Skip to content

fix(crypto): make timingSafeEqual() truly timing-safe #6801

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 2 commits into from
Closed

fix(crypto): make timingSafeEqual() truly timing-safe #6801

wants to merge 2 commits into from

Conversation

babiabeo
Copy link
Contributor

@babiabeo babiabeo commented Aug 18, 2025
edited
Loading

The current timingSafeEqual() is not timing-safe and vulnerable to timing based attacks due to its early return on mismatched lengths:

if (a.byteLength !== b.byteLength) return false;

This PR refactors the function to use constant-time comparison.

(Im not sure if there is a way to test this)

@babiabeo babiabeo requested a review from kt3k as a code owner August 18, 2025 15:17
@codecov Codecov
Copy link

codecov bot commented Aug 18, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.19%. Comparing base (590b165) to head (0bb6075).

Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #6801   +/-   ##
=======================================
  Coverage   94.19%   94.19%           
=======================================
  Files         590      590           
  Lines       42649    42653    +4     
  Branches     6726     6726           
=======================================
+ Hits        40173    40177    +4     
  Misses       2427     2427           
  Partials       49       49

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@kt3k
Copy link
Member

kt3k commented Aug 19, 2025

The current timingSafeEqual() is not timing-safe and vulnerable

Does this mean the length of compared bytes can be detected by changing the input length?

I think the length of the compared bytes can be still detected as lengthMax can be controlled by the attacker's input length

@babiabeo
Copy link
Contributor Author

babiabeo commented Aug 19, 2025
edited
Loading

The current timingSafeEqual() is not timing-safe and vulnerable

Does this mean the length of compared bytes can be detected by changing the input length?

I think the length of the compared bytes can be still detected as lengthMax can be controlled by the attacker's input length

The main goal isn't to hide the length but to make the comparison constant-time. For example, in a non-timing-safe comparison, when comparing "abc" (the input) with "abcde" (the secret one), it'll immediately return false due to different lengths. The attacker can try other inputs until they find the one taking longer to process.

@babiabeo
Copy link
Contributor Author

Ok after thinking it over, the early return on mismatched length is totally fine since the length is not secret and it doesn’t leak secret information.

I'll close this PR.

@babiabeo babiabeo closed this Aug 19, 2025
@babiabeo babiabeo deleted the fix-timing-safe branch August 19, 2025 04:08
@babiabeo babiabeo restored the fix-timing-safe branch August 20, 2025 01:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kt3k kt3k Awaiting requested review from kt3k kt3k is a code owner

Assignees
No one assigned
Labels
crypto
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@babiabeo @kt3k