fix timing oracle attack against signature V2/V4 verification (#5335)

This change replaces the non-constant-time comparison of
request signatures with a constant-time implementation. This
prevents a timing attack that could be used to learn a valid
signature for a request without knowing the secret key.

Fixes #5334
Andreas Auernhammer
2018-01-02 07:30:02 +01:00
committed by Nitish Tiwari
parent e39d7ddb0f
commit a6318dbdaf
4 changed files with 52 additions and 16 deletions


@@ -29,7 +29,7 @@ import (
"time"
humanize "github.com/dustin/go-humanize"
"github.com/minio/sha256-simd"
sha256 "github.com/minio/sha256-simd"
)
// Streaming AWS Signature Version '4' constants.
@@ -142,7 +142,7 @@ func calculateSeedSignature(r *http.Request) (signature string, region string, d
newSignature := getSignature(signingKey, stringToSign)
// Verify if signature match.
if newSignature != signV4Values.Signature {
if !compareSignatureV4(newSignature, signV4Values.Signature) {
return "", "", time.Time{}, ErrSignatureDoesNotMatch
}
@@ -308,7 +308,7 @@ func (cr *s3ChunkedReader) Read(buf []byte) (n int, err error) {
hashedChunk := hex.EncodeToString(cr.chunkSHA256Writer.Sum(nil))
// Calculate the chunk signature.
newSignature := getChunkSignature(cr.seedSignature, cr.region, cr.seedDate, hashedChunk)
if cr.chunkSignature != newSignature {
if !compareSignatureV4(cr.chunkSignature, newSignature) {
// Chunk signature doesn't match we return signature does not match.
cr.err = errSignatureMismatch
return 0, cr.err
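Review bot: The two new call sites pass their arguments in opposite orders — `compareSignatureV4(newSignature, signV4Values.Signature)` in calculateSeedSignature versus `compareSignatureV4(cr.chunkSignature, newSignature)` in s3ChunkedReader.Read; if the helper is a plain constant-time equality this is harmless, but a uniform (computed, received) order reads better and would matter if the helper ever became asymmetric. Because compareSignatureV4 itself is defined outside these hunks, its doc comment should spell out the contract these callers now rely on, presumably constant-time comparison via crypto/subtle, e.g. `// compareSignatureV4 reports whether two hex-encoded V4 signatures are equal, using a constant-time comparison so the check cannot be used as a timing oracle; V4 signatures have a fixed length, so an early return on length mismatch leaks nothing useful.` It is also worth adding a test that the helper rejects inputs differing only in length, since a constant-time compare that returns true for a prefix match would reintroduce a forgery path. Both enclosing functions start and end outside the hunks.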