mirror of
https://we.phorge.it/source/phorge.git
synced 2024-12-23 05:50:55 +01:00
Rename "PhabricatorHash::digest()" to "weakDigest()"
Summary: Ref T12509. This encourages code to move away from HMAC+SHA1 by making the method name more obviously undesirable. Test Plan: `grep`, browsed around. Reviewers: chad Reviewed By: chad Maniphest Tasks: T12509 Differential Revision: https://secure.phabricator.com/D17632
This commit is contained in:
parent
3a3626834e
commit
3d816e94df
20 changed files with 31 additions and 28 deletions
|
@ -14,7 +14,7 @@ foreach ($sessions as $session) {
|
||||||
$conn,
|
$conn,
|
||||||
'UPDATE %T SET sessionKey = %s WHERE userPHID = %s AND type = %s',
|
'UPDATE %T SET sessionKey = %s WHERE userPHID = %s AND type = %s',
|
||||||
PhabricatorUser::SESSION_TABLE,
|
PhabricatorUser::SESSION_TABLE,
|
||||||
PhabricatorHash::digest($session['sessionKey']),
|
PhabricatorHash::weakDigest($session['sessionKey']),
|
||||||
$session['userPHID'],
|
$session['userPHID'],
|
||||||
$session['type']);
|
$session['type']);
|
||||||
}
|
}
|
||||||
|
|
|
@ -194,7 +194,7 @@ abstract class PhabricatorAuthController extends PhabricatorController {
|
||||||
// hijacking registration sessions.
|
// hijacking registration sessions.
|
||||||
|
|
||||||
$actual = $account->getProperty('registrationKey');
|
$actual = $account->getProperty('registrationKey');
|
||||||
$expect = PhabricatorHash::digest($registration_key);
|
$expect = PhabricatorHash::weakDigest($registration_key);
|
||||||
if (!phutil_hashes_are_identical($actual, $expect)) {
|
if (!phutil_hashes_are_identical($actual, $expect)) {
|
||||||
$response = $this->renderError(
|
$response = $this->renderError(
|
||||||
pht(
|
pht(
|
||||||
|
|
|
@ -194,7 +194,7 @@ final class PhabricatorAuthLoginController
|
||||||
$registration_key = Filesystem::readRandomCharacters(32);
|
$registration_key = Filesystem::readRandomCharacters(32);
|
||||||
$account->setProperty(
|
$account->setProperty(
|
||||||
'registrationKey',
|
'registrationKey',
|
||||||
PhabricatorHash::digest($registration_key));
|
PhabricatorHash::weakDigest($registration_key));
|
||||||
|
|
||||||
$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
|
$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
|
||||||
$account->save();
|
$account->save();
|
||||||
|
|
|
@ -135,7 +135,7 @@ final class PhabricatorAuthOneTimeLoginController
|
||||||
->setTokenResource($target_user->getPHID())
|
->setTokenResource($target_user->getPHID())
|
||||||
->setTokenType($password_type)
|
->setTokenType($password_type)
|
||||||
->setTokenExpires(time() + phutil_units('1 hour in seconds'))
|
->setTokenExpires(time() + phutil_units('1 hour in seconds'))
|
||||||
->setTokenCode(PhabricatorHash::digest($key))
|
->setTokenCode(PhabricatorHash::weakDigest($key))
|
||||||
->save();
|
->save();
|
||||||
unset($unguarded);
|
unset($unguarded);
|
||||||
|
|
||||||
|
|
|
@ -16,7 +16,7 @@ final class PhabricatorAuthTerminateSessionController
|
||||||
$query->withIDs(array($id));
|
$query->withIDs(array($id));
|
||||||
}
|
}
|
||||||
|
|
||||||
$current_key = PhabricatorHash::digest(
|
$current_key = PhabricatorHash::weakDigest(
|
||||||
$request->getCookie(PhabricatorCookies::COOKIE_SESSION));
|
$request->getCookie(PhabricatorCookies::COOKIE_SESSION));
|
||||||
|
|
||||||
$sessions = $query->execute();
|
$sessions = $query->execute();
|
||||||
|
|
|
@ -110,7 +110,7 @@ final class PhabricatorAuthSessionEngine extends Phobject {
|
||||||
$session_table = new PhabricatorAuthSession();
|
$session_table = new PhabricatorAuthSession();
|
||||||
$user_table = new PhabricatorUser();
|
$user_table = new PhabricatorUser();
|
||||||
$conn_r = $session_table->establishConnection('r');
|
$conn_r = $session_table->establishConnection('r');
|
||||||
$session_key = PhabricatorHash::digest($session_token);
|
$session_key = PhabricatorHash::weakDigest($session_token);
|
||||||
|
|
||||||
$cache_parts = $this->getUserCacheQueryParts($conn_r);
|
$cache_parts = $this->getUserCacheQueryParts($conn_r);
|
||||||
list($cache_selects, $cache_joins, $cache_map, $types_map) = $cache_parts;
|
list($cache_selects, $cache_joins, $cache_map, $types_map) = $cache_parts;
|
||||||
|
@ -240,7 +240,7 @@ final class PhabricatorAuthSessionEngine extends Phobject {
|
||||||
// This has a side effect of validating the session type.
|
// This has a side effect of validating the session type.
|
||||||
$session_ttl = PhabricatorAuthSession::getSessionTypeTTL($session_type);
|
$session_ttl = PhabricatorAuthSession::getSessionTypeTTL($session_type);
|
||||||
|
|
||||||
$digest_key = PhabricatorHash::digest($session_key);
|
$digest_key = PhabricatorHash::weakDigest($session_key);
|
||||||
|
|
||||||
// Logging-in users don't have CSRF stuff yet, so we have to unguard this
|
// Logging-in users don't have CSRF stuff yet, so we have to unguard this
|
||||||
// write.
|
// write.
|
||||||
|
@ -306,7 +306,7 @@ final class PhabricatorAuthSessionEngine extends Phobject {
|
||||||
->execute();
|
->execute();
|
||||||
|
|
||||||
if ($except_session !== null) {
|
if ($except_session !== null) {
|
||||||
$except_session = PhabricatorHash::digest($except_session);
|
$except_session = PhabricatorHash::weakDigest($except_session);
|
||||||
}
|
}
|
||||||
|
|
||||||
foreach ($sessions as $key => $session) {
|
foreach ($sessions as $key => $session) {
|
||||||
|
@ -755,7 +755,7 @@ final class PhabricatorAuthSessionEngine extends Phobject {
|
||||||
$parts[] = $email->getVerificationCode();
|
$parts[] = $email->getVerificationCode();
|
||||||
}
|
}
|
||||||
|
|
||||||
return PhabricatorHash::digest(implode(':', $parts));
|
return PhabricatorHash::weakDigest(implode(':', $parts));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -39,7 +39,7 @@ final class PhabricatorTOTPAuthFactor extends PhabricatorAuthFactor {
|
||||||
->withTokenResources(array($user->getPHID()))
|
->withTokenResources(array($user->getPHID()))
|
||||||
->withTokenTypes(array($totp_token_type))
|
->withTokenTypes(array($totp_token_type))
|
||||||
->withExpired(false)
|
->withExpired(false)
|
||||||
->withTokenCodes(array(PhabricatorHash::digest($key)))
|
->withTokenCodes(array(PhabricatorHash::weakDigest($key)))
|
||||||
->executeOne();
|
->executeOne();
|
||||||
if (!$temporary_token) {
|
if (!$temporary_token) {
|
||||||
// If we don't have a matching token, regenerate the key below.
|
// If we don't have a matching token, regenerate the key below.
|
||||||
|
@ -58,7 +58,7 @@ final class PhabricatorTOTPAuthFactor extends PhabricatorAuthFactor {
|
||||||
->setTokenResource($user->getPHID())
|
->setTokenResource($user->getPHID())
|
||||||
->setTokenType($totp_token_type)
|
->setTokenType($totp_token_type)
|
||||||
->setTokenExpires(time() + phutil_units('1 hour in seconds'))
|
->setTokenExpires(time() + phutil_units('1 hour in seconds'))
|
||||||
->setTokenCode(PhabricatorHash::digest($key))
|
->setTokenCode(PhabricatorHash::weakDigest($key))
|
||||||
->save();
|
->save();
|
||||||
unset($unguarded);
|
unset($unguarded);
|
||||||
}
|
}
|
||||||
|
|
|
@ -474,7 +474,7 @@ abstract class PhabricatorAuthProvider extends Phobject {
|
||||||
true);
|
true);
|
||||||
}
|
}
|
||||||
|
|
||||||
return PhabricatorHash::digest($phcid);
|
return PhabricatorHash::weakDigest($phcid);
|
||||||
}
|
}
|
||||||
|
|
||||||
protected function verifyAuthCSRFCode(AphrontRequest $request, $actual) {
|
protected function verifyAuthCSRFCode(AphrontRequest $request, $actual) {
|
||||||
|
|
|
@ -85,7 +85,7 @@ final class PhabricatorAuthSessionQuery
|
||||||
if ($this->sessionKeys) {
|
if ($this->sessionKeys) {
|
||||||
$hashes = array();
|
$hashes = array();
|
||||||
foreach ($this->sessionKeys as $session_key) {
|
foreach ($this->sessionKeys as $session_key) {
|
||||||
$hashes[] = PhabricatorHash::digest($session_key);
|
$hashes[] = PhabricatorHash::weakDigest($session_key);
|
||||||
}
|
}
|
||||||
$where[] = qsprintf(
|
$where[] = qsprintf(
|
||||||
$conn_r,
|
$conn_r,
|
||||||
|
|
|
@ -98,7 +98,7 @@ abstract class PhabricatorController extends AphrontController {
|
||||||
|
|
||||||
|
|
||||||
if (!$user->isLoggedIn()) {
|
if (!$user->isLoggedIn()) {
|
||||||
$user->attachAlternateCSRFString(PhabricatorHash::digest($phsid));
|
$user->attachAlternateCSRFString(PhabricatorHash::weakDigest($phsid));
|
||||||
}
|
}
|
||||||
|
|
||||||
$request->setUser($user);
|
$request->setUser($user);
|
||||||
|
|
|
@ -14,7 +14,7 @@ abstract class CelerityResources extends Phobject {
|
||||||
|
|
||||||
public function getCelerityHash($data) {
|
public function getCelerityHash($data) {
|
||||||
$tail = PhabricatorEnv::getEnvConfig('celerity.resource-hash');
|
$tail = PhabricatorEnv::getEnvConfig('celerity.resource-hash');
|
||||||
$hash = PhabricatorHash::digest($data, $tail);
|
$hash = PhabricatorHash::weakDigest($data, $tail);
|
||||||
return substr($hash, 0, 8);
|
return substr($hash, 0, 8);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -107,7 +107,7 @@ final class PhabricatorPathSetupCheck extends PhabricatorSetupCheck {
|
||||||
|
|
||||||
if ($bad_paths) {
|
if ($bad_paths) {
|
||||||
foreach ($bad_paths as $path_part => $message) {
|
foreach ($bad_paths as $path_part => $message) {
|
||||||
$digest = substr(PhabricatorHash::digest($path_part), 0, 8);
|
$digest = substr(PhabricatorHash::weakDigest($path_part), 0, 8);
|
||||||
|
|
||||||
$this
|
$this
|
||||||
->newIssue('config.PATH.'.$digest)
|
->newIssue('config.PATH.'.$digest)
|
||||||
|
|
|
@ -652,7 +652,7 @@ final class DiffusionServeController extends DiffusionController {
|
||||||
}
|
}
|
||||||
|
|
||||||
$lfs_pass = $password->openEnvelope();
|
$lfs_pass = $password->openEnvelope();
|
||||||
$lfs_hash = PhabricatorHash::digest($lfs_pass);
|
$lfs_hash = PhabricatorHash::weakDigest($lfs_pass);
|
||||||
|
|
||||||
$token = id(new PhabricatorAuthTemporaryTokenQuery())
|
$token = id(new PhabricatorAuthTemporaryTokenQuery())
|
||||||
->setViewer(PhabricatorUser::getOmnipotentUser())
|
->setViewer(PhabricatorUser::getOmnipotentUser())
|
||||||
|
|
|
@ -22,7 +22,7 @@ final class DiffusionGitLFSTemporaryTokenType
|
||||||
|
|
||||||
$lfs_user = self::HTTP_USERNAME;
|
$lfs_user = self::HTTP_USERNAME;
|
||||||
$lfs_pass = Filesystem::readRandomCharacters(32);
|
$lfs_pass = Filesystem::readRandomCharacters(32);
|
||||||
$lfs_hash = PhabricatorHash::digest($lfs_pass);
|
$lfs_hash = PhabricatorHash::weakDigest($lfs_pass);
|
||||||
|
|
||||||
$ttl = PhabricatorTime::getNow() + phutil_units('1 day in seconds');
|
$ttl = PhabricatorTime::getNow() + phutil_units('1 day in seconds');
|
||||||
|
|
||||||
|
|
|
@ -102,7 +102,7 @@ final class PhabricatorChunkedFileStorageEngine
|
||||||
}
|
}
|
||||||
|
|
||||||
public static function getChunkedHashForInput($input) {
|
public static function getChunkedHashForInput($input) {
|
||||||
$rehash = PhabricatorHash::digest($input);
|
$rehash = PhabricatorHash::weakDigest($input);
|
||||||
|
|
||||||
// Add a suffix to identify this as a chunk hash.
|
// Add a suffix to identify this as a chunk hash.
|
||||||
$rehash = substr($rehash, 0, -2).'-C';
|
$rehash = substr($rehash, 0, -2).'-C';
|
||||||
|
|
|
@ -201,7 +201,7 @@ abstract class PhabricatorObjectMailReceiver extends PhabricatorMailReceiver {
|
||||||
public static function computeMailHash($mail_key, $phid) {
|
public static function computeMailHash($mail_key, $phid) {
|
||||||
$global_mail_key = PhabricatorEnv::getEnvConfig('phabricator.mail-key');
|
$global_mail_key = PhabricatorEnv::getEnvConfig('phabricator.mail-key');
|
||||||
|
|
||||||
$hash = PhabricatorHash::digest($mail_key.$global_mail_key.$phid);
|
$hash = PhabricatorHash::weakDigest($mail_key.$global_mail_key.$phid);
|
||||||
return substr($hash, 0, 16);
|
return substr($hash, 0, 16);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -389,7 +389,7 @@ final class PhabricatorUser
|
||||||
// Generate a token hash to mitigate BREACH attacks against SSL. See
|
// Generate a token hash to mitigate BREACH attacks against SSL. See
|
||||||
// discussion in T3684.
|
// discussion in T3684.
|
||||||
$token = $this->getRawCSRFToken();
|
$token = $this->getRawCSRFToken();
|
||||||
$hash = PhabricatorHash::digest($token, $salt);
|
$hash = PhabricatorHash::weakDigest($token, $salt);
|
||||||
return self::CSRF_BREACH_PREFIX.$salt.substr(
|
return self::CSRF_BREACH_PREFIX.$salt.substr(
|
||||||
$hash, 0, self::CSRF_TOKEN_LENGTH);
|
$hash, 0, self::CSRF_TOKEN_LENGTH);
|
||||||
}
|
}
|
||||||
|
@ -435,7 +435,7 @@ final class PhabricatorUser
|
||||||
for ($ii = -$csrf_window; $ii <= 1; $ii++) {
|
for ($ii = -$csrf_window; $ii <= 1; $ii++) {
|
||||||
$valid = $this->getRawCSRFToken($ii);
|
$valid = $this->getRawCSRFToken($ii);
|
||||||
|
|
||||||
$digest = PhabricatorHash::digest($valid, $salt);
|
$digest = PhabricatorHash::weakDigest($valid, $salt);
|
||||||
$digest = substr($digest, 0, self::CSRF_TOKEN_LENGTH);
|
$digest = substr($digest, 0, self::CSRF_TOKEN_LENGTH);
|
||||||
if (phutil_hashes_are_identical($digest, $token)) {
|
if (phutil_hashes_are_identical($digest, $token)) {
|
||||||
return true;
|
return true;
|
||||||
|
@ -459,7 +459,7 @@ final class PhabricatorUser
|
||||||
$time_block = floor($epoch / $frequency);
|
$time_block = floor($epoch / $frequency);
|
||||||
$vec = $vec.$key.$time_block;
|
$vec = $vec.$key.$time_block;
|
||||||
|
|
||||||
return substr(PhabricatorHash::digest($vec), 0, $len);
|
return substr(PhabricatorHash::weakDigest($vec), 0, $len);
|
||||||
}
|
}
|
||||||
|
|
||||||
public function getUserProfile() {
|
public function getUserProfile() {
|
||||||
|
|
|
@ -48,7 +48,7 @@ final class PhabricatorPasswordSettingsPanel extends PhabricatorSettingsPanel {
|
||||||
->setViewer($user)
|
->setViewer($user)
|
||||||
->withTokenResources(array($user->getPHID()))
|
->withTokenResources(array($user->getPHID()))
|
||||||
->withTokenTypes(array($password_type))
|
->withTokenTypes(array($password_type))
|
||||||
->withTokenCodes(array(PhabricatorHash::digest($key)))
|
->withTokenCodes(array(PhabricatorHash::weakDigest($key)))
|
||||||
->withExpired(false)
|
->withExpired(false)
|
||||||
->executeOne();
|
->executeOne();
|
||||||
}
|
}
|
||||||
|
|
|
@ -44,7 +44,7 @@ final class PhabricatorSessionsSettingsPanel extends PhabricatorSettingsPanel {
|
||||||
->withPHIDs($identity_phids)
|
->withPHIDs($identity_phids)
|
||||||
->execute();
|
->execute();
|
||||||
|
|
||||||
$current_key = PhabricatorHash::digest(
|
$current_key = PhabricatorHash::weakDigest(
|
||||||
$request->getCookie(PhabricatorCookies::COOKIE_SESSION));
|
$request->getCookie(PhabricatorCookies::COOKIE_SESSION));
|
||||||
|
|
||||||
$rows = array();
|
$rows = array();
|
||||||
|
|
|
@ -5,12 +5,15 @@ final class PhabricatorHash extends Phobject {
|
||||||
const INDEX_DIGEST_LENGTH = 12;
|
const INDEX_DIGEST_LENGTH = 12;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Digest a string for general use, including use which relates to security.
|
* Digest a string using HMAC+SHA1.
|
||||||
|
*
|
||||||
|
* Because a SHA1 collision is now known, this method should be considered
|
||||||
|
* weak. Callers should prefer @{method:digestWithNamedKey}.
|
||||||
*
|
*
|
||||||
* @param string Input string.
|
* @param string Input string.
|
||||||
* @return string 32-byte hexidecimal SHA1+HMAC hash.
|
* @return string 32-byte hexidecimal SHA1+HMAC hash.
|
||||||
*/
|
*/
|
||||||
public static function digest($string, $key = null) {
|
public static function weakDigest($string, $key = null) {
|
||||||
if ($key === null) {
|
if ($key === null) {
|
||||||
$key = PhabricatorEnv::getEnvConfig('security.hmac-key');
|
$key = PhabricatorEnv::getEnvConfig('security.hmac-key');
|
||||||
}
|
}
|
||||||
|
@ -37,7 +40,7 @@ final class PhabricatorHash extends Phobject {
|
||||||
}
|
}
|
||||||
|
|
||||||
for ($ii = 0; $ii < 1000; $ii++) {
|
for ($ii = 0; $ii < 1000; $ii++) {
|
||||||
$result = self::digest($result, $salt);
|
$result = self::weakDigest($result, $salt);
|
||||||
}
|
}
|
||||||
|
|
||||||
return $result;
|
return $result;
|
||||||
|
|
Loading…
Reference in a new issue