From 71713081a2b79b0baa024742cdbb4af536f77f4b Mon Sep 17 00:00:00 2001 From: Dries Buytaert Date: Sat, 1 May 2010 08:12:23 +0000 Subject: - Patch #723802 by pwolanin, grendzy: convert to sha-256 and hmac from md5 and sha1. --- includes/actions.inc | 23 ++++++++---- includes/bootstrap.inc | 95 ++++++++++++++++++++++++++++++++++++++++++++--- includes/common.inc | 54 +++------------------------ includes/form.inc | 4 +- includes/install.core.inc | 2 +- includes/locale.inc | 2 +- includes/menu.inc | 8 ++-- includes/password.inc | 66 +++++++++++++++++++++----------- includes/session.inc | 7 +++- includes/update.inc | 2 +- 10 files changed, 170 insertions(+), 93 deletions(-) (limited to 'includes') diff --git a/includes/actions.inc b/includes/actions.inc index 8ca1e86c2..26788ed04 100644 --- a/includes/actions.inc +++ b/includes/actions.inc @@ -197,7 +197,7 @@ function actions_get_all_actions() { } /** - * Creates an associative array keyed by md5 hashes of function names or IDs. + * Creates an associative array keyed by hashes of function names or IDs. * * Hashes are used to prevent actual function names from going out into HTML * forms and coming back. @@ -207,14 +207,14 @@ function actions_get_all_actions() { * and associative arrays with keys 'label', 'type', etc. as values. * This is usually the output of actions_list() or actions_get_all_actions(). * @return - * An associative array whose keys are md5 hashes of the input array keys, and + * An associative array whose keys are hashes of the input array keys, and * whose corresponding values are associative arrays with components * 'callback', 'label', 'type', and 'configurable' from the input array. */ function actions_actions_map($actions) { $actions_map = array(); foreach ($actions as $callback => $array) { - $key = md5($callback); + $key = drupal_hash_base64($callback); $actions_map[$key]['callback'] = isset($array['callback']) ? $array['callback'] : $callback; $actions_map[$key]['label'] = $array['label']; $actions_map[$key]['type'] = $array['type']; @@ -224,12 +224,12 @@ function actions_actions_map($actions) { } /** - * Given an md5 hash of an action array key, returns the key (function or ID). + * Given a hash of an action array key, returns the key (function or ID). * * Faster than actions_actions_map() when you only need the function name or ID. * * @param $hash - * MD5 hash of a function name or action ID array key. The array key + * Hash of a function name or action ID array key. The array key * is a key into the return value of actions_list() (array key is the action * function name) or actions_get_all_actions() (array key is the action ID). * @return @@ -239,13 +239,20 @@ function actions_function_lookup($hash) { // Check for a function name match. $actions_list = actions_list(); foreach ($actions_list as $function => $array) { - if (md5($function) == $hash) { + if (drupal_hash_base64($function) == $hash) { return $function; } } - + $aid = FALSE; // Must be a configurable action; check database. - return db_query("SELECT aid FROM {actions} WHERE MD5(aid) = :hash AND parameters <> ''", array(':hash' => $hash))->fetchField(); + $result = db_query("SELECT aid FROM {actions} WHERE parameters <> ''")->fetchAll(PDO::FETCH_ASSOC); + foreach ($result as $row) { + if (drupal_hash_base64($row['aid']) == $hash) { + $aid = $row['aid']; + break; + } + } + return $aid; } /** diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc index b1ed5ada2..3cc58e027 100644 --- a/includes/bootstrap.inc +++ b/includes/bootstrap.inc @@ -622,7 +622,7 @@ function drupal_settings_initialize() { ini_set('session.cookie_secure', TRUE); } $prefix = ini_get('session.cookie_secure') ? 'SSESS' : 'SESS'; - session_name($prefix . md5($session_name)); + session_name($prefix . substr(hash('sha256', $session_name), 0, 32)); } /** @@ -1697,6 +1697,91 @@ function drupal_block_denied($ip) { } } +/** + * Returns a string of highly randomized bytes (over the full 8-bit range). + * + * This function is better than simply calling mt_rand() or any other built-in + * PHP function because it can return a long string of bytes (compared to < 4 + * bytes normally from mt_rand()) and uses the best available pseudo-random source. + * + * @param $count + * The number of characters (bytes) to return in the string. + */ +function drupal_random_bytes($count) { + // $random_state does not use drupal_static as it stores random bytes. + static $random_state, $bytes; + // Initialize on the first call. The contents of $_SERVER includes a mix of + // user-specific and system information that varies a little with each page. + if (!isset($random_state)) { + $random_state = print_r($_SERVER, TRUE); + if (function_exists('getmypid')) { + // further initialize with the somewhat random PHP process ID. + $random_state .= getmypid(); + } + $bytes = ''; + } + if (strlen($bytes) < $count) { + // /dev/urandom is available on many *nix systems and is considered the + // best commonly available pseudo-random source. + if ($fh = @fopen('/dev/urandom', 'rb')) { + // PHP only performs buffered reads, so in reality it will always read + // at least 4096 bytes. Thus, it costs nothing extra to read and store + // that much so as to speed any additional invocations. + $bytes .= fread($fh, max(4096, $count)); + fclose($fh); + } + // If /dev/urandom is not available or returns no bytes, this loop will + // generate a good set of pseudo-random bytes on any system. + // Note that it may be important that our $random_state is passed + // through hash() prior to being rolled into $output, that the two hash() + // invocations are different, and that the extra input into the first one - + // the microtime() - is prepended rather than appended. This is to avoid + // directly leaking $random_state via the $output stream, which could + // allow for trivial prediction of further "random" numbers. + while (strlen($bytes) < $count) { + $random_state = hash('sha256', microtime() . mt_rand() . $random_state); + $bytes .= hash('sha256', mt_rand() . $random_state, TRUE); + } + } + $output = substr($bytes, 0, $count); + $bytes = substr($bytes, $count); + return $output; +} + +/** + * Calculate a base-64 encoded, URL-safe sha-256 hmac. + * + * @param $data + * String to be validated with the hmac. + * @param $key + * A secret string key. + * + * @return + * A base-64 encoded sha-256 hmac, with + replaced with -, / with _ and + * any = padding characters removed. + */ +function drupal_hmac_base64($data, $key) { + $hmac = base64_encode(hash_hmac('sha256', $data, $key, TRUE)); + // Modify the hmac so it's safe to use in URLs. + return strtr($hmac, array('+' => '-', '/' => '_', '=' => '')); +} + +/** + * Calculate a base-64 encoded, URL-safe sha-256 hash. + * + * @param $data + * String to be hashed. + * + * @return + * A base-64 encoded sha-256 hash, with + replaced with -, / with _ and + * any = padding characters removed. + */ +function drupal_hash_base64($data) { + $hash = base64_encode(hash('sha256', $data, TRUE)); + // Modify the hash so it's safe to use in URLs. + return strtr($hash, array('+' => '-', '/' => '_', '=' => '')); +} + /** * Generates a default anonymous $user object. * @@ -2024,9 +2109,9 @@ function drupal_valid_test_ua($user_agent) { // the database is not yet initialized and we can't access any Drupal variables. // The file properties add more entropy not easily accessible to others. $filepath = DRUPAL_ROOT . '/includes/bootstrap.inc'; - $key = sha1(serialize($databases) . filectime($filepath) . fileinode($filepath), TRUE); + $key = serialize($databases) . filectime($filepath) . fileinode($filepath); // The HMAC must match. - return $hmac == base64_encode(hash_hmac('sha1', $check_string, $key, TRUE)); + return $hmac == drupal_hmac_base64($check_string, $key); } /** @@ -2041,12 +2126,12 @@ function drupal_generate_test_ua($prefix) { // check the HMAC before the database is initialized. filectime() // and fileinode() are not easily determined from remote. $filepath = DRUPAL_ROOT . '/includes/bootstrap.inc'; - $key = sha1(serialize($databases) . filectime($filepath) . fileinode($filepath), TRUE); + $key = serialize($databases) . filectime($filepath) . fileinode($filepath); } // Generate a moderately secure HMAC based on the database credentials. $salt = uniqid('', TRUE); $check_string = $prefix . ';' . time() . ';' . $salt; - return $check_string . ';' . base64_encode(hash_hmac('sha1', $check_string, $key, TRUE)); + return $check_string . ';' . drupal_hmac_base64($check_string, $key); } /** diff --git a/includes/common.inc b/includes/common.inc index 454a4240d..e99b2319c 100644 --- a/includes/common.inc +++ b/includes/common.inc @@ -2895,7 +2895,7 @@ function drupal_aggregate_css(&$css_groups) { if ($group['preprocess'] && $preprocess_css) { // Prefix filename to prevent blocking by firewalls which reject files // starting with "ad*". - $filename = 'css_' . md5(serialize($group['items'])) . '.css'; + $filename = 'css_' . drupal_hash_base64(serialize($group['items'])) . '.css'; $css_groups[$key]['data'] = drupal_build_css_cache($group['items'], $filename); } break; @@ -3767,7 +3767,7 @@ function drupal_get_js($scope = 'header', $javascript = NULL) { // Prefix filename to prevent blocking by firewalls which reject files // starting with "ad*". foreach ($files as $key => $file_set) { - $filename = 'js_' . md5(serialize($file_set)) . '.js'; + $filename = 'js_' . drupal_hash_base64(serialize($file_set)) . '.js'; $uri = drupal_build_js_cache($file_set, $filename); // Only include the file if was written successfully. Errors are logged // using watchdog. @@ -4340,45 +4340,6 @@ function drupal_json_output($var = NULL) { } } -/** - * Returns a string of highly randomized bytes (over the full 8-bit range). - * - * This function is better than simply calling mt_rand() or any other built-in - * PHP function because it can return a long string of bytes (compared to < 4 - * bytes normally from mt_rand()) and uses the best available pseudo-random source. - * - * @param $count - * The number of characters (bytes) to return in the string. - */ -function drupal_random_bytes($count) { - // $random_state does not use drupal_static as it stores random bytes. - static $random_state; - // We initialize with the somewhat random PHP process ID on the first call. - if (empty($random_state)) { - $random_state = getmypid(); - } - $output = ''; - // /dev/urandom is available on many *nix systems and is considered the best - // commonly available pseudo-random source. - if ($fh = @fopen('/dev/urandom', 'rb')) { - $output = fread($fh, $count); - fclose($fh); - } - // If /dev/urandom is not available or returns no bytes, this loop will - // generate a good set of pseudo-random bytes on any system. - // Note that it may be important that our $random_state is passed - // through md5() prior to being rolled into $output, that the two md5() - // invocations are different, and that the extra input into the first one - - // the microtime() - is prepended rather than appended. This is to avoid - // directly leaking $random_state via the $output stream, which could - // allow for trivial prediction of further "random" numbers. - while (strlen($output) < $count) { - $random_state = md5(microtime() . mt_rand() . $random_state); - $output .= md5(mt_rand() . $random_state, TRUE); - } - return substr($output, 0, $count); -} - /** * Get a salt useful for hardening against SQL injection. * @@ -4389,7 +4350,7 @@ function drupal_get_hash_salt() { global $drupal_hash_salt, $databases; // If the $drupal_hash_salt variable is empty, a hash of the serialized // database credentials is used as a fallback salt. - return empty($drupal_hash_salt) ? sha1(serialize($databases)) : $drupal_hash_salt; + return empty($drupal_hash_salt) ? hash('sha256', serialize($databases)) : $drupal_hash_salt; } /** @@ -4400,7 +4361,7 @@ function drupal_get_hash_salt() { */ function drupal_get_private_key() { if (!($key = variable_get('drupal_private_key', 0))) { - $key = md5(drupal_random_bytes(64)); + $key = drupal_hash_base64(drupal_random_bytes(55)); variable_set('drupal_private_key', $key); } return $key; @@ -4413,10 +4374,7 @@ function drupal_get_private_key() { * An additional value to base the token on. */ function drupal_get_token($value = '') { - $private_key = drupal_get_private_key(); - // A single md5() is vulnerable to length-extension attacks, so use it twice. - // @todo: add md5 and sha1 hmac functions to core. - return md5(drupal_get_hash_salt() . md5(session_id() . $value . $private_key)); + return drupal_hmac_base64($value, session_id() . drupal_get_private_key() . drupal_get_hash_salt()); } /** @@ -5247,7 +5205,7 @@ function drupal_render_cache_set(&$markup, $elements) { function drupal_render_cache_by_query($query, $function, $expire = CACHE_TEMPORARY, $granularity = NULL) { $cache_keys = array_merge(array($function), drupal_render_cid_parts($granularity)); $query->preExecute(); - $cache_keys[] = md5(serialize(array((string) $query, $query->getArguments()))); + $cache_keys[] = hash('sha256', serialize(array((string) $query, $query->getArguments()))); return array( '#query' => $query, '#pre_render' => array($function . '_pre_render'), diff --git a/includes/form.inc b/includes/form.inc index cd039d647..92574d202 100644 --- a/includes/form.inc +++ b/includes/form.inc @@ -203,7 +203,7 @@ function drupal_build_form($form_id, &$form_state) { } $form = drupal_retrieve_form($form_id, $form_state); - $form_build_id = 'form-' . md5(uniqid(mt_rand(), TRUE)); + $form_build_id = 'form-' . drupal_hash_base64(uniqid(mt_rand(), TRUE) . mt_rand()); $form['#build_id'] = $form_build_id; // Fix the form method, if it is 'get' in $form_state, but not in $form. @@ -331,7 +331,7 @@ function drupal_rebuild_form($form_id, &$form_state, $old_form = NULL) { // Otherwise, a new #build_id is generated, to not clobber the previous // build's data in the form cache; also allowing the user to go back to an // earlier build, make changes, and re-submit. - $form['#build_id'] = isset($old_form['#build_id']) ? $old_form['#build_id'] : 'form-' . md5(mt_rand()); + $form['#build_id'] = isset($old_form['#build_id']) ? $old_form['#build_id'] : 'form-' . drupal_hash_base64(uniqid(mt_rand(), TRUE) . mt_rand()); // #action defaults to request_uri(), but in case of AJAX and other partial // rebuilds, the form is submitted to an alternate URL, and the original diff --git a/includes/install.core.inc b/includes/install.core.inc index 04b2fda29..5569208f8 100644 --- a/includes/install.core.inc +++ b/includes/install.core.inc @@ -1011,7 +1011,7 @@ function install_settings_form_submit($form, &$form_state) { 'required' => TRUE, ); $settings['drupal_hash_salt'] = array( - 'value' => sha1(drupal_random_bytes(64)), + 'value' => drupal_hash_base64(drupal_random_bytes(55)), 'required' => TRUE, ); drupal_rewrite_settings($settings); diff --git a/includes/locale.inc b/includes/locale.inc index 543ebc48a..39908ce8a 100644 --- a/includes/locale.inc +++ b/includes/locale.inc @@ -1680,7 +1680,7 @@ function _locale_rebuild_js($langcode = NULL) { } $data .= "'strings': " . drupal_json_encode($translations) . " };"; - $data_hash = md5($data); + $data_hash = drupal_hash_base64($data); } // Construct the filepath where JS translation files are stored. diff --git a/includes/menu.inc b/includes/menu.inc index 8c2255067..f2e33002b 100644 --- a/includes/menu.inc +++ b/includes/menu.inc @@ -407,9 +407,9 @@ function menu_get_item($path = NULL, $router_item = NULL) { $parts = array_slice($original_map, 0, MENU_MAX_PARTS); $ancestors = menu_get_ancestors($parts); - // Since there is no limit to the length of $path, but the cids are - // restricted to 255 characters, use md5() to keep it short yet unique. - $cid = 'menu_item:' . md5($path); + // Since there is no limit to the length of $path, use a hash to keep it + // short yet unique. + $cid = 'menu_item:' . hash('sha256', $path); if ($cached = cache_get($cid, 'cache_menu')) { $router_item = $cached->data; } @@ -1238,7 +1238,7 @@ function menu_tree_page_data($menu_name, $max_depth = NULL) { * Helper function - compute the real cache ID for menu tree data. */ function _menu_tree_cid($menu_name, $data) { - return 'links:' . $menu_name . ':tree-data:' . $GLOBALS['language']->language . ':' . md5(serialize($data)); + return 'links:' . $menu_name . ':tree-data:' . $GLOBALS['language']->language . ':' . hash('sha256', serialize($data)); } /** diff --git a/includes/password.inc b/includes/password.inc index e82842634..553cae996 100644 --- a/includes/password.inc +++ b/includes/password.inc @@ -16,8 +16,8 @@ /** * The standard log2 number of iterations for password stretching. This should - * increase by 1 at least every other Drupal version in order to counteract - * increases in the speed and power of computers available to crack the hashes. + * increase by 1 every Drupal version in order to counteract increases in the + * speed and power of computers available to crack the hashes. */ define('DRUPAL_HASH_COUNT', 14); @@ -31,6 +31,11 @@ define('DRUPAL_MIN_HASH_COUNT', 7); */ define('DRUPAL_MAX_HASH_COUNT', 30); +/** + * The expected (and maximum) number of characters in a hashed password. + */ +define('DRUPAL_HASH_LENGTH', 55); + /** * Returns a string for mapping an int to the corresponding base 64 character. */ @@ -49,7 +54,7 @@ function _password_itoa64() { * @return * Encoded string */ -function _password_base64_encode($input, $count) { +function _password_base64_encode($input, $count) { $output = ''; $i = 0; $itoa64 = _password_itoa64(); @@ -93,7 +98,7 @@ function _password_base64_encode($input, $count) { * A 12 character string containing the iteration count and a random salt. */ function _password_generate_salt($count_log2) { - $output = '$P$'; + $output = '$S$'; // Minimum log2 iterations is DRUPAL_MIN_HASH_COUNT. $count_log2 = max($count_log2, DRUPAL_MIN_HASH_COUNT); // Maximum log2 iterations is DRUPAL_MAX_HASH_COUNT. @@ -113,19 +118,23 @@ function _password_generate_salt($count_log2) { * for an attacker to try to break the hash by brute-force computation of the * hashes of a large number of plain-text words or strings to find a match. * + * @param $algo + * The string name of a hashing algorithm usable by hash(), like 'sha256'. * @param $password * The plain-text password to hash. * @param $setting - * An existing hash or the output of _password_generate_salt(). + * An existing hash or the output of _password_generate_salt(). Must be + * at least 12 characters (the settings and salt). * * @return * A string containing the hashed password (and salt) or FALSE on failure. + * The return string will be truncated at DRUPAL_HASH_LENGTH characters max. */ -function _password_crypt($password, $setting) { +function _password_crypt($algo, $password, $setting) { // The first 12 characters of an existing hash are its setting string. $setting = substr($setting, 0, 12); - if (substr($setting, 0, 3) != '$P$') { + if ($setting[0] != '$' || $setting[2] != '$') { return FALSE; } $count_log2 = _password_get_count_log2($setting); @@ -139,22 +148,21 @@ function _password_crypt($password, $setting) { return FALSE; } - // We must use md5() or sha1() here since they are the only cryptographic - // primitives always available in PHP 5. To implement our own low-level - // cryptographic function in PHP would result in much worse performance and - // consequently in lower iteration counts and hashes that are quicker to crack - // (by non-PHP code). - + // Convert the base 2 logrithm into an integer. $count = 1 << $count_log2; - $hash = md5($salt . $password, TRUE); + // We rely on the hash() function being available in PHP 5.2+. + $hash = hash($algo, $salt . $password, TRUE); do { - $hash = md5($hash . $password, TRUE); + $hash = hash($algo, $hash . $password, TRUE); } while (--$count); - $output = $setting . _password_base64_encode($hash, 16); + $len = strlen($hash); + $output = $setting . _password_base64_encode($hash, $len); // _password_base64_encode() of a 16 byte MD5 will always be 22 characters. - return (strlen($output) == 34) ? $output : FALSE; + // _password_base64_encode() of a 64 byte sha512 will always be 86 characters. + $expected = 12 + ceil((8 * $len) / 6); + return (strlen($output) == $expected) ? substr($output, 0, DRUPAL_HASH_LENGTH) : FALSE; } /** @@ -182,7 +190,7 @@ function user_hash_password($password, $count_log2 = 0) { // Use the standard iteration count. $count_log2 = variable_get('password_count_log2', DRUPAL_HASH_COUNT); } - return _password_crypt($password, _password_generate_salt($count_log2)); + return _password_crypt('sha512', $password, _password_generate_salt($count_log2)); } /** @@ -201,7 +209,7 @@ function user_hash_password($password, $count_log2 = 0) { * TRUE or FALSE. */ function user_check_password($password, $account) { - if (substr($account->pass, 0, 3) == 'U$P') { + if (substr($account->pass, 0, 2) == 'U$') { // This may be an updated password from user_update_7000(). Such hashes // have 'U' added as the first character and need an extra md5(). $stored_hash = substr($account->pass, 1); @@ -210,7 +218,23 @@ function user_check_password($password, $account) { else { $stored_hash = $account->pass; } - $hash = _password_crypt($password, $stored_hash); + + $type = substr($stored_hash, 0, 3); + switch ($type) { + case '$S$': + // A normal Drupal 7 password using sha512. + $hash = _password_crypt('sha512', $password, $stored_hash); + break; + case '$H$': + // phpBB3 uses "$H$" for the same thing as "$P$". + case '$P$': + // A phpass password generated using md5. This is an + // imported password or from an earlier Drupal version. + $hash = _password_crypt('md5', $password, $stored_hash); + break; + default: + return FALSE; + } return ($hash && $stored_hash == $hash); } @@ -234,7 +258,7 @@ function user_check_password($password, $account) { */ function user_needs_new_hash($account) { // Check whether this was an updated password. - if ((substr($account->pass, 0, 3) != '$P$') || (strlen($account->pass) != 34)) { + if ((substr($account->pass, 0, 3) != '$S$') || (strlen($account->pass) != DRUPAL_HASH_LENGTH)) { return TRUE; } // Check whether the iteration count used differs from the standard number. diff --git a/includes/session.inc b/includes/session.inc index 7dec4464d..67c52e6ef 100644 --- a/includes/session.inc +++ b/includes/session.inc @@ -206,7 +206,10 @@ function drupal_session_initialize() { // processes (like drupal_get_token()) needs to know the future // session ID in advance. $user = drupal_anonymous_user(); - session_id(md5(uniqid('', TRUE))); + // Less random sessions (which are much faster to generate) are used for + // anonymous users than are generated in drupal_session_regenerate() when + // a user becomes authenticated. + session_id(drupal_hash_base64(uniqid(mt_rand(), TRUE))); } date_default_timezone_set(drupal_get_user_timezone()); } @@ -284,7 +287,7 @@ function drupal_session_regenerate() { if ($is_https && variable_get('https', FALSE)) { $insecure_session_name = substr(session_name(), 1); $params = session_get_cookie_params(); - $session_id = md5(uniqid(mt_rand(), TRUE)); + $session_id = drupal_hash_base64(uniqid(mt_rand(), TRUE) . drupal_random_bytes(55)); setcookie($insecure_session_name, $session_id, REQUEST_TIME + $params['lifetime'], $params['path'], $params['domain'], FALSE, $params['httponly']); $_COOKIE[$insecure_session_name] = $session_id; } diff --git a/includes/update.inc b/includes/update.inc index 424054584..317ffa577 100644 --- a/includes/update.inc +++ b/includes/update.inc @@ -294,7 +294,7 @@ function update_fix_d7_requirements() { global $update_rewrite_settings, $db_url; if (!empty($update_rewrite_settings)) { $databases = update_parse_db_url($db_url); - $salt = sha1(drupal_random_bytes(64)); + $salt = drupal_hash_base64(drupal_random_bytes(55)); file_put_contents(conf_path() . '/settings.php', "\n" . '$databases = ' . var_export($databases, TRUE) . ";\n\$drupal_hash_salt = '$salt';", FILE_APPEND); } if (drupal_get_installed_schema_version('system') < 7000 && !variable_get('update_d7_requirements', FALSE)) { -- cgit v1.2.3