Attempt to fix address checking when IPv6 addresses are used. - SIDP-235
authorlajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Wed, 15 Oct 2008 20:18:56 +0000 (20:18 +0000)
committerlajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Wed, 15 Oct 2008 20:18:56 +0000 (20:18 +0000)
git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/branches/REL_2@2784 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

src/main/java/edu/internet2/middleware/shibboleth/idp/authn/AuthenticationEngine.java
src/main/java/edu/internet2/middleware/shibboleth/idp/session/IdPSessionFilter.java

index cae30a6..21d9b68 100644 (file)
@@ -226,12 +226,12 @@ public class AuthenticationEngine extends HttpServlet {
             HttpServletResponse httpResponse) {
         LOG.debug("Returning control to profile handler at: {}", loginContext.getProfileHandlerURL());
         httpRequest.setAttribute(LoginContext.LOGIN_CONTEXT_KEY, loginContext);
-        
+
         // Cleanup this cookie
         Cookie lcKeyCookie = new Cookie(LOGIN_CONTEXT_KEY_NAME, "");
         lcKeyCookie.setMaxAge(0);
         httpResponse.addCookie(lcKeyCookie);
-        
+
         forwardRequest(loginContext.getProfileHandlerURL(), httpRequest, httpResponse);
     }
 
@@ -713,23 +713,25 @@ public class AuthenticationEngine extends HttpServlet {
             Session userSession) {
         httpRequest.setAttribute(Session.HTTP_SESSION_BINDING_ATTRIBUTE, userSession);
 
-        String remoteAddress = httpRequest.getRemoteAddr();
-        String sessionId = userSession.getSessionID();
-        
+        byte[] remoteAddress = httpRequest.getRemoteAddr().getBytes();
+        byte[] sessionId = userSession.getSessionID().getBytes();
+
         String signature = null;
         SecretKey signingKey = userSession.getSessionSecretKey();
         try {
             Mac mac = Mac.getInstance("HmacSHA256");
             mac.init(signingKey);
-            mac.update(remoteAddress.getBytes());
-            mac.update(sessionId.getBytes());
+            mac.update(remoteAddress);
+            mac.update(sessionId);
             signature = Base64.encodeBytes(mac.doFinal());
         } catch (GeneralSecurityException e) {
             LOG.error("Unable to compute signature over session cookie material", e);
         }
 
         LOG.debug("Adding IdP session cookie to HTTP response");
-        Cookie sessionCookie = new Cookie(IDP_SESSION_COOKIE_NAME, remoteAddress + "|" + sessionId + "|" + signature);
+        Cookie sessionCookie = new Cookie(IDP_SESSION_COOKIE_NAME, Base64.encodeBytes(remoteAddress,
+                Base64.DONT_BREAK_LINES)
+                + "|" + Base64.encodeBytes(sessionId, Base64.DONT_BREAK_LINES) + "|" + signature);
 
         String contextPath = httpRequest.getContextPath();
         if (DatatypeHelper.isEmpty(contextPath)) {
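Review bot: If `Mac.getInstance` or `mac.init` throws, `signature` stays null and the cookie built at the end of this hunk is still issued with the literal text `null` as its third field. The catch block should log and return without adding the cookie, rather than hand the client a session cookie that can never verify. The two `getBytes()` calls also use the platform default charset, as does the matching `new String(bytes)` in IdPSessionFilter, so naming the charset explicitly on both sides would keep the MAC input stable across JVM settings. The signature is encoded without `Base64.DONT_BREAK_LINES` while the other two fields pass it; a 32-byte HMAC presumably stays under the wrap width, but using the flag for all three fields would make that explicit. The method starts before and continues past this hunk.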
index 27cd93e..a8e9ff9 100644 (file)
@@ -18,6 +18,7 @@ package edu.internet2.middleware.shibboleth.idp.session;
 
 import java.io.IOException;
 import java.security.GeneralSecurityException;
+import java.util.Arrays;
 
 import javax.crypto.Mac;
 import javax.crypto.SecretKey;
@@ -133,27 +134,32 @@ public class IdPSessionFilter implements Filter {
         // index 1: session ID
         // index 2: Base64(HMAC(index 0 + index 1))
         String[] valueComponents = sessionCookie.getValue().split("\\|");
+        byte[] remoteAddressBytes = Base64.decode(valueComponents[0]);
+        byte[] sessionIdBytes = Base64.decode(valueComponents[1]);
+        byte[] signatureBytes = Base64.decode(valueComponents[2]);
 
         if (consistentAddress) {
-            if (!httpRequest.getRemoteAddr().equals(valueComponents[0])) {
+            String remoteAddress = new String(remoteAddressBytes);
+            if (!httpRequest.getRemoteAddr().equals(remoteAddress)) {
                 log.error("Client sent a cookie from addres {} but the cookie was issued to address {}", httpRequest
-                        .getRemoteAddr(), valueComponents[0]);
+                        .getRemoteAddr(), remoteAddress);
                 return null;
             }
         }
 
-        Session userSession = sessionManager.getSession(valueComponents[1]);
+        String sessionId = new String(sessionIdBytes);
+        Session userSession = sessionManager.getSession(sessionId);
 
         if (userSession != null) {
             SecretKey signingKey = userSession.getSessionSecretKey();
             try {
                 Mac mac = Mac.getInstance("HmacSHA256");
                 mac.init(signingKey);
-                mac.update(valueComponents[0].getBytes());
-                mac.update(valueComponents[1].getBytes());
+                mac.update(remoteAddressBytes);
+                mac.update(sessionIdBytes);
                 byte[] signature = mac.doFinal();
 
-                if (!DatatypeHelper.safeEquals(valueComponents[2], Base64.encodeBytes(signature))) {
+                if (!Arrays.equals(signature, signatureBytes)) {
                     log.error("Session cookie signature did not match, the session cookie has been tampered with");
                     return null;
                 }
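Review bot: The new signature check `Arrays.equals(signature, signatureBytes)` can return at the first differing byte, so its timing depends on how much of a submitted signature is correct; `if (!MessageDigest.isEqual(signature, signatureBytes)) {` is the usual choice for MAC verification (needs `import java.security.MessageDigest;`, and confirm the target JRE's implementation is constant-time). The three `Base64.decode(valueComponents[n])` calls at the top also run on the raw cookie before any validation, so a cookie with fewer than three `|`-separated fields raises ArrayIndexOutOfBoundsException. A guard such as `if (valueComponents.length != 3) { return null; }` before decoding, plus a null check on the decoded arrays if this Base64 class can return null on malformed input, would reject such cookies cleanly. The address comparison and its `log.error` line use the decoded address before the HMAC is verified, so an unverified client-supplied string reaches the log; verifying the signature first, or sanitising the logged value, avoids that. The comment above the `split` still describes indexes 0 and 1 as plain values and should say they are now Base64-encoded; the method starts before and continues past this hunk.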