Avoid ambiguous encoding for HMAC input #1521
Merged
+1
−1
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
yawkat
requested review from
kwwall,
mackowski,
jmanico and
szh
as code owners
jmanico
approved these changes
Oct 24, 2024
mackowski
approved these changes
Nov 12, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When computing a HMAC of multiple inputs, it is important that the input encoding is unambiguous in order to avoid potential vulnerabilities when an attacker controls some of the input fields.
The old encoding was
sessionID + "!" + random. An attacker that has limited control over thesessionID(e.g. when the sessionID is actually a username) may forge a hmac for another user withsessionID = "alice"by setting their ownsessionID = "alice!eve". The server would then generatemessage = "alice!eve!random"andtoken = hmac("alice!eve!random") + "." + random. From this token, the attacker can create a tokenhmac("alice!eve!random") + ".eve!" + randomwhich is a valid CSRF token forsessionID = "alice".In practice, this is unlikely to be a problem. The session ID usually has a fixed format and is not attacker-controlled. Additionally, the attacker must know the original session ID, and bypass the CSRF token equality check. Nonetheless, as a defense in depth measure, the hmac in the example should use an unambiguous encoding. This PR adds the length of the sessionID and randomValue before their respective value to ensure this.