Comments

tmuras created an issue. See original summary.

daggerhart wrote:

Assigned: Unassigned » daggerhart

I'll take a look at this and see what we can do to mitigate.

tom.camp wrote:

Daggerhart, has there been any progress here?

rosk0 wrote:

Version: 7.x-1.x-dev » 8.x-1.x-dev
Assigned: daggerhart » Unassigned
Status: Active » Needs review
Issue tags: +Needs manual testing
Attachment: new, 1.5 KB
larowlan wrote:

Looks good to me, is consistent with how core does things.

Only observation would be: is it worth also using core's hash salt for the salt, so you have the ssp config salt, the private key and the hash salt being used?

  • RoSk0 committed cecbad9 on 8.x-1.x
    Issue #3020308 by RoSk0, larowlan, plach: Avoid length extension attack

RoSk0 credited plach.

rosk0 wrote:

Status: Needs review » Fixed

Thanks @larowlan! Unfortunately I noticed your message too late, so I created a child for your suggestion; not sure if it will make a huge difference though, we still need to access SSP config to get a cookie name.

Crediting @plach for manual testing confirmed here https://github.com/drupalauth/simplesamlphp-module-drupalauth/pull/51#is...
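As an added illustration of the construction discussed in this thread (larowlan's suggestion of folding core's hash salt into the key, and the commit's goal of avoiding a length extension attack), the following Python is example code written for this page, not code from the drupalauth module or from Drupal core. It shows the weak form `H(key || message)` next to the keyed HMAC form that Drupal core exposes as `Crypt::hmacBase64`, derives one signing key from three secrets, and verifies a token with a constant-time comparison. The names `SSP_SALT`, `PRIVATE_KEY`, `HASH_SALT`, `derive_key`, `sign` and `verify` and all secret values are constructed for the example and are not the module's own identifiers or configuration.

```python
"""Token signing with HMAC instead of a bare hash over key || message.

Added example, not part of the drupalauth module or Drupal core. The three
secrets below stand in for the SimpleSAMLphp config salt, the module's
private key and Drupal core's hash salt; the values are constructed.
"""
import base64
import binascii
import hashlib
import hmac

# Constructed placeholder secrets; a real deployment reads these from config.
SSP_SALT = b"constructed-ssp-config-salt"
PRIVATE_KEY = b"constructed-module-private-key"
HASH_SALT = b"constructed-drupal-hash-salt"


def derive_key(*secrets: bytes) -> bytes:
    """Combine several secrets into one fixed-length 32-byte signing key.

    Each secret is hashed as a length-prefixed field, so the same bytes split
    differently between fields yield a different key.
    """
    h = hashlib.sha256()
    for s in secrets:
        h.update(len(s).to_bytes(4, "big"))
        h.update(s)
    return h.digest()


def naive_tag(key: bytes, message: bytes) -> str:
    """Weak construction: SHA-256(key || message).

    Because SHA-256 is a Merkle-Damgard hash, this tag leaks enough internal
    state for a length extension attack; shown only as the 'before' form.
    """
    return hashlib.sha256(key + message).hexdigest()


def hmac_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256, URL-safe base64 without padding (the shape of
    Drupal core's Crypt::hmacBase64 output). HMAC is not length-extendable."""
    digest = hmac.new(key, message, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def encode_token(message: bytes, tag: str) -> str:
    """Token layout: base64url(message) '.' tag."""
    return base64.urlsafe_b64encode(message).decode("ascii") + "." + tag


def sign(message: bytes, key: bytes) -> str:
    """Produce a signed token for `message` under `key`."""
    return encode_token(message, hmac_tag(key, message))


def verify(token: str, key: bytes):
    """Return the message if the token's tag verifies, else None.

    The comparison is constant-time so a wrong tag does not leak how many
    leading characters matched.
    """
    try:
        msg_b64, tag = token.split(".", 1)
        message = base64.urlsafe_b64decode(msg_b64)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(hmac_tag(key, message), tag):
        return None
    return message


if __name__ == "__main__":
    key = derive_key(SSP_SALT, PRIVATE_KEY, HASH_SALT)
    token = sign(b"uid=42", key)
    print(token)
    print(verify(token, key))                  # b'uid=42'
    print(verify(token[:-1] + "A", key))       # None (tag altered)
```

The key derivation hashes each secret as a length-prefixed field rather than simply concatenating them, which is the detail that makes "ssp salt + private key + hash salt" unambiguous; the verifier rejects both a modified message and a modified tag, and a key derived from only two of the three secrets does not verify tokens made with all three.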

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.