From c3b5b5f648d953307672a4b30e9222787668f708 Mon Sep 17 00:00:00 2001 From: "Jason A. Donenfeld" Date: Sat, 14 Jul 2018 03:32:00 +0200 Subject: auth-filters: do not use HMAC-SHA1 Though SHA1 is broken, HMAC-SHA1 is still fine. But let's not push our luck; SHA256 is more sensible anyway. Signed-off-by: Jason A. Donenfeld --- filters/gentoo-ldap-authentication.lua | 4 ++-- filters/simple-authentication.lua | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/filters/gentoo-ldap-authentication.lua b/filters/gentoo-ldap-authentication.lua index 6d8eb3e..c1e382f 100644 --- a/filters/gentoo-ldap-authentication.lua +++ b/filters/gentoo-ldap-authentication.lua @@ -271,7 +271,7 @@ function validate_value(expected_field, cookie) end -- Lua hashes strings, so these comparisons are time invariant. - if hmac ~= crypto.hmac.digest("sha1", field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then + if hmac ~= crypto.hmac.digest("sha256", field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then return nil end @@ -296,7 +296,7 @@ function secure_value(field, value, expiration) value = url_encode(value) field = url_encode(field) authstr = field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt - authstr = authstr .. "|" .. crypto.hmac.digest("sha1", authstr, secret) + authstr = authstr .. "|" .. crypto.hmac.digest("sha256", authstr, secret) return authstr end diff --git a/filters/simple-authentication.lua b/filters/simple-authentication.lua index de34d09..596c041 100644 --- a/filters/simple-authentication.lua +++ b/filters/simple-authentication.lua 
@@ -231,7 +231,7 @@ function validate_value(expected_field, cookie) end -- Lua hashes strings, so these comparisons are time invariant. - if hmac ~= crypto.hmac.digest("sha1", field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then + if hmac ~= crypto.hmac.digest("sha256", field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then return nil end @@ -256,7 +256,7 @@ function secure_value(field, value, expiration) value = url_encode(value) field = url_encode(field) authstr = field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt - authstr = authstr .. "|" .. crypto.hmac.digest("sha1", authstr, secret) + authstr = authstr .. "|" .. crypto.hmac.digest("sha256", authstr, secret) return authstr end -- cgit 1.4.1 ww/photo.causal.agency/2024-07-09/000005110026.txt (unfollow)
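Review bot: In validate_value (both filters), the unchanged context comment "Lua hashes strings, so these comparisons are time invariant" needs rechecking now that the compared digest is longer. On Lua 5.1 and LuaJIT every string is interned, so `~=` is a pointer comparison. Lua 5.2 and later intern only short strings (40 bytes or fewer by default) and compare longer ones by content. If crypto.hmac.digest returns hex here, the SHA-1 digest was 40 characters and the SHA-256 digest is 64, so the claim may no longer hold on those runtimes. Either compare the two digests with an explicit constant-time loop, or state in the comment which Lua runtime the filter assumes.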
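Review bot: In secure_value (both filters), authstr carries no algorithm or version marker, so once validate_value recomputes with "sha256" it returns nil for every cookie that was issued with "sha1". If forcing all existing sessions to re-authenticate on upgrade is intended, the commit message should say so. As a style point, the literal "sha256" now appears in both secure_value and validate_value in each file; one local constant per file would keep the signing and verifying sides from drifting apart in a later change.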
Commit message  Author
2025-04-18  Add camera template folders  June McEnroe
2025-04-13  Add A Half-Built Garden  June McEnroe
    Good one.
2025-04-13  Also hide lens for trips if it hasn't changed  June McEnroe
2025-04-12  Don't list lens in trips if fixed  June McEnroe
2025-04-12  Allow setting exposures when loading film  June McEnroe
2025-04-08  Those were supposed to be en-dashes...  June McEnroe
2025-04-08  Generate pages per roll  June McEnroe
2025-04-08  Add metadata from many rolls of film  June McEnroe
2025-03-25  Add emoji for lens, replace all f/'s  June McEnroe
2024-12-29  Add photos from December 28  June McEnroe
2024-12-29  Fancify the manual lens text  June McEnroe
2024-12-28  Update film preset list with what I expect to keep shooting  June McEnroe
2024-12-28  Add the past few months of rolls of film  June McEnroe
2024-11-13  Add Tea with the Black Dragon  June McEnroe
    I found this in a box on the side of the road being thrown own. It's decent pulp but nothing special. Not even as racist as I expected it to be. Also as one might guess, the author using their initials is a woman, so I only broke one of my rules when it comes to book selection.
2024-11-05  Add a bunch of photos  June McEnroe
2024-10-12  Publish "film review"  June McEnroe
2024-10-12  Add photos from October 6  June McEnroe
2024-10-12  Add photos from October 5  June McEnroe
2024-10-09  Add photos from October 1  June McEnroe
    Ok the first 3 are from September 29 but I didn't want to spoil the black and white roll.
2024-10-07  Add photos from September 29  June McEnroe
2024-10-07  Add photos from September 28  June McEnroe
2024-10-07  Add photos from September 22  June McEnroe
2024-09-25  Add photos from September 15  June McEnroe
2024-09-24  Add photos from September 14  June McEnroe
2024-09-24  Add photos from September 12  June McEnroe
2024-09-24  Add photos from September 7  June McEnroe
2024-09-24  Allow not having descriptions  June McEnroe
    I'm sorry, I can't keep writing descriptions. It makes posting photos take too long, I often don't know the words for what I'm looking at, and a good description is an entirely different work of art than the photo I took, and I'm just a photographer. It's visual art.
2024-09-23  Automatically select the last used lens for a body  June McEnroe
2024-09-19  Add photos from September 5  June McEnroe
    Had to prefix the folder number onto these file names manually because they must have come out of a different scanner or something.
2024-09-15  Add some more film stocks to the list  June McEnroe
2024-09-13  Add photos from September 2  June McEnroe
2024-09-13  Add Fomapan 200 to films list  June McEnroe
2024-09-10  Add August 29 picnic photos  June McEnroe
2024-09-08  Apply some bold to trips rendering  June McEnroe
    This seems easier to visually scan. The only other thing I'd like is a nicer date rendering but JavaScript is useless for that.
2024-09-08  Render trips hopefully more efficiently  June McEnroe
2024-09-08  Allow removing bodies and lenses  June McEnroe
2024-09-08  Limit body width so it looks less silly on desktop  June McEnroe
2024-09-07  Handle no film being loaded  June McEnroe
2024-09-07  Fancy up the text a little  June McEnroe