mirror of
https://we.phorge.it/source/phorge.git
synced 2025-01-10 23:01:04 +01:00
Rename "PhabricatorHash::digest()" to "weakDigest()"
Summary: Ref T12509. This encourages code to move away from HMAC+SHA1 by making the method name more obviously undesirable. Test Plan: `grep`, browsed around. Reviewers: chad Reviewed By: chad Maniphest Tasks: T12509 Differential Revision: https://secure.phabricator.com/D17632
This commit is contained in:
parent
3a3626834e
commit
3d816e94df
20 changed files with 31 additions and 28 deletions
|
@ -14,7 +14,7 @@ foreach ($sessions as $session) {
|
|||
$conn,
|
||||
'UPDATE %T SET sessionKey = %s WHERE userPHID = %s AND type = %s',
|
||||
PhabricatorUser::SESSION_TABLE,
|
||||
PhabricatorHash::digest($session['sessionKey']),
|
||||
PhabricatorHash::weakDigest($session['sessionKey']),
|
||||
$session['userPHID'],
|
||||
$session['type']);
|
||||
}
|
||||
|
|
|
@ -194,7 +194,7 @@ abstract class PhabricatorAuthController extends PhabricatorController {
|
|||
// hijacking registration sessions.
|
||||
|
||||
$actual = $account->getProperty('registrationKey');
|
||||
$expect = PhabricatorHash::digest($registration_key);
|
||||
$expect = PhabricatorHash::weakDigest($registration_key);
|
||||
if (!phutil_hashes_are_identical($actual, $expect)) {
|
||||
$response = $this->renderError(
|
||||
pht(
|
||||
|
|
|
@ -194,7 +194,7 @@ final class PhabricatorAuthLoginController
|
|||
$registration_key = Filesystem::readRandomCharacters(32);
|
||||
$account->setProperty(
|
||||
'registrationKey',
|
||||
PhabricatorHash::digest($registration_key));
|
||||
PhabricatorHash::weakDigest($registration_key));
|
||||
|
||||
$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
|
||||
$account->save();
|
||||
|
|
|
@ -135,7 +135,7 @@ final class PhabricatorAuthOneTimeLoginController
|
|||
->setTokenResource($target_user->getPHID())
|
||||
->setTokenType($password_type)
|
||||
->setTokenExpires(time() + phutil_units('1 hour in seconds'))
|
||||
->setTokenCode(PhabricatorHash::digest($key))
|
||||
->setTokenCode(PhabricatorHash::weakDigest($key))
|
||||
->save();
|
||||
unset($unguarded);
|
||||
|
||||
|
|
|
@ -16,7 +16,7 @@ final class PhabricatorAuthTerminateSessionController
|
|||
$query->withIDs(array($id));
|
||||
}
|
||||
|
||||
$current_key = PhabricatorHash::digest(
|
||||
$current_key = PhabricatorHash::weakDigest(
|
||||
$request->getCookie(PhabricatorCookies::COOKIE_SESSION));
|
||||
|
||||
$sessions = $query->execute();
|
||||
|
|
|
@ -110,7 +110,7 @@ final class PhabricatorAuthSessionEngine extends Phobject {
|
|||
$session_table = new PhabricatorAuthSession();
|
||||
$user_table = new PhabricatorUser();
|
||||
$conn_r = $session_table->establishConnection('r');
|
||||
$session_key = PhabricatorHash::digest($session_token);
|
||||
$session_key = PhabricatorHash::weakDigest($session_token);
|
||||
|
||||
$cache_parts = $this->getUserCacheQueryParts($conn_r);
|
||||
list($cache_selects, $cache_joins, $cache_map, $types_map) = $cache_parts;
|
||||
|
@ -240,7 +240,7 @@ final class PhabricatorAuthSessionEngine extends Phobject {
|
|||
// This has a side effect of validating the session type.
|
||||
$session_ttl = PhabricatorAuthSession::getSessionTypeTTL($session_type);
|
||||
|
||||
$digest_key = PhabricatorHash::digest($session_key);
|
||||
$digest_key = PhabricatorHash::weakDigest($session_key);
|
||||
|
||||
// Logging-in users don't have CSRF stuff yet, so we have to unguard this
|
||||
// write.
|
||||
|
@ -306,7 +306,7 @@ final class PhabricatorAuthSessionEngine extends Phobject {
|
|||
->execute();
|
||||
|
||||
if ($except_session !== null) {
|
||||
$except_session = PhabricatorHash::digest($except_session);
|
||||
$except_session = PhabricatorHash::weakDigest($except_session);
|
||||
}
|
||||
|
||||
foreach ($sessions as $key => $session) {
|
||||
|
@ -755,7 +755,7 @@ final class PhabricatorAuthSessionEngine extends Phobject {
|
|||
$parts[] = $email->getVerificationCode();
|
||||
}
|
||||
|
||||
return PhabricatorHash::digest(implode(':', $parts));
|
||||
return PhabricatorHash::weakDigest(implode(':', $parts));
|
||||
}
|
||||
|
||||
|
||||
|
|
|
@ -39,7 +39,7 @@ final class PhabricatorTOTPAuthFactor extends PhabricatorAuthFactor {
|
|||
->withTokenResources(array($user->getPHID()))
|
||||
->withTokenTypes(array($totp_token_type))
|
||||
->withExpired(false)
|
||||
->withTokenCodes(array(PhabricatorHash::digest($key)))
|
||||
->withTokenCodes(array(PhabricatorHash::weakDigest($key)))
|
||||
->executeOne();
|
||||
if (!$temporary_token) {
|
||||
// If we don't have a matching token, regenerate the key below.
|
||||
|
@ -58,7 +58,7 @@ final class PhabricatorTOTPAuthFactor extends PhabricatorAuthFactor {
|
|||
->setTokenResource($user->getPHID())
|
||||
->setTokenType($totp_token_type)
|
||||
->setTokenExpires(time() + phutil_units('1 hour in seconds'))
|
||||
->setTokenCode(PhabricatorHash::digest($key))
|
||||
->setTokenCode(PhabricatorHash::weakDigest($key))
|
||||
->save();
|
||||
unset($unguarded);
|
||||
}
|
||||
|
|
|
@ -474,7 +474,7 @@ abstract class PhabricatorAuthProvider extends Phobject {
|
|||
true);
|
||||
}
|
||||
|
||||
return PhabricatorHash::digest($phcid);
|
||||
return PhabricatorHash::weakDigest($phcid);
|
||||
}
|
||||
|
||||
protected function verifyAuthCSRFCode(AphrontRequest $request, $actual) {
|
||||
|
|
|
@ -85,7 +85,7 @@ final class PhabricatorAuthSessionQuery
|
|||
if ($this->sessionKeys) {
|
||||
$hashes = array();
|
||||
foreach ($this->sessionKeys as $session_key) {
|
||||
$hashes[] = PhabricatorHash::digest($session_key);
|
||||
$hashes[] = PhabricatorHash::weakDigest($session_key);
|
||||
}
|
||||
$where[] = qsprintf(
|
||||
$conn_r,
|
||||
|
|
|
@ -98,7 +98,7 @@ abstract class PhabricatorController extends AphrontController {
|
|||
|
||||
|
||||
if (!$user->isLoggedIn()) {
|
||||
$user->attachAlternateCSRFString(PhabricatorHash::digest($phsid));
|
||||
$user->attachAlternateCSRFString(PhabricatorHash::weakDigest($phsid));
|
||||
}
|
||||
|
||||
$request->setUser($user);
|
||||
|
|
|
@ -14,7 +14,7 @@ abstract class CelerityResources extends Phobject {
|
|||
|
||||
public function getCelerityHash($data) {
|
||||
$tail = PhabricatorEnv::getEnvConfig('celerity.resource-hash');
|
||||
$hash = PhabricatorHash::digest($data, $tail);
|
||||
$hash = PhabricatorHash::weakDigest($data, $tail);
|
||||
return substr($hash, 0, 8);
|
||||
}
|
||||
|
||||
|
|
|
@ -107,7 +107,7 @@ final class PhabricatorPathSetupCheck extends PhabricatorSetupCheck {
|
|||
|
||||
if ($bad_paths) {
|
||||
foreach ($bad_paths as $path_part => $message) {
|
||||
$digest = substr(PhabricatorHash::digest($path_part), 0, 8);
|
||||
$digest = substr(PhabricatorHash::weakDigest($path_part), 0, 8);
|
||||
|
||||
$this
|
||||
->newIssue('config.PATH.'.$digest)
|
||||
|
|
|
@ -652,7 +652,7 @@ final class DiffusionServeController extends DiffusionController {
|
|||
}
|
||||
|
||||
$lfs_pass = $password->openEnvelope();
|
||||
$lfs_hash = PhabricatorHash::digest($lfs_pass);
|
||||
$lfs_hash = PhabricatorHash::weakDigest($lfs_pass);
|
||||
|
||||
$token = id(new PhabricatorAuthTemporaryTokenQuery())
|
||||
->setViewer(PhabricatorUser::getOmnipotentUser())
|
||||
|
|
|
@ -22,7 +22,7 @@ final class DiffusionGitLFSTemporaryTokenType
|
|||
|
||||
$lfs_user = self::HTTP_USERNAME;
|
||||
$lfs_pass = Filesystem::readRandomCharacters(32);
|
||||
$lfs_hash = PhabricatorHash::digest($lfs_pass);
|
||||
$lfs_hash = PhabricatorHash::weakDigest($lfs_pass);
|
||||
|
||||
$ttl = PhabricatorTime::getNow() + phutil_units('1 day in seconds');
|
||||
|
||||
|
|
|
@ -102,7 +102,7 @@ final class PhabricatorChunkedFileStorageEngine
|
|||
}
|
||||
|
||||
public static function getChunkedHashForInput($input) {
|
||||
$rehash = PhabricatorHash::digest($input);
|
||||
$rehash = PhabricatorHash::weakDigest($input);
|
||||
|
||||
// Add a suffix to identify this as a chunk hash.
|
||||
$rehash = substr($rehash, 0, -2).'-C';
|
||||
|
|
|
@ -201,7 +201,7 @@ abstract class PhabricatorObjectMailReceiver extends PhabricatorMailReceiver {
|
|||
public static function computeMailHash($mail_key, $phid) {
|
||||
$global_mail_key = PhabricatorEnv::getEnvConfig('phabricator.mail-key');
|
||||
|
||||
$hash = PhabricatorHash::digest($mail_key.$global_mail_key.$phid);
|
||||
$hash = PhabricatorHash::weakDigest($mail_key.$global_mail_key.$phid);
|
||||
return substr($hash, 0, 16);
|
||||
}
|
||||
|
||||
|
|
|
@ -389,7 +389,7 @@ final class PhabricatorUser
|
|||
// Generate a token hash to mitigate BREACH attacks against SSL. See
|
||||
// discussion in T3684.
|
||||
$token = $this->getRawCSRFToken();
|
||||
$hash = PhabricatorHash::digest($token, $salt);
|
||||
$hash = PhabricatorHash::weakDigest($token, $salt);
|
||||
return self::CSRF_BREACH_PREFIX.$salt.substr(
|
||||
$hash, 0, self::CSRF_TOKEN_LENGTH);
|
||||
}
|
||||
|
@ -435,7 +435,7 @@ final class PhabricatorUser
|
|||
for ($ii = -$csrf_window; $ii <= 1; $ii++) {
|
||||
$valid = $this->getRawCSRFToken($ii);
|
||||
|
||||
$digest = PhabricatorHash::digest($valid, $salt);
|
||||
$digest = PhabricatorHash::weakDigest($valid, $salt);
|
||||
$digest = substr($digest, 0, self::CSRF_TOKEN_LENGTH);
|
||||
if (phutil_hashes_are_identical($digest, $token)) {
|
||||
return true;
|
||||
|
@ -459,7 +459,7 @@ final class PhabricatorUser
|
|||
$time_block = floor($epoch / $frequency);
|
||||
$vec = $vec.$key.$time_block;
|
||||
|
||||
return substr(PhabricatorHash::digest($vec), 0, $len);
|
||||
return substr(PhabricatorHash::weakDigest($vec), 0, $len);
|
||||
}
|
||||
|
||||
public function getUserProfile() {
|
||||
|
|
|
@ -48,7 +48,7 @@ final class PhabricatorPasswordSettingsPanel extends PhabricatorSettingsPanel {
|
|||
->setViewer($user)
|
||||
->withTokenResources(array($user->getPHID()))
|
||||
->withTokenTypes(array($password_type))
|
||||
->withTokenCodes(array(PhabricatorHash::digest($key)))
|
||||
->withTokenCodes(array(PhabricatorHash::weakDigest($key)))
|
||||
->withExpired(false)
|
||||
->executeOne();
|
||||
}
|
||||
|
|
|
@ -44,7 +44,7 @@ final class PhabricatorSessionsSettingsPanel extends PhabricatorSettingsPanel {
|
|||
->withPHIDs($identity_phids)
|
||||
->execute();
|
||||
|
||||
$current_key = PhabricatorHash::digest(
|
||||
$current_key = PhabricatorHash::weakDigest(
|
||||
$request->getCookie(PhabricatorCookies::COOKIE_SESSION));
|
||||
|
||||
$rows = array();
|
||||
|
|
|
@ -5,12 +5,15 @@ final class PhabricatorHash extends Phobject {
|
|||
const INDEX_DIGEST_LENGTH = 12;
|
||||
|
||||
/**
|
||||
* Digest a string for general use, including use which relates to security.
|
||||
* Digest a string using HMAC+SHA1.
|
||||
*
|
||||
* Because a SHA1 collision is now known, this method should be considered
|
||||
* weak. Callers should prefer @{method:digestWithNamedKey}.
|
||||
*
|
||||
* @param string Input string.
|
||||
* @return string 32-byte hexidecimal SHA1+HMAC hash.
|
||||
*/
|
||||
public static function digest($string, $key = null) {
|
||||
public static function weakDigest($string, $key = null) {
|
||||
if ($key === null) {
|
||||
$key = PhabricatorEnv::getEnvConfig('security.hmac-key');
|
||||
}
|
||||
|
@ -37,7 +40,7 @@ final class PhabricatorHash extends Phobject {
|
|||
}
|
||||
|
||||
for ($ii = 0; $ii < 1000; $ii++) {
|
||||
$result = self::digest($result, $salt);
|
||||
$result = self::weakDigest($result, $salt);
|
||||
}
|
||||
|
||||
return $result;
|
||||
|
|
Loading…
Reference in a new issue