From 34477cf3e70aac1aa3265033a46e3fe9acd5535c Mon Sep 17 00:00:00 2001
From: Andrew Lytvynov
Date: Fri, 20 Mar 2026 11:30:26 -0700
Subject: [PATCH] tka: use constant-time comparison of disablement secret (#19064)

The actual secret is passed through argon2 first, so a timing attack is not feasible remotely, and pretty unlikely locally. Still, clean this up.
Fixes #19063
Signed-off-by: Andrew Lytvynov
---
 tka/state.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tka/state.go b/tka/state.go
index 06fdc6504..66f88d672 100644
--- a/tka/state.go
+++ b/tka/state.go
@@ -7,6 +7,7 @@ package tka
 import (
 "bytes"
+ "crypto/subtle"
 "errors"
 "fmt"
@@ -127,7 +128,7 @@ func DisablementKDF(secret []byte) []byte {
 func (s State) checkDisablement(secret []byte) bool {
 derived := DisablementKDF(secret)
 for _, candidate := range s.DisablementSecrets {
- if bytes.Equal(derived, candidate) {
+ if subtle.ConstantTimeCompare(derived, candidate) == 1 {
 return true
 }
 }
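Review bot: The new `subtle.ConstantTimeCompare` call in `checkDisablement` has no comment explaining why it is there, and since the commit message itself says the argon2 step already makes a timing attack impractical, a later cleanup could easily swap `bytes.Equal` back in. I would add a line above the comparison such as `// Constant-time compare as defence in depth; candidates are expected to be DisablementKDF outputs of equal length.` The length caveat matters because `ConstantTimeCompare` returns 0 immediately when the two slices differ in length, so the property only holds if every entry in `s.DisablementSecrets` has the KDF output length; that is presumably checked where the state is validated, but it is not visible in this hunk. The loop still returns on the first match, which reveals only which candidate matched and looks acceptable. The rest of `checkDisablement` (its final return and closing brace) lies outside the hunk.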