Use sha256 consistently.

The generation and validation sides of Digest authentication were using different algorithms which results in broken digest authentication. Refs #11103
cakephp · Nov 22, 2017 · 07959ee · 07959ee
1 parent 357d617
commit 07959ee
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/src/Auth/DigestAuthenticate.php b/src/Auth/DigestAuthenticate.php
@@ -277,7 +277,7 @@ protected function validNonce($nonce)
         if ($expires < microtime(true)) {
             return false;
         }
-        $check = hash_hmac('sha1', $expires . ':' . $this->getConfig('secret'), $this->getConfig('secret'));
+        $check = hash_hmac('sha256', $expires . ':' . $this->getConfig('secret'), $this->getConfig('secret'));
 
         return hash_equals($check, $checksum);
     }

diff --git a/tests/TestCase/Auth/DigestAuthenticateTest.php b/tests/TestCase/Auth/DigestAuthenticateTest.php
@@ -515,7 +515,7 @@ protected function generateNonce($secret = null, $expires = 300, $time = null)
         $secret = $secret ?: Configure::read('Security.salt');
         $time = $time ?: microtime(true);
         $expiryTime = $time + $expires;
-        $signatureValue = hash_hmac('sha1', $expiryTime . ':' . $secret, $secret);
+        $signatureValue = hash_hmac('sha256', $expiryTime . ':' . $secret, $secret);
         $nonceValue = $expiryTime . ':' . $signatureValue;
 
         return base64_encode($nonceValue);