tka: use constant-time comparison of disablement secret (#19064)
The actual secret is passed through argon2 first, so a timing attack is not feasible remotely, and pretty unlikely locally. Still, clean this up. Fixes #19063 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
This commit is contained in:
Andrew Lytvynov
GitHub
+2
-1
@@ -7,6 +7,7 @@ package tka
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"bytes"
|
"bytes"
|
||||||
|
"crypto/subtle"
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
|
||||||
@@ -127,7 +128,7 @@ func DisablementKDF(secret []byte) []byte {
|
|||||||
func (s State) checkDisablement(secret []byte) bool {
|
func (s State) checkDisablement(secret []byte) bool {
|
||||||
derived := DisablementKDF(secret)
|
derived := DisablementKDF(secret)
|
||||||
for _, candidate := range s.DisablementSecrets {
|
for _, candidate := range s.DisablementSecrets {
|
||||||
if bytes.Equal(derived, candidate) {
|
if subtle.ConstantTimeCompare(derived, candidate) == 1 {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user