github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-03 09:22:44 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #120400 from neolit123/1.29-fix-bootstrap-token-constant-time

Browse Source 
cluster-bootstrap: address constant-time problems as in NCC-E003660-TTV
This commit is contained in:
Kubernetes Prow Robot 2023-10-06 11:57:55 +02:00 committed by GitHub
commit 5ff79611d5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 39 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
staging/src/k8s.io/cluster-bootstrap/token/util/helpers.go
View File

@ -17,9 +17,9 @@ limitations under the License.
package util package util
import ( import (
"bufio"
"crypto/rand" "crypto/rand"
"fmt" "fmt"
"math/big"
"regexp" "regexp"
"strings" "strings"
@ -59,29 +59,21 @@ func GenerateBootstrapToken() (string, error) {
// randBytes returns a random string consisting of the characters in // randBytes returns a random string consisting of the characters in
// validBootstrapTokenChars, with the length customized by the parameter // validBootstrapTokenChars, with the length customized by the parameter
func randBytes(length int) (string, error) { func randBytes(length int) (string, error) {
// len("0123456789abcdefghijklmnopqrstuvwxyz") = 36 which doesn't evenly divide
// the possible values of a byte: 256 mod 36 = 4. Discard any random bytes we
// read that are >= 252 so the bytes we evenly divide the character set.
const maxByteValue = 252
var ( var (
b byte
err error
token = make([]byte, length) token = make([]byte, length)
max = new(big.Int).SetUint64(uint64(len(validBootstrapTokenChars)))
) )
reader := bufio.NewReaderSize(rand.Reader, length*2)
for i := range token { for i := range token {
for { val, err := rand.Int(rand.Reader, max)
if b, err = reader.ReadByte(); err != nil { if err != nil {
return "", err return "", fmt.Errorf("could not generate random integer: %w", err)
}
if b < maxByteValue {
break
}
} }
// Use simple operations in constant-time to obtain a byte in the a-z,0-9
token[i] = validBootstrapTokenChars[int(b)%len(validBootstrapTokenChars)] // character range
x := val.Uint64()
res := x + 48 + (39 & ((9 - x) >> 8))
token[i] = byte(res)
} }
return string(token), nil return string(token), nil
@ -92,10 +84,36 @@ func TokenFromIDAndSecret(id, secret string) string {
return fmt.Sprintf("%s.%s", id, secret) return fmt.Sprintf("%s.%s", id, secret)
} }
// IsValidBootstrapToken returns whether the given string is valid as a Bootstrap Token and // IsValidBootstrapToken returns whether the given string is valid as a Bootstrap Token.
// in other words satisfies the BootstrapTokenRegexp // Avoid using BootstrapTokenRegexp.MatchString(token) and instead perform constant-time
// comparisons on the secret.
func IsValidBootstrapToken(token string) bool { func IsValidBootstrapToken(token string) bool {
return BootstrapTokenRegexp.MatchString(token) // Must be exactly two strings separated by "."
t := strings.Split(token, ".")
if len(t) != 2 {
return false
}
// Validate the ID: t[0]
// Using a Regexp for it is safe because the ID is public already
if !BootstrapTokenIDRegexp.MatchString(t[0]) {
return false
}
// Validate the secret with constant-time: t[1]
secret := t[1]
if len(secret) != api.BootstrapTokenSecretBytes { // Must be an exact size
return false
}
for i := range secret {
c := int(secret[i])
notDigit := (c < 48 || c > 57) // Character is not in the 0-9 range
notLetter := (c < 97 || c > 122) // Character is not in the a-z range
if notDigit && notLetter {
return false
}
}
return true
} }
// IsValidBootstrapTokenID returns whether the given string is valid as a Bootstrap Token ID and // IsValidBootstrapTokenID returns whether the given string is valid as a Bootstrap Token ID and