Unverified Commit c46d6bb8 authored by Joe Beda's avatar Joe Beda

Use constant time compare for bootstrap tokens

parent 5e29e1ee
...@@ -20,6 +20,7 @@ Package bootstrap provides a token authenticator for TLS bootstrap secrets. ...@@ -20,6 +20,7 @@ Package bootstrap provides a token authenticator for TLS bootstrap secrets.
package bootstrap package bootstrap
import ( import (
"crypto/subtle"
"fmt" "fmt"
"regexp" "regexp"
"time" "time"
...@@ -95,7 +96,7 @@ func (t *TokenAuthenticator) AuthenticateToken(token string) (user.Info, bool, e ...@@ -95,7 +96,7 @@ func (t *TokenAuthenticator) AuthenticateToken(token string) (user.Info, bool, e
} }
ts := getSecretString(secret, bootstrapapi.BootstrapTokenSecretKey) ts := getSecretString(secret, bootstrapapi.BootstrapTokenSecretKey)
if ts != tokenSecret { if subtle.ConstantTimeCompare([]byte(ts), []byte(tokenSecret)) != 1 {
return nil, false, nil return nil, false, nil
} }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment