mirror
/
s3proxy
kopia lustrzana https://github.com/gaul/s3proxy
1
0
Forkuj 0
Kod Zgłoszenia Packages Projekty Wydania Wiki Aktywność

Compare signatures with constant time comparison 

Fixes #250.
pull/257/head
Andrew Gaul 2018-01-08 23:23:09 -08:00
rodzic a80e75a20f
commit 757a9dc855
1 zmienionych plików z 8 dodań i 3 usunięć
Pokaż statystyki Ściągnij plik aktualizacji Ściągnij plik porównania Expand all files Collapse all files

11
src/main/java/org/gaul/s3proxy/S3ProxyHandler.java
Wyświetl plik

@ -575,7 +575,7 @@ public class S3ProxyHandler {
} }
} }
if (!expectedSignature.equals(authHeader.signature)) { if (!constantTimeEquals(expectedSignature, authHeader.signature)) {
logger.debug("fail to validate signature"); logger.debug("fail to validate signature");
throw new S3Exception(S3ErrorCode.SIGNATURE_DOES_NOT_MATCH); throw new S3Exception(S3ErrorCode.SIGNATURE_DOES_NOT_MATCH);
} }
@ -1931,7 +1931,7 @@ public class S3ProxyHandler {
"aws4_request".getBytes(StandardCharsets.UTF_8), kService); "aws4_request".getBytes(StandardCharsets.UTF_8), kService);
String expectedSignature = BaseEncoding.base16().lowerCase().encode( String expectedSignature = BaseEncoding.base16().lowerCase().encode(
hmac("HmacSHA256", policy, kSigning)); hmac("HmacSHA256", policy, kSigning));
if (!signature.equals(expectedSignature)) { if (!constantTimeEquals(signature, expectedSignature)) {
response.setStatus(HttpServletResponse.SC_FORBIDDEN); response.setStatus(HttpServletResponse.SC_FORBIDDEN);
return; return;
} }
@ -1939,7 +1939,7 @@ public class S3ProxyHandler {
String expectedSignature = BaseEncoding.base64().encode( String expectedSignature = BaseEncoding.base64().encode(
hmac("HmacSHA1", policy, hmac("HmacSHA1", policy,
credential.getBytes(StandardCharsets.UTF_8))); credential.getBytes(StandardCharsets.UTF_8)));
if (!signature.equals(expectedSignature)) { if (!constantTimeEquals(signature, expectedSignature)) {
response.setStatus(HttpServletResponse.SC_FORBIDDEN); response.setStatus(HttpServletResponse.SC_FORBIDDEN);
return; return;
} }
@ -2795,4 +2795,9 @@ public class S3ProxyHandler {
} }
return true; return true;
} }
private static boolean constantTimeEquals(String x, String y) {
return MessageDigest.isEqual(x.getBytes(StandardCharsets.UTF_8),
y.getBytes(StandardCharsets.UTF_8));
}
} }