Merge pull request #94 from Liamsi/const_time

Use constant-time comparator to compare signatures

signature.go

@@ -1,9 +1,10 @@
 package crypto
 
 import (
-	"bytes"
 	"fmt"
 
+	"crypto/subtle"
+
 	. "github.com/tendermint/tmlibs/common"
 )
 
@@ -41,7 +42,7 @@ func (sig SignatureEd25519) String() string { return fmt.Sprintf("/%X.../", Fing
 
 func (sig SignatureEd25519) Equals(other Signature) bool {
 	if otherEd, ok := other.(SignatureEd25519); ok {
-		return bytes.Equal(sig[:], otherEd[:])
+		return subtle.ConstantTimeCompare(sig[:], otherEd[:]) == 1
 	} else {
 		return false
 	}
@@ -74,7 +75,7 @@ func (sig SignatureSecp256k1) String() string { return fmt.Sprintf("/%X.../", Fi
 
 func (sig SignatureSecp256k1) Equals(other Signature) bool {
 	if otherSecp, ok := other.(SignatureSecp256k1); ok {
-		return bytes.Equal(sig[:], otherSecp[:])
+		return subtle.ConstantTimeCompare(sig[:], otherSecp[:]) == 1
 	} else {
 		return false
 	}