Fix potential timing side-channels in authentication mechanisms #737

Merged

lx merged 2 commits from fix-auth-ct-eq into main

2024-02-29 14:04:38 +00:00

lx commented

2024-02-29 11:48:04 +00:00

Owner

Use Argon2 password hashing from the argon2 crate, and its associated verification function, to check admin and metric tokens
Use Hmac's built-in verification function that operates in constant-time for AWS signatures v4 verification

- [x] Use Argon2 password hashing from the `argon2` crate, and its associated verification function, to check admin and metric tokens - [x] Use `Hmac`'s built-in verification function that operates in constant-time for AWS signatures v4 verification

lx force-pushed fix-auth-ct-eq from b94532ee02 to 6d33e721c4

2024-02-29 12:07:26 +00:00

Compare

lx merged commit b8c7a560ef into main

2024-02-29 14:04:38 +00:00

lx deleted branch fix-auth-ct-eq

2024-02-29 14:04:39 +00:00

lx referenced this issue from a commit

2024-02-29 14:04:40 +00:00

Merge pull request 'Fix potential timing side-channels in authentication mechanisms' (#737) from fix-auth-ct-eq into main

lx referenced this pull request

2024-02-29 15:31:19 +00:00

Security: backport #737 to the v0.8.x branch #740

lx referenced this issue from a commit

2024-03-01 11:16:43 +00:00

Merge pull request 'Security: backport #737 to the v0.8.x branch' (#740) from backport-737-0.8.x into main-0.8.x

~~lx referenced this pull request 2024-03-01 14:14:56 +00:00~~

Bump version to v0.9.2 #747

Sign in to join this conversation.

No reviewers

No Label

S3 Compatibility

No Milestone

No Assignees

1 Participants

Notifications

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: Deuxfleurs/garage#737

No description provided.