aboutsummaryrefslogtreecommitdiffstats
path: root/filters
diff options
context:
space:
mode:
authorJason A. Donenfeld2018-07-14 03:32:00 +0200
committerJason A. Donenfeld2018-07-14 03:33:56 +0200
commitc3b5b5f648d953307672a4b30e9222787668f708 (patch)
tree6b2179805885fe812fddc8d54d8e8fd5ee4f6292 /filters
parentc132ef2462b3c5223c77eb68fa372edde85cfb6b (diff)
downloadcgit-c3b5b5f648d953307672a4b30e9222787668f708.tar.gz
cgit-c3b5b5f648d953307672a4b30e9222787668f708.tar.bz2
cgit-c3b5b5f648d953307672a4b30e9222787668f708.zip
auth-filters: do not use HMAC-SHA1
Though SHA1 is broken, HMAC-SHA1 is still fine. But let's not push our luck; SHA256 is more sensible anyway. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'filters')
-rw-r--r--filters/gentoo-ldap-authentication.lua4
-rw-r--r--filters/simple-authentication.lua4
2 files changed, 4 insertions, 4 deletions
diff --git a/filters/gentoo-ldap-authentication.lua b/filters/gentoo-ldap-authentication.lua
index 6d8eb3e..c1e382f 100644
--- a/filters/gentoo-ldap-authentication.lua
+++ b/filters/gentoo-ldap-authentication.lua
@@ -271,7 +271,7 @@ function validate_value(expected_field, cookie)
271 end 271 end
272 272
273 -- Lua hashes strings, so these comparisons are time invariant. 273 -- Lua hashes strings, so these comparisons are time invariant.
274 if hmac ~= crypto.hmac.digest("sha1", field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then 274 if hmac ~= crypto.hmac.digest("sha256", field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then
275 return nil 275 return nil
276 end 276 end
277 277
@@ -296,7 +296,7 @@ function secure_value(field, value, expiration)
296 value = url_encode(value) 296 value = url_encode(value)
297 field = url_encode(field) 297 field = url_encode(field)
298 authstr = field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt 298 authstr = field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt
299 authstr = authstr .. "|" .. crypto.hmac.digest("sha1", authstr, secret) 299 authstr = authstr .. "|" .. crypto.hmac.digest("sha256", authstr, secret)
300 return authstr 300 return authstr
301end 301end
302 302
diff --git a/filters/simple-authentication.lua b/filters/simple-authentication.lua
index de34d09..596c041 100644
--- a/filters/simple-authentication.lua
+++ b/filters/simple-authentication.lua
@@ -231,7 +231,7 @@ function validate_value(expected_field, cookie)
231 end 231 end
232 232
233 -- Lua hashes strings, so these comparisons are time invariant. 233 -- Lua hashes strings, so these comparisons are time invariant.
234 if hmac ~= crypto.hmac.digest("sha1", field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then 234 if hmac ~= crypto.hmac.digest("sha256", field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then
235 return nil 235 return nil
236 end 236 end
237 237
@@ -256,7 +256,7 @@ function secure_value(field, value, expiration)
256 value = url_encode(value) 256 value = url_encode(value)
257 field = url_encode(field) 257 field = url_encode(field)
258 authstr = field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt 258 authstr = field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt
259 authstr = authstr .. "|" .. crypto.hmac.digest("sha1", authstr, secret) 259 authstr = authstr .. "|" .. crypto.hmac.digest("sha256", authstr, secret)
260 return authstr 260 return authstr
261end 261end
262 262