From b2c69e25eb7ed3a1fd9ba085ba1dd6047979de8d Mon Sep 17 00:00:00 2001
From: Evan Gibler <20933572+egibs@users.noreply.github.com>
Date: Tue, 25 Mar 2025 15:12:37 -0500
Subject: [PATCH] feat: update HashNonce to use crypto/sha256 (#2967)

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 CHANGELOG.md | 1 +
 pkg/encryption/nonce.go | 17 ++++++++---------
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a87bad36..54518f75 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -36,6 +36,7 @@
 - [#2977](https://github.com/oauth2-proxy/oauth2-proxy/pull/2977) Update golang.org/x/net to v0.36.0 to address CVE-2025-22870 (@dsymonds)
 - [#2982](https://github.com/oauth2-proxy/oauth2-proxy/pull/2982) chore(deps): remove go:generate tool from go.mod (@dolmen)
 - [#3011](https://github.com/oauth2-proxy/oauth2-proxy/pull/3011) chore(deps): update golang dependencies and pin to latest golang v1.23.x release (@tuunit)
+- [#2967](https://github.com/oauth2-proxy/oauth2-proxy/pull/2967) Update HashNonce to use crypto/sha256 (@egibs)
 
 # V7.8.1
 
diff --git a/pkg/encryption/nonce.go b/pkg/encryption/nonce.go
index b0ce68d4..67cf4465 100644
--- a/pkg/encryption/nonce.go
+++ b/pkg/encryption/nonce.go
@@ -3,9 +3,8 @@ package encryption
 import (
 	"crypto/hmac"
 	"crypto/rand"
+	"crypto/sha256"
 	"encoding/base64"
-
-	"golang.org/x/crypto/blake2b"
 )
 
 // Nonce generates a random n-byte slice
@@ -18,16 +17,16 @@ func Nonce(length int) ([]byte, error) {
 	return b, nil
 }
 
-// HashNonce returns the BLAKE2b 256-bit hash of a nonce
-// NOTE: Error checking (G104) is purposefully skipped:
-// - `blake2b.New256` has no error path with a nil signing key
-// - `hash.Hash` interface's `Write` has an error signature, but
-//   `blake2b.digest.Write` does not use it.
-/* #nosec G104 */
+// HashNonce returns the SHA256 hash of a nonce
 func HashNonce(nonce []byte) string {
-	hasher, _ := blake2b.New256(nil)
+	if nonce == nil {
+		return ""
+	}
+
+	hasher := sha256.New()
 	hasher.Write(nonce)
 	sum := hasher.Sum(nil)
+
 	return base64.RawURLEncoding.EncodeToString(sum)
 }
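Review bot: The new guard on the `if nonce == nil` line treats nil and empty slices differently: `HashNonce(nil)` returns `""` while `HashNonce([]byte{})` returns the encoded SHA-256 of zero bytes, so a caller that builds the nonce with `make` or `append` gets a real digest for a zero-length nonce and the sentinel is easy to miss in a comparison. If the intent is to refuse empty nonces, `if len(nonce) == 0 {` covers both cases; if only nil is meant, the doc comment should say so, e.g. `// HashNonce returns the base64 raw-URL-encoded SHA-256 digest of nonce, or "" when nonce is nil.` — the `+// HashNonce` line currently omits both the encoding and the sentinel. Since the digest algorithm changes from BLAKE2b-256, any hash values persisted by an earlier release (the callers are outside this hunk, so I cannot tell whether they are stored) will stop verifying after upgrade; if that applies, the CHANGELOG entry should note it. As a minor simplification, `sum := sha256.Sum256(nonce)` followed by `return base64.RawURLEncoding.EncodeToString(sum[:])` replaces the three hasher lines and drops the unchecked `Write` call.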