Use constant time comparisons for client secrets

stlaz · stlaz · commit 8612686d6dda · 2021-01-13T13:41:01.000+01:00
This is a precaution to avoid possible timing attacks on
client secrets.
diff --git a/client.go b/client.go
@@ -1,5 +1,7 @@
 package osin
 
+import "crypto/subtle"
+
 // Client information
 type Client interface {
 	// Client id
@@ -49,7 +51,7 @@ func (d *DefaultClient) GetUserData() interface{} {
 
 // Implement the ClientSecretMatcher interface
 func (d *DefaultClient) ClientSecretMatches(secret string) bool {
-	return d.Secret == secret
+	return subtle.ConstantTimeCompare([]byte(d.Secret), []byte(secret)) == 1
 }
 
 func (d *DefaultClient) CopyFrom(client Client) {
diff --git a/util.go b/util.go
@@ -1,6 +1,7 @@
 package osin
 
 import (
+	"crypto/subtle"
 	"encoding/base64"
 	"errors"
 	"net/http"
@@ -28,7 +29,7 @@ func CheckClientSecret(client Client, secret string) bool {
 		return client.ClientSecretMatches(secret)
 	default:
 		// Fallback to the less secure method of extracting the plain text secret from the client for comparison
-		return client.GetSecret() == secret
+		return subtle.ConstantTimeCompare([]byte(client.GetSecret()), []byte(secret)) == 1
 	}
 }
 

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,7 @@`
`1`	`1`	`package osin`
`2`	`2`
`3`	`3`	`import (`
	`4`	`+ "crypto/subtle"`
`4`	`5`	`"encoding/base64"`
`5`	`6`	`"errors"`
`6`	`7`	`"net/http"`
`@@ -28,7 +29,7 @@ func CheckClientSecret(client Client, secret string) bool {`
`28`	`29`	`return client.ClientSecretMatches(secret)`
`29`	`30`	`default:`
`30`	`31`	`// Fallback to the less secure method of extracting the plain text secret from the client for comparison`
`31`		`- return client.GetSecret() == secret`
	`32`	`+ return subtle.ConstantTimeCompare([]byte(client.GetSecret()), []byte(secret)) == 1`
`32`	`33`	`}`
`33`	`34`	`}`
`34`	`35`