2 files changed, 4 insertions, 4 deletions
diff --git a/filters/gentoo-ldap-authentication.lua b/filters/gentoo-ldap-authentication.lua
index 6d8eb3e..c1e382f 100644
--- a/filters/gentoo-ldap-authentication.lua
+++ b/filters/gentoo-ldap-authentication.lua
@@ -271,7 +271,7 @@ function validate_value(expected_field, cookie)
        end
        -- Lua hashes strings, so these comparisons are time invariant.
-        if hmac ~= crypto.hmac.digest("sha1", field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then
+        if hmac ~= crypto.hmac.digest("sha256", field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then
                return nil
        end
@@ -296,7 +296,7 @@ function secure_value(field, value, expiration)
        value = url_encode(value)
        field = url_encode(field)
        authstr = field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt
-        authstr = authstr .. "|" .. crypto.hmac.digest("sha1", authstr, secret)
+        authstr = authstr .. "|" .. crypto.hmac.digest("sha256", authstr, secret)
        return authstr
 end
diff --git a/filters/simple-authentication.lua b/filters/simple-authentication.lua
index de34d09..596c041 100644
--- a/filters/simple-authentication.lua
+++ b/filters/simple-authentication.lua
@@ -231,7 +231,7 @@ function validate_value(expected_field, cookie)
        end
        -- Lua hashes strings, so these comparisons are time invariant.
-        if hmac ~= crypto.hmac.digest("sha1", field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then
+        if hmac ~= crypto.hmac.digest("sha256", field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then
                return nil
        end
@@ -256,7 +256,7 @@ function secure_value(field, value, expiration)
        value = url_encode(value)
        field = url_encode(field)
        authstr = field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt
-        authstr = authstr .. "|" .. crypto.hmac.digest("sha1", authstr, secret)
+        authstr = authstr .. "|" .. crypto.hmac.digest("sha256", authstr, secret)
        return authstr
 end

diff --git a/filters/gentoo-ldap-authentication.lua b/filters/gentoo-ldap-authentication.lua index 6d8eb3e..c1e382f 100644 --- a/filters/gentoo-ldap-authentication.lua +++ b/filters/gentoo-ldap-authentication.lua
@@ -271,7 +271,7 @@ function validate_value(expected_field, cookie)
271	end	271	end
272		272
273	-- Lua hashes strings, so these comparisons are time invariant.	273	-- Lua hashes strings, so these comparisons are time invariant.
274	if hmac ~= crypto.hmac.digest("sha1", field .. "\|" .. value .. "\|" .. tostring(expiration) .. "\|" .. salt, secret) then	274	if hmac ~= crypto.hmac.digest("sha256", field .. "\|" .. value .. "\|" .. tostring(expiration) .. "\|" .. salt, secret) then
275	return nil	275	return nil
276	end	276	end
277		277
@@ -296,7 +296,7 @@ function secure_value(field, value, expiration)
296	value = url_encode(value)	296	value = url_encode(value)
297	field = url_encode(field)	297	field = url_encode(field)
298	authstr = field .. "\|" .. value .. "\|" .. tostring(expiration) .. "\|" .. salt	298	authstr = field .. "\|" .. value .. "\|" .. tostring(expiration) .. "\|" .. salt
299	authstr = authstr .. "\|" .. crypto.hmac.digest("sha1", authstr, secret)	299	authstr = authstr .. "\|" .. crypto.hmac.digest("sha256", authstr, secret)
300	return authstr	300	return authstr
301	end	301	end
302		302


diff --git a/filters/simple-authentication.lua b/filters/simple-authentication.lua index de34d09..596c041 100644 --- a/filters/simple-authentication.lua +++ b/filters/simple-authentication.lua
@@ -231,7 +231,7 @@ function validate_value(expected_field, cookie)
231	end	231	end
232		232
233	-- Lua hashes strings, so these comparisons are time invariant.	233	-- Lua hashes strings, so these comparisons are time invariant.
234	if hmac ~= crypto.hmac.digest("sha1", field .. "\|" .. value .. "\|" .. tostring(expiration) .. "\|" .. salt, secret) then	234	if hmac ~= crypto.hmac.digest("sha256", field .. "\|" .. value .. "\|" .. tostring(expiration) .. "\|" .. salt, secret) then
235	return nil	235	return nil
236	end	236	end
237		237
@@ -256,7 +256,7 @@ function secure_value(field, value, expiration)
256	value = url_encode(value)	256	value = url_encode(value)
257	field = url_encode(field)	257	field = url_encode(field)
258	authstr = field .. "\|" .. value .. "\|" .. tostring(expiration) .. "\|" .. salt	258	authstr = field .. "\|" .. value .. "\|" .. tostring(expiration) .. "\|" .. salt
259	authstr = authstr .. "\|" .. crypto.hmac.digest("sha1", authstr, secret)	259	authstr = authstr .. "\|" .. crypto.hmac.digest("sha256", authstr, secret)
260	return authstr	260	return authstr
261	end	261	end
262		262