summaryrefslogtreecommitdiff
path: root/src/sp_cookie_encryption.c (follow)
AgeCommit message (Collapse)Author
2017-12-19Rework a bit the order of operationjvoisin
- There is no need to generate the key if the cookie has no value - There is no need to generate the key if the cookie length is invalid - Use yoda condition
2017-12-19remove useless varslefevre
2017-12-19fix double decodingslefevre
2017-12-18Fix cookie encryptionxXx-caillou-xXx
Previously, when a cookie was set with the `httpOnly` flag, it was automatically encrypted, due to a logic flaw. This is now fixed and tested.
2017-11-27Improve our nonce's randomnessjvoisin
2017-11-24Implement anti csrf measuresxXx-caillou-xXx
This is done by using the "samesite" cookie attribute.
2017-10-11Cheat a bit with the coveragejvoisin
2017-10-02Add a warning if the env var is NULLjvoisin
2017-10-02First pass for #9jvoisin
2017-09-29Fix two cookie encryption issues found by @cfreal, and a bonus one (#18)jvoisin
* Fix a cookie encryption issue found by @cfreal - Use the base64-decoded payload length to allocate memory to decrypt it, instead of allocating the length of the undecoded one. This has no security impact, since the base64-encoded string is at least as large as the decoded one. Since we're using AEAD, there is no way to leak memory, since this would make the decryption fail.
2017-09-21Add travisjvoisin
2017-09-20Initial importSebastien Blot