Use sha256 consistently.

markstory · markstory · commit 07959ee08e8c · 2017-11-22T08:26:17.000-05:00
The generation and validation sides of Digest authentication were using different algorithms which results in broken digest authentication. Refs #11103
diff --git a/src/Auth/DigestAuthenticate.php b/src/Auth/DigestAuthenticate.php
@@ -277,7 +277,7 @@ protected function validNonce($nonce)
         if ($expires < microtime(true)) {
             return false;
         }
-        $check = hash_hmac('sha1', $expires . ':' . $this->getConfig('secret'), $this->getConfig('secret'));
+        $check = hash_hmac('sha256', $expires . ':' . $this->getConfig('secret'), $this->getConfig('secret'));
 
         return hash_equals($check, $checksum);
     }
diff --git a/tests/TestCase/Auth/DigestAuthenticateTest.php b/tests/TestCase/Auth/DigestAuthenticateTest.php
@@ -515,7 +515,7 @@ protected function generateNonce($secret = null, $expires = 300, $time = null)
         $secret = $secret ?: Configure::read('Security.salt');
         $time = $time ?: microtime(true);
         $expiryTime = $time + $expires;
-        $signatureValue = hash_hmac('sha1', $expiryTime . ':' . $secret, $secret);
+        $signatureValue = hash_hmac('sha256', $expiryTime . ':' . $secret, $secret);
         $nonceValue = $expiryTime . ':' . $signatureValue;
 
         return base64_encode($nonceValue);

Original file line number	Diff line number	Diff line change
`@@ -277,7 +277,7 @@ protected function validNonce($nonce)`
`277`	`277`	`if ($expires < microtime(true)) {`
`278`	`278`	`return false;`
`279`	`279`	`}`
`280`		`- $check = hash_hmac('sha1', $expires . ':' . $this->getConfig('secret'), $this->getConfig('secret'));`
	`280`	`+ $check = hash_hmac('sha256', $expires . ':' . $this->getConfig('secret'), $this->getConfig('secret'));`
`281`	`281`
`282`	`282`	`return hash_equals($check, $checksum);`
`283`	`283`	`}`