X-Git-Url: https://gitweb.ps.run/ps-cgit/blobdiff_plain/7511f4b4df521656d422010b06e2b5b96b21eb84..c4d23d02ec5a26d09d389dcf7b8928ecd5798ccc:/filters/gentoo-ldap-authentication.lua?ds=inline

diff --git a/filters/gentoo-ldap-authentication.lua b/filters/gentoo-ldap-authentication.lua
index fce5632..3b6564b 100644
--- a/filters/gentoo-ldap-authentication.lua
+++ b/filters/gentoo-ldap-authentication.lua
@@ -4,7 +4,7 @@
 -- 	luacrypto >= 0.3
 -- 	<http://mkottman.github.io/luacrypto/>
 -- 	lualdap >= 1.2
--- 	<http://git.zx2c4.com/lualdap/about/>
+-- 	<https://git.zx2c4.com/lualdap/about/>
 --
 
 
@@ -106,7 +106,7 @@ local lualdap = require("lualdap")
 
 function gentoo_ldap_user_groups(username, password)
 	-- Ensure the user is alphanumeric
-	if username:match("%W") then
+	if username == nil or username:match("%W") then
 		return nil
 	end
 
@@ -271,7 +271,7 @@ function validate_value(expected_field, cookie)
 	end
 
 	-- Lua hashes strings, so these comparisons are time invariant.
-	if hmac ~= crypto.hmac.digest("sha1", field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then
+	if hmac ~= crypto.hmac.digest("sha256", field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then
 		return nil
 	end
 
@@ -296,7 +296,7 @@ function secure_value(field, value, expiration)
 	value = url_encode(value)
 	field = url_encode(field)
 	authstr = field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt
-	authstr = authstr .. "|" .. crypto.hmac.digest("sha1", authstr, secret)
+	authstr = authstr .. "|" .. crypto.hmac.digest("sha256", authstr, secret)
 	return authstr
 end