mirror of
https://github.com/YunoHost/SSOwat.git
synced 2024-09-03 20:06:27 +02:00
[fix] Use hmac_sha512 instead of md5 for cookie hashing. Don't store the key in token anymore (#80)
* [fix] uses hmac_sha512 for hasing the token and don't store the key in it anymore * [mod] remove python script and talk directly to openssl
This commit is contained in:
parent
96b077fe02
commit
2456eda200
1 changed files with 26 additions and 4 deletions
30
helpers.lua
30
helpers.lua
|
@ -70,6 +70,28 @@ function flash(wat, message)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
|
-- Hash a string using hmac_sha512, return a hexa string
|
||||||
|
function hmac_sha512(key, message)
|
||||||
|
-- lua ecosystem is a disaster and it was not possible to find a good
|
||||||
|
-- easily multiplatform integrable code for this
|
||||||
|
-- Python has this buildin, so we call it directly
|
||||||
|
--
|
||||||
|
-- this is a bad and probably leak the key and the message in the process list
|
||||||
|
-- but if someone got there I guess we really have other problems
|
||||||
|
-- and also this is way better than the previous situation
|
||||||
|
local pipe = io.popen("echo -n '" ..message.. "' | openssl sha512 -hmac '" ..key.. "'")
|
||||||
|
|
||||||
|
-- openssl returns something like this:
|
||||||
|
-- root@yunohost:~# echo -n "qsd" | openssl sha512 -hmac "key"
|
||||||
|
-- (stdin)= f1c2b1658fe64c5a3d16459f2f4eea213e4181905c190235b060ab2a4e7d6a41c15ea2c246828537a1e32ae524b7a7ed309e6d296089194c3e3e3efb98c1fbe3
|
||||||
|
--
|
||||||
|
-- so we need to remove the "(stdin)= " at the beginning
|
||||||
|
local hash = pipe:read():sub(string.len("(stdin)= ") + 1)
|
||||||
|
pipe:close()
|
||||||
|
return hash
|
||||||
|
end
|
||||||
|
|
||||||
|
|
||||||
-- Convert a table of arguments to an URI string
|
-- Convert a table of arguments to an URI string
|
||||||
function uri_args_string(args)
|
function uri_args_string(args)
|
||||||
if not args then
|
if not args then
|
||||||
|
@ -110,8 +132,8 @@ function set_auth_cookie(user, domain)
|
||||||
session_key = random_string()
|
session_key = random_string()
|
||||||
cache:add("session_"..user, session_key, conf["session_max_timeout"])
|
cache:add("session_"..user, session_key, conf["session_max_timeout"])
|
||||||
end
|
end
|
||||||
local hash = ngx.md5(srvkey..
|
local hash = hmac_sha512(srvkey,
|
||||||
"|" ..ngx.var.remote_addr..
|
ngx.var.remote_addr..
|
||||||
"|"..user..
|
"|"..user..
|
||||||
"|"..expire..
|
"|"..expire..
|
||||||
"|"..session_key)
|
"|"..session_key)
|
||||||
|
@ -179,8 +201,8 @@ function is_logged_in()
|
||||||
-- Check cache
|
-- Check cache
|
||||||
if cache:get(user.."-password") then
|
if cache:get(user.."-password") then
|
||||||
authUser = user
|
authUser = user
|
||||||
local hash = ngx.md5(srvkey..
|
local hash = hmac_sha512(srvkey,
|
||||||
"|"..ngx.var.remote_addr..
|
ngx.var.remote_addr..
|
||||||
"|"..authUser..
|
"|"..authUser..
|
||||||
"|"..expireTime..
|
"|"..expireTime..
|
||||||
"|"..session_key)
|
"|"..session_key)
|
||||||
|
|
Loading…
Reference in a new issue