[fix] Use hmac_sha512 instead of md5 for cookie hashing. Don't store the key in token anymore (#80)

* [fix] uses hmac_sha512 for hasing the token and don't store the key in it anymore
* [mod] remove python script and talk directly to openssl
This commit is contained in:
Laurent Peuch 2017-05-18 08:34:36 +02:00 committed by opi
parent 96b077fe02
commit 2456eda200

View file

@ -70,6 +70,28 @@ function flash(wat, message)
end end
-- Hash a string using hmac_sha512, return a hexa string
function hmac_sha512(key, message)
-- lua ecosystem is a disaster and it was not possible to find a good
-- easily multiplatform integrable code for this
-- Python has this buildin, so we call it directly
--
-- this is a bad and probably leak the key and the message in the process list
-- but if someone got there I guess we really have other problems
-- and also this is way better than the previous situation
local pipe = io.popen("echo -n '" ..message.. "' | openssl sha512 -hmac '" ..key.. "'")
-- openssl returns something like this:
-- root@yunohost:~# echo -n "qsd" | openssl sha512 -hmac "key"
-- (stdin)= f1c2b1658fe64c5a3d16459f2f4eea213e4181905c190235b060ab2a4e7d6a41c15ea2c246828537a1e32ae524b7a7ed309e6d296089194c3e3e3efb98c1fbe3
--
-- so we need to remove the "(stdin)= " at the beginning
local hash = pipe:read():sub(string.len("(stdin)= ") + 1)
pipe:close()
return hash
end
-- Convert a table of arguments to an URI string -- Convert a table of arguments to an URI string
function uri_args_string(args) function uri_args_string(args)
if not args then if not args then
@ -110,8 +132,8 @@ function set_auth_cookie(user, domain)
session_key = random_string() session_key = random_string()
cache:add("session_"..user, session_key, conf["session_max_timeout"]) cache:add("session_"..user, session_key, conf["session_max_timeout"])
end end
local hash = ngx.md5(srvkey.. local hash = hmac_sha512(srvkey,
"|" ..ngx.var.remote_addr.. ngx.var.remote_addr..
"|"..user.. "|"..user..
"|"..expire.. "|"..expire..
"|"..session_key) "|"..session_key)
@ -179,8 +201,8 @@ function is_logged_in()
-- Check cache -- Check cache
if cache:get(user.."-password") then if cache:get(user.."-password") then
authUser = user authUser = user
local hash = ngx.md5(srvkey.. local hash = hmac_sha512(srvkey,
"|"..ngx.var.remote_addr.. ngx.var.remote_addr..
"|"..authUser.. "|"..authUser..
"|"..expireTime.. "|"..expireTime..
"|"..session_key) "|"..session_key)