Skip to content

GitLab

Trac
Trac

GitLab is used only for code review, issue tracking and project management. Canonical locations for source code are still https://gitweb.torproject.org/ https://git.torproject.org/ and git-rw.torproject.org.

Closed (moved)
Opened by Isis Lovecruft@isis

Add timestamp/expiry to HMAC verification code in BridgeDB's local CAPTCHAs

The CAPTCHAs created in #10809 (moved) are in the form:

HMACFn := HMAC(HMAC_KEY, REQUEST_IP_ADDR)
CAPTCHA_VERIFICATION := HMACFn(RSA_ENC(CAPTCHA_ANSWER))

When they really should be more like:

HMACFn := HMAC(HMAC_KEY, REQUEST_IP_ADDR)
CAPTCHA_VERIFICATION := HMACFn(TIMESTAMP, RSA_ENC(CAPTCHA_ANSWER))

See this commit message from the original branch. After adding the timestamp to the CAPTCHA_VERIFICATION creation in bridgedb.captcha.GimpCaptcha.createChallenge(), said timestamp should obviously be checked that it is not expired (according to some easily configurable expiration period) in bridgedb.captcha.GimpCaptcha.checkSolution().

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information