M filters/gentoo-ldap-authentication.lua → filters/gentoo-ldap-authentication.lua

@@ -271,7 +271,7 @@ return nil
 	end
 
 	-- Lua hashes strings, so these comparisons are time invariant.
-	if hmac ~= crypto.hmac.digest("sha1", field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then
+	if hmac ~= crypto.hmac.digest("sha256", field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then
 		return nil
 	end
 
@@ -296,7 +296,7 @@ local salt = crypto.hex(crypto.rand.bytes(16))
 	value = url_encode(value)
 	field = url_encode(field)
 	authstr = field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt
-	authstr = authstr .. "|" .. crypto.hmac.digest("sha1", authstr, secret)
+	authstr = authstr .. "|" .. crypto.hmac.digest("sha256", authstr, secret)
 	return authstr
 end
 

M filters/simple-authentication.lua → filters/simple-authentication.lua

@@ -231,7 +231,7 @@ return nil
 	end
 
 	-- Lua hashes strings, so these comparisons are time invariant.
-	if hmac ~= crypto.hmac.digest("sha1", field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then
+	if hmac ~= crypto.hmac.digest("sha256", field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then
 		return nil
 	end
 
@@ -256,7 +256,7 @@ local salt = crypto.hex(crypto.rand.bytes(16))
 	value = url_encode(value)
 	field = url_encode(field)
 	authstr = field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt
-	authstr = authstr .. "|" .. crypto.hmac.digest("sha1", authstr, secret)
+	authstr = authstr .. "|" .. crypto.hmac.digest("sha256", authstr, secret)
 	return authstr
 end