Deuxfleurs
/
garage
41
37
Fork 55
Code Issues 70 Pull Requests 6 Releases 29 Wiki Activity

[fix-auth-ct-eq] use consant time comparison for awsv4 signature verification
ci/woodpecker/push/debug Pipeline was successful Details
ci/woodpecker/pr/debug Pipeline was successful Details

This commit is contained in:
Alex 2024-02-29 12:43:25 +01:00
parent eaac4924ef
commit 6d33e721c4
Signed by: lx
GPG Key ID: 0E496D15096376BE
1 changed files with 4 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/api/signature/payload.rs
View File

@ -375,9 +375,10 @@ pub async fn verify_v4(
)
.ok_or_internal_error("Unable to build signing HMAC")?;
hmac.update(payload);
let our_signature = hex::encode(hmac.finalize().into_bytes());
if auth.signature != our_signature {
return Err(Error::forbidden("Invalid signature".to_string()));
let signature =
hex::decode(&auth.signature).map_err(|_| Error::forbidden("Invalid signature"))?;
if hmac.verify_slice(&signature).is_err() {
return Err(Error::forbidden("Invalid signature"));
}
Ok(key)