Re: [PATCH] crypto: rsassa-pkcs1: use constant-time comparison for digest and signature verification

From: Lukas Wunner

Date: Sat Jul 11 2026 - 11:17:48 EST


On Sat, Jul 11, 2026 at 01:23:36PM +0200, David Gall wrote:
> That said, this function [rsassa_pkcs1_verify()] already uses
> crypto_memneq() for the hash-prefix check a few lines above.
> I'd argue for consistency it's worth using it for the digest
> comparison too.

I'd prefer the other way round, i.e. to use memcmp() for the hash_prefix
comparison.

Thanks,

Lukas