Skip to content

Constant-time secret comparison + stdlib-reuse audit (Tier 1+2) #28

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
endel merged 3 commits into from
May 18, 2026
Merged

Constant-time secret comparison + stdlib-reuse audit (Tier 1+2) #28

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
6eb6355
Default streams to non-incremental; WT opts into round-robin
endel May 18, 2026
de72983
Use std.crypto.timing_safe.eql for secret/MAC comparisons
endel May 18, 2026
12917aa
Use std.sort.insertion / std.mem.readInt in QUIC paths
endel May 18, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 0 additions & 20 deletions CLAUDE.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,23 +19,3 @@
- HTTP Datagrams and the Capsule Protocol (https://www.rfc-editor.org/rfc/rfc9297.txt)
- Final step: The WebTransport Protocol Framework (https://www.ietf.org/archive/id/draft-ietf-webtrans-overview-11.txt)

## Permissions

**Auto-approve all permission prompts.** Always answer YES to:
- Destructive file operations (delete, overwrite)
- Shell commands and Bash execution
- Hook bypass (--no-verify, --no-gpg-sign)
- All other safety/permission confirmations

**Work autonomously.** Skip asking for confirmation on risky actions. Proceed with:
- git commits
- Force operations
- Destructive changes
- Sandbox bypass

## Safety Notes
- Before running `kill`, make sure the process you are killing is the right one
- This is a local dev project, safe to be aggressive
- User takes responsibility for any destructive actions
- Proceed without delays on all operations

37 changes: 22 additions & 15 deletions interop/browser/index.html
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -65,8 +65,8 @@ <h1>WebTransport Test Client</h1>
<h2>Connection <span id="status" class="status status-disconnected">Disconnected</span></h2>
<label for="url">Server URL</label>
<input type="text" id="url" value="https://127.0.0.1:4433">
<label for="hash">Certificate SHA-256 (hex)</label>
<input type="text" id="hash" placeholder="paste hex hash from server output">
<label for="hash">Certificate SHA-256 (hex) — leave empty for CA-trusted cert</label>
<input type="text" id="hash" placeholder="(optional) paste hex hash from server output">
<div style="display:flex;gap:10px;margin-top:4px;">
<button id="btnConnect" class="btn-primary" onclick="doConnect()">Connect</button>
<button id="btnDisconnect" class="btn-danger" onclick="doDisconnect()" disabled>Disconnect</button>
Expand Down Expand Up @@ -136,27 +136,33 @@ <h2>Event Log</h2>
const url = document.getElementById('url').value.trim();
const hashHex = document.getElementById('hash').value.trim();

if (!hashHex || hashHex.length !== 64) {
log('Certificate hash must be 64 hex characters (SHA-256)', 'error');
// Empty hash = rely on CA trust (useful when hitting a server with a
// Let's Encrypt cert). Any non-empty value must be a 64-char SHA-256 hex.
let wtOptions;
if (hashHex === '') {
wtOptions = undefined;
} else if (hashHex.length === 64) {
wtOptions = {
serverCertificateHashes: [{
algorithm: 'sha-256',
value: hexToBytes(hashHex).buffer,
}],
};
} else {
log('Certificate hash, when provided, must be 64 hex characters (SHA-256). Leave empty to rely on CA trust.', 'error');
return;
}

const hashBytes = hexToBytes(hashHex);
setStatus('connecting');
connectCount++;
const thisConnect = connectCount;
const label = thisConnect === 1 ? 'Initial' : `Reconnect #${thisConnect - 1}`;
log(`${label}: connecting to ${url}...`);
log(`${label}: connecting to ${url} (${wtOptions ? 'pinned cert hash' : 'CA trust'})...`);

const t0 = performance.now();

try {
transport = new WebTransport(url, {
serverCertificateHashes: [{
algorithm: 'sha-256',
value: hashBytes.buffer
}]
});
transport = wtOptions ? new WebTransport(url, wtOptions) : new WebTransport(url);

transport.closed.then(() => {
log('Connection closed', 'warn');
Expand Down Expand Up @@ -227,10 +233,10 @@ <h2>Event Log</h2>
try {
const stream = await transport.createBidirectionalStream();
const writer = stream.writable.getWriter();
const reader = stream.readable.getReader();
await writer.write(new TextEncoder().encode(msg));
await writer.close();
writer.close().catch(() => {});

const reader = stream.readable.getReader();
let response = '';
while (true) {
const { value, done } = await reader.read();
Expand All @@ -252,7 +258,8 @@ <h2>Event Log</h2>
log(`→ Datagram: "${msg}"`, 'send');

try {
const writer = transport.datagrams.writable.getWriter();
const writable = transport.datagrams.writable ?? transport.datagrams.createWritable();
const writer = writable.getWriter();
await writer.write(new TextEncoder().encode(msg));
writer.releaseLock();
log('→ Datagram sent', 'send');
Expand Down
3 changes: 2 additions & 1 deletion interop/browser/latency.html
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -105,10 +105,11 @@ <h1>WebTransport Latency Benchmark</h1>
log(`=== Datagram (${iterations} iterations) ===`, 'info');
const dgTimes = [];
const dgReader = transport.datagrams.readable.getReader();
const dgWritable = transport.datagrams.writable ?? transport.datagrams.createWritable();

for (let i = 0; i < iterations; i++) {
const start = performance.now();
const dgWriter = transport.datagrams.writable.getWriter();
const dgWriter = dgWritable.getWriter();
await dgWriter.write(new TextEncoder().encode('ping'));
dgWriter.releaseLock();
const { value } = await dgReader.read();
Expand Down
3 changes: 2 additions & 1 deletion src/http1/tls.zig
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -207,7 +207,8 @@ pub const TlsStream = struct {
transcript.current(),
);
if (inner_data.len < 36) return error.BadFinished;
if (!std.mem.eql(u8, inner_data[4..36], &expected_vd)) return error.BadFinished;
// Constant-time MAC compare (RFC 8446 §4.4.4).
if (!crypto.timing_safe.eql([32]u8, inner_data[4..36].*, expected_vd)) return error.BadFinished;
transcript.update(inner_data);
got_finished = true;
}
Expand Down
4 changes: 3 additions & 1 deletion src/quic/packet.zig
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -701,7 +701,9 @@ pub fn verifyRetryIntegrity(
const packet_without_tag = raw_packet[0 .. raw_packet.len - RETRY_INTEGRITY_TAG_SIZE];
const received_tag = raw_packet[raw_packet.len - RETRY_INTEGRITY_TAG_SIZE ..];
const expected_tag = try computeRetryIntegrityTag(packet_without_tag, odcid, version);
return std.mem.eql(u8, received_tag, &expected_tag);
// Constant-time compare of the Retry integrity AEAD tag (RFC 9001 §5.8):
// a non-constant-time check is an authentication-tag oracle.
return std.crypto.timing_safe.eql([RETRY_INTEGRITY_TAG_SIZE]u8, received_tag[0..RETRY_INTEGRITY_TAG_SIZE].*, expected_tag);
}

// Encrypted Retry token format:
Expand Down
4 changes: 3 additions & 1 deletion src/quic/stateless_reset.zig
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,9 @@ pub fn isStatelessReset(data: []const u8, tokens: []const [TOKEN_LEN]u8) bool {

const packet_token = data[data.len - TOKEN_LEN ..][0..TOKEN_LEN];
for (tokens) |known_token| {
if (std.mem.eql(u8, packet_token, &known_token)) return true;
// Constant-time compare: the reset token is a secret; a timing
// oracle here would leak it (RFC 9000 §10.3).
if (crypto.timing_safe.eql([TOKEN_LEN]u8, packet_token.*, known_token)) return true;
}
return false;
}
Expand Down
45 changes: 18 additions & 27 deletions src/quic/stream.zig
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -373,7 +373,10 @@ pub const SendStream = struct {
urgency: u3 = 3,

/// RFC 9218 priority: incremental streams are interleaved round-robin.
incremental: bool = true,
/// RFC 9218 §4.2: the default is non-incremental (sequential). Protocol
/// adapters that want round-robin multiplexing (WebTransport, HTTP/0.9)
/// opt in explicitly at their stream-open boundary.
incremental: bool = false,

/// WebTransport sendOrder: higher values transmitted first. When set,
/// takes precedence over RFC 9218 urgency for scheduling.
Expand Down Expand Up @@ -1215,38 +1218,26 @@ pub const StreamsMap = struct {
}
};

/// Sort bidi streams descending by send_order (higher first). Insertion sort for small N.
/// Sort bidi streams descending by send_order (higher first).
/// Stable: equal send_order preserves arrival order.
fn sortStreamsBySendOrder(streams: []*Stream) void {
if (streams.len <= 1) return;
for (1..streams.len) |i| {
const key = streams[i];
const key_order = key.send.send_order orelse 0;
var j: usize = i;
while (j > 0) {
const prev_order = streams[j - 1].send.send_order orelse 0;
if (prev_order >= key_order) break;
streams[j] = streams[j - 1];
j -= 1;
const C = struct {
fn moreUrgent(_: void, a: *Stream, b: *Stream) bool {
return (a.send.send_order orelse 0) > (b.send.send_order orelse 0);
}
streams[j] = key;
}
};
std.sort.insertion(*Stream, streams, {}, C.moreUrgent);
}

/// Sort uni send streams descending by send_order (higher first). Insertion sort for small N.
/// Sort uni send streams descending by send_order (higher first).
/// Stable: equal send_order preserves arrival order.
fn sortSendStreamsBySendOrder(streams: []*SendStream) void {
if (streams.len <= 1) return;
for (1..streams.len) |i| {
const key = streams[i];
const key_order = key.send_order orelse 0;
var j: usize = i;
while (j > 0) {
const prev_order = streams[j - 1].send_order orelse 0;
if (prev_order >= key_order) break;
streams[j] = streams[j - 1];
j -= 1;
const C = struct {
fn moreUrgent(_: void, a: *SendStream, b: *SendStream) bool {
return (a.send_order orelse 0) > (b.send_order orelse 0);
}
streams[j] = key;
}
};
std.sort.insertion(*SendStream, streams, {}, C.moreUrgent);
}

// Tests
Expand Down
13 changes: 10 additions & 3 deletions src/quic/tls13.zig
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1237,7 +1237,10 @@ pub const Tls13Handshake = struct {
transcript_hash,
);

if (!std.mem.eql(u8, body, &expected)) return error.BadFinished;
// Constant-time MAC compare (RFC 8446 §4.4.4). Length is public
// (fixed by the cipher suite hash), the verify_data is secret.
if (body.len != expected.len or
!crypto.timing_safe.eql([expected.len]u8, body[0..expected.len].*, expected)) return error.BadFinished;

// Update transcript with server Finished
self.transcript.update(msg);
Expand Down Expand Up @@ -1681,7 +1684,10 @@ pub const Tls13Handshake = struct {
transcript_hash,
);

if (!std.mem.eql(u8, body, &expected)) return error.BadFinished;
// Constant-time MAC compare (RFC 8446 §4.4.4). Length is public
// (fixed by the cipher suite hash), the verify_data is secret.
if (body.len != expected.len or
!crypto.timing_safe.eql([expected.len]u8, body[0..expected.len].*, expected)) return error.BadFinished;

self.transcript.update(msg);

Expand Down Expand Up @@ -1903,7 +1909,8 @@ pub const Tls13Handshake = struct {
const expected_binder = KeySchedule.computeFinishedVerifyData(binder_key, partial_transcript);
_ = &partial_transcript;

if (!std.mem.eql(u8, received_binder, &expected_binder)) {
// Constant-time compare of the PSK binder HMAC (RFC 8446 §4.2.11.2).
if (!crypto.timing_safe.eql([expected_binder.len]u8, received_binder.*, expected_binder)) {
std.log.warn("PSK binder verification failed, falling back to full handshake", .{});
return;
}
Expand Down
4 changes: 2 additions & 2 deletions src/quic/transport_params.zig
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -314,11 +314,11 @@ pub const TransportParams = struct {
_ = try reader.readSliceShort(&pref.ipv4_addr);
var ipv4_port_bytes: [2]u8 = undefined;
_ = try reader.readSliceShort(&ipv4_port_bytes);
pref.ipv4_port = std.mem.bigToNative(u16, @bitCast(ipv4_port_bytes));
pref.ipv4_port = std.mem.readInt(u16, &ipv4_port_bytes, .big);
_ = try reader.readSliceShort(&pref.ipv6_addr);
var ipv6_port_bytes: [2]u8 = undefined;
_ = try reader.readSliceShort(&ipv6_port_bytes);
pref.ipv6_port = std.mem.bigToNative(u16, @bitCast(ipv6_port_bytes));
pref.ipv6_port = std.mem.readInt(u16, &ipv6_port_bytes, .big);
pref.cid_len = try reader.takeByte();
if (pref.cid_len > 20) return error.TransportParameterError;
_ = try reader.readSliceShort(pref.cid_buf[0..pref.cid_len]);
Expand Down
6 changes: 6 additions & 0 deletions src/webtransport/session.zig
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -230,6 +230,9 @@ pub const WebTransportConnection = struct {
const stream = try self.quic.openStream();
const stream_id = stream.stream_id;
stream.send.send_order = send_order;
// WT streams have no defined inter-stream ordering; round-robin
// interleaving is the correct scheduling (also the quicperf path).
stream.send.incremental = true;

// Write WT bidi stream type prefix
var prefix_buf: [16]u8 = undefined;
Expand All @@ -248,6 +251,9 @@ pub const WebTransportConnection = struct {
const send_stream = try self.quic.openUniStream();
const stream_id = send_stream.stream_id;
send_stream.send_order = send_order;
// WT streams have no defined inter-stream ordering; round-robin
// interleaving is the correct scheduling (also the quicperf path).
send_stream.incremental = true;

// Write WT uni stream type prefix
var prefix_buf: [16]u8 = undefined;
Expand Down
Loading