acvp: don't send the Authorization header when renewing tokens ACVP authorisation tokens expire and, once expired, need to be renewed by sending a new TOTP code. We almost never hit this but some FIPS modules are slow enough that they can't compute the response within the token lifetime. But the ACVP code was putting an Authorization header on the renewal message because it put that header on every message. But doing so breaks the renewal because the server rejects the request because the token has expired before noticing that it's a renewal request. Also, put a 10 second buffer on deciding if a token has expired to account for the transmission delay. Change-Id: I50643a223cdb313d07dd7b2c559ad160cbe608ff Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51385 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com>
diff --git a/util/fipstools/acvp/acvptool/acvp/acvp.go b/util/fipstools/acvp/acvptool/acvp/acvp.go index 04f0932..9419508 100644 --- a/util/fipstools/acvp/acvptool/acvp/acvp.go +++ b/util/fipstools/acvp/acvptool/acvp/acvp.go
@@ -33,6 +33,8 @@ "time" ) +const loginEndpoint = "acvp/v1/login" + // Server represents an ACVP server. type Server struct { // PrefixTokens are access tokens that apply to URLs under a certain prefix. @@ -239,7 +241,7 @@ if json.Unmarshal(jsonBytes, &token) != nil { return false } - return token.Expiry > 0 && token.Expiry < uint64(time.Now().Unix()) + return token.Expiry > 0 && token.Expiry < uint64(time.Now().Add(-10*time.Second).Unix()) } func (server *Server) getToken(endPoint string) (string, error) { @@ -255,7 +257,7 @@ var reply struct { AccessToken string `json:"accessToken"` } - if err := server.postMessage(&reply, "acvp/v1/login", map[string]string{ + if err := server.postMessage(&reply, loginEndpoint, map[string]string{ "password": server.totpFunc(), "accessToken": token, }); err != nil { @@ -278,7 +280,7 @@ SizeLimit int64 `json:"sizeConstraint"` } - if err := server.postMessage(&reply, "acvp/v1/login", map[string]string{"password": server.totpFunc()}); err != nil { + if err := server.postMessage(&reply, loginEndpoint, map[string]string{"password": server.totpFunc()}); err != nil { return err } @@ -372,7 +374,7 @@ if err != nil { return nil, err } - if len(token) != 0 { + if len(token) != 0 && endpoint != loginEndpoint { req.Header.Add("Authorization", "Bearer "+token) } return req, nil