Switch to Signature Canonicalization version 2

duosecurity · Aug 20, 2024 · 51f6fe5 · 51f6fe5
1 parent 91513cd
commit 51f6fe5
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 3 deletions.
diff --git a/lib/https.c b/lib/https.c
@@ -660,14 +660,18 @@ https_send(struct https_request *req, const char *method, const char *uri,
     BIO *b64;
     HMAC_CTX *hmac;
     unsigned char MD[SHA512_DIGEST_LENGTH];
-    char *qs, *p;
+    char *qs, *p, date[128];
     int i, n, is_get;
+    time_t t;
 
     req->done = 0;
 
+    t = time(NULL);
+    strftime(date, sizeof date, "%a, %d %b %Y %T %z", localtime(&t));
+
     /* Generate query string and canonical request to sign */
     if ((qs = _argv_to_qs(argc, argv)) == NULL ||
-        (asprintf(&p, "%s\n%s\n%s\n%s", method, req->host, uri, qs)) < 0) {
+        (asprintf(&p, "%s\n%s\n%s\n%s\n%s", date, method, req->host, uri, qs)) < 0) {
         free(qs);
         ctx.errstr = strerror(errno);
         return (HTTPS_ERR_LIB);
@@ -688,6 +692,7 @@ https_send(struct https_request *req, const char *method, const char *uri,
                "User-Agent: %s\r\n",
                useragent);
     /* Add signature */
+    BIO_printf(req->cbio, "X-Duo-Date: %s\r\n", date);
     BIO_puts(req->cbio, "Authorization: Basic ");
 
     if ((hmac = HMAC_CTX_new()) == NULL) {

diff --git a/tests/mockduo.py b/tests/mockduo.py
@@ -66,7 +66,13 @@ def _verify_sig(self):
         if ikey != IKEY:
             return False
 
-        canon = [self.method, self.headers["Host"].split(":")[0].lower(), self.path]
+        # first look for x-duo-date header
+        datestring = self.headers.get("x-duo-date")
+        if datestring is None:
+            # if it doesn't exist, try looking for Date header
+            datestring = self.headers.get("Date")
+
+        canon = [datestring, self.method, self.headers["Host"].split(":")[0].lower(), self.path]
         l = []
         for k in sorted(self.args.keys()):
             l.append(