Use constant time comparisons for client secrets

This is a precaution to avoid possible timing attacks on client secrets.
openshift · Jan 13, 2021 · 8612686 · 8612686
1 parent d9cfac1
commit 8612686
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 2 deletions.
diff --git a/client.go b/client.go
@@ -1,5 +1,7 @@
 package osin
 
+import "crypto/subtle"
+
 // Client information
 type Client interface {
 	// Client id
@@ -49,7 +51,7 @@ func (d *DefaultClient) GetUserData() interface{} {
 
 // Implement the ClientSecretMatcher interface
 func (d *DefaultClient) ClientSecretMatches(secret string) bool {
-	return d.Secret == secret
+	return subtle.ConstantTimeCompare([]byte(d.Secret), []byte(secret)) == 1
 }
 
 func (d *DefaultClient) CopyFrom(client Client) {

diff --git a/util.go b/util.go
@@ -1,6 +1,7 @@
 package osin
 
 import (
+	"crypto/subtle"
 	"encoding/base64"
 	"errors"
 	"net/http"
@@ -28,7 +29,7 @@ func CheckClientSecret(client Client, secret string) bool {
 		return client.ClientSecretMatches(secret)
 	default:
 		// Fallback to the less secure method of extracting the plain text secret from the client for comparison
-		return client.GetSecret() == secret
+		return subtle.ConstantTimeCompare([]byte(client.GetSecret()), []byte(secret)) == 1
 	}
 }