From b1392567d1db17b021ab146b44562f1eb83be91e Mon Sep 17 00:00:00 2001
From: vishalnayak
Date: Tue, 13 Sep 2016 20:12:43 -0400
Subject: [PATCH 1/2] Use constant time comparisons for client nonce

---
 builtin/credential/aws-ec2/path_login.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/builtin/credential/aws-ec2/path_login.go b/builtin/credential/aws-ec2/path_login.go
index 9462c27a0..45a64b74a 100644
--- a/builtin/credential/aws-ec2/path_login.go
+++ b/builtin/credential/aws-ec2/path_login.go
@@ -1,6 +1,7 @@
 package awsec2
 
 import (
+ "crypto/subtle"
 "encoding/pem"
 "fmt"
 "time"
@@ -126,7 +127,7 @@ func validateMetadata(clientNonce, pendingTime string, storedIdentity *whitelist
 //
 // This is a weak criterion and hence the `allow_instance_migration` option
 // should be used with caution.
- if clientNonce != storedIdentity.ClientNonce {
+ if subtle.ConstantTimeCompare([]byte(clientNonce), []byte(storedIdentity.ClientNonce)) == 0 {
 if !roleEntry.AllowInstanceMigration {
 return fmt.Errorf("client nonce mismatch")
 }

From 455a4ae05501c78c06a117124b81a082f2b53266 Mon Sep 17 00:00:00 2001
From: vishalnayak
Date: Wed, 14 Sep 2016 12:08:35 -0400
Subject: [PATCH 2/2] address review feedback

---
 builtin/credential/aws-ec2/path_login.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/builtin/credential/aws-ec2/path_login.go b/builtin/credential/aws-ec2/path_login.go
index 45a64b74a..d880914b5 100644
--- a/builtin/credential/aws-ec2/path_login.go
+++ b/builtin/credential/aws-ec2/path_login.go
@@ -127,7 +127,7 @@ func validateMetadata(clientNonce, pendingTime string, storedIdentity *whitelist
 //
 // This is a weak criterion and hence the `allow_instance_migration` option
 // should be used with caution.
- if subtle.ConstantTimeCompare([]byte(clientNonce), []byte(storedIdentity.ClientNonce)) == 0 {
+ if subtle.ConstantTimeCompare([]byte(clientNonce), []byte(storedIdentity.ClientNonce)) != 1 {
 if !roleEntry.AllowInstanceMigration {
 return fmt.Errorf("client nonce mismatch")
 }
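Review bot: The rewritten condition `subtle.ConstantTimeCompare(...) != 1` is constant-time only when both nonces have the same length; the function returns 0 immediately on a length mismatch, so the length of `storedIdentity.ClientNonce` can still be inferred from timing if nonce lengths vary between clients (not visible here). If that length is meant to stay private, compare fixed-size digests instead: `a, b := sha256.Sum256([]byte(clientNonce)), sha256.Sum256([]byte(storedIdentity.ClientNonce))` followed by `if subtle.ConstantTimeCompare(a[:], b[:]) != 1 {`, which needs `crypto/sha256` in the import block. Two empty nonces also compare as equal here, and the hunk does not show whether an empty `clientNonce` is rejected earlier in `validateMetadata`, whose body starts and ends outside the hunk. A short comment above the condition, such as `// constant-time compare: response timing must not reveal how much of the nonce matched`, would record why the plain `!=` was replaced.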