From d71b5bc2a17970c83a8b8baee3b6283f16a7353b Mon Sep 17 00:00:00 2001
From: Laurent Peuch <cortex@worlddomination.be>
Date: Mon, 15 May 2017 03:52:53 +0200
Subject: [PATCH] [fix] uses hmac_sha512 for hasing the token and don't store
 the key in it anymore

---
 helpers.lua    | 24 ++++++++++++++++++++----
 hmac_sha512.py | 10 ++++++++++
 2 files changed, 30 insertions(+), 4 deletions(-)
 create mode 100644 hmac_sha512.py

diff --git a/helpers.lua b/helpers.lua
index e834f28..b293df1 100644
--- a/helpers.lua
+++ b/helpers.lua
@@ -70,6 +70,22 @@ function flash(wat, message)
 end
 
 
+-- Hash a string using hmac_sha512, return a hexa string
+function hmac_sha512(key, message)
+    -- lua ecosystem is a disaster and it was not possible to find a good
+    -- easily multiplatform integrable code for this
+    -- Python has this buildin, so we call it directly
+    --
+    -- this is a bad and probably leak the key and the message in the process list
+    -- but if someone got there I guess we really have other problems
+    -- and also this is way better than the previous situation
+    local pipe = io.popen("python /usr/share/ssowat/hmac_sha512.py '" ..key.. "' '" ..message.. "'")
+    local hash = pipe:read()
+    pipe:close()
+    return hash
+end
+
+
 -- Convert a table of arguments to an URI string
 function uri_args_string(args)
     if not args then
@@ -110,8 +126,8 @@ function set_auth_cookie(user, domain)
         session_key = random_string()
         cache:add("session_"..user, session_key, conf["session_max_timeout"])
     end
-    local hash = ngx.md5(srvkey..
-               "|" ..ngx.var.remote_addr..
+    local hash = hmac_sha512(srvkey,
+               ngx.var.remote_addr..
                "|"..user..
                "|"..expire..
                "|"..session_key)
@@ -179,8 +195,8 @@ function is_logged_in()
                 -- Check cache
                 if cache:get(user.."-password") then
                     authUser = user
-                    local hash = ngx.md5(srvkey..
-                            "|"..ngx.var.remote_addr..
+                    local hash = hmac_sha512(srvkey,
+                            ngx.var.remote_addr..
                             "|"..authUser..
                             "|"..expireTime..
                             "|"..session_key)
diff --git a/hmac_sha512.py b/hmac_sha512.py
new file mode 100644
index 0000000..d45c510
--- /dev/null
+++ b/hmac_sha512.py
@@ -0,0 +1,10 @@
+import sys
+import hashlib
+import hmac
+
+key = sys.argv[1]
+message = sys.argv[2]
+
+result = hmac.new(key, digestmod=hashlib.sha512)
+result.update(message)
+print result.hexdigest()