From 6ad5d062dbc30a2a40c0cb3982be342b55d9a463 Mon Sep 17 00:00:00 2001
From: dbuechel
Date: Wed, 19 Feb 2020 15:21:34 +0100
Subject: [PATCH] SEBWIN-309, SEBWIN-358: Corrected usage of salt value for browser exam key.
---
 SafeExamBrowser.Browser/Handlers/ResourceHandler.cs | 11 +++++++----
 .../DataMapping/BrowserDataMapper.cs | 3 +--
 SafeExamBrowser.Settings/Browser/BrowserSettings.cs | 2 +-
 SebWindowsConfig/Utilities/SEBProtectionController.cs | 6 +++---
 4 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/SafeExamBrowser.Browser/Handlers/ResourceHandler.cs b/SafeExamBrowser.Browser/Handlers/ResourceHandler.cs
index 8d457bac..d2a5ae6b 100644
--- a/SafeExamBrowser.Browser/Handlers/ResourceHandler.cs
+++ b/SafeExamBrowser.Browser/Handlers/ResourceHandler.cs
@@ -130,12 +130,15 @@ namespace SafeExamBrowser.Browser.Handlers
 private string ComputeBrowserExamKey()
 {
- var hash = algorithm.ComputeHash(Encoding.UTF8.GetBytes(settings.ExamKeySalt + appConfig.CodeSignatureHash + appConfig.ProgramBuildVersion + settings.ConfigurationKey));
- var key = BitConverter.ToString(hash).ToLower().Replace("-", string.Empty);
+ using (var algorithm = new HMACSHA256(settings.ExamKeySalt))
+ {
+ var hash = algorithm.ComputeHash(Encoding.UTF8.GetBytes(appConfig.CodeSignatureHash + appConfig.ProgramBuildVersion + settings.ConfigurationKey));
+ var key = BitConverter.ToString(hash).ToLower().Replace("-", string.Empty);
 
- browserExamKey = key;
+ browserExamKey = key;
 
- return browserExamKey;
+ return browserExamKey;
+ }
 }
 
 private bool IsMailtoUrl(string url)
diff --git a/SafeExamBrowser.Configuration/ConfigurationData/DataMapping/BrowserDataMapper.cs b/SafeExamBrowser.Configuration/ConfigurationData/DataMapping/BrowserDataMapper.cs
index 0681b1e6..7208a1d0 100644
--- a/SafeExamBrowser.Configuration/ConfigurationData/DataMapping/BrowserDataMapper.cs
+++ b/SafeExamBrowser.Configuration/ConfigurationData/DataMapping/BrowserDataMapper.cs
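Review bot: `new HMACSHA256(settings.ExamKeySalt)` throws an ArgumentNullException when the key is null, whereas the removed concatenation silently treated a missing salt as an empty string, so a configuration without a salt value (the mapper hunk below only assigns `ExamKeySalt` when the value is a byte[]) now makes `ComputeBrowserExamKey` throw instead of returning a key. Make that choice explicit, e.g. `var salt = settings.ExamKeySalt ?? Array.Empty<byte>();` if an unsalted key is acceptable, or a guard that throws an InvalidOperationException naming the missing setting so the failure is attributable in logs. The removed line called `algorithm` without declaring it, so if that was a class member it is now shadowed by the local and presumably dead — worth checking whether it can be removed. Minor: `ToLowerInvariant()` is the idiomatic call for hex formatting, although with only `A`–`F` involved the culture cannot change the result.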
@@ -6,7 +6,6 @@
 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
 */
 
-using System;
 using System.Collections.Generic;
 using SafeExamBrowser.Settings;
 using SafeExamBrowser.Settings.Browser;
@@ -281,7 +280,7 @@ namespace SafeExamBrowser.Configuration.ConfigurationData.DataMapping
 {
 if (value is byte[] salt)
 {
- settings.Browser.ExamKeySalt = BitConverter.ToString(salt).ToLower().Replace("-", string.Empty);
+ settings.Browser.ExamKeySalt = salt;
 }
 }
diff --git a/SafeExamBrowser.Settings/Browser/BrowserSettings.cs b/SafeExamBrowser.Settings/Browser/BrowserSettings.cs
index c79b2e09..9b247e87 100644
--- a/SafeExamBrowser.Settings/Browser/BrowserSettings.cs
+++ b/SafeExamBrowser.Settings/Browser/BrowserSettings.cs
@@ -94,7 +94,7 @@ namespace SafeExamBrowser.Settings.Browser
 ///
 /// The salt value for the calculation of the exam key which is used for integrity checks with server applications (see also ).
 ///
- public string ExamKeySalt { get; set; }
+ public byte[] ExamKeySalt { get; set; }
 
 ///
 /// The settings to be used for the browser request filter.
diff --git a/SebWindowsConfig/Utilities/SEBProtectionController.cs b/SebWindowsConfig/Utilities/SEBProtectionController.cs
index 6ac06ed3..4f60f7ea 100644
--- a/SebWindowsConfig/Utilities/SEBProtectionController.cs
+++ b/SebWindowsConfig/Utilities/SEBProtectionController.cs
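Review bot: The new assignment stores the configuration's array by reference, so the HMAC key held in `BrowserSettings` aliases the raw parsed value and any later change to either side is seen by both; `settings.Browser.ExamKeySalt = (byte[]) salt.Clone();` keeps the key independent of the configuration data. A value that is present but not a byte[] still falls through silently and leaves `ExamKeySalt` at its default, which the HMAC construction in `ResourceHandler` no longer tolerates, so a log line or explicit error in the non-matching case would make a malformed salt attributable rather than surfacing later as an ArgumentNullException. The enclosing method's signature lies outside the hunk.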
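Review bot: The summary on `ExamKeySalt` does not say what representation the property now carries; since callers pass it straight to `HMACSHA256` as the key, the doc should state that it holds the raw salt bytes as read from the configuration (no longer a lower-case hex string) and that it serves as the HMAC key, e.g. `/// The raw salt bytes used as the HMAC key when computing the browser exam key for integrity checks with server applications.`. It is also worth documenting whether `null` is a valid value, because the setter is public, the property has no initializer, and the consumers in this commit throw on a null key.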
@@ -574,14 +574,14 @@ namespace SebWindowsConfig.Utilities
 {
 var executable = Assembly.GetExecutingAssembly();
 var certificate = executable.Modules.First().GetSignerCertificate();
- var salt = BitConverter.ToString((byte[])SEBSettings.settingsCurrent[SEBSettings.KeyExamKeySalt]).ToLower().Replace("-", string.Empty);
+ var salt = (byte[]) SEBSettings.settingsCurrent[SEBSettings.KeyExamKeySalt];
 var signature = certificate?.GetCertHashString();
 var version = FileVersionInfo.GetVersionInfo(executable.Location).FileVersion;
 var configurationKey = ComputeConfigurationKey();
- using (var algorithm = new SHA256Managed())
+ using (var algorithm = new HMACSHA256(salt))
 {
- var hash = algorithm.ComputeHash(Encoding.UTF8.GetBytes(salt + signature + version + configurationKey));
+ var hash = algorithm.ComputeHash(Encoding.UTF8.GetBytes(signature + version + configurationKey));
 var key = BitConverter.ToString(hash).ToLower().Replace("-", string.Empty);
 return key;