acvp: don't send the Authorization header when renewing tokens
ACVP authorisation tokens expire and, once expired, need to be renewed
by sending a new TOTP code. We almost never hit this but some FIPS
modules are slow enough that they can't compute the response within the
token lifetime.
But the ACVP code was putting an Authorization header on the renewal
message because it put that header on every message. But doing so breaks
the renewal because the server rejects the request because the token has
expired before noticing that it's a renewal request.
Also, put a 10 second buffer on deciding if a token has expired to
account for the transmission delay.
Change-Id: I50643a223cdb313d07dd7b2c559ad160cbe608ff
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51385
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>
diff --git a/util/fipstools/acvp/acvptool/acvp/acvp.go b/util/fipstools/acvp/acvptool/acvp/acvp.go
index 04f0932..9419508 100644
--- a/util/fipstools/acvp/acvptool/acvp/acvp.go
+++ b/util/fipstools/acvp/acvptool/acvp/acvp.go
@@ -33,6 +33,8 @@
"time"
)
+const loginEndpoint = "acvp/v1/login"
+
// Server represents an ACVP server.
type Server struct {
// PrefixTokens are access tokens that apply to URLs under a certain prefix.
@@ -239,7 +241,7 @@
if json.Unmarshal(jsonBytes, &token) != nil {
return false
}
- return token.Expiry > 0 && token.Expiry < uint64(time.Now().Unix())
+ return token.Expiry > 0 && token.Expiry < uint64(time.Now().Add(-10*time.Second).Unix())
}
func (server *Server) getToken(endPoint string) (string, error) {
@@ -255,7 +257,7 @@
var reply struct {
AccessToken string `json:"accessToken"`
}
- if err := server.postMessage(&reply, "acvp/v1/login", map[string]string{
+ if err := server.postMessage(&reply, loginEndpoint, map[string]string{
"password": server.totpFunc(),
"accessToken": token,
}); err != nil {
@@ -278,7 +280,7 @@
SizeLimit int64 `json:"sizeConstraint"`
}
- if err := server.postMessage(&reply, "acvp/v1/login", map[string]string{"password": server.totpFunc()}); err != nil {
+ if err := server.postMessage(&reply, loginEndpoint, map[string]string{"password": server.totpFunc()}); err != nil {
return err
}
@@ -372,7 +374,7 @@
if err != nil {
return nil, err
}
- if len(token) != 0 {
+ if len(token) != 0 && endpoint != loginEndpoint {
req.Header.Add("Authorization", "Bearer "+token)
}
return req, nil