Implement constant-time equality for delete tokens, inline alias cleanup

This commit is contained in:
asonix 2023-10-04 12:11:29 -05:00
parent d5a7e07118
commit 914e21c043
6 changed files with 11 additions and 4 deletions

1
Cargo.lock generated
View file

@ -1860,6 +1860,7 @@ dependencies = [
"sled",
"storage-path-generator",
"streem",
"subtle",
"thiserror",
"time",
"tokio",

View file

@ -53,6 +53,7 @@ sha2 = "0.10.0"
sled = { version = "0.34.7" }
storage-path-generator = "0.1.0"
streem = "0.2.0"
subtle = { version = "2.5.0", default-features = false }
thiserror = "1.0"
time = { version = "0.3.0", features = ["serde", "serde-well-known"] }
tokio = { version = "1", features = ["full", "tracing"] }

View file

@ -712,7 +712,8 @@ async fn delete(
let token = DeleteToken::from_existing(&token);
let alias = Alias::from_existing(&alias);
queue::cleanup_alias(&repo, alias, token).await?;
// delete alias inline
queue::cleanup::alias(&repo, alias, token).await?;
Ok(HttpResponse::NoContent().finish())
}

View file

@ -16,7 +16,7 @@ use std::{
};
use tracing::Instrument;
mod cleanup;
pub(crate) mod cleanup;
mod process;
const CLEANUP_QUEUE: &str = "cleanup";

View file

@ -111,10 +111,10 @@ async fn hash(repo: &ArcRepo, hash: Hash) -> Result<(), Error> {
}
#[tracing::instrument(skip_all)]
async fn alias(repo: &ArcRepo, alias: Alias, token: DeleteToken) -> Result<(), Error> {
pub(crate) async fn alias(repo: &ArcRepo, alias: Alias, token: DeleteToken) -> Result<(), Error> {
let saved_delete_token = repo.delete_token(&alias).await?;
if saved_delete_token.is_some() && saved_delete_token != Some(token) {
if !saved_delete_token.is_some_and(|t| t.ct_eq(&token)) {
return Err(UploadError::InvalidToken.into());
}

View file

@ -71,6 +71,10 @@ impl DeleteToken {
None
}
}
pub(crate) fn ct_eq(&self, rhs: &Self) -> bool {
subtle::ConstantTimeEq::ct_eq(self.id.as_bytes(), rhs.id.as_bytes()).unwrap_u8() == 1
}
}
impl std::str::FromStr for DeleteToken {