Several well-used programs in Golang use int64 as an identifier, but do not use constant time comparison when authenticating. This could be used to leak information to an adversary (potentially). Unfortunately, crypto/subtle does not have a constant-time comparison algorithm for int64, which would clearly be useful to have.
I do not have a clear understanding of how things work "under the hood" in Golang, so I do not trust myself to write a proper constant time int64 comparison algorithm for crypto/subtle. However, I think one could be easily implemented/adapted.
@FiloSottile@rsc@agl It looks like you guys know what you're doing on crypto/subtle. Could you help out here?
The text was updated successfully, but these errors were encountered: