diff options
author | Alex Auvolat <alex@adnab.me> | 2024-02-29 12:43:25 +0100 |
---|---|---|
committer | Alex Auvolat <alex@adnab.me> | 2024-02-29 18:13:41 +0100 |
commit | 70899b0e378fe671af177d87311568cd88e0fda2 (patch) | |
tree | 8695d17a0c81b5b9120ad7d6e19d4ec1908be724 /src/api/signature | |
parent | c00a028cc8f11bb9f84b81a076ec5258998db276 (diff) | |
download | garage-70899b0e378fe671af177d87311568cd88e0fda2.tar.gz garage-70899b0e378fe671af177d87311568cd88e0fda2.zip |
[fix-auth-ct-eq] use consant time comparison for awsv4 signature verificationbackport-737-0.8.x
Diffstat (limited to 'src/api/signature')
-rw-r--r-- | src/api/signature/payload.rs | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/src/api/signature/payload.rs b/src/api/signature/payload.rs index b50fb3bb..4a84610c 100644 --- a/src/api/signature/payload.rs +++ b/src/api/signature/payload.rs @@ -350,9 +350,9 @@ pub async fn verify_v4( ) .ok_or_internal_error("Unable to build signing HMAC")?; hmac.update(payload); - let our_signature = hex::encode(hmac.finalize().into_bytes()); - if signature != our_signature { - return Err(Error::forbidden("Invalid signature".to_string())); + let signature = hex::decode(&signature).map_err(|_| Error::forbidden("Invalid signature"))?; + if hmac.verify_slice(&signature).is_err() { + return Err(Error::forbidden("Invalid signature")); } Ok(key) |