
Migrate cookie signing to SHA256 from SHA1 (#524)

Also, clean up the code and make the specific
hashing algorithm chosen a function-typed parameter.

Co-authored-by: Henry Jenkins <henry@henryjenkins.name>
This commit is contained in:
Nick Meves
2020-05-05 18:41:48 -07:00
committed by Henry Jenkins
parent 07df29db37
commit 9d626265e8
3 changed files with 37 additions and 5 deletions


@@ -6,8 +6,10 @@ import (
"crypto/hmac"
"crypto/rand"
"crypto/sha1"
"crypto/sha256"
"encoding/base64"
"fmt"
"hash"
"io"
"net/http"
"strconv"
@@ -25,8 +27,7 @@ func Validate(cookie *http.Cookie, seed string, expiration time.Duration) (value
if len(parts) != 3 {
return
}
sig := cookieSignature(seed, cookie.Name, parts[0], parts[1])
if checkHmac(parts[2], sig) {
if checkSignature(parts[2], seed, cookie.Name, parts[0], parts[1]) {
ts, err := strconv.Atoi(parts[1])
if err != nil {
return
@@ -53,13 +54,13 @@ func Validate(cookie *http.Cookie, seed string, expiration time.Duration) (value
func SignedValue(seed string, key string, value string, now time.Time) string {
encodedValue := base64.URLEncoding.EncodeToString([]byte(value))
timeStr := fmt.Sprintf("%d", now.Unix())
sig := cookieSignature(seed, key, encodedValue, timeStr)
sig := cookieSignature(sha256.New, seed, key, encodedValue, timeStr)
cookieVal := fmt.Sprintf("%s|%s|%s", encodedValue, timeStr, sig)
return cookieVal
}
func cookieSignature(args ...string) string {
h := hmac.New(sha1.New, []byte(args[0]))
func cookieSignature(signer func() hash.Hash, args ...string) string {
h := hmac.New(signer, []byte(args[0]))
for _, arg := range args[1:] {
h.Write([]byte(arg))
}
@@ -68,6 +69,17 @@ func cookieSignature(args ...string) string {
return base64.URLEncoding.EncodeToString(b)
}
func checkSignature(signature string, args ...string) bool {
checkSig := cookieSignature(sha256.New, args...)
if checkHmac(signature, checkSig) {
return true
}
// TODO: After appropriate rollout window, remove support for SHA1
legacySig := cookieSignature(sha1.New, args...)
return checkHmac(signature, legacySig)
}
func checkHmac(input, expected string) bool {
inputMAC, err1 := base64.URLEncoding.DecodeString(input)
if err1 == nil {