Differential D9242
Authored by bartek on Sep 20 2023, 2:50 AM.
Details

Summary
verify_access_token in Identity Service does this so probably we should do it here too.
Depends on D9241

Test Plan
I did some simple comparisons and it seems to work fine.
Event Timeline

bartek held this revision as a draft.
Herald added a reviewer: jon.
Sep 20 2023, 2:50 AM (2023-09-20 02:50:25 UTC-7)

Harbormaster completed remote builds in B22754: Diff 31306.
Sep 20 2023, 3:07 AM (2023-09-20 03:07:16 UTC-7)

Comment:
I'm not really familiar with this stuff, so I might be completely wrong but:
From the constant_time_eq docs:
We don't check the length anywhere so couldn't the attacker start by sending a one-byte token, and after they find a match send a two-byte token, etc...?
For context the comment from https://phab.comm.dev/D4199?id=13456#inline-26218:

Comment:
i'm not sure what you mean by this. an attacker could learn the length of the token, but that's not a big deal - there'd still be enough entropy for a proper token

This revision is now accepted and ready to land.
Sep 20 2023, 11:22 PM (2023-09-20 23:22:13 UTC-7)

Closed by commit rCOMM863cdaaa62b7: [services-lib] Use constant-time-eq for token verification (authored by bartek).
Oct 2 2023, 6:27 AM (2023-10-02 06:27:37 UTC-7)

This revision was automatically updated to reflect the committed changes.
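The length question discussed in the thread above, as an added example that is not part of this revision or of the constant_time_eq crate. Both functions are hypothetical stand-ins that report how many bytes they examined as a proxy for running time, and `STORED` is a constructed sample token.

```rust
// Constructed 32-byte sample token, not a real credential.
const STORED: &[u8] = b"tok_CONSTRUCTED_0123456789abcdef";

/// Early-exit comparison: returns (equal, bytes_examined).
/// The work done depends on how long the matching prefix is.
fn early_exit_eq(a: &[u8], b: &[u8]) -> (bool, usize) {
    let mut examined = 0;
    if a.len() != b.len() {
        return (false, examined);
    }
    for (x, y) in a.iter().zip(b) {
        examined += 1;
        if x != y {
            return (false, examined);
        }
    }
    (true, examined)
}

/// Fixed-work comparison (illustrative stand-in): unequal lengths are
/// rejected up front, otherwise every byte is folded into `diff` before
/// the result is decided. Production code should rely on a vetted crate,
/// because a compiler may optimise a hand-written loop like this one.
fn fixed_work_eq(a: &[u8], b: &[u8]) -> (bool, usize) {
    if a.len() != b.len() {
        return (false, 0);
    }
    let (mut diff, mut examined) = (0u8, 0usize);
    for (x, y) in a.iter().zip(b) {
        diff |= x ^ y;
        examined += 1;
    }
    (diff == 0, examined)
}

fn main() {
    // A one-byte guess equal to the first byte is rejected: equality is
    // over the whole token, so a short prefix never counts as a match.
    println!("1-byte prefix: {:?}", fixed_work_eq(STORED, &STORED[..1]));
    // Same-length guesses that differ in the first or the last byte.
    let (mut first, mut last) = (STORED.to_vec(), STORED.to_vec());
    first[0] ^= 1;
    last[STORED.len() - 1] ^= 1;
    println!("early exit: {:?} vs {:?}", early_exit_eq(STORED, &first), early_exit_eq(STORED, &last));
    println!("fixed work: {:?} vs {:?}", fixed_work_eq(STORED, &first), fixed_work_eq(STORED, &last));
}
```

With equal-length inputs the early-exit version examines 1 or 32 bytes depending on where the guess diverges, while the fixed-work version examines all 32 either way; the only input-dependent difference left is the length check.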
Revision Contents
Diff 31589
services/backup/Cargo.lock
services/blob/Cargo.lock
services/comm-services-lib/Cargo.lock
services/comm-services-lib/Cargo.toml