Use constant time comparisons for client nonce

vishalnayak 2016-09-13 20:12:43 -04:00
parent 74a0bfadb8
commit b1392567d1


@ -1,6 +1,7 @@
package awsec2 package awsec2
import ( import (
"crypto/subtle"
"encoding/pem" "encoding/pem"
"fmt" "fmt"
"time" "time"
@ -126,7 +127,7 @@ func validateMetadata(clientNonce, pendingTime string, storedIdentity *whitelist
// //
// This is a weak criterion and hence the `allow_instance_migration` option // This is a weak criterion and hence the `allow_instance_migration` option
// should be used with caution. // should be used with caution.
if clientNonce != storedIdentity.ClientNonce { if subtle.ConstantTimeCompare([]byte(clientNonce), []byte(storedIdentity.ClientNonce)) == 0 {
if !roleEntry.AllowInstanceMigration { if !roleEntry.AllowInstanceMigration {
return fmt.Errorf("client nonce mismatch") return fmt.Errorf("client nonce mismatch")
} }
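Review bot: The new `subtle.ConstantTimeCompare` call in validateMetadata is constant-time only when both byte slices have the same length; on a length mismatch it returns 0 immediately, so the length of the stored nonce can still be observed through timing. That is normally acceptable for a fixed-length random nonce, but the assumption should be recorded next to the check, for example `// ConstantTimeCompare returns early on length mismatch; only the nonce contents are protected, not its length`. Two empty strings also compare as equal here, so if an empty `clientNonce` is not rejected earlier in the function (not visible in this hunk), a guard such as `if clientNonce == "" { return fmt.Errorf("client nonce missing") }` before the comparison would make that explicit. The body of validateMetadata starts and ends outside the hunk, so the handling after the `AllowInstanceMigration` branch could not be checked.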