From fa5b6696cfeeee13931e09237a78f8ff26e49f8a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9o=20Rebert?= <cleo.rebert@gmail.com>
Date: Mon, 9 May 2022 20:03:01 +0200
Subject: [PATCH] Possible timing attack in totp-rs (#1229)

* Create RUSTSEC-0000-0000.md

* Fix [affected.functions]
---
 crates/totp-rs/RUSTSEC-0000-0000.md | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 crates/totp-rs/RUSTSEC-0000-0000.md

diff --git a/crates/totp-rs/RUSTSEC-0000-0000.md b/crates/totp-rs/RUSTSEC-0000-0000.md
new file mode 100644
index 0000000..fccb5cb
--- /dev/null
+++ b/crates/totp-rs/RUSTSEC-0000-0000.md
@@ -0,0 +1,23 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "totp-rs"
+date = "2022-05-09"
+url = "https://github.com/constantoine/totp-rs/security/advisories/GHSA-8vxv-2g8p-2249"
+categories = ["crypto-failure"]
+cvss = "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N"
+keywords = ["side-channel", "timing-attack"]
+aliases = ["CVE-2022-29185"]
+
+[affected.functions]
+"totp_rs::TOTP::check" = ["< 1.1.0"]
+
+[versions]
+patched = [">= 1.1.0"]
+```
+
+# Timing attack
+
+Affecting versions did not compare tokens in constant time, which could make it possible for an attacker to guess the 2fa token of a user.
+
+This has been fixed by using using the crate constant_time_eq for comparison.