Modernizing cookie signature crypto

[djc]

I think plain SHA1 is a little outdated by now. We should probably use HMAC-SHA256 (as used in JWS/JWA algorithm HS256, for example).

[lloyd]

+1 - I see no meaningful downside -

complexity - tiny cuz apr implements sha-256 and HMAC ain't hard compute cost - whatever size / network hit - whatever security - arguably better collision - better

@fmarier or @warner - care to weigh in here on SHA-1 vs SHA-256?

Related question, do we want to include the session start time inside the signed portion of the cookie? This could be a measure to prevent replay and could allow us to implement a time based upper bound on session length in the future.

[djc]

Session start time sounds good, but let's put that in a different issue?

[lloyd]

yep, the king of conflation goes to open a new one.

[fmarier]

I'd definitely go with SHA-256. SHA-1 is for legacy things, not for new code.

[djc]

While APR seems to have SHA256 code, it appears to be for internal use only. The sha2.h file is stupidly exposed by their Doxygen instance, but it's not part of an installed APR (in 1.4.8, the latest at this point). So we either add an openssl or nss dependency or copy their header file and pray for the best?

[lloyd]

Openssl/nss dependency could be a minefield.

Is there a tiny liberally licensed standalone implementation of SHA256? I seem to recall having beautiful one file implementation at one point.

On Sep 4, 2013, at 11:57 AM, Dirkjan Ochtman notifications@github.com wrote:

While APR seems to have SHA256 code, it appears to be for internal use only. The sha2.h file is stupidly exposed by their Doxygen instance, but it's not part of an installed APR (in 1.4.8, the latest at this point). So we either add an openssl or nss dependency or copy their header file and pray for the best?

— Reply to this email directly or view it on GitHub.

[djc]

This thing appears to be somewhat popular:

http://patux.net/crypto_programs/hash/sha-2/sha256.c.html

[djc]

On the other hand, is importing a somewhat random copy of a SHA256 implementation really better than just relying on OpenSSL/NSS that are probably installed anyway? IOW, why do you think that could be a minefield?

[lloyd]

Maybe I'm over-reacting. In projects in the past that I've contributed to that have relied on openssl there's been versioning issues.

How about this, you make the call, and we'll re-visit if there ends up being unforeseen consequences?

lloyd

On Sep 9, 2013, at 5:32 PM, Dirkjan Ochtman notifications@github.com wrote:

On the other hand, is importing a somewhat random copy of a SHA256 implementation really better than just relying on OpenSSL/NSS that are probably installed anyway? IOW, why do you think that could be a minefield?

— Reply to this email directly or view it on GitHub.

[djc]

WORKSFORME.

On Mon, Sep 9, 2013 at 4:40 PM, Lloyd Hilaiel notifications@github.comwrote:

Maybe I'm over-reacting. In projects in the past that I've contributed to that have relied on openssl there's been versioning issues.

How about this, you make the call, and we'll re-visit if there ends up being unforeseen consequences?

lloyd

On Sep 9, 2013, at 5:32 PM, Dirkjan Ochtman notifications@github.com wrote:

On the other hand, is importing a somewhat random copy of a SHA256 implementation really better than just relying on OpenSSL/NSS that are probably installed anyway? IOW, why do you think that could be a minefield?

— Reply to this email directly or view it on GitHub.

— Reply to this email directly or view it on GitHubhttps://github.com/mozilla/mod_authn_persona/issues/17#issuecomment-24081436 .

[fmarier]

How about NSS? It's got a much better license than OpenSSL...

[djc]

I mentioned that in my comment as well, but I would guess NSS has a much smaller install base on servers that run Apache, so it becomes more of a barrier to installation.

[fmarier]

True. We can just depend on the system's version of OpenSSL I guess (what most C projects do).

[djc]

Yes, I think that's the easiest solution. Given the amount of rebuilding I've seen on my source-based servers, I think OpenSSL API is pretty stable these days (particularly these hashing and HMAC parts).

[djc]

Trying to get it into APR.

https://issues.apache.org/bugzilla/show_bug.cgi?id=55520 http://mail-archives.apache.org/mod_mbox/apr-dev/201310.mbox/%3CCAKmKYaCPsh13vJE7pAJmF55pUOqvT7_%3DzYkJ6eJ1TzZ5TXtJkQ%40mail.gmail.com%3E

[djc]

It looks like we can just copy the private sha2.h from APR into the project and then use the code as linked in to APR. How do you guys feel about doing that?

This came up in the discussion on including it in the public API. Even if they decide to do it, bundling sha2.h seems useful so that we don't have to rely on brand new APR.