Hi,

On Mon, Jun 17, 2019 at 03:49:14PM +0200, Thomas Lamprecht wrote:
> On 6/17/19 2:15 PM, Oguz Bektas wrote:
> > Now generates & verifies with hmac_sha1. Also left the old digest format
> > for backwards compatibility during verification, to be removed at some
> > later time.
> > 
> > Signed-off-by: Oguz Bektas <o.bek...@proxmox.com>
> > ---
> >  src/PVE/Ticket.pm | 7 +++++--
> >  1 file changed, 5 insertions(+), 2 deletions(-)
> > 
> > diff --git a/src/PVE/Ticket.pm b/src/PVE/Ticket.pm
> > index 5935ba5..629ec11 100644
> > --- a/src/PVE/Ticket.pm
> > +++ b/src/PVE/Ticket.pm
> > @@ -20,7 +20,7 @@ sub assemble_csrf_prevention_token {
> >  
> >      my $timestamp = sprintf("%08X", time());
> >  
> > -    my $digest = Digest::SHA::sha1_base64("$timestamp:$username", $secret);
> > +    my $digest = Digest::SHA::hmac_sha256_base64("$timestamp:$username", 
> > $secret);
> >  
> >      return "$timestamp:$digest";
> >  }
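Review bot: the commit message says hmac_sha1, but the new line calls Digest::SHA::hmac_sha256_base64; one of the two should be corrected so the log names the algorithm actually used. The construction itself is the right move: the old sha1_base64("$timestamp:$username", $secret) only concatenates the secret onto the data, while hmac_sha256_base64 uses $secret as a proper HMAC key. For the verify side, note that Digest::SHA's *_base64 functions return unpadded base64, so the legacy SHA-1 digest is 27 characters and the HMAC-SHA256 digest is 43, which is what makes dispatching on the length of $sig unambiguous.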
> > @@ -33,10 +33,13 @@ sub verify_csrf_prevention_token {
> >     my $timestamp = $1;
> >     my $ttime = hex($timestamp);
> >  
> > +   my $hmac_digest = 
> > Digest::SHA::hmac_sha256_base64("$timestamp:$username", $secret);
> > +
> > +   # fallback
> >     my $digest = Digest::SHA::sha1_base64("$timestamp:$username", $secret);
> 
> Maybe we could use the length of $sig to determine which one we
> probably need to check? Else one _always_ computes both, which isn't
> ideal...
OK, I'll send a v2 with that.
> 
> We then could also backport this one to stable-5 so that we ensure
> fewer problems on upgrade, e.g., if one does an upgrade of Node B but
> is connected (proxied) through Node A, or the like.
Alright.
> 
> >  
> >     my $age = time() - $ttime;
> > -   return 1 if ($digest eq $sig) && ($age > $min_age) &&
> > +   return 1 if (($digest eq $sig) or ($hmac_digest eq $sig)) && ($age > 
> > $min_age) &&
> >         ($age < $max_age);
> >      }
> >  
> > 
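Review bot: both digests are computed unconditionally and then tested with `(($digest eq $sig) or ($hmac_digest eq $sig))`; as raised above, branch on length($sig) instead (27 for the unpadded SHA-1 base64, 43 for HMAC-SHA256), compute only the matching digest, and reject any other length before doing any hashing at all. Two smaller points on the same hunk: `eq` returns at the first differing byte, so a constant-time comparison of $sig against the expected digest would avoid leaking the match position through timing; and the bare `# fallback` comment should say that this is the pre-HMAC SHA-1 format kept only for upgrade compatibility and scheduled for removal, as the commit message promises, so the cleanup is not forgotten. Mixing `or` with `&&` in one condition is correct here only because of the parentheses; `||` throughout would read more consistently.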
> 
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel@pve.proxmox.com
> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

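The length-based dispatch suggested above, written out as an added example rather than PVE's own Ticket.pm code. It keeps the token format visible in the hunks (an eight-digit uppercase hex timestamp, a colon, an unpadded base64 digest) and the HMAC-SHA256 construction from the patch, but the secret, the min/max age defaults, the token regex and the constant-time compare are assumptions made for the example, not taken from the project.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha1_base64 hmac_sha256_base64);

# Assumption: a fixed example secret; PVE loads its own key, this is not it.
my $secret = 'example-csrf-secret-not-for-production';

# Digest::SHA's *_base64 functions omit '=' padding, so the digest length
# identifies the format:
#   SHA-1   -> 20 bytes -> 27 base64 characters (legacy, pre-HMAC)
#   SHA-256 -> 32 bytes -> 43 base64 characters (HMAC-SHA256)
my $LEGACY_LEN = 27;
my $HMAC_LEN   = 43;

sub assemble_csrf_token {
    my ($key, $username, $now) = @_;
    $now //= time();
    my $timestamp = sprintf("%08X", $now);
    # HMAC: the secret is used as a key, not appended to the data.
    my $digest = hmac_sha256_base64("$timestamp:$username", $key);
    return "$timestamp:$digest";
}

# Legacy form: the secret is merely concatenated onto the hashed data.
sub legacy_csrf_digest {
    my ($key, $timestamp, $username) = @_;
    return sha1_base64("$timestamp:$username", $key);
}

# Constant-time comparison, so the time taken does not reveal how many
# leading characters of a forged signature were correct.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

sub verify_csrf_token {
    my ($key, $username, $token, %opts) = @_;
    # Assumed defaults: allow 5 minutes of clock skew, tokens live 8 hours.
    my $min_age = $opts{min_age} // -300;
    my $max_age = $opts{max_age} // 8 * 60 * 60;
    my $now     = $opts{now}     // time();

    return 0 unless defined $token && $token =~ /^([A-Z0-9]{8}):(\S+)$/;
    my ($timestamp, $sig) = ($1, $2);

    # Dispatch on the signature length; compute exactly one digest.
    my $expected;
    if (length($sig) == $HMAC_LEN) {
        $expected = hmac_sha256_base64("$timestamp:$username", $key);
    } elsif (length($sig) == $LEGACY_LEN) {
        $expected = legacy_csrf_digest($key, $timestamp, $username);
    } else {
        return 0;    # neither format: reject without hashing anything
    }

    my $age = $now - hex($timestamp);
    return (ct_eq($expected, $sig) && $age > $min_age && $age < $max_age) ? 1 : 0;
}

# Demonstration with a constructed, fixed timestamp so the run is reproducible.
my $user = 'root@pam';
my $t0   = 1560778800;
my $ts   = sprintf("%08X", $t0);

my $new_token = assemble_csrf_token($secret, $user, $t0);
my $old_token = "$ts:" . legacy_csrf_digest($secret, $ts, $user);

my $tampered = $new_token;
substr($tampered, -1, 1) = (substr($tampered, -1, 1) eq 'A') ? 'B' : 'A';

printf "new token: %s (sig length %d)\n", $new_token, length((split /:/, $new_token)[1]);
printf "old token: %s (sig length %d)\n", $old_token, length((split /:/, $old_token)[1]);
print "new verifies:       ", verify_csrf_token($secret, $user,        $new_token, now => $t0 + 60),     "\n";
print "legacy verifies:    ", verify_csrf_token($secret, $user,        $old_token, now => $t0 + 60),     "\n";
print "wrong user:         ", verify_csrf_token($secret, 'other@pam',  $new_token, now => $t0 + 60),     "\n";
print "expired (9h later): ", verify_csrf_token($secret, $user,        $new_token, now => $t0 + 9*3600), "\n";
print "tampered signature: ", verify_csrf_token($secret, $user,        $tampered,  now => $t0 + 60),     "\n";
print "bogus length:       ", verify_csrf_token($secret, $user,        "$ts:abc",  now => $t0 + 60),     "\n";
```

Once the legacy format is retired, the `elsif` branch and `legacy_csrf_digest` can be deleted together and every 27-character signature falls through to the rejecting `else`, which is the cleanup the commit message defers.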