
Use sha256 consistently.

The generation and validation sides of Digest authentication were using
different algorithms which results in broken digest authentication.

Refs #11103
markstory committed Nov 22, 2017
1 parent 357d617 commit 07959ee08e8cabe0f1b8ac99d1ae9bf784441730
Showing with 2 additions and 2 deletions.
  1. +1 −1 src/Auth/DigestAuthenticate.php
  2. +1 −1 tests/TestCase/Auth/DigestAuthenticateTest.php
@@ -277,7 +277,7 @@ protected function validNonce($nonce)
if ($expires < microtime(true)) {
return false;
}
$check = hash_hmac('sha1', $expires . ':' . $this->getConfig('secret'), $this->getConfig('secret'));
$check = hash_hmac('sha256', $expires . ':' . $this->getConfig('secret'), $this->getConfig('secret'));
return hash_equals($check, $checksum);
}
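Review bot: the fix brings `validNonce()` into line with the generator, but the HMAC construction (`hash_hmac('sha256', $expires . ':' . $secret, $secret)`) is still written out by hand in both places, which is exactly how the two sides drifted to `sha1` versus `sha256` in the first place. Suggest extracting the signing step into one private helper that both `generateNonce()` and `validNonce()` call, so the algorithm and the signed string can only be changed in one place. The `hash_equals($check, $checksum)` argument order is correct (known value first, user-supplied second). One deployment caveat worth a line in the commit message: nonces issued before this change were signed with `sha1` and will now fail validation, so clients holding an outstanding nonce will receive a fresh challenge on their next request.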
@@ -515,7 +515,7 @@ protected function generateNonce($secret = null, $expires = 300, $time = null)
$secret = $secret ?: Configure::read('Security.salt');
$time = $time ?: microtime(true);
$expiryTime = $time + $expires;
$signatureValue = hash_hmac('sha1', $expiryTime . ':' . $secret, $secret);
$signatureValue = hash_hmac('sha256', $expiryTime . ':' . $secret, $secret);
$nonceValue = $expiryTime . ':' . $signatureValue;
return base64_encode($nonceValue);
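Review bot: this test-side `generateNonce()` reimplements the production signing logic instead of exercising it, which means the test would have kept passing while the real generator and validator disagreed; it only breaks when the copy in the test is updated by hand, as here. Suggest replacing the duplicated helper with a round-trip test that obtains a nonce from the authenticator itself (through a subclass or reflection exposing the protected method) and asserts that `validNonce()` accepts it, plus a negative case asserting that a nonce with a tampered expiry or signature is rejected. That way any future algorithm change on either side fails the test rather than silently passing.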

0 comments on commit 07959ee
