Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Tweak signature verification #15069

Merged
merged 3 commits into from
Nov 1, 2020
Merged

Tweak signature verification #15069

merged 3 commits into from
Nov 1, 2020

Conversation

ClearlyClaire
Copy link
Contributor

  • check request body digest separately to give software implementers more accurate feedback in case the signature check fails
  • relax the requirement for the Host header to be signed for POST requests, to restore compatibility with software that did not sign it (I'm not sure there is any software that was broken by this single change)

@ClearlyClaire
Add more specific error message when request body digest is invalid
a8ad900 
This may help other implementors debug their implementation.
@ClearlyClaire
Relax Host parameter requirement to GET requests
ca567c7 
The only POST requests processed by Mastodon need objects/actors (including
their host) to be explicitly mentioned in the request's body, so replaying
a legitimate request to another host should not be a security issue.
@ClearlyClaire ClearlyClaire force-pushed the fixes/signature-verification-tweaks branch from 9a91a2e to ca567c7 Compare October 30, 2020 12:12
@Gargron
Copy link
Member

Gargron commented Oct 30, 2020

Relax the requirement for the Host header to be signed for POST requests, to restore compatibility with software that did not sign it (I'm not sure there is any software that was broken by this single change)

Not sure why this? If I understand correctly, without Host being signed, the same signature could be used on multiple different recipients in the allowed time window? Also, if no known software was broken by this requirement, why remove it?

@ClearlyClaire
Copy link
Contributor Author

Relax the requirement for the Host header to be signed for POST requests, to restore compatibility with software that did not sign it (I'm not sure there is any software that was broken by this single change)

Not sure why this? If I understand correctly, without Host being signed, the same signature could be used on multiple different recipients in the allowed time window?

Yes, that is an issue with GET. But as far as POST is concerned, we won't do anything if we haven't received an Activity targeting one of our actors, so something targeting another fediverse instance would be irrelevant to us and we would discard it even if it were replayed.

Also, if no known software was broken by this requirement, why remove it?

#15016 (comment) but I don't know if more are affected.

Either way, I'm not opposed to drop this PR, since we already have a release with that restriction anyway

@ClearlyClaire ClearlyClaire force-pushed the fixes/signature-verification-tweaks branch from 14223c7 to 175b9a6 Compare November 1, 2020 12:46
@ClearlyClaire
Copy link
Contributor Author

Changed it again to accept actually valid Digest headers that include multiple hashes (provided sha-256 is in it) or use different casing for the sha-256 algorithm (the specs says algorithm names are case-insensitive and that lowercase is preferred, so our current code is wrong)

@Gargron Gargron merged commit fa929d8 into mastodon:master Nov 1, 2020
umonaca pushed a commit to umonaca/mastodon that referenced this pull request Nov 8, 2020
@ClearlyClaire @umonaca
Tweak signature verification (mastodon#15069)
00a3e24 
* Add more specific error message when request body digest is invalid

This may help other implementors debug their implementation.

* Relax Host parameter requirement to GET requests

The only POST requests processed by Mastodon need objects/actors (including
their host) to be explicitly mentioned in the request's body, so replaying
a legitimate request to another host should not be a security issue.

* Support Digest headers using multiple algorithms or lowercase alogirthm names
@trwnh trwnh mentioned this pull request Dec 7, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Gargron Gargron Gargron approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ClearlyClaire @Gargron