1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-12-23 05:50:55 +01:00

Rename "PhabricatorHash::digest()" to "weakDigest()"

Summary: Ref T12509. This encourages code to move away from HMAC+SHA1 by making the method name more obviously undesirable.

Test Plan: `grep`, browsed around.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T12509

Differential Revision: https://secure.phabricator.com/D17632
This commit is contained in:
epriestley 2017-04-06 10:08:46 -07:00
parent 3a3626834e
commit 3d816e94df
20 changed files with 31 additions and 28 deletions

View file

@ -14,7 +14,7 @@ foreach ($sessions as $session) {
$conn, $conn,
'UPDATE %T SET sessionKey = %s WHERE userPHID = %s AND type = %s', 'UPDATE %T SET sessionKey = %s WHERE userPHID = %s AND type = %s',
PhabricatorUser::SESSION_TABLE, PhabricatorUser::SESSION_TABLE,
PhabricatorHash::digest($session['sessionKey']), PhabricatorHash::weakDigest($session['sessionKey']),
$session['userPHID'], $session['userPHID'],
$session['type']); $session['type']);
} }

View file

@ -194,7 +194,7 @@ abstract class PhabricatorAuthController extends PhabricatorController {
// hijacking registration sessions. // hijacking registration sessions.
$actual = $account->getProperty('registrationKey'); $actual = $account->getProperty('registrationKey');
$expect = PhabricatorHash::digest($registration_key); $expect = PhabricatorHash::weakDigest($registration_key);
if (!phutil_hashes_are_identical($actual, $expect)) { if (!phutil_hashes_are_identical($actual, $expect)) {
$response = $this->renderError( $response = $this->renderError(
pht( pht(

View file

@ -194,7 +194,7 @@ final class PhabricatorAuthLoginController
$registration_key = Filesystem::readRandomCharacters(32); $registration_key = Filesystem::readRandomCharacters(32);
$account->setProperty( $account->setProperty(
'registrationKey', 'registrationKey',
PhabricatorHash::digest($registration_key)); PhabricatorHash::weakDigest($registration_key));
$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites(); $unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
$account->save(); $account->save();

View file

@ -135,7 +135,7 @@ final class PhabricatorAuthOneTimeLoginController
->setTokenResource($target_user->getPHID()) ->setTokenResource($target_user->getPHID())
->setTokenType($password_type) ->setTokenType($password_type)
->setTokenExpires(time() + phutil_units('1 hour in seconds')) ->setTokenExpires(time() + phutil_units('1 hour in seconds'))
->setTokenCode(PhabricatorHash::digest($key)) ->setTokenCode(PhabricatorHash::weakDigest($key))
->save(); ->save();
unset($unguarded); unset($unguarded);

View file

@ -16,7 +16,7 @@ final class PhabricatorAuthTerminateSessionController
$query->withIDs(array($id)); $query->withIDs(array($id));
} }
$current_key = PhabricatorHash::digest( $current_key = PhabricatorHash::weakDigest(
$request->getCookie(PhabricatorCookies::COOKIE_SESSION)); $request->getCookie(PhabricatorCookies::COOKIE_SESSION));
$sessions = $query->execute(); $sessions = $query->execute();

View file

@ -110,7 +110,7 @@ final class PhabricatorAuthSessionEngine extends Phobject {
$session_table = new PhabricatorAuthSession(); $session_table = new PhabricatorAuthSession();
$user_table = new PhabricatorUser(); $user_table = new PhabricatorUser();
$conn_r = $session_table->establishConnection('r'); $conn_r = $session_table->establishConnection('r');
$session_key = PhabricatorHash::digest($session_token); $session_key = PhabricatorHash::weakDigest($session_token);
$cache_parts = $this->getUserCacheQueryParts($conn_r); $cache_parts = $this->getUserCacheQueryParts($conn_r);
list($cache_selects, $cache_joins, $cache_map, $types_map) = $cache_parts; list($cache_selects, $cache_joins, $cache_map, $types_map) = $cache_parts;
@ -240,7 +240,7 @@ final class PhabricatorAuthSessionEngine extends Phobject {
// This has a side effect of validating the session type. // This has a side effect of validating the session type.
$session_ttl = PhabricatorAuthSession::getSessionTypeTTL($session_type); $session_ttl = PhabricatorAuthSession::getSessionTypeTTL($session_type);
$digest_key = PhabricatorHash::digest($session_key); $digest_key = PhabricatorHash::weakDigest($session_key);
// Logging-in users don't have CSRF stuff yet, so we have to unguard this // Logging-in users don't have CSRF stuff yet, so we have to unguard this
// write. // write.
@ -306,7 +306,7 @@ final class PhabricatorAuthSessionEngine extends Phobject {
->execute(); ->execute();
if ($except_session !== null) { if ($except_session !== null) {
$except_session = PhabricatorHash::digest($except_session); $except_session = PhabricatorHash::weakDigest($except_session);
} }
foreach ($sessions as $key => $session) { foreach ($sessions as $key => $session) {
@ -755,7 +755,7 @@ final class PhabricatorAuthSessionEngine extends Phobject {
$parts[] = $email->getVerificationCode(); $parts[] = $email->getVerificationCode();
} }
return PhabricatorHash::digest(implode(':', $parts)); return PhabricatorHash::weakDigest(implode(':', $parts));
} }

View file

@ -39,7 +39,7 @@ final class PhabricatorTOTPAuthFactor extends PhabricatorAuthFactor {
->withTokenResources(array($user->getPHID())) ->withTokenResources(array($user->getPHID()))
->withTokenTypes(array($totp_token_type)) ->withTokenTypes(array($totp_token_type))
->withExpired(false) ->withExpired(false)
->withTokenCodes(array(PhabricatorHash::digest($key))) ->withTokenCodes(array(PhabricatorHash::weakDigest($key)))
->executeOne(); ->executeOne();
if (!$temporary_token) { if (!$temporary_token) {
// If we don't have a matching token, regenerate the key below. // If we don't have a matching token, regenerate the key below.
@ -58,7 +58,7 @@ final class PhabricatorTOTPAuthFactor extends PhabricatorAuthFactor {
->setTokenResource($user->getPHID()) ->setTokenResource($user->getPHID())
->setTokenType($totp_token_type) ->setTokenType($totp_token_type)
->setTokenExpires(time() + phutil_units('1 hour in seconds')) ->setTokenExpires(time() + phutil_units('1 hour in seconds'))
->setTokenCode(PhabricatorHash::digest($key)) ->setTokenCode(PhabricatorHash::weakDigest($key))
->save(); ->save();
unset($unguarded); unset($unguarded);
} }

View file

@ -474,7 +474,7 @@ abstract class PhabricatorAuthProvider extends Phobject {
true); true);
} }
return PhabricatorHash::digest($phcid); return PhabricatorHash::weakDigest($phcid);
} }
protected function verifyAuthCSRFCode(AphrontRequest $request, $actual) { protected function verifyAuthCSRFCode(AphrontRequest $request, $actual) {

View file

@ -85,7 +85,7 @@ final class PhabricatorAuthSessionQuery
if ($this->sessionKeys) { if ($this->sessionKeys) {
$hashes = array(); $hashes = array();
foreach ($this->sessionKeys as $session_key) { foreach ($this->sessionKeys as $session_key) {
$hashes[] = PhabricatorHash::digest($session_key); $hashes[] = PhabricatorHash::weakDigest($session_key);
} }
$where[] = qsprintf( $where[] = qsprintf(
$conn_r, $conn_r,

View file

@ -98,7 +98,7 @@ abstract class PhabricatorController extends AphrontController {
if (!$user->isLoggedIn()) { if (!$user->isLoggedIn()) {
$user->attachAlternateCSRFString(PhabricatorHash::digest($phsid)); $user->attachAlternateCSRFString(PhabricatorHash::weakDigest($phsid));
} }
$request->setUser($user); $request->setUser($user);

View file

@ -14,7 +14,7 @@ abstract class CelerityResources extends Phobject {
public function getCelerityHash($data) { public function getCelerityHash($data) {
$tail = PhabricatorEnv::getEnvConfig('celerity.resource-hash'); $tail = PhabricatorEnv::getEnvConfig('celerity.resource-hash');
$hash = PhabricatorHash::digest($data, $tail); $hash = PhabricatorHash::weakDigest($data, $tail);
return substr($hash, 0, 8); return substr($hash, 0, 8);
} }

View file

@ -107,7 +107,7 @@ final class PhabricatorPathSetupCheck extends PhabricatorSetupCheck {
if ($bad_paths) { if ($bad_paths) {
foreach ($bad_paths as $path_part => $message) { foreach ($bad_paths as $path_part => $message) {
$digest = substr(PhabricatorHash::digest($path_part), 0, 8); $digest = substr(PhabricatorHash::weakDigest($path_part), 0, 8);
$this $this
->newIssue('config.PATH.'.$digest) ->newIssue('config.PATH.'.$digest)

View file

@ -652,7 +652,7 @@ final class DiffusionServeController extends DiffusionController {
} }
$lfs_pass = $password->openEnvelope(); $lfs_pass = $password->openEnvelope();
$lfs_hash = PhabricatorHash::digest($lfs_pass); $lfs_hash = PhabricatorHash::weakDigest($lfs_pass);
$token = id(new PhabricatorAuthTemporaryTokenQuery()) $token = id(new PhabricatorAuthTemporaryTokenQuery())
->setViewer(PhabricatorUser::getOmnipotentUser()) ->setViewer(PhabricatorUser::getOmnipotentUser())

View file

@ -22,7 +22,7 @@ final class DiffusionGitLFSTemporaryTokenType
$lfs_user = self::HTTP_USERNAME; $lfs_user = self::HTTP_USERNAME;
$lfs_pass = Filesystem::readRandomCharacters(32); $lfs_pass = Filesystem::readRandomCharacters(32);
$lfs_hash = PhabricatorHash::digest($lfs_pass); $lfs_hash = PhabricatorHash::weakDigest($lfs_pass);
$ttl = PhabricatorTime::getNow() + phutil_units('1 day in seconds'); $ttl = PhabricatorTime::getNow() + phutil_units('1 day in seconds');

View file

@ -102,7 +102,7 @@ final class PhabricatorChunkedFileStorageEngine
} }
public static function getChunkedHashForInput($input) { public static function getChunkedHashForInput($input) {
$rehash = PhabricatorHash::digest($input); $rehash = PhabricatorHash::weakDigest($input);
// Add a suffix to identify this as a chunk hash. // Add a suffix to identify this as a chunk hash.
$rehash = substr($rehash, 0, -2).'-C'; $rehash = substr($rehash, 0, -2).'-C';

View file

@ -201,7 +201,7 @@ abstract class PhabricatorObjectMailReceiver extends PhabricatorMailReceiver {
public static function computeMailHash($mail_key, $phid) { public static function computeMailHash($mail_key, $phid) {
$global_mail_key = PhabricatorEnv::getEnvConfig('phabricator.mail-key'); $global_mail_key = PhabricatorEnv::getEnvConfig('phabricator.mail-key');
$hash = PhabricatorHash::digest($mail_key.$global_mail_key.$phid); $hash = PhabricatorHash::weakDigest($mail_key.$global_mail_key.$phid);
return substr($hash, 0, 16); return substr($hash, 0, 16);
} }

View file

@ -389,7 +389,7 @@ final class PhabricatorUser
// Generate a token hash to mitigate BREACH attacks against SSL. See // Generate a token hash to mitigate BREACH attacks against SSL. See
// discussion in T3684. // discussion in T3684.
$token = $this->getRawCSRFToken(); $token = $this->getRawCSRFToken();
$hash = PhabricatorHash::digest($token, $salt); $hash = PhabricatorHash::weakDigest($token, $salt);
return self::CSRF_BREACH_PREFIX.$salt.substr( return self::CSRF_BREACH_PREFIX.$salt.substr(
$hash, 0, self::CSRF_TOKEN_LENGTH); $hash, 0, self::CSRF_TOKEN_LENGTH);
} }
@ -435,7 +435,7 @@ final class PhabricatorUser
for ($ii = -$csrf_window; $ii <= 1; $ii++) { for ($ii = -$csrf_window; $ii <= 1; $ii++) {
$valid = $this->getRawCSRFToken($ii); $valid = $this->getRawCSRFToken($ii);
$digest = PhabricatorHash::digest($valid, $salt); $digest = PhabricatorHash::weakDigest($valid, $salt);
$digest = substr($digest, 0, self::CSRF_TOKEN_LENGTH); $digest = substr($digest, 0, self::CSRF_TOKEN_LENGTH);
if (phutil_hashes_are_identical($digest, $token)) { if (phutil_hashes_are_identical($digest, $token)) {
return true; return true;
@ -459,7 +459,7 @@ final class PhabricatorUser
$time_block = floor($epoch / $frequency); $time_block = floor($epoch / $frequency);
$vec = $vec.$key.$time_block; $vec = $vec.$key.$time_block;
return substr(PhabricatorHash::digest($vec), 0, $len); return substr(PhabricatorHash::weakDigest($vec), 0, $len);
} }
public function getUserProfile() { public function getUserProfile() {

View file

@ -48,7 +48,7 @@ final class PhabricatorPasswordSettingsPanel extends PhabricatorSettingsPanel {
->setViewer($user) ->setViewer($user)
->withTokenResources(array($user->getPHID())) ->withTokenResources(array($user->getPHID()))
->withTokenTypes(array($password_type)) ->withTokenTypes(array($password_type))
->withTokenCodes(array(PhabricatorHash::digest($key))) ->withTokenCodes(array(PhabricatorHash::weakDigest($key)))
->withExpired(false) ->withExpired(false)
->executeOne(); ->executeOne();
} }

View file

@ -44,7 +44,7 @@ final class PhabricatorSessionsSettingsPanel extends PhabricatorSettingsPanel {
->withPHIDs($identity_phids) ->withPHIDs($identity_phids)
->execute(); ->execute();
$current_key = PhabricatorHash::digest( $current_key = PhabricatorHash::weakDigest(
$request->getCookie(PhabricatorCookies::COOKIE_SESSION)); $request->getCookie(PhabricatorCookies::COOKIE_SESSION));
$rows = array(); $rows = array();

View file

@ -5,12 +5,15 @@ final class PhabricatorHash extends Phobject {
const INDEX_DIGEST_LENGTH = 12; const INDEX_DIGEST_LENGTH = 12;
/** /**
* Digest a string for general use, including use which relates to security. * Digest a string using HMAC+SHA1.
*
* Because a SHA1 collision is now known, this method should be considered
* weak. Callers should prefer @{method:digestWithNamedKey}.
* *
* @param string Input string. * @param string Input string.
* @return string 32-byte hexidecimal SHA1+HMAC hash. * @return string 32-byte hexidecimal SHA1+HMAC hash.
*/ */
public static function digest($string, $key = null) { public static function weakDigest($string, $key = null) {
if ($key === null) { if ($key === null) {
$key = PhabricatorEnv::getEnvConfig('security.hmac-key'); $key = PhabricatorEnv::getEnvConfig('security.hmac-key');
} }
@ -37,7 +40,7 @@ final class PhabricatorHash extends Phobject {
} }
for ($ii = 0; $ii < 1000; $ii++) { for ($ii = 0; $ii < 1000; $ii++) {
$result = self::digest($result, $salt); $result = self::weakDigest($result, $salt);
} }
return $result; return $result;