This repository was archived by the owner on Mar 20, 2024. It is now read-only.
forked from barosl/homu
-
Notifications
You must be signed in to change notification settings - Fork 50
server: Support a base_secret #78
Open
cgwalters
wants to merge
1
commit into
servo:master
Choose a base branch
from
cgwalters:all-your-base-secret-are-belong-to-me
base: master
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm no cryptographer, but a (SHA1!!!!) HMAC seems like a) the wrong type of construct for this application and b) woefully insecure for any purpose. I believe this calls for a Key Derivation Function (KDF) instead, specifically a non-stretching KDF such as HKDF which supports adding a non-secret "salt" (here, the
$owner.$nameconstruct).There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I won't claim deep crypto experience either, but I'm not a novice either 😄
What we're doing here is symmetric with how Github uses HMAC. The internet has text about HMAC - this stackoverflow seems decent.
I don't think we need a key here - we're not actually using this as a key for a cipher (whether symmetric or not). We simply need a shared secret between 3 parties - Homu, Github, and the repo owner. We don't want different repo owners to have the same secret.
Basically, why do you think we need a KDF here, but Github's use of HMAC to sign their requests is OK? Or do you disagree with that as well?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As far as using SHA1...sure, though the github shared secret is a maximum of 20...characters? UTF-8? I don't know. We could likely fit enough bits to do sha256 if we base64 encoded.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, I overlooked that there's two HMAC uses here. The second (original) usage to compute
computed_hmacas a signature over the data to compare tohmac_siglooks fine to me. The first usage is the one that's suspicious. We want to (deterministically) derive arepo_secretfrom abase_secretand additionally contextual info ($owner.$name), and this output needs to be a key, since we're passing it to the (second instance of) HMAC as such. This usage matches the intent of KDFs.I've done some reading (the HKDF IETF spec, the HKDF paper, etc.) and I still think a KDF such as HDFK is preferable here. HKDF in particular uses HMAC as a primitive, but in a two phase scheme with some additional tricks (feedback to minimize correlation, a counter to prevent against cycle shortcuts, etc.). For example, HKDF can have variable sized output, not just whatever the output size of the underlying HMAC is.
Since we're deriving a key from another key, we should use a key derivation function. HKDF is fast and efficient anyways, so we don't lose anything over just HMAC. If we're really worried about performance impacts, we can precompute and/or cache the
repo_secrets.I also see after reading the paper that the
$owner.$nameis better suited for the contextual information of HKDF, not the salt.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK, I thought about this and I see the point. Still though, unlike a main motivation for HKDF, we're not trying to stretch weak key material. There's no reason not to make the base secret as strong as you want - the suggested 160 bits is by any reasonable measure quite strong.
The main thing that's having me hesitate still is it needs to be easy for users to script. It'd be easier if we shipped with Homu a script that idempotently sets the webhook configuration for a set of repos, given a config file. Then we wouldn't need to expose the user too much to our secret calculation scheme.