Use hmac for digest nonces #11103

ceeram · 2017-08-25T19:06:01Z

Use hmac for digest nonces

codecov-io · 2017-08-25T20:26:14Z

Codecov Report

Merging #11103 into master will increase coverage by <.01%.
The diff coverage is 100%.

@@             Coverage Diff              @@
##             master   #11103      +/-   ##
============================================
+ Coverage     94.88%   94.88%   +<.01%     
- Complexity    12841    12865      +24     
============================================
  Files           437      437              
  Lines         32742    32792      +50     
============================================
+ Hits          31067    31116      +49     
- Misses         1675     1676       +1

Impacted Files	Coverage Δ	Complexity Δ
src/Auth/DigestAuthenticate.php	`100% <100%> (ø)`	`32 <0> (ø)`	⬇️
src/View/Helper/TextHelper.php	`98.49% <0%> (-0.32%)`	`48% <0%> (+24%)`

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update adbbef6...82ac898. Read the comment docs.

markstory · 2017-08-25T20:48:14Z

src/Auth/DigestAuthenticate.php

    {
        $expiryTime = microtime(true) + $this->getConfig('nonceLifetime');
-        $signatureValue = md5($expiryTime . ':' . $this->getConfig('secret'));
+        $signatureValue = hash_hmac('sha256', $expiryTime . ':' . $this->getConfig('secret'), Security::getSalt());


Don't you have to change the validation of the nonce as well?

yes it should, will take care of that

There is also a generateNonce method in the test case that is still using md5() as well.

updated both

timalive · 2017-11-22T12:16:10Z

tests/TestCase/Auth/DigestAuthenticateTest.php

        $time = $time ?: microtime(true);
        $expiryTime = $time + $expires;
-        $signatureValue = md5($expiryTime . ':' . $secret);
+        $signatureValue = hash_hmac('sha1', $expiryTime . ':' . $secret, $secret);


Is this just me, or shouldn't this be sha256? seems to be causing some trouble for me.

Are you suggesting sha256 for the stronger algorithm?

no, due to inconsistency with the validNonce function

I totally missed that 😊. I'll get it fixed.

great! Thanks. Had me pulling my hair out.

timalive · 2017-11-22T12:16:41Z

src/Auth/DigestAuthenticate.php

        if ($expires < microtime(true)) {
            return false;
        }
+        $check = hash_hmac('sha1', $expires . ':' . $this->getConfig('secret'), $this->getConfig('secret'));


Is this just me, or shouldn't this be sha256? seems to be causing some trouble for me.

The generation and validation sides of Digest authentication were using different algorithms which results in broken digest authentication. Refs #11103

ceeram self-assigned this Aug 25, 2017

markstory added this to the 3.5.1 milestone Aug 25, 2017

markstory reviewed Aug 25, 2017

View reviewed changes

Use hmac for digest nonces

82ac898

ceeram force-pushed the digest-nonce-hmac branch from a0a3dd1 to 82ac898 Compare August 26, 2017 07:41

markstory self-assigned this Aug 26, 2017

markstory merged commit 588de49 into master Aug 28, 2017

markstory mentioned this pull request Aug 28, 2017

Updating DigestAuthenticator to match CakePHP core updates. cakephp/authentication#136

Merged

dereuromark deleted the digest-nonce-hmac branch October 23, 2017 15:29

timalive reviewed Nov 22, 2017

View reviewed changes

markstory added a commit that referenced this pull request Nov 22, 2017

Use sha256 consistently.

07959ee

The generation and validation sides of Digest authentication were using different algorithms which results in broken digest authentication. Refs #11103

markstory mentioned this pull request Nov 22, 2017

Use sha256 consistently. #11453

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Use hmac for digest nonces #11103

Use hmac for digest nonces #11103

Uh oh!

ceeram commented Aug 25, 2017

Uh oh!

codecov-io commented Aug 25, 2017 •

edited

Loading

Uh oh!

markstory Aug 25, 2017

Uh oh!

ceeram Aug 25, 2017

Uh oh!

markstory Aug 25, 2017

Uh oh!

ceeram Aug 26, 2017

Uh oh!

timalive Nov 22, 2017

Uh oh!

markstory Nov 22, 2017

Uh oh!

timalive Nov 22, 2017

Uh oh!

markstory Nov 22, 2017

Uh oh!

timalive Nov 22, 2017

Uh oh!

timalive Nov 22, 2017

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

Use hmac for digest nonces #11103

Use hmac for digest nonces #11103

Uh oh!

Conversation

ceeram commented Aug 25, 2017

Uh oh!

codecov-io commented Aug 25, 2017 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

codecov-io commented Aug 25, 2017 •

edited

Loading