From 3d2bc6f6ae691d405e8d6bfce9d66af816454ff0 Mon Sep 17 00:00:00 2001
From: Ted Yu
Date: Wed, 7 Aug 2019 22:07:56 -0700
Subject: [PATCH] Constant time password comparison

---
 pkg/kubeapiserver/options/authentication.go | 1 +
 .../pkg/authenticator/password/passwordfile/passwordfile.go | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/pkg/kubeapiserver/options/authentication.go b/pkg/kubeapiserver/options/authentication.go
index 383717487a8..68c4fba0149 100644
--- a/pkg/kubeapiserver/options/authentication.go
+++ b/pkg/kubeapiserver/options/authentication.go
@@ -259,6 +259,7 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
 		fs.StringVar(&s.PasswordFile.BasicAuthFile, "basic-auth-file", s.PasswordFile.BasicAuthFile, ""+
 			"If set, the file that will be used to admit requests to the secure port of the API server "+
 			"via http basic authentication.")
+		fs.MarkDeprecated("basic-auth-file", "Basic authentication mode is deprecated and will be removed in a future release. It is not recommended for production environments.")
 	}
 
 	if s.RequestHeader != nil {
diff --git a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile/passwordfile.go b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile/passwordfile.go
index 3c54ed78e13..be5504bec0e 100644
--- a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile/passwordfile.go
+++ b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile/passwordfile.go
@@ -18,6 +18,7 @@ package passwordfile
 
 import (
 	"context"
+	"crypto/subtle"
 	"encoding/csv"
 	"fmt"
 	"io"
@@ -85,7 +86,7 @@ func (a *PasswordAuthenticator) AuthenticatePassword(ctx context.Context, userna
 	if !ok {
 		return nil, false, nil
 	}
-	if user.password != password {
+	if subtle.ConstantTimeCompare([]byte(user.password), []byte(password)) == 0 {
 		return nil, false, nil
 	}
 	return &authenticator.Response{User: user.info}, true, nil
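Review bot: The added `fs.MarkDeprecated("basic-auth-file", ...)` line in authentication.go discards the call's error return; pflag's MarkDeprecated returns a non-nil error when the named flag is not registered, so a future rename of the flag string on the StringVar line three lines above would silently drop the deprecation notice. The mismatch is unlikely while both literals sit next to each other, but the discarded value should be deliberate rather than implicit, e.g. `_ = fs.MarkDeprecated("basic-auth-file", "...") // flag registered just above` or a check that surfaces the error. AddFlags begins and continues outside the hunk, so the enclosing `if s.PasswordFile != nil` guard is inferred from the closing brace, not visible here.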
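Review bot: `subtle.ConstantTimeCompare` on the new `if` line in passwordfile.go returns 0 immediately when the two slices differ in length, so the comparison is constant-time only for candidates of the same length as the stored password; the Go documentation states this explicitly, and the commit message's "constant time" claim should be read with that limit in mind. If length independence is intended, compare fixed-size digests instead: `want := sha256.Sum256([]byte(user.password))`, `got := sha256.Sum256([]byte(password))`, `if subtle.ConstantTimeCompare(want[:], got[:]) != 1 {`, adding `"crypto/sha256"` to the import block changed in the hunk above. Otherwise a one-line comment such as `// NOTE: ConstantTimeCompare returns early on a length mismatch; only same-length candidates are compared in constant time.` would record the limitation for the next reader. AuthenticatePassword's signature (cut off in the hunk header) and the user lookup that sets `ok` are outside the hunk.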