Merge pull request #1861 from concourse/pr/bcrypt-for-client-secret-sync

Use constant time comparison for client secret verification
5 years ago · 18d1f70cee
2 changed files with 4 additions and 1 deletions
--- a/server/handlers.go
+++ b/server/handlers.go
@ -2,6 +2,7 @@ package server

 import (
 	"crypto/sha256"
+	"crypto/subtle"
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
@ -678,7 +679,8 @@ func (s *Server) withClientFromStorage(w http.ResponseWriter, r *http.Request, h
 		}
 		return
 	}
-	if client.Secret != clientSecret {
+
+	if subtle.ConstantTimeCompare([]byte(client.Secret), []byte(clientSecret)) != 1 {
 		if clientSecret == "" {
 			s.logger.Infof("missing client_secret on token request for client: %s", client.ID)
 		} else {
--- a/server/server.go
+++ b/server/server.go
@ -204,6 +204,7 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
 	if c.Storage == nil {
 		return nil, errors.New("server: storage cannot be nil")
 	}
+
 	if len(c.SupportedResponseTypes) == 0 {
 		c.SupportedResponseTypes = []string{responseTypeCode}
 	}