diff --git a/internal/api/middleware/audit.go b/internal/api/middleware/audit.go index 722eabb..aa222de 100644 --- a/internal/api/middleware/audit.go +++ b/internal/api/middleware/audit.go @@ -109,7 +109,15 @@ func (a *AuditMiddleware) Middleware(next http.Handler) http.Handler { body, err := io.ReadAll(r.Body) if err == nil && len(body) > 0 { hasher.Write(body) - bodyHash = hex.EncodeToString(hasher.Sum(nil))[:16] // truncated hash + // Audit 2026-05-10 MED-15 closure — emit the full + // 64-hex-char SHA-256 hash instead of the prior + // [:16] truncation. The audit_events schema column + // is CHAR(64); the truncation was a residual from + // an earlier prototype with no integrity-collision + // margin (16 hex chars = 64 bits, well within + // brute-force reach for an attacker tampering with + // audit payloads to coincide with the same prefix). + bodyHash = hex.EncodeToString(hasher.Sum(nil)) // Restore the body for downstream handlers r.Body = io.NopCloser(strings.NewReader(string(body))) } diff --git a/internal/api/middleware/audit_test.go b/internal/api/middleware/audit_test.go index e4e703d..beb3185 100644 --- a/internal/api/middleware/audit_test.go +++ b/internal/api/middleware/audit_test.go @@ -228,9 +228,13 @@ func TestAuditLog_HashesRequestBody(t *testing.T) { if len(calls) != 1 { t.Fatalf("expected 1 audit call, got %d", len(calls)) } - // Body hash should be a 16-char hex string (truncated SHA-256) - if len(calls[0].BodyHash) != 16 { - t.Errorf("expected 16-char body hash, got %q (len=%d)", calls[0].BodyHash, len(calls[0].BodyHash)) + // Audit 2026-05-10 MED-15 closure — body hash is now the full + // 64-char hex SHA-256 (was [:16] truncated). The body_hash schema + // column is CHAR(64); the truncation was an integrity-collision + // hole that allowed an attacker to craft tampered audit payloads + // matching the 16-hex prefix. + if len(calls[0].BodyHash) != 64 { + t.Errorf("expected 64-char SHA-256 body hash, got %q (len=%d)", calls[0].BodyHash, len(calls[0].BodyHash)) } if calls[0].Status != 201 { t.Errorf("expected status 201, got %d", calls[0].Status) diff --git a/internal/auth/session/service.go b/internal/auth/session/service.go index 3dd518d..2707cf1 100644 --- a/internal/auth/session/service.go +++ b/internal/auth/session/service.go @@ -840,6 +840,18 @@ func computeHMAC(sessionID, signingKeyID string, hmacKey []byte) []byte { // parts plus the decoded HMAC. Any format/version/decode failure // returns an error; the caller maps to ErrSessionInvalidCookie without // surfacing which check failed (no information leak). +// maxCookieSegmentLen caps any single segment of a parsed cookie at +// 4 KiB — well above the wire shape of any legitimate certctl cookie +// (id1 prefix `ses-` or `pl-` + 22 base64 chars; sk-id ~30 chars; HMAC +// base64 of 32 bytes = 43 chars; v1 version tag = 2 chars). Audit +// 2026-05-10 Nit-4 closure — pre-fix, an attacker could send a 10MB +// cookie segment to amplify HMAC compute cost; the constant-time +// compare on the back end would chew through the input regardless of +// outcome. The cap is loose enough that no legitimate client trips +// it, but tight enough to bound the work an attacker can extract per +// failed request. +const maxCookieSegmentLen = 4096 + func parseCookie(cookieValue string) (sessionID, signingKeyID string, hmacBytes []byte, err error) { if cookieValue == "" { return "", "", nil, errors.New("empty cookie") @@ -848,6 +860,12 @@ func parseCookie(cookieValue string) (sessionID, signingKeyID string, hmacBytes if len(parts) != 4 { return "", "", nil, errors.New("expected 4 segments") } + // Audit 2026-05-10 Nit-4 — per-segment length cap. + for i, seg := range parts { + if len(seg) > maxCookieSegmentLen { + return "", "", nil, fmt.Errorf("cookie segment %d exceeds %d-byte cap", i, maxCookieSegmentLen) + } + } if parts[0] != sessiondomain.CookieFormatVersion { return "", "", nil, errors.New("unsupported version prefix") }