Use `subtle` for constant-time compare

Open cjpatton opened this issue 2 years ago • 1 comments

When validating a bearer token we use a constant-time comparison algorithm in order to avoid leaking bits of the bearer token via a side channel: https://github.com/cloudflare/daphne/blob/main/daphne/src/messages/mod.rs#L1184

We should replace this with the implementation in the subtle crate, since the code is delicate and easy to get wrong.

cjpatton, Mar 15 '23 23:03

While at it, address this: https://github.com/cloudflare/daphne/pull/473/files#diff-6660c5f7b70da1bf7dd0a22e00b5ee3191e693b9cef73a0fb5aeb31ae514f28cR59

cjpatton, Jan 14 '24 21:01
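
The side channel this issue is about, as an added std-only illustration that is not daphne's code and not part of the thread: an early-exit comparison does work proportional to the matching prefix of the guess, while an accumulating comparison does the same work wherever the mismatch sits. The function names and the token value are hypothetical, and the step counter stands in for elapsed time so the effect is deterministic.

```rust
// Added illustration (std only); names are hypothetical, not daphne's code.

/// Early-exit comparison: the number of bytes examined depends on how many
/// leading bytes of the guess match the secret. Returns (equal, bytes_examined).
fn leaky_eq(secret: &[u8], guess: &[u8]) -> (bool, usize) {
    if secret.len() != guess.len() {
        return (false, 0);
    }
    let mut examined = 0;
    for (a, b) in secret.iter().zip(guess) {
        examined += 1;
        if a != b {
            return (false, examined); // stops at the first differing byte
        }
    }
    (true, examined)
}

/// Accumulating comparison: every byte is examined and differences are OR-ed
/// together, so the work done does not depend on where the first mismatch is.
/// The length check still exits early; token length is treated as public here.
fn fixed_work_eq(secret: &[u8], guess: &[u8]) -> (bool, usize) {
    if secret.len() != guess.len() {
        return (false, 0);
    }
    let mut diff = 0u8;
    let mut examined = 0;
    for (a, b) in secret.iter().zip(guess) {
        examined += 1;
        diff |= a ^ b;
    }
    // black_box is only a best-effort hint to the optimizer, one reason a
    // vetted crate is preferable to a hand-written loop like this one.
    (std::hint::black_box(diff) == 0, examined)
}

fn main() {
    let secret: &[u8] = b"constructed-token-0123"; // constructed sample value
    let guesses: [&[u8]; 3] = [
        b"Xonstructed-token-0123", // wrong first byte
        b"constructed-tokeX-0123", // wrong seventeenth byte
        b"constructed-token-0123", // correct
    ];
    for g in guesses {
        println!("leaky={:?} fixed={:?}", leaky_eq(secret, g), fixed_work_eq(secret, g));
    }
}
```

With the `subtle` crate the hand-written loop is replaced by the `ConstantTimeEq` trait: `bool::from(secret.ct_eq(guess))`.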