[fix] Use hmac_sha512 instead of md5 for cookie hashing. Don't store the key in token anymore (#80)

* [fix] uses hmac_sha512 for hasing the token and don't store the key in it anymore * [mod] remove python script and talk directly to openssl
2024-09-03 20:06:27 +02:00 · 2017-05-18 08:34:36 +02:00 · 2017-05-18 08:34:36 +02:00 · 2456eda200
commit 2456eda200
parent 96b077fe02
1 changed files with 26 additions and 4 deletions
--- a/helpers.lua
+++ b/helpers.lua
@ -70,6 +70,28 @@ function flash(wat, message)
 end


+-- Hash a string using hmac_sha512, return a hexa string
+function hmac_sha512(key, message)
+    -- lua ecosystem is a disaster and it was not possible to find a good
+    -- easily multiplatform integrable code for this
+    -- Python has this buildin, so we call it directly
+    --
+    -- this is a bad and probably leak the key and the message in the process list
+    -- but if someone got there I guess we really have other problems
+    -- and also this is way better than the previous situation
+    local pipe = io.popen("echo -n '" ..message.. "' | openssl sha512 -hmac '" ..key.. "'")
+
+    -- openssl returns something like this:
+    -- root@yunohost:~# echo -n "qsd" | openssl sha512 -hmac "key"
+    -- (stdin)= f1c2b1658fe64c5a3d16459f2f4eea213e4181905c190235b060ab2a4e7d6a41c15ea2c246828537a1e32ae524b7a7ed309e6d296089194c3e3e3efb98c1fbe3
+    --
+    -- so we need to remove the "(stdin)= " at the beginning
+    local hash = pipe:read():sub(string.len("(stdin)= ") + 1)
+    pipe:close()
+    return hash
+end
+
+
 -- Convert a table of arguments to an URI string
 function uri_args_string(args)
    if not args then
@ -110,8 +132,8 @@ function set_auth_cookie(user, domain)
        session_key = random_string()
        cache:add("session_"..user, session_key, conf["session_max_timeout"])
    end
-    local hash = ngx.md5(srvkey..
-               "|" ..ngx.var.remote_addr..
+    local hash = hmac_sha512(srvkey,
+               ngx.var.remote_addr..
               "|"..user..
               "|"..expire..
               "|"..session_key)
@ -179,8 +201,8 @@ function is_logged_in()
                -- Check cache
                if cache:get(user.."-password") then
                    authUser = user
-                    local hash = ngx.md5(srvkey..
-                            "|"..ngx.var.remote_addr..
+                    local hash = hmac_sha512(srvkey,
+                            ngx.var.remote_addr..
                            "|"..authUser..
                            "|"..expireTime..
                            "|"..session_key)