[pve-devel] [PATCH v3 common 2/2] use hmac_sha256 instead of sha1 for csrf token

[Oguz Bektas]

now generates & verifies with hmac_sha1. also left the old digest format
for backwards compatibility during verification, to be removed at some
later time.

Signed-off-by: Oguz Bektas <o.bektas at proxmox.com>
---
v2 -> v3:
* break down long line into if-else block

 src/PVE/Ticket.pm | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/PVE/Ticket.pm b/src/PVE/Ticket.pm
index 5935ba5..d5d0041 100644
--- a/src/PVE/Ticket.pm
+++ b/src/PVE/Ticket.pm
@@ -20,7 +20,7 @@ sub assemble_csrf_prevention_token {
 
     my $timestamp = sprintf("%08X", time());
 
-    my $digest = Digest::SHA::sha1_base64("$timestamp:$username", $secret);
+    my $digest = Digest::SHA::hmac_sha256_base64("$timestamp:$username", $secret);
 
     return "$timestamp:$digest";
 }
@@ -33,7 +33,13 @@ sub verify_csrf_prevention_token {
 	my $timestamp = $1;
 	my $ttime = hex($timestamp);
 
-	my $digest = Digest::SHA::sha1_base64("$timestamp:$username", $secret);
+	my $digest;
+	if (length($sig) == 27) {
+	    # detected sha1 csrf token from older proxy, switching to fallback. FIXME: remove with 7.0
+	    $digest = Digest::SHA::sha1_base64("$timestamp:$username", "$secret");
+	} else {
+	    $digest = Digest::SHA::hmac_sha256_base64("$timestamp:$username", "$secret");
+	}
 
 	my $age = time() - $ttime;
 	return 1 if ($digest eq $sig) && ($age > $min_age) &&
-- 
2.11.0