
ed25519: don't use constant-time functions in Verify.

Verify operates only on public data and thus is not constant-time. The
use of a constant-time function in Verify was thus misleading.

Fixes golang/go#21137

Change-Id: I1ff5a0371fbe8abe62420f19acf3e416fe1b1428
Reviewed-on: https://go-review.googlesource.com/53074
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Kevin Burke <kev@inburke.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Adam Langley, 8 years ago
Commit: c412588e25
1 file changed, 2 insertions and 2 deletions

+ 2 - 2
ed25519/ed25519.go

@@ -13,10 +13,10 @@ package ed25519
 // from SUPERCOP.
 
 import (
+	"bytes"
 	"crypto"
 	cryptorand "crypto/rand"
 	"crypto/sha512"
-	"crypto/subtle"
 	"errors"
 	"io"
 	"strconv"
@@ -177,5 +177,5 @@ func Verify(publicKey PublicKey, message, sig []byte) bool {
 
 	var checkR [32]byte
 	R.ToBytes(&checkR)
-	return subtle.ConstantTimeCompare(sig[:32], checkR[:]) == 1
+	return bytes.Equal(sig[:32], checkR[:])
 }
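
Review bot: the new `return bytes.Equal(sig[:32], checkR[:])` at the end of Verify carries no comment saying why a variable-time comparison is acceptable here, so a later reader may take it for a timing bug and switch it back to `subtle.ConstantTimeCompare`. The commit message gives the reason (Verify operates only on public data); putting a one-line comment to that effect directly above the return would keep the rationale in the code. The result is unchanged, since both forms return true only when the 32 bytes of `sig[:32]` and `checkR` are identical.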