From 70899b0e378fe671af177d87311568cd88e0fda2 Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Thu, 29 Feb 2024 12:43:25 +0100 Subject: [PATCH] [fix-auth-ct-eq] use consant time comparison for awsv4 signature verification --- src/api/signature/payload.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/api/signature/payload.rs b/src/api/signature/payload.rs index b50fb3bb..4a84610c 100644 --- a/src/api/signature/payload.rs +++ b/src/api/signature/payload.rs @@ -350,9 +350,9 @@ pub async fn verify_v4( ) .ok_or_internal_error("Unable to build signing HMAC")?; hmac.update(payload); - let our_signature = hex::encode(hmac.finalize().into_bytes()); - if signature != our_signature { - return Err(Error::forbidden("Invalid signature".to_string())); + let signature = hex::decode(&signature).map_err(|_| Error::forbidden("Invalid signature"))?; + if hmac.verify_slice(&signature).is_err() { + return Err(Error::forbidden("Invalid signature")); } Ok(key)