Merge pull request #43078 from jbeda/constant-token-compare

Automatic merge from submit-queue (batch tested with PRs 43022, 43078) Use constant time compare for bootstrap tokens This is a subtle security issue that should go in for 1.6 on a new feature (bootstrap tokens). ```release-note NONE ```
2025-07-22 19:31:44 +00:00 · 2017-03-14 08:49:20 -07:00 · 2017-03-14 08:49:20 -07:00 · 204540e36a
commit 204540e36a
parent c425b4edb9 c46d6bb825
1 changed files with 2 additions and 1 deletions
--- a/plugin/pkg/auth/authenticator/token/bootstrap/bootstrap.go
+++ b/plugin/pkg/auth/authenticator/token/bootstrap/bootstrap.go
@ -20,6 +20,7 @@ Package bootstrap provides a token authenticator for TLS bootstrap secrets.
 package bootstrap

 import (
+	"crypto/subtle"
 	"fmt"
 	"regexp"
 	"time"
@ -95,7 +96,7 @@ func (t *TokenAuthenticator) AuthenticateToken(token string) (user.Info, bool, e
 	}

 	ts := getSecretString(secret, bootstrapapi.BootstrapTokenSecretKey)
-	if ts != tokenSecret {
+	if subtle.ConstantTimeCompare([]byte(ts), []byte(tokenSecret)) != 1 {
 		return nil, false, nil
 	}