tka: use constant-time comparison of disablement secret (#19064)

The actual secret is passed through argon2 first, so a timing attack is not feasible remotely, and pretty unlikely locally. Still, clean this up. Fixes #19063 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2026-03-20 11:30:26 -07:00
parent ffa7df2789
commit 34477cf3e7
1 changed files with 2 additions and 1 deletions
@@ -7,6 +7,7 @@ package tka

 import (
 	"bytes"
+	"crypto/subtle"
 	"errors"
 	"fmt"

@@ -127,7 +128,7 @@ func DisablementKDF(secret []byte) []byte {
 func (s State) checkDisablement(secret []byte) bool {
 	derived := DisablementKDF(secret)
 	for _, candidate := range s.DisablementSecrets {
-		if bytes.Equal(derived, candidate) {
+		if subtle.ConstantTimeCompare(derived, candidate) == 1 {
 			return true
 		}
 	}