author | James Feist <james.feist@linux.intel.com> | 2020-04-16 01:46:44 +0300 |
---|---|---|
committer | James Feist <james.feist@linux.intel.com> | 2020-04-17 21:05:51 +0300 |
commit | a68a8045387e60771e69c53eaa1e4283eab517e4 (patch) | |
tree | 31e7a4534cdadf42d0686687efe698c5e722e1ce /include/sessions.hpp | |
parent | 7af9151495a18c805b45764b4bba6302ec214efb (diff) | |
download | bmcweb-a68a8045387e60771e69c53eaa1e4283eab517e4.tar.xz |
Use CPRNG for session secrets generation
std::random_device is not a cryptographically secure
algorithm. Switch to RAND_bytes instead.
Tested: Login and logout works as expected
Change-Id: If24fa6c3a0652c011bc50ae611b180f342d68433
Signed-off-by: James Feist <james.feist@linux.intel.com>
Diffstat (limited to 'include/sessions.hpp')
-rw-r--r-- | include/sessions.hpp | 63 |
1 files changed, 59 insertions, 4 deletions
diff --git a/include/sessions.hpp b/include/sessions.hpp
index 8ff903a439..c2fcf319d7 100644
--- a/include/sessions.hpp
+++ b/include/sessions.hpp
@@ -1,5 +1,7 @@
 #pragma once
+#include <openssl/rand.h>
+
 #include <boost/container/flat_map.hpp>
 #include <boost/uuid/uuid.hpp>
 #include <boost/uuid/uuid_generators.hpp>
@@ -147,6 +149,45 @@ struct AuthConfigMethods
 class Middleware;
+struct OpenSSLGenerator
+{
+
+ uint8_t operator()(void)
+ {
+ uint8_t index = 0;
+ int rc = RAND_bytes(&index, sizeof(index));
+ if (rc != opensslSuccess)
+ {
+ std::cerr << "Cannot get random number\n";
+ err = true;
+ }
+
+ return index;
+ };
+
+ uint8_t max()
+ {
+ return std::numeric_limits<uint8_t>::max();
+ }
+ uint8_t min()
+ {
+ return std::numeric_limits<uint8_t>::min();
+ }
+
+ bool error()
+ {
+ return err;
+ }
+
+ // all generators require this variable
+ using result_type = uint8_t;
+
+ private:
+ // RAND_bytes() returns 1 on success, 0 otherwise. -1 if bad function
+ static constexpr int opensslSuccess = 1;
+ bool err = false;
+};
+
 class SessionStore
 {
 public:
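Review bot: `min()` and `max()` in `OpenSSLGenerator` are non-static, non-constexpr member functions, so the type does not meet the UniformRandomBitGenerator requirements that `std::uniform_int_distribution` is specified against, and it compiles only where the library happens to call them on the instance. Moving `using result_type = uint8_t;` to the top and writing `static constexpr result_type max() { return std::numeric_limits<result_type>::max(); }` (and the same for `min()`) fixes that. A failed `RAND_bytes` still returns `index` as 0, which is a valid value, so the output is only trustworthy if every caller checks `error()` after each draw. A comment on `operator()` such as `// On failure returns 0 and latches error(); callers must check error() before using the value` would make that contract explicit. The hunk adds only `<openssl/rand.h>`, so `<limits>` and `<iostream>` presumably arrive through includes outside the hunk and are worth confirming.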
@@ -166,23 +207,38 @@ class SessionStore
 std::string sessionToken;
 sessionToken.resize(sessionTokenSize, '0');
 std::uniform_int_distribution<size_t> dist(0, alphanum.size() - 1);
+
+ OpenSSLGenerator gen;
+
 for (size_t i = 0; i < sessionToken.size(); ++i)
 {
- sessionToken[i] = alphanum[dist(rd)];
+ sessionToken[i] = alphanum[dist(gen)];
+ if (gen.error())
+ {
+ return nullptr;
+ }
 }
 // Only need csrf tokens for cookie based auth, token doesn't matter
 std::string csrfToken;
 csrfToken.resize(sessionTokenSize, '0');
 for (size_t i = 0; i < csrfToken.size(); ++i)
 {
- csrfToken[i] = alphanum[dist(rd)];
+ csrfToken[i] = alphanum[dist(gen)];
+ if (gen.error())
+ {
+ return nullptr;
+ }
 }
 std::string uniqueId;
 uniqueId.resize(10, '0');
 for (size_t i = 0; i < uniqueId.size(); ++i)
 {
- uniqueId[i] = alphanum[dist(rd)];
+ uniqueId[i] = alphanum[dist(gen)];
+ if (gen.error())
+ {
+ return nullptr;
+ }
 }
 auto session = std::make_shared<UserSession>(UserSession{
@@ -324,7 +380,6 @@ class SessionStore
 std::hash<std::string>, crow::utility::ConstantTimeCompare> authTokens;
- std::random_device rd;
 bool needWrite{false};
 std::chrono::minutes timeoutInMinutes;
 AuthConfigMethods authMethodsConfig; |
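Review bot: The three added `return nullptr;` paths give this function a failure result; whether it could already return null is not visible here, and its signature and callers are outside the hunk. It is worth confirming that every caller checks for null before dereferencing the session, and that a login attempt then fails closed with an error response. A comment at the function such as `// Returns nullptr if the CSPRNG fails; no session is created` would document this. The same loop and error check is repeated for `sessionToken`, `csrfToken` and `uniqueId`, so a small helper that fills a string of a given length and reports failure would keep the check from being forgotten if another secret is added. The function body starts and ends outside the hunk.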