Backport: sec: perform constant time compare for sensitive values (#22537) (#22792)

LakshmiNarayananDesikan · web-flow · commit 55e3dbf278bb · 2025-09-19T11:16:15.000Z
diff --git a/.changelog/22537.txt b/.changelog/22537.txt
@@ -0,0 +1,3 @@
+```release-note:security
+security: perform constant time compare for sensitive values.
+```
diff --git a/agent/consul/acl.go b/agent/consul/acl.go
@@ -5,6 +5,7 @@ package consul
 
 import (
 	"context"
+	"crypto/subtle"
 	"fmt"
 	"sort"
 	"sync"
@@ -969,7 +970,7 @@ func (r *ACLResolver) resolveTokenToIdentityAndPolicies(token string) (structs.A
 		lastErr = err
 
 		if tokenErr, ok := err.(*policyOrRoleTokenError); ok {
-			if acl.IsErrNotFound(err) && tokenErr.token == identity.SecretToken() {
+			if acl.IsErrNotFound(err) && subtle.ConstantTimeCompare([]byte(tokenErr.token), []byte(identity.SecretToken())) == 1 {
 				// token was deleted while resolving policies
 				return nil, nil, acl.ErrNotFound
 			}
@@ -1008,8 +1009,7 @@ func (r *ACLResolver) resolveTokenToIdentityAndRoles(token string) (structs.ACLI
 		lastErr = err
 
 		if tokenErr, ok := err.(*policyOrRoleTokenError); ok {
-			if acl.IsErrNotFound(err) && tokenErr.token == identity.SecretToken() {
-				// token was deleted while resolving roles
+			if acl.IsErrNotFound(err) && subtle.ConstantTimeCompare([]byte(tokenErr.token), []byte(identity.SecretToken())) == 1 { // token was deleted while resolving roles
 				return nil, nil, acl.ErrNotFound
 			}
 
diff --git a/agent/consul/acl_endpoint.go b/agent/consul/acl_endpoint.go
@@ -5,6 +5,7 @@ package consul
 
 import (
 	"context"
+	"crypto/subtle"
 	"errors"
 	"fmt"
 	"os"
@@ -613,7 +614,7 @@ func (a *ACL) TokenDelete(args *structs.ACLTokenDeleteRequest, reply *string) er
 	}
 
 	if token != nil {
-		if args.Token == token.SecretID {
+		if subtle.ConstantTimeCompare([]byte(args.Token), []byte(token.SecretID)) == 1 {
 			return fmt.Errorf("Deletion of the request's authorization token is not permitted")
 		}
 
diff --git a/agent/consul/auth/token_writer.go b/agent/consul/auth/token_writer.go
@@ -4,6 +4,7 @@
 package auth
 
 import (
+	"crypto/subtle"
 	"errors"
 	"fmt"
 	"time"
@@ -185,7 +186,7 @@ func (w *TokenWriter) Update(token *structs.ACLToken) (*structs.ACLToken, error)
 
 	if token.SecretID == "" {
 		token.SecretID = match.SecretID
-	} else if match.SecretID != token.SecretID {
+	} else if subtle.ConstantTimeCompare([]byte(match.SecretID), []byte(token.SecretID)) != 1 {
 		return nil, errors.New("Changing a token's SecretID is not permitted")
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:security
	`2`	`+security: perform constant time compare for sensitive values.`
	`3`	+```
Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,7 @@ package consul`
`5`	`5`
`6`	`6`	`import (`
`7`	`7`	`"context"`
	`8`	`+ "crypto/subtle"`
`8`	`9`	`"errors"`
`9`	`10`	`"fmt"`
`10`	`11`	`"os"`
`@@ -613,7 +614,7 @@ func (a ACL) TokenDelete(args structs.ACLTokenDeleteRequest, reply *string) er`
`613`	`614`	`}`
`614`	`615`
`615`	`616`	`if token != nil {`
`616`		`- if args.Token == token.SecretID {`
	`617`	`+ if subtle.ConstantTimeCompare([]byte(args.Token), []byte(token.SecretID)) == 1 {`
`617`	`618`	`return fmt.Errorf("Deletion of the request's authorization token is not permitted")`
`618`	`619`	`}`
`619`	`620`