wickr-crypto-c
Base64 Encoding is not Constant-Time
Wickr uses a straightforward implementation of the RFC 4648 base64 codec in util.c.
To translate between 6-bit groups and base64 characters, the codec indexes a lookup table with the data being processed; the rest of the code uses that table for both encoding and decoding. Because the table index is derived from the input, the memory access pattern (and therefore the cache state) depends on the data, which is what makes the codec non-constant-time.
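For illustration, the following is an added example written for this report and is not code from wickr-crypto-c or util.c. It places a table-driven RFC 4648 character map of the kind described above next to a branch-free map that derives each character arithmetically from the 6-bit value, and an encoder that can be driven by either. The helper names (`b64_table_char`, `b64_ct_char`, `b64_encode`, `b64_encodes_to`) and the sample inputs are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Table-driven map, as in a straightforward RFC 4648 codec. The index into
   b64_table is derived from the (possibly secret) input, so which cache line
   is touched depends on the data: this is the non-constant-time lookup. */
static const char b64_table[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

static char b64_table_char(unsigned v) { return b64_table[v & 63]; }

/* 8-bit boolean masks (0xFF or 0x00) computed without branches. Valid for
   operands below 256, which holds for every value used here. */
static unsigned ct_lt(unsigned x, unsigned y) { return ((x - y) >> 8) & 0xFF; } /* x <  y */
static unsigned ct_ge(unsigned x, unsigned y) { return ct_lt(x, y) ^ 0xFF; }   /* x >= y */

/* Branch-free map: every range of the RFC 4648 alphabet is computed and the
   correct one is selected by masks, so no memory access depends on v.
   0-25 -> 'A'..'Z', 26-51 -> 'a'..'z', 52-61 -> '0'..'9', 62 -> '+', 63 -> '/' */
static char b64_ct_char(unsigned v) {
    unsigned c = 0;
    c |= ct_lt(v, 26) & (v + 'A');
    c |= ct_ge(v, 26) & ct_lt(v, 52) & (v - 26 + 'a');
    c |= ct_ge(v, 52) & ct_lt(v, 62) & (v - 52 + '0');
    c |= ct_ge(v, 62) & ct_lt(v, 63) & '+';
    c |= ct_ge(v, 63) & '/';
    return (char)c;
}

typedef char (*b64_map_fn)(unsigned);

/* Encode in[0..len) into out (NUL-terminated) using the given character map.
   out must hold 4 * ceil(len / 3) + 1 bytes. Returns characters written.
   The only branches here are on len, which is normally public; the per-byte
   work is branch-free when driven by b64_ct_char. */
static size_t b64_encode(const uint8_t *in, size_t len, char *out, b64_map_fn map) {
    size_t i = 0, o = 0;
    while (i + 3 <= len) {
        uint32_t n = (uint32_t)in[i] << 16 | (uint32_t)in[i + 1] << 8 | in[i + 2];
        out[o++] = map((n >> 18) & 63);
        out[o++] = map((n >> 12) & 63);
        out[o++] = map((n >> 6) & 63);
        out[o++] = map(n & 63);
        i += 3;
    }
    size_t rem = len - i;
    if (rem == 1) {
        uint32_t n = (uint32_t)in[i] << 16;
        out[o++] = map((n >> 18) & 63);
        out[o++] = map((n >> 12) & 63);
        out[o++] = '=';
        out[o++] = '=';
    } else if (rem == 2) {
        uint32_t n = (uint32_t)in[i] << 16 | (uint32_t)in[i + 1] << 8;
        out[o++] = map((n >> 18) & 63);
        out[o++] = map((n >> 12) & 63);
        out[o++] = map((n >> 6) & 63);
        out[o++] = '=';
    }
    out[o] = '\0';
    return o;
}

/* Check that the branch-free map agrees with the table for all 64 values. */
static int b64_maps_agree(void) {
    for (unsigned v = 0; v < 64; v++)
        if (b64_ct_char(v) != b64_table_char(v)) return 0;
    return 1;
}

/* Encode a NUL-terminated string with both maps; 1 if both match expected. */
static int b64_encodes_to(const char *s, const char *expected) {
    char a[64], b[64];
    size_t len = strlen(s);
    if (4 * ((len + 2) / 3) + 1 > sizeof a) return 0;
    b64_encode((const uint8_t *)s, len, a, b64_table_char);
    b64_encode((const uint8_t *)s, len, b, b64_ct_char);
    return strcmp(a, expected) == 0 && strcmp(b, expected) == 0;
}

int main(void) {
    /* Constructed sample input; "Man" is the classic RFC 4648 test vector. */
    char out[64];
    b64_encode((const uint8_t *)"Man", 3, out, b64_ct_char);
    printf("maps agree: %d, ct encode of \"Man\": %s\n", b64_maps_agree(), out);
    return 0;
}
```

The branch-free map only removes the secret-indexed table read; a decoder needs the same treatment on the inverse mapping, and the padding logic still branches on the length, which is fine only while the length is public.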
At first, I thought this was a security vulnerability that could leak private keys, due to this paper (also attached).
However, these utilities are only used in test scripts. The hex-encoding function is also used to encode fingerprints, but those are not sensitive.
Since I can't see a way to exploit this, I thought I would report it as a regular issue.