Merge pull request #1861 from concourse/pr/bcrypt-for-client-secret-sync

Use constant time comparison for client secret verification
This commit is contained in:
Márk Sági-Kazár 2021-05-17 17:27:42 +02:00 committed by GitHub
commit 18d1f70cee
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 4 additions and 1 deletions

View file

@ -2,6 +2,7 @@ package server
import ( import (
"crypto/sha256" "crypto/sha256"
"crypto/subtle"
"encoding/base64" "encoding/base64"
"encoding/json" "encoding/json"
"fmt" "fmt"
@ -678,7 +679,8 @@ func (s *Server) withClientFromStorage(w http.ResponseWriter, r *http.Request, h
} }
return return
} }
if client.Secret != clientSecret {
if subtle.ConstantTimeCompare([]byte(client.Secret), []byte(clientSecret)) != 1 {
if clientSecret == "" { if clientSecret == "" {
s.logger.Infof("missing client_secret on token request for client: %s", client.ID) s.logger.Infof("missing client_secret on token request for client: %s", client.ID)
} else { } else {

View file

@ -204,6 +204,7 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
if c.Storage == nil { if c.Storage == nil {
return nil, errors.New("server: storage cannot be nil") return nil, errors.New("server: storage cannot be nil")
} }
if len(c.SupportedResponseTypes) == 0 { if len(c.SupportedResponseTypes) == 0 {
c.SupportedResponseTypes = []string{responseTypeCode} c.SupportedResponseTypes = []string{responseTypeCode}
} }