public_git
/
oauth2-proxy
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #575 from grnhse/deprecate-sha1 

Stop accepting legacy SHA1 signed cookies
This commit is contained in:
Joel Speed 2020-09-24 18:36:52 +01:00 committed by GitHub
parent 55a941b76e 56f199a24f
commit 93870ec0ff
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 7 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
CHANGELOG.md
View File

@ -4,12 +4,16 @@
## Important Notes ## Important Notes
- [#575](https://github.com/oauth2-proxy/oauth2-proxy/pull/575) Sessions from v5.1.1 or earlier will no longer validate since they were not signed with SHA1.
- Sessions from v6.0.0 or later had a graceful conversion to SHA256 that resulted in no reauthentication
- Upgrading from v5.1.1 or earlier will result in a reauthentication
- [#616](https://github.com/oauth2-proxy/oauth2-proxy/pull/616) Ensure you have configured oauth2-proxy to use the `groups` scope. The user may be logged out initially as they may not currently have the `groups` claim however after going back through login process wil be authenticated. - [#616](https://github.com/oauth2-proxy/oauth2-proxy/pull/616) Ensure you have configured oauth2-proxy to use the `groups` scope. The user may be logged out initially as they may not currently have the `groups` claim however after going back through login process wil be authenticated.
## Breaking Changes ## Breaking Changes
## Changes since v6.1.1 ## Changes since v6.1.1
- [#575](https://github.com/oauth2-proxy/oauth2-proxy/pull/575) Stop accepting legacy SHA1 signed cookies (@NickMeves)
- [#764](https://github.com/oauth2-proxy/oauth2-proxy/pull/764) Document bcrypt encryption for htpasswd (and hide SHA) (@lentzi90) - [#764](https://github.com/oauth2-proxy/oauth2-proxy/pull/764) Document bcrypt encryption for htpasswd (and hide SHA) (@lentzi90)
- [#616](https://github.com/oauth2-proxy/oauth2-proxy/pull/616) Add support to ensure user belongs in required groups when using the OIDC provider (@stefansedich) - [#616](https://github.com/oauth2-proxy/oauth2-proxy/pull/616) Add support to ensure user belongs in required groups when using the OIDC provider (@stefansedich)

13
pkg/encryption/utils.go
View File

@ -2,8 +2,6 @@ package encryption
import ( import (
"crypto/hmac" "crypto/hmac"
// TODO (@NickMeves): Remove SHA1 signed cookie support in V7
"crypto/sha1" // #nosec G505
"crypto/sha256" "crypto/sha256"
"encoding/base64" "encoding/base64"
"fmt" "fmt"
@ -95,16 +93,7 @@ func checkSignature(signature string, args ...string) bool {
if err != nil { if err != nil {
return false return false
} }
if checkHmac(signature, checkSig) { return checkHmac(signature, checkSig)
return true
}
// TODO (@NickMeves): Remove SHA1 signed cookie support in V7
legacySig, err := cookieSignature(sha1.New, args...)
if err != nil {
return false
}
return checkHmac(signature, legacySig)
} }
func checkHmac(input, expected string) bool { func checkHmac(input, expected string) bool {

4
pkg/encryption/utils_test.go
View File

@ -94,8 +94,8 @@ func TestSignAndValidate(t *testing.T) {
assert.NoError(t, err) assert.NoError(t, err)
assert.True(t, checkSignature(sha256sig, seed, key, value, epoch)) assert.True(t, checkSignature(sha256sig, seed, key, value, epoch))
// This should be switched to False after fully deprecating SHA1 // We don't validate legacy SHA1 signatures anymore
assert.True(t, checkSignature(sha1sig, seed, key, value, epoch)) assert.False(t, checkSignature(sha1sig, seed, key, value, epoch))
assert.False(t, checkSignature(sha256sig, seed, key, "tampered", epoch)) assert.False(t, checkSignature(sha256sig, seed, key, "tampered", epoch))
assert.False(t, checkSignature(sha1sig, seed, key, "tampered", epoch)) assert.False(t, checkSignature(sha1sig, seed, key, "tampered", epoch))