k3s/pkg/authenticator
Brad Davidson 239021e759 Consistently use constant-time comparison of password hashes
As per https://github.com/golang/go/issues/47001 even subtle.ConstantTimeCompare should never be used with variable-length inputs, as it will return 0 if the lengths do not match. Switch to consistently using constant-time comparisons of hashes for password checks to avoid any possible side-channel leaks that could be combined with other vectors to discover password lengths.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-05-09 13:54:50 -07:00
..
basicauth
hash
passwordfile Consistently use constant-time comparison of password hashes 2023-05-09 13:54:50 -07:00
authenticator.go