Page MenuHomePhabricator
Differential D9242

[services-lib] Use constant-time-eq for token verification
ClosedPublic
Actions

Authored by bartek on Sep 20 2023, 2:50 AM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, Jun 30, 5:51 PM
Unknown Object (File)
Sun, Jun 30, 5:51 PM
Unknown Object (File)
Sun, Jun 30, 5:50 PM
Unknown Object (File)
Sun, Jun 30, 5:45 PM
Unknown Object (File)
Thu, Jun 27, 10:52 PM
Unknown Object (File)
Thu, Jun 27, 3:44 PM
Unknown Object (File)
Wed, Jun 26, 2:11 PM
Unknown Object (File)
Tue, Jun 25, 3:17 PM
View All 58 Files
Subscribers
ashoat
tomek

Details

Reviewers
varun
michal
jon
Commits
rCOMM863cdaaa62b7: [services-lib] Use constant-time-eq for token verification
Summary

verify_access_token in Identity Service does this so probably we should do it here too.

Depends on D9241

Test Plan

I did some simple comparisons and it seems to work fine.

Diff Detail

Repository
rCOMM Comm
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

bartek created this revision.Sep 20 2023, 2:50 AM
bartek held this revision as a draft.
Herald added a reviewer: jon. · View Herald TranscriptSep 20 2023, 2:50 AM
Herald added subscribers: tomek, ashoat. · View Herald Transcript
bartek added a child revision: D9243: [services-lib] Support auth token in HTTP middleware.Sep 20 2023, 2:57 AM
bartek published this revision for review.Sep 20 2023, 3:02 AM
Harbormaster completed remote builds in B22754: Diff 31306.Sep 20 2023, 3:07 AM
michal added a comment.Sep 20 2023, 5:40 AM

I'm not really familiar with this stuff, so I might be completely wrong but:

From the contant_time_eq docs:

// Not equal-sized, so won't take constant time.
assert!(!constant_time_eq(b"foo", b""));

We don't check the length anywhere so couldn't the attacker start by sending a one-byte token, and after they find a match send a two-byte token, etc...?

For context the comment from https://phab.comm.dev/D4199?id=13456#inline-26218:

[without using the constant_time_eq] This introduces a timing side channel attack where the attacker can extract information about how much of the request token is right by the amount of time the comparison takes

varun added a comment.Sep 20 2023, 11:22 PM

after they find a match

i'm not sure what you mean by this. an attacker could learn the length of the token, but that's not a big deal - there'd still be enough entropy for a proper token

varun accepted this revision.Sep 20 2023, 11:22 PM
This revision is now accepted and ready to land.Sep 20 2023, 11:22 PM
michal accepted this revision.Sep 21 2023, 6:22 AM

Ok, seems like constant_time_eq checks the lengths inside, from looking at the code

bartek mentioned this in D9279: [services-lib] Add fn to verify services token.Sep 25 2023, 11:26 AM
Closed by commit rCOMM863cdaaa62b7: [services-lib] Use constant-time-eq for token verification (authored by bartek). · Explain WhyOct 2 2023, 6:27 AM
This revision was automatically updated to reflect the committed changes.
bartek added a commit: rCOMM863cdaaa62b7: [services-lib] Use constant-time-eq for token verification.

Revision Contents
Changeset List

PathSize
services/
backup/
blob/
comm-services-lib/
1 line
src/
9 lines
commtest/
feature-flags/
reports/

Diff 31589

View Options

services/backup/Cargo.lock

Loading...
View Options

services/blob/Cargo.lock

Loading...
View Options

services/comm-services-lib/Cargo.lock

Loading...
View Options

services/comm-services-lib/Cargo.toml

Loading...
View Options

services/comm-services-lib/src/auth.rs

Loading...
View Options

services/commtest/Cargo.lock

Loading...
View Options

services/feature-flags/Cargo.lock

Loading...
View Options

services/reports/Cargo.lock

Loading...