Rename "PhabricatorHash::digest()" to "weakDigest()"

+1 -1

resources/sql/patches/20130530.sessionhash.php

··· 14 14 $conn, 15 15 'UPDATE %T SET sessionKey = %s WHERE userPHID = %s AND type = %s', 16 16 PhabricatorUser::SESSION_TABLE, 17 - PhabricatorHash::digest($session['sessionKey']), 17 + PhabricatorHash::weakDigest($session['sessionKey']), 18 18 $session['userPHID'], 19 19 $session['type']); 20 20 }

+1 -1

src/applications/auth/controller/PhabricatorAuthController.php

··· 194 194 // hijacking registration sessions. 195 195 196 196 $actual = $account->getProperty('registrationKey'); 197 - $expect = PhabricatorHash::digest($registration_key); 197 + $expect = PhabricatorHash::weakDigest($registration_key); 198 198 if (!phutil_hashes_are_identical($actual, $expect)) { 199 199 $response = $this->renderError( 200 200 pht(

+1 -1

src/applications/auth/controller/PhabricatorAuthLoginController.php

··· 194 194 $registration_key = Filesystem::readRandomCharacters(32); 195 195 $account->setProperty( 196 196 'registrationKey', 197 - PhabricatorHash::digest($registration_key)); 197 + PhabricatorHash::weakDigest($registration_key)); 198 198 199 199 $unguarded = AphrontWriteGuard::beginScopedUnguardedWrites(); 200 200 $account->save();

+1 -1

src/applications/auth/controller/PhabricatorAuthOneTimeLoginController.php

··· 135 135 ->setTokenResource($target_user->getPHID()) 136 136 ->setTokenType($password_type) 137 137 ->setTokenExpires(time() + phutil_units('1 hour in seconds')) 138 - ->setTokenCode(PhabricatorHash::digest($key)) 138 + ->setTokenCode(PhabricatorHash::weakDigest($key)) 139 139 ->save(); 140 140 unset($unguarded); 141 141

+1 -1

src/applications/auth/controller/PhabricatorAuthTerminateSessionController.php

··· 16 16 $query->withIDs(array($id)); 17 17 } 18 18 19 - $current_key = PhabricatorHash::digest( 19 + $current_key = PhabricatorHash::weakDigest( 20 20 $request->getCookie(PhabricatorCookies::COOKIE_SESSION)); 21 21 22 22 $sessions = $query->execute();

+4 -4

src/applications/auth/engine/PhabricatorAuthSessionEngine.php

··· 110 110 $session_table = new PhabricatorAuthSession(); 111 111 $user_table = new PhabricatorUser(); 112 112 $conn_r = $session_table->establishConnection('r'); 113 - $session_key = PhabricatorHash::digest($session_token); 113 + $session_key = PhabricatorHash::weakDigest($session_token); 114 114 115 115 $cache_parts = $this->getUserCacheQueryParts($conn_r); 116 116 list($cache_selects, $cache_joins, $cache_map, $types_map) = $cache_parts; ··· 240 240 // This has a side effect of validating the session type. 241 241 $session_ttl = PhabricatorAuthSession::getSessionTypeTTL($session_type); 242 242 243 - $digest_key = PhabricatorHash::digest($session_key); 243 + $digest_key = PhabricatorHash::weakDigest($session_key); 244 244 245 245 // Logging-in users don't have CSRF stuff yet, so we have to unguard this 246 246 // write. ··· 306 306 ->execute(); 307 307 308 308 if ($except_session !== null) { 309 - $except_session = PhabricatorHash::digest($except_session); 309 + $except_session = PhabricatorHash::weakDigest($except_session); 310 310 } 311 311 312 312 foreach ($sessions as $key => $session) { ··· 755 755 $parts[] = $email->getVerificationCode(); 756 756 } 757 757 758 - return PhabricatorHash::digest(implode(':', $parts)); 758 + return PhabricatorHash::weakDigest(implode(':', $parts)); 759 759 } 760 760 761 761

+2 -2

src/applications/auth/factor/PhabricatorTOTPAuthFactor.php

··· 39 39 ->withTokenResources(array($user->getPHID())) 40 40 ->withTokenTypes(array($totp_token_type)) 41 41 ->withExpired(false) 42 - ->withTokenCodes(array(PhabricatorHash::digest($key))) 42 + ->withTokenCodes(array(PhabricatorHash::weakDigest($key))) 43 43 ->executeOne(); 44 44 if (!$temporary_token) { 45 45 // If we don't have a matching token, regenerate the key below. ··· 58 58 ->setTokenResource($user->getPHID()) 59 59 ->setTokenType($totp_token_type) 60 60 ->setTokenExpires(time() + phutil_units('1 hour in seconds')) 61 - ->setTokenCode(PhabricatorHash::digest($key)) 61 + ->setTokenCode(PhabricatorHash::weakDigest($key)) 62 62 ->save(); 63 63 unset($unguarded); 64 64 }

+1 -1

src/applications/auth/provider/PhabricatorAuthProvider.php

··· 474 474 true); 475 475 } 476 476 477 - return PhabricatorHash::digest($phcid); 477 + return PhabricatorHash::weakDigest($phcid); 478 478 } 479 479 480 480 protected function verifyAuthCSRFCode(AphrontRequest $request, $actual) {

+1 -1

src/applications/auth/query/PhabricatorAuthSessionQuery.php

··· 85 85 if ($this->sessionKeys) { 86 86 $hashes = array(); 87 87 foreach ($this->sessionKeys as $session_key) { 88 - $hashes[] = PhabricatorHash::digest($session_key); 88 + $hashes[] = PhabricatorHash::weakDigest($session_key); 89 89 } 90 90 $where[] = qsprintf( 91 91 $conn_r,

+1 -1

src/applications/base/controller/PhabricatorController.php

··· 98 98 99 99 100 100 if (!$user->isLoggedIn()) { 101 - $user->attachAlternateCSRFString(PhabricatorHash::digest($phsid)); 101 + $user->attachAlternateCSRFString(PhabricatorHash::weakDigest($phsid)); 102 102 } 103 103 104 104 $request->setUser($user);

+1 -1

src/applications/celerity/resources/CelerityResources.php

··· 14 14 15 15 public function getCelerityHash($data) { 16 16 $tail = PhabricatorEnv::getEnvConfig('celerity.resource-hash'); 17 - $hash = PhabricatorHash::digest($data, $tail); 17 + $hash = PhabricatorHash::weakDigest($data, $tail); 18 18 return substr($hash, 0, 8); 19 19 } 20 20

+1 -1

src/applications/config/check/PhabricatorPathSetupCheck.php

··· 107 107 108 108 if ($bad_paths) { 109 109 foreach ($bad_paths as $path_part => $message) { 110 - $digest = substr(PhabricatorHash::digest($path_part), 0, 8); 110 + $digest = substr(PhabricatorHash::weakDigest($path_part), 0, 8); 111 111 112 112 $this 113 113 ->newIssue('config.PATH.'.$digest)

+1 -1

src/applications/diffusion/controller/DiffusionServeController.php

··· 652 652 } 653 653 654 654 $lfs_pass = $password->openEnvelope(); 655 - $lfs_hash = PhabricatorHash::digest($lfs_pass); 655 + $lfs_hash = PhabricatorHash::weakDigest($lfs_pass); 656 656 657 657 $token = id(new PhabricatorAuthTemporaryTokenQuery()) 658 658 ->setViewer(PhabricatorUser::getOmnipotentUser())

+1 -1

src/applications/diffusion/gitlfs/DiffusionGitLFSTemporaryTokenType.php

··· 22 22 23 23 $lfs_user = self::HTTP_USERNAME; 24 24 $lfs_pass = Filesystem::readRandomCharacters(32); 25 - $lfs_hash = PhabricatorHash::digest($lfs_pass); 25 + $lfs_hash = PhabricatorHash::weakDigest($lfs_pass); 26 26 27 27 $ttl = PhabricatorTime::getNow() + phutil_units('1 day in seconds'); 28 28

+1 -1

src/applications/files/engine/PhabricatorChunkedFileStorageEngine.php

··· 102 102 } 103 103 104 104 public static function getChunkedHashForInput($input) { 105 - $rehash = PhabricatorHash::digest($input); 105 + $rehash = PhabricatorHash::weakDigest($input); 106 106 107 107 // Add a suffix to identify this as a chunk hash. 108 108 $rehash = substr($rehash, 0, -2).'-C';

+1 -1

src/applications/metamta/receiver/PhabricatorObjectMailReceiver.php

··· 201 201 public static function computeMailHash($mail_key, $phid) { 202 202 $global_mail_key = PhabricatorEnv::getEnvConfig('phabricator.mail-key'); 203 203 204 - $hash = PhabricatorHash::digest($mail_key.$global_mail_key.$phid); 204 + $hash = PhabricatorHash::weakDigest($mail_key.$global_mail_key.$phid); 205 205 return substr($hash, 0, 16); 206 206 } 207 207

+3 -3

src/applications/people/storage/PhabricatorUser.php

··· 389 389 // Generate a token hash to mitigate BREACH attacks against SSL. See 390 390 // discussion in T3684. 391 391 $token = $this->getRawCSRFToken(); 392 - $hash = PhabricatorHash::digest($token, $salt); 392 + $hash = PhabricatorHash::weakDigest($token, $salt); 393 393 return self::CSRF_BREACH_PREFIX.$salt.substr( 394 394 $hash, 0, self::CSRF_TOKEN_LENGTH); 395 395 } ··· 435 435 for ($ii = -$csrf_window; $ii <= 1; $ii++) { 436 436 $valid = $this->getRawCSRFToken($ii); 437 437 438 - $digest = PhabricatorHash::digest($valid, $salt); 438 + $digest = PhabricatorHash::weakDigest($valid, $salt); 439 439 $digest = substr($digest, 0, self::CSRF_TOKEN_LENGTH); 440 440 if (phutil_hashes_are_identical($digest, $token)) { 441 441 return true; ··· 459 459 $time_block = floor($epoch / $frequency); 460 460 $vec = $vec.$key.$time_block; 461 461 462 - return substr(PhabricatorHash::digest($vec), 0, $len); 462 + return substr(PhabricatorHash::weakDigest($vec), 0, $len); 463 463 } 464 464 465 465 public function getUserProfile() {

+1 -1

src/applications/settings/panel/PhabricatorPasswordSettingsPanel.php

··· 48 48 ->setViewer($user) 49 49 ->withTokenResources(array($user->getPHID())) 50 50 ->withTokenTypes(array($password_type)) 51 - ->withTokenCodes(array(PhabricatorHash::digest($key))) 51 + ->withTokenCodes(array(PhabricatorHash::weakDigest($key))) 52 52 ->withExpired(false) 53 53 ->executeOne(); 54 54 }

+1 -1

src/applications/settings/panel/PhabricatorSessionsSettingsPanel.php

··· 44 44 ->withPHIDs($identity_phids) 45 45 ->execute(); 46 46 47 - $current_key = PhabricatorHash::digest( 47 + $current_key = PhabricatorHash::weakDigest( 48 48 $request->getCookie(PhabricatorCookies::COOKIE_SESSION)); 49 49 50 50 $rows = array();

+6 -3

src/infrastructure/util/PhabricatorHash.php

··· 5 5 const INDEX_DIGEST_LENGTH = 12; 6 6 7 7 /** 8 - * Digest a string for general use, including use which relates to security. 8 + * Digest a string using HMAC+SHA1. 9 + * 10 + * Because a SHA1 collision is now known, this method should be considered 11 + * weak. Callers should prefer @{method:digestWithNamedKey}. 9 12 * 10 13 * @param string Input string. 11 14 * @return string 32-byte hexidecimal SHA1+HMAC hash. 12 15 */ 13 - public static function digest($string, $key = null) { 16 + public static function weakDigest($string, $key = null) { 14 17 if ($key === null) { 15 18 $key = PhabricatorEnv::getEnvConfig('security.hmac-key'); 16 19 } ··· 37 40 } 38 41 39 42 for ($ii = 0; $ii < 1000; $ii++) { 40 - $result = self::digest($result, $salt); 43 + $result = self::weakDigest($result, $salt); 41 44 } 42 45 43 46 return $result;

Configure Feed

Configure Feed