From 7d0f72c60a47bc2b71cd5486e462507de1b012e0 Mon Sep 17 00:00:00 2001
From: Hans Hasselberg
Date: Mon, 16 Dec 2019 21:54:52 +0100
Subject: [PATCH] acl: use constant time comparing to check token (#6943)
---
 agent/token/store.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/agent/token/store.go b/agent/token/store.go
index e450a028ef..a89816a274 100644
--- a/agent/token/store.go
+++ b/agent/token/store.go
@@ -2,6 +2,8 @@ package token
 
 import (
 "sync"
+
+ "crypto/subtle"
 )
 
 type TokenSource bool
@@ -166,5 +168,5 @@ func (t *Store) IsAgentMasterToken(token string) bool {
 t.l.RLock()
 defer t.l.RUnlock()
 
- return (token != "") && (token == t.agentMasterToken)
+ return (token != "") && (subtle.ConstantTimeCompare([]byte(token), []byte(t.agentMasterToken)) == 1)
 }
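Review bot: The new `"crypto/subtle"` import is placed in its own group below `"sync"`, separated by a blank line, although both are standard-library packages. Import groups conventionally separate stdlib from third-party code, so the split suggests a distinction that does not exist. I would drop the added blank line and keep one sorted group, `"crypto/subtle"` followed by `"sync"`.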
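Review bot: The `token != ""` guard on the new return line of IsAgentMasterToken is now load-bearing and should carry a comment, because `subtle.ConstantTimeCompare` returns 1 for two empty slices and an empty token would otherwise match an unset agentMasterToken. Something like `// Empty tokens never match: ConstantTimeCompare reports two empty slices as equal.` above the return would keep a later cleanup from removing it. ConstantTimeCompare also returns immediately when the lengths differ, so the length of the configured token stays observable through timing; that is acceptable only if tokens are fixed-length, which is not visible here. The function's signature appears only in the hunk header, and any other token comparisons in store.go are outside this hunk, so it is worth checking whether they still use `==`. The diffstat shows no test file, so a test for the empty-token case would pin the behaviour.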