Merge pull request #1887 from hashicorp/ec2-nonce-constant-compare

Use constant time comparisons for client nonce
Vishal Nayak 2016-09-14 12:40:17 -04:00 committed by GitHub
commit eece4e047b
1 changed files with 2 additions and 1 deletions


@ -1,6 +1,7 @@
package awsec2 package awsec2
import ( import (
"crypto/subtle"
"encoding/pem" "encoding/pem"
"fmt" "fmt"
"time" "time"
@ -126,7 +127,7 @@ func validateMetadata(clientNonce, pendingTime string, storedIdentity *whitelist
// //
// This is a weak criterion and hence the `allow_instance_migration` option // This is a weak criterion and hence the `allow_instance_migration` option
// should be used with caution. // should be used with caution.
if clientNonce != storedIdentity.ClientNonce { if subtle.ConstantTimeCompare([]byte(clientNonce), []byte(storedIdentity.ClientNonce)) != 1 {
if !roleEntry.AllowInstanceMigration { if !roleEntry.AllowInstanceMigration {
return fmt.Errorf("client nonce mismatch") return fmt.Errorf("client nonce mismatch")
} }
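Review bot: `subtle.ConstantTimeCompare` on the new line 22 returns 0 immediately when the two slices differ in length, so the comparison is constant-time in content only, and a caller probing with nonces of varying length can still learn the stored nonce's length from timing. If the nonce is client-chosen, as the parameter name suggests, this is a small leak, but it is cheap to close by comparing fixed-size digests instead: `a := sha256.Sum256([]byte(clientNonce)); b := sha256.Sum256([]byte(storedIdentity.ClientNonce)); if subtle.ConstantTimeCompare(a[:], b[:]) != 1 {` (adding `crypto/sha256` to the import block). Either way the comment above the check should say why the plain `!=` was replaced, e.g. `// Compared in constant time so a mismatch does not reveal how much of the nonce matched.`, since nothing near the line records the intent. validateMetadata begins and ends outside this hunk.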