auth/app-id: protect against timing attack. Credit @kenbreeman

This commit is contained in:
Armon Dadgar 2015-07-13 14:58:18 +10:00
parent 0ac071d15c
commit d54ff83113


@ -2,6 +2,7 @@ package appId
import ( import (
"crypto/sha1" "crypto/sha1"
"crypto/subtle"
"encoding/hex" "encoding/hex"
"fmt" "fmt"
"net" "net"
@ -82,8 +83,11 @@ func (b *backend) pathLogin(
// Verify that the app is in the list // Verify that the app is in the list
found := false found := false
appIdBytes := []byte(appId)
for _, app := range strings.Split(apps, ",") { for _, app := range strings.Split(apps, ",") {
if strings.TrimSpace(app) == appId { match := []byte(strings.TrimSpace(app))
// Protect against a timing attack with the app_id comparison
if subtle.ConstantTimeCompare(match, appIdBytes) == 1 {
found = true found = true
} }
} }
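Review bot: The added `subtle.ConstantTimeCompare` call is constant-time only when both inputs have equal length; Go documents that it returns 0 immediately when the lengths differ, so the new comparison still leaks whether the submitted app_id has the same byte length as each configured entry. If the app id is meant to be treated as a secret here (as the commit title implies), compare fixed-width digests instead: `appIdSum := sha256.Sum256([]byte(appId))` before the loop, then `appSum := sha256.Sum256([]byte(strings.TrimSpace(app)))` and `if subtle.ConstantTimeCompare(appSum[:], appIdSum[:]) == 1 {` in place of the `match` and compare lines, with `"crypto/sha256"` added to the import block (`crypto/sha1` is already imported if a new import is unwanted, but a 256-bit digest is the better default). Not adding a `break` after `found = true` is correct, since the loop's total time then does not depend on where the matching entry sits in the list. The body of pathLogin starts and ends outside this hunk.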