From c3b5b5f648d953307672a4b30e9222787668f708 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
Date: Sat, 14 Jul 2018 03:32:00 +0200
Subject: auth-filters: do not use HMAC-SHA1

Though SHA1 is broken, HMAC-SHA1 is still fine. But let's not push our
luck; SHA256 is more sensible anyway.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
---
 filters/gentoo-ldap-authentication.lua | 4 ++--
 filters/simple-authentication.lua      | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

(limited to 'filters')

diff --git a/filters/gentoo-ldap-authentication.lua b/filters/gentoo-ldap-authentication.lua
index 6d8eb3e..c1e382f 100644
--- a/filters/gentoo-ldap-authentication.lua
+++ b/filters/gentoo-ldap-authentication.lua
@@ -271,7 +271,7 @@ function validate_value(expected_field, cookie)
 	end
 
 	-- Lua hashes strings, so these comparisons are time invariant.
-	if hmac ~= crypto.hmac.digest("sha1", field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then
+	if hmac ~= crypto.hmac.digest("sha256", field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then
 		return nil
 	end
 
@@ -296,7 +296,7 @@ function secure_value(field, value, expiration)
 	value = url_encode(value)
 	field = url_encode(field)
 	authstr = field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt
-	authstr = authstr .. "|" .. crypto.hmac.digest("sha1", authstr, secret)
+	authstr = authstr .. "|" .. crypto.hmac.digest("sha256", authstr, secret)
 	return authstr
 end
 
diff --git a/filters/simple-authentication.lua b/filters/simple-authentication.lua
index de34d09..596c041 100644
--- a/filters/simple-authentication.lua
+++ b/filters/simple-authentication.lua
@@ -231,7 +231,7 @@ function validate_value(expected_field, cookie)
 	end
 
 	-- Lua hashes strings, so these comparisons are time invariant.
-	if hmac ~= crypto.hmac.digest("sha1", field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then
+	if hmac ~= crypto.hmac.digest("sha256", field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then
 		return nil
 	end
 
@@ -256,7 +256,7 @@ function secure_value(field, value, expiration)
 	value = url_encode(value)
 	field = url_encode(field)
 	authstr = field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt
-	authstr = authstr .. "|" .. crypto.hmac.digest("sha1", authstr, secret)
+	authstr = authstr .. "|" .. crypto.hmac.digest("sha256", authstr, secret)
 	return authstr
 end
 
-- 
cgit 1.4.1

/div><div class='content'><table class='list nowrap'><tr class='nohover'><th></th><th class='left'>Commit message (<a href='/catgirl/log/ui.c?h=2.2a&amp;id=bfa106b9a0475348926ce6002234f22ed5fe1977&amp;ofs=100&amp;showmsg=1&amp;follow=1'>Expand</a>)</th><th class='left'>Author</th></tr>
<tr><td><span title='2020-02-12 00:48:43 -0500'>2020-02-12</span></td><td><a href='/catgirl/commit/url.c?h=2.2a&amp;id=d73085eaa93a0217a679556f7a37a80421877b69&amp;follow=1'>Allow for arguments to open/copy utilities</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-02-12 00:17:28 -0500'>2020-02-12</span></td><td><a href='/catgirl/commit/handle.c?h=2.2a&amp;id=3a325d3914e75bd079ad8df31ca4f39197519386&amp;follow=1'>Handle RPL_AWAY</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-02-11 23:01:38 -0500'>2020-02-11</span></td><td><a href='/catgirl/commit/ui.c?h=2.2a&amp;id=8d873c71ede2ac1c0da4139d6fb9daf5d8c83f1e&amp;follow=1'>Support monochromatic terminals</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-02-11 22:43:25 -0500'>2020-02-11</span></td><td><a href='/catgirl/commit/scripts/chroot-man.sh?h=2.2a&amp;id=fea344b7df8983c491da53a8ffbab87617ae2a23&amp;follow=1'>Add .gz to chroot-man script</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-02-11 22:39:29 -0500'>2020-02-11</span></td><td><a href='/catgirl/commit/command.c?h=2.2a&amp;id=10ae7bedbd1dac946ee97c3fb27676cde2237621&amp;follow=1'>Add -R restricted flag</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-02-11 22:28:39 -0500'>2020-02-11</span></td><td><a href='/catgirl/commit/scripts/sshd_config?h=2.2a&amp;id=252428f97aa6a8f4e5b612757ce96d2d0d37e2f3&amp;follow=1'>Add chroot target</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-02-11 21:56:29 -0500'>2020-02-11</span></td><td><a href='/catgirl/commit/ui.c?h=2.2a&amp;id=907d4b4605a212a645fc78420a29fa34ed9c0642&amp;follow=1'>Exit focus and paste modes on err exit</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-02-11 19:43:55 -0500'>2020-02-11</span></td><td><a href='/catgirl/commit/chat.c?h=2.2a&amp;id=62472ab18349a4f16e7afb5b3301a20644fef207&amp;follow=1'>Add startup GPLv3 note and URL</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-02-11 19:03:39 -0500'>2020-02-11</span></td><td><a href='/catgirl/commit/configure?h=2.2a&amp;id=90c59ecba4c1c74d619eb42f9b4f2c4d2acf198d&amp;follow=1'>Make sure -D_GNU_SOURCE ends up in CFLAGS on Linux</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-02-11 18:33:19 -0500'>2020-02-11</span></td><td><a href='/catgirl/commit/README.7?h=2.2a&amp;id=e73328a1fc96ffbee52fe9b231b6293439ea1fd6&amp;follow=1'>Add note about setting PKG_CONFIG_PATH</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-02-11 18:23:04 -0500'>2020-02-11</span></td><td><a href='/catgirl/commit/handle.c?h=2.2a&amp;id=7c171b8affd8c27aac8cb9206318314b4041a56c&amp;follow=1'>Rename query ID on nick change</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-02-11 18:18:48 -0500'>2020-02-11</span></td><td><a href='/catgirl/commit/ui.c?h=2.2a&amp;id=7783d89448293030aae4cc678e567a70e130c054&amp;follow=1'>Call completeClear when closing a window</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-02-11 18:15:25 -0500'>2020-02-11</span></td><td><a href='/catgirl/commit/handle.c?h=2.2a&amp;id=6a5ebb0babde3afab973c1aebe3c4bfb33101d62&amp;follow=1'>Don't insert color codes for non-mentions</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-02-11 18:08:05 -0500'>2020-02-11</span></td><td><a href='/catgirl/commit/handle.c?h=2.2a&amp;id=4d532ec738259a146319183df8a244423563e755&amp;follow=1'>Take first two words in colorMentions</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-02-11 18:01:50 -0500'>2020-02-11</span></td><td><a href='/catgirl/commit/ui.c?h=2.2a&amp;id=c9590bab061fcaa3e11a94eea8c34026a6c7a880&amp;follow=1'>Use time_t for save signature</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-02-11 17:52:55 -0500'>2020-02-11</span></td><td><a href='/catgirl/commit/ui.c?h=2.2a&amp;id=cc80fae758c392807dc0cea6ab2e7f78804b6712&amp;follow=1'>Set self.nick to * initially</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-02-11 17:43:36 -0500'>2020-02-11</span></td><td><a href='/catgirl/commit/ui.c?h=2.2a&amp;id=277186329921ba34630b7a2492e1792133a02c67&amp;follow=1'>Define ColorCap instead of hardcoding 100</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-02-11 17:41:06 -0500'>2020-02-11</span></td><td><a href='/catgirl/commit/chat.h?h=2.2a&amp;id=af87b4e68d14ff5a3155c1f9c2ce1fa7d536c278&amp;follow=1'>Move hash to top of chat.h</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-02-11 17:40:08 -0500'>2020-02-11</span></td><td><a href='/catgirl/commit/handle.c?h=2.2a&amp;id=83a8952cf5fa7e1e8147d322d80bdecbe0a1a217&amp;follow=1'>Move base64 out of chat.h</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-02-11 17:37:18 -0500'>2020-02-11</span></td><td><a href='/catgirl/commit/xdg.c?h=2.2a&amp;id=a50596c5c575d23fa92cace9eef3813dff36b175&amp;follow=1'>Move XDG_SUBDIR out of chat.h</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-02-11 04:00:25 -0500'>2020-02-11</span></td><td><a href='/catgirl/commit/handle.c?h=2.2a&amp;id=ac4876718f268326f34ad4fc58a9811f7a869949&amp;follow=1'>Fix whois idle unit calculation</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-02-11 03:48:50 -0500'>2020-02-11</span></td><td><a href='/catgirl/commit/ui.c?h=2.2a&amp;id=86fac7caadfbefa6f044314d440deefb480133d7&amp;follow=1'>Cast towupper to wchar_t</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-02-11 03:47:30 -0500'>2020-02-11</span></td><td><a href='/catgirl/commit/ui.c?h=2.2a&amp;id=b855ec62100efb8fa80ff68150f0789af180482a&amp;follow=1'>Cast set but unused variables to void</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-02-11 03:45:26 -0500'>2020-02-11</span></td><td><a href='/catgirl/commit/chat.h?h=2.2a&amp;id=d91f588288f22acf20736e03c22a51c2521ec89d&amp;follow=1'>Declare strlcat</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-02-11 03:42:06 -0500'>2020-02-11</span></td><td><a href='/catgirl/commit/ui.c?h=2.2a&amp;id=2404e15e72dcf12395f914bc933faeaaa6e8be33&amp;follow=1'>Check if VDSUSP exists</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-02-11 03:40:33 -0500'>2020-02-11</span></td><td><a href='/catgirl/commit/complete.c?h=2.2a&amp;id=40892a7415bb02c5463fe56dc79ad44724c770e9&amp;follow=1'>Fix completeReplace iteration</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-02-11 03:09:51 -0500'>2020-02-11</span></td><td><a href='/catgirl/commit/configure?h=2.2a&amp;id=172cd57099e06c8901770542fa61dd3e13d5c832&amp;follow=1'>Use pkg(8) to configure on FreeBSD</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-02-11 02:45:39 -0500'>2020-02-11</span></td><td><a href='/catgirl/commit/url.c?h=2.2a&amp;id=15ff2a470eb4eb291d3a7271c08b130839828720&amp;follow=1'>Remove legacy code</a></td><td>June McEnroe</td></tr>
<tr><td><span title='2020-02-11 02:41:20 -0500'>2020-02-11</span></td><td><a href='/catgirl/commit/README.7?h=2.2a&amp;id=1bb60065c36c97d9dcad853c0c79a836ceed24e3&amp;follow=1'>Add INSTALLING section to README</a></td><td>June McEnroe