[fix-auth-ct-eq] use consant time comparison for awsv4 signature verification

2024-02-29 12:43:25 +01:00 · 2024-02-29 12:43:25 +01:00 · 6d33e721c4
commit 6d33e721c4
parent eaac4924ef
1 changed files with 4 additions and 3 deletions
--- a/src/api/signature/payload.rs
+++ b/src/api/signature/payload.rs
@ -375,9 +375,10 @@ pub async fn verify_v4(
 	)
 	.ok_or_internal_error("Unable to build signing HMAC")?;
 	hmac.update(payload);
-	let our_signature = hex::encode(hmac.finalize().into_bytes());
+	let signature =
-	if auth.signature != our_signature {
+		hex::decode(&auth.signature).map_err(|_| Error::forbidden("Invalid signature"))?;
-		return Err(Error::forbidden("Invalid signature".to_string()));
+	if hmac.verify_slice(&signature).is_err() {
 		return Err(Error::forbidden("Invalid signature"));
 	}
 	Ok(key)