From 2456eda200d75c07ff4d76cd34ea5f4ebd4d53a5 Mon Sep 17 00:00:00 2001
From: Laurent Peuch <cortex@worlddomination.be>
Date: Thu, 18 May 2017 08:34:36 +0200
Subject: [PATCH] [fix] Use hmac_sha512 instead of md5 for cookie hashing.
 Don't store the key in token anymore (#80)

* [fix] uses hmac_sha512 for hasing the token and don't store the key in it anymore
* [mod] remove python script and talk directly to openssl
---
 helpers.lua | 30 ++++++++++++++++++++++++++----
 1 file changed, 26 insertions(+), 4 deletions(-)

diff --git a/helpers.lua b/helpers.lua
index e834f28..f460122 100644
--- a/helpers.lua
+++ b/helpers.lua
@@ -70,6 +70,28 @@ function flash(wat, message)
 end
 
 
+-- Hash a string using hmac_sha512, return a hexa string
+function hmac_sha512(key, message)
+    -- lua ecosystem is a disaster and it was not possible to find a good
+    -- easily multiplatform integrable code for this
+    -- Python has this buildin, so we call it directly
+    --
+    -- this is a bad and probably leak the key and the message in the process list
+    -- but if someone got there I guess we really have other problems
+    -- and also this is way better than the previous situation
+    local pipe = io.popen("echo -n '" ..message.. "' | openssl sha512 -hmac '" ..key.. "'")
+
+    -- openssl returns something like this:
+    -- root@yunohost:~# echo -n "qsd" | openssl sha512 -hmac "key"
+    -- (stdin)= f1c2b1658fe64c5a3d16459f2f4eea213e4181905c190235b060ab2a4e7d6a41c15ea2c246828537a1e32ae524b7a7ed309e6d296089194c3e3e3efb98c1fbe3
+    --
+    -- so we need to remove the "(stdin)= " at the beginning
+    local hash = pipe:read():sub(string.len("(stdin)= ") + 1)
+    pipe:close()
+    return hash
+end
+
+
 -- Convert a table of arguments to an URI string
 function uri_args_string(args)
     if not args then
@@ -110,8 +132,8 @@ function set_auth_cookie(user, domain)
         session_key = random_string()
         cache:add("session_"..user, session_key, conf["session_max_timeout"])
     end
-    local hash = ngx.md5(srvkey..
-               "|" ..ngx.var.remote_addr..
+    local hash = hmac_sha512(srvkey,
+               ngx.var.remote_addr..
                "|"..user..
                "|"..expire..
                "|"..session_key)
@@ -179,8 +201,8 @@ function is_logged_in()
                 -- Check cache
                 if cache:get(user.."-password") then
                     authUser = user
-                    local hash = ngx.md5(srvkey..
-                            "|"..ngx.var.remote_addr..
+                    local hash = hmac_sha512(srvkey,
+                            ngx.var.remote_addr..
                             "|"..authUser..
                             "|"..expireTime..
                             "|"..session_key)