diff options
Diffstat (limited to 'filters/simple-authentication.lua')
| -rw-r--r-- | filters/simple-authentication.lua | 4 |
1 files changed, 2 insertions, 2 deletions
| diff --git a/filters/simple-authentication.lua b/filters/simple-authentication.lua index de34d09..596c041 100644 --- a/filters/simple-authentication.lua +++ b/filters/simple-authentication.lua | |||
| @@ -231,7 +231,7 @@ function validate_value(expected_field, cookie) | |||
| 231 | end | 231 | end |
| 232 | 232 | ||
| 233 | -- Lua hashes strings, so these comparisons are time invariant. | 233 | -- Lua hashes strings, so these comparisons are time invariant. |
| 234 | if hmac ~= crypto.hmac.digest("sha1", field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then | 234 | if hmac ~= crypto.hmac.digest("sha256", field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then |
| 235 | return nil | 235 | return nil |
| 236 | end | 236 | end |
| 237 | 237 | ||
| @@ -256,7 +256,7 @@ function secure_value(field, value, expiration) | |||
| 256 | value = url_encode(value) | 256 | value = url_encode(value) |
| 257 | field = url_encode(field) | 257 | field = url_encode(field) |
| 258 | authstr = field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt | 258 | authstr = field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt |
| 259 | authstr = authstr .. "|" .. crypto.hmac.digest("sha1", authstr, secret) | 259 | authstr = authstr .. "|" .. crypto.hmac.digest("sha256", authstr, secret) |
| 260 | return authstr | 260 | return authstr |
| 261 | end | 261 | end |
| 262 | 262 | ||