[pbs-devel] [PATCH proxmox 04/12] auth-api: move to hmac signing for csrf tokens

[Wolfgang Bumiller]

On Fri, Feb 23, 2024 at 10:26:15AM +0100, Stefan Sterz wrote:
> On Tue Feb 20, 2024 at 1:54 PM CET, Max Carrara wrote:
> > On 2/19/24 17:02, Max Carrara wrote:
> > > On 2/15/24 16:19, Stefan Sterz wrote:
> > >> +        let mut hasher = openssl::sha::Sha256::new();
> > >> +        let data = format!("{:08X}:{}:", ttime, userid);
> > >> +        hasher.update(data.as_bytes());
> > >> +        hasher.update(&secret.as_bytes()?);
> > >> +        let old_digest = hasher.finish();
> > >> +
> > >> +        if old_digest.len() != sig.len() && openssl::memcmp::eq(&old_digest, &sig) {
> > >> +            bail!("invalid signature.");
> > >> +        }
> > >
> > > This check should IMO be split into two for some finer-grained error handling - meaning,
> > > one `bail!()` for different `.len()`s and one if `old_digest` and `sig` are equal.
> > >
> 
> as discussed off-list: we should avoid very spcific error messages in
> this case. usually that is good practice as it makes debugging easier.
> however, here it just give more information to a potential attacker. i'm
> not even sure we should return an "invalid signature" error message
> here, rather a "csrf token is invalid" for all failure cases would
> probably be best. but since we are already here, changing it would also
> give more information to a potential attacker.

I'd stick with *not* splitting up the error message here - but mostly
out of habit, because the security impact is rather limited, given that
there aren't that many valid lengths to choose from when the code is
open source, so that's not something security should depend on either
;-)