[security] harden account update logic (#3198)

* on account update, ensure that public key has not changed * change expected error message * also support the case of changing account keys when expired (not waiting for handshake) * tweak account update hardening logic, add tests for updating account with pubkey expired * add check for whether incoming data was via federator, accepting keys if so * use freshest window for federated account updates + comment about it
2025-06-05 21:59:39 +02:00 · 2024-08-13 15:37:09 +00:00
parent 5212a1057e
commit 9cd27b412d
4 changed files with 249 additions and 16 deletions
--- a/internal/federation/dereferencing/authenticate.go
+++ b/internal/federation/dereferencing/authenticate.go
@@ -0,0 +1,54 @@
+// GoToSocial
+// Copyright (C) GoToSocial Authors admin@gotosocial.org
+// SPDX-License-Identifier: AGPL-3.0-or-later
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package dereferencing
+
+import (
+	"time"
+
+	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
+)
+
+// verifyAccountKeysOnUpdate verifies that account's public key hasn't changed on update from
+// our existing stored representation, UNLESS the key has been explicitly expired (i.e. key rotation).
+func verifyAccountKeysOnUpdate(existing, latest *gtsmodel.Account, now time.Time, federated bool) bool {
+	if federated {
+		// If this data was federated
+		// to us then we implicitly trust
+		// it on the grounds that it
+		// passed any signature checks.
+		return true
+	}
+
+	if existing.PublicKey == nil {
+		// New account which has been
+		// passed as a placeholder.
+		// This is always permitted.
+		return true
+	}
+
+	// Ensure that public keys have not changed.
+	if existing.PublicKey.Equal(latest.PublicKey) &&
+		existing.PublicKeyURI == latest.PublicKeyURI {
+		return true
+	}
+
+	// The only time that an account key change is
+	// permitted is when it is marked as expired.
+	return !existing.PublicKeyExpiresAt.IsZero() &&
+		existing.PublicKeyExpiresAt.Before(now)
+}