signalapp / libsignal

Home to the Signal Protocol as well as other cryptographic primitives which make Signal possible.
GNU Affero General Public License v3.0

add docs to utils and expose `constant_time_cmp()` to consumers #469

Closed cosmicexplorer closed 2 years ago

cosmicexplorer commented 2 years ago

Broken out of #287.

This key comparison method is useful to have for downstream consumers to avoid leaking timing information when comparing bytes. If downstream consumers of the libsignal crate wish to implement their own structs wrapping secret bytes, they now have a clearly documented example of how to implement that.

jrose-signal commented 2 years ago

I got curious as to why subtle doesn't have this, since it seems like they could implement it similarly, and found https://github.com/dalek-cryptography/subtle/issues/61. libsignal-protocol's implementation isn't actually lexicographic, it's length-lexicographic, and (as noted) not constant-time in that case. I'd say that tips it over the edge to being left as an implementation detail; the place for this is really subtle (or subtle-ng), and just because they don't have it doesn't mean we should provide our own quirky implementation.
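
The two points raised in this thread (the first comment's "compare secret bytes without leaking timing" and the reply's "length-lexicographic, not lexicographic, and not constant-time across lengths") as an added example. This is illustrative code written for this page, not libsignal's `constant_time_cmp()` and not the `subtle` crate; it uses only the Rust standard library, and `std::hint::black_box` is a best-effort hint to the optimizer, not a guarantee of constant time.

```rust
use std::cmp::Ordering;
use std::hint::black_box;

/// Constant-time equality for byte slices of the same length: every byte
/// pair is XORed and OR-accumulated, and the result is inspected only once,
/// after the loop. `black_box` discourages the optimizer from turning the
/// accumulation back into an early-exit loop; it is a hint, not a guarantee.
pub fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        // Lengths are compared directly, so this branch reveals whether the
        // lengths match. Callers must treat the length as public.
        return false;
    }
    let mut diff: u8 = 0;
    for (&x, &y) in a.iter().zip(b.iter()) {
        diff |= black_box(x ^ y);
    }
    black_box(diff) == 0
}

/// Length-lexicographic ordering: a shorter slice sorts before a longer one,
/// and only equal-length slices are compared byte by byte. The byte loop is
/// branch-free and visits every byte; the length check is an ordinary
/// data-dependent branch, which is the caveat the reply above points at.
pub fn ct_length_lexicographic_cmp(a: &[u8], b: &[u8]) -> Ordering {
    match a.len().cmp(&b.len()) {
        Ordering::Equal => {}
        unequal => return unequal, // early exit: timing depends on the lengths
    }
    // All-ones masks recording whether a difference has been seen and, for
    // the first differing byte only, which side was smaller.
    let mut decided: u8 = 0;
    let mut lt_acc: u8 = 0;
    let mut gt_acc: u8 = 0;
    for (&x, &y) in a.iter().zip(b.iter()) {
        // (x - y) in u16 borrows into the high byte exactly when x < y, so
        // shifting down yields 0xFF for "less" and 0x00 otherwise.
        let lt = ((x as u16).wrapping_sub(y as u16) >> 8) as u8;
        let gt = ((y as u16).wrapping_sub(x as u16) >> 8) as u8;
        let first = (lt | gt) & !decided; // 0xFF only at the first mismatch
        lt_acc |= black_box(first & lt);
        gt_acc |= black_box(first & gt);
        decided |= lt | gt;
    }
    // The ordering itself is the public output, so branching here is fine.
    if black_box(lt_acc) != 0 {
        Ordering::Less
    } else if black_box(gt_acc) != 0 {
        Ordering::Greater
    } else {
        Ordering::Equal
    }
}

fn main() {
    // Constructed sample inputs.
    println!("ct_eq(abc, abc) = {}", ct_eq(b"abc", b"abc"));
    println!("ct_eq(abc, abd) = {}", ct_eq(b"abc", b"abd"));
    // Length-lexicographic and plain lexicographic order disagree here:
    // "z" is shorter than "aa", so it sorts first, although 'z' > 'a'.
    println!(
        "length-lex(z, aa) = {:?}, lex(z, aa) = {:?}",
        ct_length_lexicographic_cmp(b"z", b"aa"),
        b"z"[..].cmp(&b"aa"[..])
    );
}
```

The `b"z"` versus `b"aa"` case is the concrete difference between the two orderings: the length-first rule returns `Less` where `Ord` on slices returns `Greater`. For production code the thread's conclusion stands: use `subtle::ConstantTimeEq` (and whatever ordering primitive `subtle` provides) rather than a hand-rolled variant.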

cosmicexplorer commented 2 years ago

Ok, that is exactly what I was hoping to learn from filing this (my thought was: if we're doing something very wonky, let's document it, and if we're not, let's use the more canonical thing)! I'll close this PR and see what subtle/subtle-ng thinks about this use case.

cosmicexplorer commented 2 years ago

I am hoping to implement this in zkcrypto/subtle-ng#5!

cosmicexplorer commented 1 year ago

Note: subtle-ng is unmaintained, subtle is the correct project.