feat: update HashNonce to use crypto/sha256 (#2967)

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

CHANGELOG.md

@@ -36,6 +36,7 @@
 - [#2977](https://github.com/oauth2-proxy/oauth2-proxy/pull/2977) Update golang.org/x/net to v0.36.0 to address CVE-2025-22870 (@dsymonds)
 - [#2982](https://github.com/oauth2-proxy/oauth2-proxy/pull/2982) chore(deps): remove go:generate tool from go.mod (@dolmen)
 - [#3011](https://github.com/oauth2-proxy/oauth2-proxy/pull/3011) chore(deps): update golang dependencies and pin to latest golang v1.23.x release (@tuunit)
+- [#2967](https://github.com/oauth2-proxy/oauth2-proxy/pull/2967) Update HashNonce to use crypto/sha256 (@egibs)
 
 # V7.8.1
 

pkg/encryption/nonce.go

@@ -3,9 +3,8 @@ package encryption
 import (
 	"crypto/hmac"
 	"crypto/rand"
+	"crypto/sha256"
 	"encoding/base64"
-
-	"golang.org/x/crypto/blake2b"
 )
 
 // Nonce generates a random n-byte slice
@@ -18,16 +17,16 @@ func Nonce(length int) ([]byte, error) {
 	return b, nil
 }
 
-// HashNonce returns the BLAKE2b 256-bit hash of a nonce
+// HashNonce returns the SHA256 hash of a nonce
-// NOTE: Error checking (G104) is purposefully skipped:
-// - `blake2b.New256` has no error path with a nil signing key
-// - `hash.Hash` interface's `Write` has an error signature, but
-//   `blake2b.digest.Write` does not use it.
-/* #nosec G104 */
 func HashNonce(nonce []byte) string {
-	hasher, _ := blake2b.New256(nil)
+	if nonce == nil {
+		return ""
+	}
+
+	hasher := sha256.New()
 	hasher.Write(nonce)
 	sum := hasher.Sum(nil)
+
 	return base64.RawURLEncoding.EncodeToString(sum)
 }