto_api_chachapoly = "0.4"
 ff = "0.8"
 group = "0.8"
 rand_core = "0.5.1"
+subtle = "2.2.3"
 
 [dev-dependencies]
 zcash_primitives = { version = "0.5", path = "../../zcash_primitives" }

src/lib.rs

@@ -5,6 +5,7 @@
 
 use crypto_api_chachapoly::{ChaCha20Ietf, ChachaPolyIetf};
 use rand_core::RngCore;
+use subtle::{ConstantTimeEq, Choice};
 
 pub const COMPACT_NOTE_SIZE: usize = 1 + // version
     11 + // diversifier
@@ -31,8 +32,6 @@ impl AsRef<[u8]> for OutgoingCipherKey {
     }
 }
 
-//FIXME: use constant-time checks for equality
-#[derive(Eq, PartialEq)]
 pub struct EphemeralKeyBytes(pub [u8; 32]);
 
 impl From<[u8; 32]> for EphemeralKeyBytes {
@@ -41,6 +40,12 @@ impl From<[u8; 32]> for EphemeralKeyBytes {
     }
 }
 
+impl ConstantTimeEq for EphemeralKeyBytes {
+    fn ct_eq(&self, other: &Self) -> Choice {
+        self.0.ct_eq(&other.0)
+    }
+}
+
 pub struct NotePlaintextBytes(pub [u8; NOTE_PLAINTEXT_SIZE]);
 pub struct OutPlaintextBytes(pub [u8; OUT_PLAINTEXT_SIZE]);
 
@@ -368,7 +373,7 @@ fn check_note_validity<D: Domain>(
     } else {
         let epk_bytes = D::epk_bytes(epk);
         D::check_epk_bytes(&note, |derived_esk| {
-            if D::epk_bytes(&D::ka_derive_public(&note, &derived_esk)) == epk_bytes {
+            if D::epk_bytes(&D::ka_derive_public(&note, &derived_esk)).ct_eq(&epk_bytes).into() {
                 NoteValidity::Valid
             } else {
                 NoteValidity::Invalid