acvp: don't send the Authorization header when renewing tokens

ACVP authorisation tokens expire and, once expired, need to be renewed
by sending a new TOTP code. We almost never hit this but some FIPS
modules are slow enough that they can't compute the response within the
token lifetime.

However, the ACVP code put an Authorization header on every message,
including the renewal message. That breaks the renewal: the server
rejects the request because the token has expired, before noticing that
it is a renewal request.

Also, put a 10 second buffer on deciding if a token has expired to
account for the transmission delay.

Change-Id: I50643a223cdb313d07dd7b2c559ad160cbe608ff
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51385
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>
diff --git a/util/fipstools/acvp/acvptool/acvp/acvp.go b/util/fipstools/acvp/acvptool/acvp/acvp.go
index 04f0932..9419508 100644
--- a/util/fipstools/acvp/acvptool/acvp/acvp.go
+++ b/util/fipstools/acvp/acvptool/acvp/acvp.go
@@ -33,6 +33,8 @@
 	"time"
 )
 
+const loginEndpoint = "acvp/v1/login"
+
 // Server represents an ACVP server.
 type Server struct {
 	// PrefixTokens are access tokens that apply to URLs under a certain prefix.
@@ -239,7 +241,7 @@
 	if json.Unmarshal(jsonBytes, &token) != nil {
 		return false
 	}
-	return token.Expiry > 0 && token.Expiry < uint64(time.Now().Unix())
+	return token.Expiry > 0 && token.Expiry < uint64(time.Now().Add(-10*time.Second).Unix())
 }
 
 func (server *Server) getToken(endPoint string) (string, error) {
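Review bot: The changed return line subtracts ten seconds from the current time, so a token is reported as expired only once `token.Expiry` is more than ten seconds in the past, which keeps a stale token in use for longer than before. If the buffer is meant to cover transmission delay, as the commit message says, the margin would normally go the other way so that a token about to expire is renewed before the request is sent: `return token.Expiry > 0 && token.Expiry < uint64(time.Now().Add(10*time.Second).Unix())`. If the current sign is deliberate (for example to tolerate a server clock that runs behind), a one-line comment stating that would prevent a later "fix". A named constant for the margin would also make the intent easier to audit. The enclosing function starts outside this hunk, so how its result is consumed is presumed from the commit message.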
@@ -255,7 +257,7 @@
 		var reply struct {
 			AccessToken string `json:"accessToken"`
 		}
-		if err := server.postMessage(&reply, "acvp/v1/login", map[string]string{
+		if err := server.postMessage(&reply, loginEndpoint, map[string]string{
 			"password":    server.totpFunc(),
 			"accessToken": token,
 		}); err != nil {
@@ -278,7 +280,7 @@
 		SizeLimit             int64  `json:"sizeConstraint"`
 	}
 
-	if err := server.postMessage(&reply, "acvp/v1/login", map[string]string{"password": server.totpFunc()}); err != nil {
+	if err := server.postMessage(&reply, loginEndpoint, map[string]string{"password": server.totpFunc()}); err != nil {
 		return err
 	}
 
@@ -372,7 +374,7 @@
 	if err != nil {
 		return nil, err
 	}
-	if len(token) != 0 {
+	if len(token) != 0 && endpoint != loginEndpoint {
 		req.Header.Add("Authorization", "Bearer "+token)
 	}
 	return req, nil
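Review bot: The `endpoint != loginEndpoint` condition carries no comment explaining why the login endpoint is exempt from the Authorization header, and the reason is only recoverable from the commit message. Suggest adding above the `if`: `// The login endpoint also renews expired tokens; the server rejects an expired bearer token before it notices the renewal, so never send the header there.` The check is an exact string comparison, so it only takes effect when callers pass the path in exactly the form of the `loginEndpoint` constant, with no leading slash, prefix or query string. Both call sites visible in this diff do, but the function starts outside the hunk, so other callers cannot be confirmed from here.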