Diffusion Phorge e45ffda55a9a

Move most remaining sha1() calls to HMAC
e45ffda55a9a
Actions

Description

Move most remaining sha1() calls to HMAC

Summary:

For context, see T547. This is the last (maybe?) in a series of diffs that

moves us off raw sha1() calls in order to make it easier to audit the codebase
for correct use of hash functions.

This breaks CSRF tokens. Any open forms will generate an error when

submitted, so maybe upgrade off-peak.

We now generate HMAC mail keys but accept MAC or HMAC. In a few months, we

can remove the MAC version.

The only remaining callsite is Conduit. We can't use HMAC since Arcanist

would need to know the key. {T550} provides a better solution to this, anyway.

Test Plan:

Verified CSRF tokens generate properly.
Manually changed CSRF to an incorrect value and got an error.
Verified mail generates with a new mail hash.
Verified Phabricator accepts both old and new mail hashes.
Verified Phabricator rejects bad mail hashes.
Checked user log, things look OK.

Reviewers: btrahan, jungejason, benmathews

Reviewed By: btrahan

CC: aran, epriestley, btrahan

Maniphest Tasks: T547

Differential Revision: 1237

Details

Provenance

epriestley	Authored on Dec 18 2011, 11:00 AM
themackabu	Pushed on Mar 25 2025, 8:07 PM

Parents

rP5f1b3937e5cb: Added Outlook boundaries for email parser

Branches

Unknown

Tags

Unknown

Event Timeline

Changes (13)

Path

Size

conf/

default.conf.php

src/

__phutil_library_map__.php

applications/

metamta/

storage/

receivedmail/

PhabricatorMetaMTAReceivedMail.php

__init__.php

people/

storage/

log/

PhabricatorUserLog.php

__init__.php

user/

PhabricatorUser.php

__init__.php

docs/

userguide/

diffusion.diviner

infrastructure/

util/

hash

	infrastructure/
	applications/

	util/	hash/	PhabricatorHash.php/
	differential/	constants/	revisionhash/


	DifferentialRevisionHash.php

	util/	hash/
	maniphest/	extensions/	base/

__init__.php

rPe45ffda55a9a

View Options

conf/default.conf.php

View Options

src/__phutil_library_map__.php

View Options

src/applications/metamta/storage/receivedmail/PhabricatorMetaMTAReceivedMail.php

View Options

src/applications/metamta/storage/receivedmail/init.php

View Options

src/applications/people/storage/log/PhabricatorUserLog.php

View Options

src/applications/people/storage/log/init.php

View Options

src/applications/people/storage/user/PhabricatorUser.php

View Options

src/applications/people/storage/user/init.php

View Options

src/docs/userguide/diffusion.diviner

View Options

src/infrastructure/util/hash/PhabricatorHash.php

View Options

src/infrastructure/util/hash/init.php

Move most remaining sha1() calls to HMACe45ffda55a9aActions

Description

Details

Event Timeline

Changes (13)

rPe45ffda55a9a

conf/default.conf.php

src/__phutil_library_map__.php

src/applications/metamta/storage/receivedmail/PhabricatorMetaMTAReceivedMail.php

src/applications/metamta/storage/receivedmail/__init__.php

src/applications/people/storage/log/PhabricatorUserLog.php

src/applications/people/storage/log/__init__.php

src/applications/people/storage/user/PhabricatorUser.php

src/applications/people/storage/user/__init__.php

src/docs/userguide/diffusion.diviner

src/infrastructure/util/hash/PhabricatorHash.php

src/infrastructure/util/hash/__init__.php

Move most remaining sha1() calls to HMAC
e45ffda55a9a
Actions

src/applications/metamta/storage/receivedmail/init.php

src/applications/people/storage/log/init.php

src/applications/people/storage/user/init.php

src/infrastructure/util/hash/init.php