From e6d355b65a4a7e5417fbfa7f6f9c0b99345490bf Mon Sep 17 00:00:00 2001
From: Elim Tsiagbey
Date: Wed, 21 Aug 2024 12:26:22 -0400
Subject: [PATCH] fix: constant-time comparison of grpc-gateway tickets (#5031)

Update GRPC Gateway tickets to compare tickets in constant-time
---
 internal/daemon/controller/interceptor.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/internal/daemon/controller/interceptor.go b/internal/daemon/controller/interceptor.go
index f4c46a1f13..5a62ab1290 100644
--- a/internal/daemon/controller/interceptor.go
+++ b/internal/daemon/controller/interceptor.go
@@ -5,6 +5,7 @@ package controller
 
 import (
 	"context"
+	"crypto/subtle"
 	"fmt"
 	"net/http"
 	"reflect"
@@ -242,7 +243,7 @@ func sharedRequestInterceptorLogic(
 	switch {
 	case requestInfo.Ticket == "":
 		return nil, errors.New(interceptorCtx, errors.Internal, op, "Invalid context (missing ticket)")
-	case requestInfo.Ticket != ticket:
+	case subtle.ConstantTimeCompare([]byte(requestInfo.Ticket), []byte(ticket)) != 1:
 		return nil, errors.New(interceptorCtx, errors.Internal, op, "Invalid context (bad ticket)")
 	}
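Review bot: The new `case` in sharedRequestInterceptorLogic is constant-time only with respect to ticket content, not ticket length, because `subtle.ConstantTimeCompare` returns 0 without inspecting the bytes when the two slices differ in length. That is fine if every ticket the gateway issues has the same length, but nothing in the hunk establishes that, and a future change to how tickets are generated would silently reintroduce a timing difference. A comment on the new line would pin the assumption: `// ConstantTimeCompare short-circuits on a length mismatch; safe only while tickets are fixed-length (confirm at the point of issue).` The body of sharedRequestInterceptorLogic begins and ends outside the hunk.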