From 1dae6093c9ff0526dcd26ebd3dc9d57a118c58f4 Mon Sep 17 00:00:00 2001
From: Timshel
Date: Sat, 15 Mar 2025 18:33:17 +0000
Subject: [PATCH 1/2] Use subtle to replace deprecated ring::constant_time::verify_slices_are_equal (#5680)
---
 Cargo.lock | 5 +++--
 Cargo.toml | 3 ++-
 src/crypto.rs | 5 ++---
 3 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index 9db5a23c..72728273 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2972,9 +2972,9 @@ dependencies = [
 
 [[package]]
 name = "ring"
-version = "0.17.11"
+version = "0.17.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "da5349ae27d3887ca812fb375b45a4fbb36d8d12d2df394968cd86e35683fe73"
+checksum = "70ac5d832aa16abd7d1def883a8545280c20a60f523a370aa3a9617c2b8550ee"
 dependencies = [
 "cc",
 "cfg-if",
@@ -4142,6 +4142,7 @@ dependencies = [
 "semver",
 "serde",
 "serde_json",
+ "subtle",
 "syslog",
 "time",
 "tokio",
diff --git a/Cargo.toml b/Cargo.toml
index 68ef1866..8fdd6866 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -90,7 +90,8 @@ libsqlite3-sys = { version = "0.31.0", features = ["bundled"], optional = true }
 
 # Crypto-related libraries
 rand = "0.9.0"
-ring = "0.17.11"
+ring = "0.17.13"
+subtle = "2.6.1"
 
 # UUID generation
 uuid = { version = "1.14.0", features = ["v4"] }
diff --git a/src/crypto.rs b/src/crypto.rs
index 5ab8f1fb..ada0a26a 100644
--- a/src/crypto.rs
+++ b/src/crypto.rs
@@ -110,7 +110,6 @@ pub fn generate_api_key() -> String {
 // Constant time compare
 //
 pub fn ct_eq, U: AsRef<[u8]>>(a: T, b: U) -> bool {
- use ring::constant_time::verify_slices_are_equal;
-
- verify_slices_are_equal(a.as_ref(), b.as_ref()).is_ok()
+ use subtle::ConstantTimeEq;
+ a.as_ref().ct_eq(b.as_ref()).into()
 }
From 994d157064d1fd70bbaecae956c476afc9d5bb87 Mon Sep 17 00:00:00 2001
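Review bot: The `// Constant time compare` header above `ct_eq` in src/crypto.rs promises more than the new body delivers and should become a doc comment that states the limit. The slice implementation of `subtle::ConstantTimeEq` returns early when the two slices differ in length, so only the contents of equal-length inputs are compared in constant time and a length mismatch remains observable through timing; the replaced ring helper appears to have behaved the same way, so this is not a regression. I would write `/// Compares two byte strings; constant-time only for inputs of equal length, a length mismatch returns early.` and add a small unit test covering equal, unequal and different-length inputs so the `Choice` to `bool` conversion is pinned. The callers of `ct_eq` are outside this patch, so whether any of them compares variable-length secrets could not be checked here.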
From: Ben Sherman
Date: Sat, 15 Mar 2025 11:46:42 -0700
Subject: [PATCH 2/2] Add support for mutual-tls feature flag (#5698)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* Add support for mutual-tls feature flag
* Fix formatting
---------
Co-authored-by: Daniel GarcĂ­a
---
 .env.template | 1 +
 src/config.rs | 1 +
 2 files changed, 2 insertions(+)
diff --git a/.env.template b/.env.template
index 80eb4756..0ea15371 100644
--- a/.env.template
+++ b/.env.template
@@ -353,6 +353,7 @@
 ## - "inline-menu-positioning-improvements": Enable the use of inline menu password generator and identity suggestions in the browser extension.
 ## - "ssh-key-vault-item": Enable the creation and use of SSH key vault items. (Needs clients >=2024.12.0)
 ## - "ssh-agent": Enable SSH agent support on Desktop. (Needs desktop >=2024.12.0)
+## - "mutual-tls": Enable the use of mutual TLS on Android (Client >= 2025.2.0)
 # EXPERIMENTAL_CLIENT_FEATURE_FLAGS=fido2-vault-credentials
 
 ## Require new device emails. When a user logs in an email is required to be sent.
diff --git a/src/config.rs b/src/config.rs
index 09e6ac37..f82ff63d 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -842,6 +842,7 @@ fn validate_config(cfg: &ConfigItems) -> Result<(), Error> {
 "inline-menu-positioning-improvements",
 "ssh-key-vault-item",
 "ssh-agent",
+ "mutual-tls",
 ];
 let configured_flags = parse_experimental_client_feature_flags(&cfg.experimental_client_feature_flags);
 let invalid_flags: Vec<_> = configured_flags.keys().filter(|flag| !KNOWN_FLAGS.contains(&flag.as_str())).collect();