cmd/tsidp: use constant time comparison for client_id/secret (#15222)

Use secure constant time comparisons for the client ID and secret values
during the allowRelyingParty authorization check.

Updates #cleanup

Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>
Patrick O'Doherty 2025-03-06 08:52:35 -08:00 committed by GitHub
parent ffb0b66d5b
commit 9d7f2719bb
GPG Key ID: B5690EEEBB952194


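--- a/cmd/tsidp/PATH_NOT_SHOWN
+++ b/cmd/tsidp/PATH_NOT_SHOWN
@@ -11,6 +11,7 @@ import (
 "context"
 crand "crypto/rand"
 "crypto/rsa"
+"crypto/subtle"
 "crypto/tls"
 "crypto/x509"
 "encoding/base64"
@@ -345,7 +346,9 @@ func (ar *authRequest) allowRelyingParty(r *http.Request, lc *local.Client) erro
 clientID = r.FormValue("client_id")
 clientSecret = r.FormValue("client_secret")
 }
-if ar.funnelRP.ID != clientID || ar.funnelRP.Secret != clientSecret {
+clientIDcmp := subtle.ConstantTimeCompare([]byte(clientID), []byte(ar.funnelRP.ID))
+clientSecretcmp := subtle.ConstantTimeCompare([]byte(clientSecret), []byte(ar.funnelRP.Secret))
+if clientIDcmp != 1 || clientSecretcmp != 1 {
 return fmt.Errorf("tsidp: invalid client credentials")
 }
 return nil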
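Review bot: subtle.ConstantTimeCompare returns 0 immediately when the two byte slices differ in length, so the new checks are constant-time only for equal-length inputs and the duration of a rejection can still reflect whether the submitted client_id or client_secret has the expected length; if ar.funnelRP.Secret is not a fixed-length value, comparing SHA-256 digests of both sides (crypto/sha256 from the standard library) makes the check length-independent. Computing both results into clientIDcmp and clientSecretcmp before the `if` is what stops the `||` from short-circuiting on a bad client_id, and that intent is easy to lose in a later refactor into a single `&&` condition; a comment such as `// Both comparisons are evaluated before branching so a bad client_id does not skip the secret check.` above the first assignment would protect it. allowRelyingParty starts outside the hunk, so whether ar.funnelRP is guaranteed non-nil at this point cannot be confirmed from the lines shown.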