Merge pull request #45 from stlaz/client_secrets_comparison

Bug 1720269: make client secret comparisons in constant time
openshift · May 26, 2020 · 9f35321 · 9f35321
2 parents 31279d2 + 462daaf
commit 9f35321
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/pkg/osinserver/registrystorage/storage.go b/pkg/osinserver/registrystorage/storage.go
@@ -19,6 +19,7 @@ import (
 	"github.com/openshift/oauth-server/pkg/api"
 	"github.com/openshift/oauth-server/pkg/oauth/handlers"
 	"github.com/openshift/oauth-server/pkg/scopecovers"
+	"github.com/openshift/oauth-server/pkg/server/crypto"
 )
 
 type storage struct {
@@ -58,12 +59,12 @@ func (w *clientWrapper) GetSecret() string {
 }
 
 func (w *clientWrapper) ClientSecretMatches(secret string) bool {
-	if w.client.Secret == secret {
+	if crypto.IsEqualConstantTime(w.client.Secret, secret) {
 		return true
 	}
 
 	for _, additionalSecret := range w.client.AdditionalSecrets {
-		if additionalSecret == secret {
+		if crypto.IsEqualConstantTime(additionalSecret, secret) {
 			return true
 		}
 	}