From c46d6bb825cb621e3c9abf98d232f5fcc855ae06 Mon Sep 17 00:00:00 2001
From: Joe Beda
Date: Tue, 14 Mar 2017 14:06:33 +0000
Subject: [PATCH] Use constant time compare for bootstrap tokens

Signed-off-by: Joe Beda
---
 plugin/pkg/auth/authenticator/token/bootstrap/bootstrap.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/plugin/pkg/auth/authenticator/token/bootstrap/bootstrap.go b/plugin/pkg/auth/authenticator/token/bootstrap/bootstrap.go
index 862393fb30c..f605ab6d6d2 100644
--- a/plugin/pkg/auth/authenticator/token/bootstrap/bootstrap.go
+++ b/plugin/pkg/auth/authenticator/token/bootstrap/bootstrap.go
@@ -20,6 +20,7 @@ Package bootstrap provides a token authenticator for TLS bootstrap secrets.
 package bootstrap

 import (
+ "crypto/subtle"
 "fmt"
 "regexp"
 "time"
@@ -95,7 +96,7 @@ func (t *TokenAuthenticator) AuthenticateToken(token string) (user.Info, bool, e
 }

 ts := getSecretString(secret, bootstrapapi.BootstrapTokenSecretKey)
- if ts != tokenSecret {
+ if subtle.ConstantTimeCompare([]byte(ts), []byte(tokenSecret)) != 1 {
 return nil, false, nil
 }
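Review bot: The `subtle.ConstantTimeCompare` check in `AuthenticateToken` has no comment explaining why plain `!=` is avoided, so a later cleanup could quietly restore the timing side channel; add something like `// Constant-time compare: response timing must not reveal how many leading bytes of the token secret matched.` above it. Note also that `ConstantTimeCompare` returns 0 immediately when the two slices differ in length, so the guarantee only covers equal-length inputs. Whether the presented secret's length is fixed before this point (the file imports `regexp`, so presumably by the token format check) cannot be seen here, because the function body starts and ends outside the hunk; if it is, say so in the comment.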