Deuxfleurs/garage
48
56
Fork 73
Code Issues 100 Pull requests 13 Releases 30 Wiki Activity

[fix-auth-ct-eq] use consant time comparison for awsv4 signature verification
All checks were successful
ci/woodpecker/pr/debug Pipeline was successful
Details
ci/woodpecker/push/debug Pipeline was successful
Details

Browse source
This commit is contained in:
Alex 2024-02-29 12:43:25 +01:00
parent c00a028cc8
commit 70899b0e37
Signed by: lx
GPG key ID: 0E496D15096376BE
1 changed files with 3 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
src/api/signature/payload.rs
View file

@ -350,9 +350,9 @@ pub async fn verify_v4(
) )
.ok_or_internal_error("Unable to build signing HMAC")?; .ok_or_internal_error("Unable to build signing HMAC")?;
hmac.update(payload); hmac.update(payload);
let our_signature = hex::encode(hmac.finalize().into_bytes()); let signature = hex::decode(&signature).map_err(|_| Error::forbidden("Invalid signature"))?;
if signature != our_signature { if hmac.verify_slice(&signature).is_err() {
return Err(Error::forbidden("Invalid signature".to_string())); return Err(Error::forbidden("Invalid signature"));
} }
Ok(key) Ok(key)