change to use go's own XORBytes function #315

2025-04-26 20:26:19 +08:00 · 2025-03-13 15:15:46 +08:00 · 2025-03-13 15:15:46 +08:00 · 7a5253bfb5
commit 7a5253bfb5
parent d6f18a2cbf
15 changed files with 62 additions and 65 deletions
--- a/cbcmac/cbcmac.go
+++ b/cbcmac/cbcmac.go
@ -7,8 +7,8 @@ package cbcmac

 import (
 	"crypto/cipher"
+	"crypto/subtle"

-	"github.com/emmansun/gmsm/internal/subtle"
 	"github.com/emmansun/gmsm/padding"
 )

--- a/cipher/bc.go
+++ b/cipher/bc.go
@ -4,18 +4,17 @@ package cipher

 import (
 	"bytes"
-	_cipher "crypto/cipher"
-
-	"github.com/emmansun/gmsm/internal/subtle"
+	"crypto/cipher"
+	"crypto/subtle"
 )

 type bc struct {
-	b         _cipher.Block
+	b         cipher.Block
 	blockSize int
 	iv        []byte
 }

-func newBC(b _cipher.Block, iv []byte) *bc {
+func newBC(b cipher.Block, iv []byte) *bc {
 	return &bc{
 		b:         b,
 		blockSize: b.BlockSize(),
@ -30,13 +29,13 @@ type bcEncrypter bc
 // NewBCEncrypter will check for this interface and return the specific
 // BlockMode if found.
 type bcEncAble interface {
-	NewBCEncrypter(iv []byte) _cipher.BlockMode
+	NewBCEncrypter(iv []byte) cipher.BlockMode
 }

 // NewBCEncrypter returns a BlockMode which encrypts in block chaining
 // mode, using the given Block. The length of iv must be the same as the
 // Block's block size.
-func NewBCEncrypter(b _cipher.Block, iv []byte) _cipher.BlockMode {
+func NewBCEncrypter(b cipher.Block, iv []byte) cipher.BlockMode {
 	if len(iv) != b.BlockSize() {
 		panic("cipher.NewBCEncrypter: IV length must equal block size")
 	}
@ -81,13 +80,13 @@ type bcDecrypter bc
 // NewBCDecrypter will check for this interface and return the specific
 // BlockMode if found.
 type bcDecAble interface {
-	NewBCDecrypter(iv []byte) _cipher.BlockMode
+	NewBCDecrypter(iv []byte) cipher.BlockMode
 }

 // NewBCDecrypter returns a BlockMode which decrypts in block chaining
 // mode, using the given Block. The length of iv must be the same as the
 // Block's block size and must match the iv used to encrypt the data.
-func NewBCDecrypter(b _cipher.Block, iv []byte) _cipher.BlockMode {
+func NewBCDecrypter(b cipher.Block, iv []byte) cipher.BlockMode {
 	if len(iv) != b.BlockSize() {
 		panic("cipher.NewBCDecrypter: IV length must equal block size")
 	}
--- a/cipher/ccm.go
+++ b/cipher/ccm.go
@ -2,15 +2,14 @@
 package cipher

 import (
-	goCipher "crypto/cipher"
-	goSubtle "crypto/subtle"
+	"crypto/cipher"
+	"crypto/subtle"
 	"math"

 	"errors"

 	"github.com/emmansun/gmsm/internal/alias"
 	"github.com/emmansun/gmsm/internal/byteorder"
-	"github.com/emmansun/gmsm/internal/subtle"
 )

 const (
@ -23,11 +22,11 @@ const (
 // ccmAble is an interface implemented by ciphers that have a specific optimized
 // implementation of CCM.
 type ccmAble interface {
-	NewCCM(nonceSize, tagSize int) (goCipher.AEAD, error)
+	NewCCM(nonceSize, tagSize int) (cipher.AEAD, error)
 }

 type ccm struct {
-	cipher    goCipher.Block
+	cipher    cipher.Block
 	nonceSize int
 	tagSize   int
 }
@ -57,14 +56,14 @@ func maxlen(L, tagsize int) int {

 // NewCCM returns the given 128-bit, block cipher wrapped in CCM
 // with the standard nonce length.
-func NewCCM(cipher goCipher.Block) (goCipher.AEAD, error) {
+func NewCCM(cipher cipher.Block) (cipher.AEAD, error) {
 	return NewCCMWithNonceAndTagSize(cipher, ccmStandardNonceSize, ccmTagSize)
 }

 // NewCCMWithNonceSize returns the given 128-bit, block cipher wrapped in CCM,
 // which accepts nonces of the given length. The length must not
 // be zero.
-func NewCCMWithNonceSize(cipher goCipher.Block, size int) (goCipher.AEAD, error) {
+func NewCCMWithNonceSize(cipher cipher.Block, size int) (cipher.AEAD, error) {
 	return NewCCMWithNonceAndTagSize(cipher, size, ccmTagSize)
 }

@ -72,12 +71,12 @@ func NewCCMWithNonceSize(cipher goCipher.Block, size int) (goCipher.AEAD, error)
 // which generates tags with the given length.
 //
 // Tag sizes between 8 and 16 bytes are allowed.
-func NewCCMWithTagSize(cipher goCipher.Block, tagSize int) (goCipher.AEAD, error) {
+func NewCCMWithTagSize(cipher cipher.Block, tagSize int) (cipher.AEAD, error) {
 	return NewCCMWithNonceAndTagSize(cipher, ccmStandardNonceSize, tagSize)
 }

 // https://tools.ietf.org/html/rfc3610
-func NewCCMWithNonceAndTagSize(cipher goCipher.Block, nonceSize, tagSize int) (goCipher.AEAD, error) {
+func NewCCMWithNonceAndTagSize(cipher cipher.Block, nonceSize, tagSize int) (cipher.AEAD, error) {
 	if tagSize < ccmMinimumTagSize || tagSize > ccmBlockSize || tagSize&1 != 0 {
 		return nil, errors.New("cipher: incorrect tag size given to CCM")
 	}
@ -189,7 +188,7 @@ func (c *ccm) Seal(dst, nonce, plaintext, data []byte) []byte {
 	c.cipher.Encrypt(tagMask[:], counter[:])

 	counter[len(counter)-1] |= 1
-	ctr := goCipher.NewCTR(c.cipher, counter[:])
+	ctr := cipher.NewCTR(c.cipher, counter[:])
 	ctr.XORKeyStream(out, plaintext)

 	tag := c.auth(nonce, plaintext, data, &tagMask)
@ -231,10 +230,10 @@ func (c *ccm) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) {
 	}

 	counter[len(counter)-1] |= 1
-	ctr := goCipher.NewCTR(c.cipher, counter[:])
+	ctr := cipher.NewCTR(c.cipher, counter[:])
 	ctr.XORKeyStream(out, ciphertext)
 	expectedTag := c.auth(nonce, out, data, &tagMask)
-	if goSubtle.ConstantTimeCompare(expectedTag, tag) != 1 {
+	if subtle.ConstantTimeCompare(expectedTag, tag) != 1 {
 		// The AESNI code decrypts and authenticates concurrently, and
 		// so overwrites dst in the event of a tag mismatch. That
 		// behavior is mimicked here in order to be consistent across
--- a/cipher/hctr.go
+++ b/cipher/hctr.go
@ -1,12 +1,12 @@
 package cipher

 import (
-	_cipher "crypto/cipher"
+	"crypto/cipher"
+	"crypto/subtle"
 	"errors"

 	"github.com/emmansun/gmsm/internal/alias"
 	"github.com/emmansun/gmsm/internal/byteorder"
-	"github.com/emmansun/gmsm/internal/subtle"
 )

 // A LengthPreservingMode represents a block cipher running in a length preserving mode (HCTR,
@ -105,7 +105,7 @@ var hctrReductionTable = []uint16{
 // https://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.470.5288
 // GB/T 17964-2021 第11章 带泛杂凑函数的计数器工作模式
 type hctr struct {
-	cipher _cipher.Block
+	cipher cipher.Block
 	tweak  [blockSize]byte
 	// productTable contains the first sixteen powers of the hash key.
 	// However, they are in bit reversed order.
@ -118,7 +118,7 @@ func (h *hctr) BlockSize() int {

 // NewHCTR returns a [LengthPreservingMode] which encrypts/decrypts useing the given [Block]
 // in HCTR mode. The lenght of tweak and hash key must be the same as the [Block]'s block size.
-func NewHCTR(cipher _cipher.Block, tweak, hkey []byte) (LengthPreservingMode, error) {
+func NewHCTR(cipher cipher.Block, tweak, hkey []byte) (LengthPreservingMode, error) {
 	if len(tweak) != blockSize || len(hkey) != blockSize {
 		return nil, errors.New("cipher: invalid tweak and/or hash key length")
 	}
--- a/cipher/xts.go
+++ b/cipher/xts.go
@ -1,17 +1,18 @@
 package cipher

 import (
-	_cipher "crypto/cipher"
+	"crypto/cipher"
+	"crypto/subtle"
+
 	"errors"

 	"github.com/emmansun/gmsm/internal/alias"
 	"github.com/emmansun/gmsm/internal/byteorder"
-	"github.com/emmansun/gmsm/internal/subtle"
 )

 const GF128_FDBK byte = 0x87

-type CipherCreator func([]byte) (_cipher.Block, error)
+type CipherCreator func([]byte) (cipher.Block, error)

 type concurrentBlocks interface {
 	Concurrency() int
@ -21,7 +22,7 @@ type concurrentBlocks interface {

 // Cipher contains an expanded key structure. It is unsafe for concurrent use.
 type xts struct {
-	b     _cipher.Block
+	b     cipher.Block
 	tweak [blockSize]byte
 	isGB  bool // if true, follows GB/T 17964-2021
 }
@ -37,18 +38,18 @@ type xtsEncrypter xts
 // NewXTSEncrypter will check for this interface and return the specific
 // BlockMode if found.
 type xtsEncAble interface {
-	NewXTSEncrypter(encryptedTweak *[blockSize]byte, isGB bool) _cipher.BlockMode
+	NewXTSEncrypter(encryptedTweak *[blockSize]byte, isGB bool) cipher.BlockMode
 }

 // NewXTSEncrypter creates a Cipher given a function for creating the underlying
 // block cipher (which must have a block size of 16 bytes).
-func NewXTSEncrypter(cipherFunc CipherCreator, key, tweakKey, tweak []byte) (_cipher.BlockMode, error) {
+func NewXTSEncrypter(cipherFunc CipherCreator, key, tweakKey, tweak []byte) (cipher.BlockMode, error) {
 	return newXTSEncrypter(cipherFunc, key, tweakKey, tweak, false)
 }

 // NewXTSEncrypterWithSector creates a Cipher given a function for creating the underlying
 // block cipher (which must have a block size of 16 bytes) with sector number.
-func NewXTSEncrypterWithSector(cipherFunc CipherCreator, key, tweakKey []byte, sectorNum uint64) (_cipher.BlockMode, error) {
+func NewXTSEncrypterWithSector(cipherFunc CipherCreator, key, tweakKey []byte, sectorNum uint64) (cipher.BlockMode, error) {
 	tweak := make([]byte, blockSize)
 	byteorder.LEPutUint64(tweak[:8], sectorNum)
 	return NewXTSEncrypter(cipherFunc, key, tweakKey, tweak)
@ -57,20 +58,20 @@ func NewXTSEncrypterWithSector(cipherFunc CipherCreator, key, tweakKey []byte, s
 // NewGBXTSEncrypter creates a Cipher given a function for creating the underlying
 // block cipher (which must have a block size of 16 bytes).
 // It follows GB/T 17964-2021.
-func NewGBXTSEncrypter(cipherFunc CipherCreator, key, tweakKey, tweak []byte) (_cipher.BlockMode, error) {
+func NewGBXTSEncrypter(cipherFunc CipherCreator, key, tweakKey, tweak []byte) (cipher.BlockMode, error) {
 	return newXTSEncrypter(cipherFunc, key, tweakKey, tweak, true)
 }

 // NewGBXTSEncrypterWithSector creates a Cipher given a function for creating the underlying
 // block cipher (which must have a block size of 16 bytes) with sector number.
 // It follows GB/T 17964-2021.
-func NewGBXTSEncrypterWithSector(cipherFunc CipherCreator, key, tweakKey []byte, sectorNum uint64) (_cipher.BlockMode, error) {
+func NewGBXTSEncrypterWithSector(cipherFunc CipherCreator, key, tweakKey []byte, sectorNum uint64) (cipher.BlockMode, error) {
 	tweak := make([]byte, blockSize)
 	byteorder.LEPutUint64(tweak[:8], sectorNum)
 	return NewGBXTSEncrypter(cipherFunc, key, tweakKey, tweak)
 }

-func newXTSEncrypter(cipherFunc CipherCreator, key, tweakKey, tweak []byte, isGB bool) (_cipher.BlockMode, error) {
+func newXTSEncrypter(cipherFunc CipherCreator, key, tweakKey, tweak []byte, isGB bool) (cipher.BlockMode, error) {
 	if len(tweak) != blockSize {
 		return nil, errors.New("cipher: invalid tweak length")
 	}
@ -109,18 +110,18 @@ type xtsDecrypter xts
 // NewXTSDecrypter will check for this interface and return the specific
 // BlockMode if found.
 type xtsDecAble interface {
-	NewXTSDecrypter(encryptedTweak *[blockSize]byte, isGB bool) _cipher.BlockMode
+	NewXTSDecrypter(encryptedTweak *[blockSize]byte, isGB bool) cipher.BlockMode
 }

 // NewXTSDecrypter creates a Cipher given a function for creating the underlying
 // block cipher (which must have a block size of 16 bytes) for decryption.
-func NewXTSDecrypter(cipherFunc CipherCreator, key, tweakKey, tweak []byte) (_cipher.BlockMode, error) {
+func NewXTSDecrypter(cipherFunc CipherCreator, key, tweakKey, tweak []byte) (cipher.BlockMode, error) {
 	return newXTSDecrypter(cipherFunc, key, tweakKey, tweak, false)
 }

 // NewXTSDecrypterWithSector creates a Cipher given a function for creating the underlying
 // block cipher (which must have a block size of 16 bytes) with sector number for decryption.
-func NewXTSDecrypterWithSector(cipherFunc CipherCreator, key, tweakKey []byte, sectorNum uint64) (_cipher.BlockMode, error) {
+func NewXTSDecrypterWithSector(cipherFunc CipherCreator, key, tweakKey []byte, sectorNum uint64) (cipher.BlockMode, error) {
 	tweak := make([]byte, blockSize)
 	byteorder.LEPutUint64(tweak[:8], sectorNum)
 	return NewXTSDecrypter(cipherFunc, key, tweakKey, tweak)
@ -129,20 +130,20 @@ func NewXTSDecrypterWithSector(cipherFunc CipherCreator, key, tweakKey []byte, s
 // NewGBXTSDecrypter creates a Cipher given a function for creating the underlying
 // block cipher (which must have a block size of 16 bytes) for decryption.
 // It follows GB/T 17964-2021.
-func NewGBXTSDecrypter(cipherFunc CipherCreator, key, tweakKey, tweak []byte) (_cipher.BlockMode, error) {
+func NewGBXTSDecrypter(cipherFunc CipherCreator, key, tweakKey, tweak []byte) (cipher.BlockMode, error) {
 	return newXTSDecrypter(cipherFunc, key, tweakKey, tweak, true)
 }

 // NewGBXTSDecrypterWithSector creates a Cipher given a function for creating the underlying
 // block cipher (which must have a block size of 16 bytes) with sector number for decryption.
 // It follows GB/T 17964-2021.
-func NewGBXTSDecrypterWithSector(cipherFunc CipherCreator, key, tweakKey []byte, sectorNum uint64) (_cipher.BlockMode, error) {
+func NewGBXTSDecrypterWithSector(cipherFunc CipherCreator, key, tweakKey []byte, sectorNum uint64) (cipher.BlockMode, error) {
 	tweak := make([]byte, blockSize)
 	byteorder.LEPutUint64(tweak[:8], sectorNum)
 	return NewGBXTSDecrypter(cipherFunc, key, tweakKey, tweak)
 }

-func newXTSDecrypter(cipherFunc CipherCreator, key, tweakKey, tweak []byte, isGB bool) (_cipher.BlockMode, error) {
+func newXTSDecrypter(cipherFunc CipherCreator, key, tweakKey, tweak []byte, isGB bool) (cipher.BlockMode, error) {
 	if len(tweak) != blockSize {
 		return nil, errors.New("cipher: invalid tweak length")
 	}
--- a/drbg/ctr_drbg.go
+++ b/drbg/ctr_drbg.go
@ -2,11 +2,11 @@ package drbg

 import (
 	"crypto/cipher"
+	"crypto/subtle"
 	"errors"
 	"time"

 	"github.com/emmansun/gmsm/internal/byteorder"
-	"github.com/emmansun/gmsm/internal/subtle"
 	"github.com/emmansun/gmsm/sm4"
 )

--- a/internal/cryptotest/stream.go
+++ b/internal/cryptotest/stream.go
@ -7,11 +7,10 @@ package cryptotest
 import (
 	"bytes"
 	"crypto/cipher"
+	"crypto/subtle"
 	"fmt"
 	"strings"
 	"testing"
-
-	"github.com/emmansun/gmsm/internal/subtle"
 )

 // Each test is executed with each of the buffer lengths in bufLens.
--- a/internal/sm4/cbc_cipher_asm.go
+++ b/internal/sm4/cbc_cipher_asm.go
@ -5,9 +5,9 @@ package sm4
 import (
 	"bytes"
 	"crypto/cipher"
+	"crypto/subtle"

 	"github.com/emmansun/gmsm/internal/alias"
-	"github.com/emmansun/gmsm/internal/subtle"
 )

 // Assert that sm4CipherAsm implements the cbcEncAble and cbcDecAble interfaces.
--- a/internal/sm4/ctr_cipher_asm.go
+++ b/internal/sm4/ctr_cipher_asm.go
@ -4,9 +4,9 @@ package sm4

 import (
 	"crypto/cipher"
+	"crypto/subtle"

 	"github.com/emmansun/gmsm/internal/alias"
-	"github.com/emmansun/gmsm/internal/subtle"
 )

 // Assert that sm4CipherAsm implements the ctrAble interface.
--- a/internal/sm4/gcm_cipher_asm.go
+++ b/internal/sm4/gcm_cipher_asm.go
@ -4,12 +4,11 @@ package sm4

 import (
 	"crypto/cipher"
-	goSubtle "crypto/subtle"
+	"crypto/subtle"
 	"errors"

 	"github.com/emmansun/gmsm/internal/alias"
 	"github.com/emmansun/gmsm/internal/byteorder"
-	"github.com/emmansun/gmsm/internal/subtle"
 )

 // Assert that sm4CipherAsm implements the gcmAble interface.
@ -147,7 +146,7 @@ func (g *gcm) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) {
 		panic("cipher: invalid buffer overlap")
 	}

-	if goSubtle.ConstantTimeCompare(expectedTag[:g.tagSize], tag) != 1 {
+	if subtle.ConstantTimeCompare(expectedTag[:g.tagSize], tag) != 1 {
 		// The AESNI code decrypts and authenticates concurrently, and
 		// so overwrites dst in the event of a tag mismatch. That
 		// behavior is mimicked here in order to be consistent across
--- a/internal/sm4/gcm_ppc64x.go
+++ b/internal/sm4/gcm_ppc64x.go
@ -8,13 +8,12 @@ package sm4

 import (
 	"crypto/cipher"
-	_subtle "crypto/subtle"
+	"crypto/subtle"
 	"errors"
 	"runtime"

 	"github.com/emmansun/gmsm/internal/alias"
 	"github.com/emmansun/gmsm/internal/byteorder"
-	"github.com/emmansun/gmsm/internal/subtle"
 )

 // Assert that sm4CipherAsm implements the gcmAble interface.
@ -236,7 +235,7 @@ func (g *gcmAsm) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) {
 		panic("cipher: invalid buffer overlap")
 	}

-	if _subtle.ConstantTimeCompare(expectedTag[:g.tagSize], tag) != 1 {
+	if subtle.ConstantTimeCompare(expectedTag[:g.tagSize], tag) != 1 {
 		clear(out)
 		return nil, errOpen
 	}
--- a/internal/zuc/eea.go
+++ b/internal/zuc/eea.go
@ -1,9 +1,10 @@
 package zuc

 import (
+	"crypto/subtle"
+
 	"github.com/emmansun/gmsm/internal/alias"
 	"github.com/emmansun/gmsm/internal/byteorder"
-	"github.com/emmansun/gmsm/internal/subtle"
 )

 const (
--- a/sm2/sm2_legacy.go
+++ b/sm2/sm2_legacy.go
@ -3,16 +3,16 @@ package sm2
 import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
-	_subtle "crypto/subtle"
+	"crypto/subtle"
 	"errors"
 	"fmt"
 	"io"
 	"math/big"
 	"strings"

-	"github.com/emmansun/gmsm/internal/subtle"
 	"github.com/emmansun/gmsm/sm2/sm2ec"
 	"github.com/emmansun/gmsm/sm3"
+	_subtle "github.com/emmansun/gmsm/internal/subtle"
 	"golang.org/x/crypto/cryptobyte"
 	"golang.org/x/crypto/cryptobyte/asn1"
 )
@ -260,7 +260,7 @@ func encryptLegacy(random io.Reader, pub *ecdsa.PublicKey, msg []byte, opts *Enc

 		//A5, calculate t=KDF(x2||y2, klen)
 		c2 := sm3.Kdf(append(bigIntToBytes(curve, x2), bigIntToBytes(curve, y2)...), msgLen)
-		if subtle.ConstantTimeAllZero(c2) == 1 {
+		if _subtle.ConstantTimeAllZero(c2) == 1 {
 			retryCount++
 			if retryCount > maxRetryLimit {
 				return nil, fmt.Errorf("sm2: A5, failed to calculate valid t, tried %v times", retryCount)
@ -319,7 +319,7 @@ func rawDecrypt(priv *PrivateKey, x1, y1 *big.Int, c2, c3 []byte) ([]byte, error
 	x2, y2 := curve.ScalarMult(x1, y1, priv.D.Bytes())
 	msgLen := len(c2)
 	msg := sm3.Kdf(append(bigIntToBytes(curve, x2), bigIntToBytes(curve, y2)...), msgLen)
-	if subtle.ConstantTimeAllZero(c2) == 1 {
+	if _subtle.ConstantTimeAllZero(c2) == 1 {
 		return nil, ErrDecryption
 	}

@ -327,7 +327,7 @@ func rawDecrypt(priv *PrivateKey, x1, y1 *big.Int, c2, c3 []byte) ([]byte, error
 	subtle.XORBytes(msg, c2, msg)

 	u := calculateC3(curve, x2, y2, msg)
-	if _subtle.ConstantTimeCompare(u, c3) == 1 {
+	if subtle.ConstantTimeCompare(u, c3) == 1 {
 		return msg, nil
 	}
 	return nil, ErrDecryption
--- a/sm2/sm2_pke.go
+++ b/sm2/sm2_pke.go
@ -12,7 +12,7 @@ package sm2
 import (
 	"crypto"
 	"crypto/ecdsa"
-	_subtle "crypto/subtle"
+	"crypto/subtle"
 	"errors"
 	"fmt"
 	"io"
@ -20,7 +20,7 @@ import (

 	"github.com/emmansun/gmsm/internal/bigmod"
 	_sm2ec "github.com/emmansun/gmsm/internal/sm2ec"
-	"github.com/emmansun/gmsm/internal/subtle"
+	_subtle "github.com/emmansun/gmsm/internal/subtle"
 	"github.com/emmansun/gmsm/sm3"
 	"golang.org/x/crypto/cryptobyte"
 	"golang.org/x/crypto/cryptobyte/asn1"
@ -175,7 +175,7 @@ func encryptSM2EC(c *sm2Curve, pub *ecdsa.PublicKey, random io.Reader, msg []byt
 		}
 		C2Bytes := C2.Bytes()[1:]
 		c2 := sm3.Kdf(C2Bytes, len(msg))
-		if subtle.ConstantTimeAllZero(c2) == 1 {
+		if _subtle.ConstantTimeAllZero(c2) == 1 {
 			retryCount++
 			if retryCount > maxRetryLimit {
 				return nil, fmt.Errorf("sm2: A5, failed to calculate valid t, tried %v times", retryCount)
@ -271,7 +271,7 @@ func decryptSM2EC(c *sm2Curve, priv *PrivateKey, ciphertext []byte, opts *Decryp
 	C2Bytes := C2.Bytes()[1:]
 	msgLen := len(c2)
 	msg := sm3.Kdf(C2Bytes, msgLen)
-	if subtle.ConstantTimeAllZero(c2) == 1 {
+	if _subtle.ConstantTimeAllZero(c2) == 1 {
 		return nil, ErrDecryption
 	}

@ -284,7 +284,7 @@ func decryptSM2EC(c *sm2Curve, priv *PrivateKey, ciphertext []byte, opts *Decryp
 	md.Write(C2Bytes[len(C2Bytes)/2:])
 	u := md.Sum(nil)

-	if _subtle.ConstantTimeCompare(u, c3) == 1 {
+	if subtle.ConstantTimeCompare(u, c3) == 1 {
 		return msg, nil
 	}
 	return nil, ErrDecryption
--- a/sm9/enc_mode.go
+++ b/sm9/enc_mode.go
@ -2,10 +2,10 @@ package sm9

 import (
 	"crypto/cipher"
+	"crypto/subtle"
 	"io"

 	_cipher "github.com/emmansun/gmsm/cipher"
-	"github.com/emmansun/gmsm/internal/subtle"
 	"github.com/emmansun/gmsm/padding"
 	"github.com/emmansun/gmsm/sm4"
 )