From 8612686d6dda34ae9ef6b5a974e4b7accb4fea29 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka
Date: Wed, 20 May 2020 13:12:58 +0200
Subject: [PATCH] Use constant time comparisons for client secrets

This is a precaution to avoid possible timing attacks on client secrets.
---
 client.go | 4 +++-
 util.go | 3 ++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/client.go b/client.go
index f32a038..f4e0a24 100644
--- a/client.go
+++ b/client.go
@@ -1,5 +1,7 @@
 package osin
 
+import "crypto/subtle"
+
 // Client information
 type Client interface {
 	// Client id
@@ -49,7 +51,7 @@ func (d *DefaultClient) GetUserData() interface{} {
 // Implement the ClientSecretMatcher interface
 func (d *DefaultClient) ClientSecretMatches(secret string) bool {
-	return d.Secret == secret
+	return subtle.ConstantTimeCompare([]byte(d.Secret), []byte(secret)) == 1
 }
 
 func (d *DefaultClient) CopyFrom(client Client) {
diff --git a/util.go b/util.go
index a630998..d44efb0 100644
--- a/util.go
+++ b/util.go
@@ -1,6 +1,7 @@
 package osin
 
 import (
+	"crypto/subtle"
 	"encoding/base64"
 	"errors"
 	"net/http"
@@ -28,7 +29,7 @@ func CheckClientSecret(client Client, secret string) bool {
 		return client.ClientSecretMatches(secret)
 	default:
 		// Fallback to the less secure method of extracting the plain text secret from the client for comparison
-		return client.GetSecret() == secret
+		return subtle.ConstantTimeCompare([]byte(client.GetSecret()), []byte(secret)) == 1
 	}
 }
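Review bot: subtle.ConstantTimeCompare returns 0 immediately when the two slices differ in length, so the new comparison in ClientSecretMatches still reveals through timing whether the presented secret has the same length as d.Secret; the same applies to the fallback branch of CheckClientSecret in the util.go hunk. The usual mitigation is to reduce both sides to a fixed width before comparing, e.g. `want := sha256.Sum256([]byte(d.Secret))`, `got := sha256.Sum256([]byte(secret))`, `return subtle.ConstantTimeCompare(want[:], got[:]) == 1` (with `crypto/sha256` imported), and to apply the identical form in util.go so the two paths stay consistent. Whether secret length is sensitive depends on how client secrets are generated, which this patch does not show; if they are always fixed-length random values the residual leak is moot, but that assumption should then be written down. At minimum the method comment could become `// Implement the ClientSecretMatcher interface with a constant-time comparison; note the slice lengths are still compared directly.` The enclosing CheckClientSecret function begins before the util.go hunk.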