You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This implementation's verify_raw() function doesn't make any attempt to use constant-time comparison, opening up the potential for side-channel attacks:
This implementation's
verify_raw()
function doesn't make any attempt to use constant-time comparison, opening up the potential for side-channel attacks:https://github.com/sru-systems/rust-argon2/blob/master/src/argon2.rs#L543
The reference implementation does attempt to make the comparison constant-time:
https://github.com/P-H-C/phc-winner-argon2/blob/f30e1f11f2e2619f07a4950abe1419218c4900be/src/argon2.c#L239
(As far as I can tell, the spec does not explicitly mention a requirement for this.)
The text was updated successfully, but these errors were encountered: