YunoHost/SSOwat
1
0
Fork 0
mirror of https://github.com/YunoHost/SSOwat.git synced 2024-09-03 20:06:27 +02:00
Code Issues Projects Releases Packages Wiki Activity

[fix] uses hmac_sha512 for hasing the token and don't store the key in it anymore

Browse source
This commit is contained in:
Laurent Peuch 2017-05-15 03:52:53 +02:00
parent 46b6d1048e
commit d71b5bc2a1
2 changed files with 30 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

24
helpers.lua
View file

@ -70,6 +70,22 @@ function flash(wat, message)
end end
-- Hash a string using hmac_sha512, return a hexa string
function hmac_sha512(key, message)
-- lua ecosystem is a disaster and it was not possible to find a good
-- easily multiplatform integrable code for this
-- Python has this buildin, so we call it directly
--
-- this is a bad and probably leak the key and the message in the process list
-- but if someone got there I guess we really have other problems
-- and also this is way better than the previous situation
local pipe = io.popen("python /usr/share/ssowat/hmac_sha512.py '" ..key.. "' '" ..message.. "'")
local hash = pipe:read()
pipe:close()
return hash
end
-- Convert a table of arguments to an URI string -- Convert a table of arguments to an URI string
function uri_args_string(args) function uri_args_string(args)
if not args then if not args then
@ -110,8 +126,8 @@ function set_auth_cookie(user, domain)
session_key = random_string() session_key = random_string()
cache:add("session_"..user, session_key, conf["session_max_timeout"]) cache:add("session_"..user, session_key, conf["session_max_timeout"])
end end
local hash = ngx.md5(srvkey.. local hash = hmac_sha512(srvkey,
"|" ..ngx.var.remote_addr.. ngx.var.remote_addr..
"|"..user.. "|"..user..
"|"..expire.. "|"..expire..
"|"..session_key) "|"..session_key)
@ -179,8 +195,8 @@ function is_logged_in()
-- Check cache -- Check cache
if cache:get(user.."-password") then if cache:get(user.."-password") then
authUser = user authUser = user
local hash = ngx.md5(srvkey.. local hash = hmac_sha512(srvkey,
"|"..ngx.var.remote_addr.. ngx.var.remote_addr..
"|"..authUser.. "|"..authUser..
"|"..expireTime.. "|"..expireTime..
"|"..session_key) "|"..session_key)

10
hmac_sha512.py Normal file
View file

@ -0,0 +1,10 @@
import sys
import hashlib
import hmac
key = sys.argv[1]
message = sys.argv[2]
result = hmac.new(key, digestmod=hashlib.sha512)
result.update(message)
print result.hexdigest()