I'm confused about #723802: convert to sha-256 and hmac from md5 and sha1. I understand that md5() shouldn't be used in secure applications, but is *any* use of md5() not allowed if we want to be NIST certified? All we're doing in XML sitemap is hashing the {xmlsitemap}.context array so we can easily look up the correct record.

Comments

Anonymous

I think it is a bit of overkill to use anything but md5 for a hash to identify files on the system. Where governments get concerned is with the private data of individuals: things like passwords and sensitive profile data. But the government can be unruly in its requests, so it will probably have to be documented well that md5 can be used for non-sensitive data, or else the Drupal security team may force the issue.

I can see the use of PGP in encrypting the node data as well, so that only those with the public key for the PGP would be able to read the node information, especially when we're talking about governments' uses of Drupal. But from what I gather from reading, NIST is more concerned about cryptography in general, in particular as it relates to FIPS. See http://www.nsrl.nist.gov/collision.html and http://csrc.nist.gov/publications/PubsFIPS.html.

Dave Reid

I'm wondering if I should just switch to something like hash('crc32') which should pass NIST standards and make it easier/shorter checksums.

Dave Reid

Never mind, we're going to go with drupal_hash_base64, which will give us a 43-character hash. I'll expand the {xmlsitemap_sitemap}.context_hash schema field's length to 64.

Dave Reid

Priority: Normal » Major

Dave Reid

Status: Active » Fixed

BAM! We're now using drupal_hash_base64() in D7, and a backport of drupal_hash_base64() that uses hash('sha256', $data, TRUE) if it's available, or sha1($data, TRUE) otherwise.

http://drupal.org/cvs?commit=413716
http://drupal.org/cvs?commit=413780
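As an added example (not the XML sitemap module's or Drupal core's code) of the two points above: the 43-character URL-safe digest that drupal_hash_base64() style encoding produces, and a backport that prefers hash('sha256', ..., TRUE) and falls back to sha1(..., TRUE). The function names prefixed example_ are hypothetical, and the recursive key sort before serialize() is an assumption added here so that two context arrays that differ only in key order hash to the same lookup key; the page does not show how the module canonicalizes the context array.

```php
<?php
// Added example, not module or core code.

/**
 * URL-safe, unpadded base64 of a SHA-256 digest, with raw SHA-1 as a
 * fallback when the hash extension is unavailable.
 * 32-byte SHA-256 -> 44 base64 chars minus one '=' -> 43 chars.
 * 20-byte SHA-1   -> 28 base64 chars minus one '=' -> 27 chars.
 * Either length fits the 64-character context_hash column.
 */
function example_hash_base64($data) {
  if (function_exists('hash')) {
    $digest = hash('sha256', $data, TRUE);
  }
  else {
    // Fallback path from the backport described in the comment above.
    $digest = sha1($data, TRUE);
  }
  // '+' and '/' are not URL-safe; '=' padding carries no information.
  return strtr(base64_encode($digest), array('+' => '-', '/' => '_', '=' => ''));
}

/**
 * Sort keys at every level so the serialized form is canonical.
 * (Assumption for this example: the real module may canonicalize differently.)
 */
function example_ksort_recursive(array &$array) {
  ksort($array);
  foreach ($array as &$value) {
    if (is_array($value)) {
      example_ksort_recursive($value);
    }
  }
  unset($value);
}

/**
 * Derive a stable lookup key from a sitemap context array.
 */
function example_context_hash(array $context) {
  example_ksort_recursive($context);
  return example_hash_base64(serialize($context));
}

// Constructed sample contexts, not real site data.
$a = array('language' => 'en', 'domain' => 'example.com');
$b = array('domain' => 'example.com', 'language' => 'en'); // same context, reordered keys
$c = array('language' => 'fr', 'domain' => 'example.com'); // different context

$hash_a = example_context_hash($a);
printf("%s (%d chars)\n", $hash_a, strlen($hash_a));
// Reordered keys must yield the same key; a changed value must not.
printf("a == b: %s\n", $hash_a === example_context_hash($b) ? 'yes' : 'no');
printf("a == c: %s\n", $hash_a === example_context_hash($c) ? 'yes' : 'no');
// Only the URL-safe alphabet appears, so the value can go straight into a URL or a DB key.
printf("url-safe: %s\n", preg_match('/^[A-Za-z0-9_-]+$/', $hash_a) ? 'yes' : 'no');
```

The value is an identifier, not a secret, so the concern is collisions rather than secrecy: with a 256-bit digest two distinct contexts will not share a key in practice, whereas a 32-bit checksum such as CRC32 is not a cryptographic hash and collisions between different inputs are trivial to produce. Note that without the key sort, serialize() of $a and $b differ and the same logical context would produce two records.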

gbrussel

Status: Fixed » Needs work

Updated to the 6.x-2.x-dev and received this error while attempting the database update:

Fatal error: Call to undefined function drupal_hash_base64() in /var/www/examplesite.com/html/sites/all/modules/xmlsitemap/xmlsitemap.module on line 475

Drupal 6.19
XML Sitemap 6.x-2.x-dev (Aug 30th)

It appears that hashing function is only available in D7. The function created in the latest snapshot is "xmlsitemap_drupal_hash_base64". Changing it to that function name produces more errors after doing a database update:

recoverable fatal error: Argument 1 passed to xmlsitemap_get_directory() must be an instance of stdClass, array given, called in /var/www/examplesite.com/html/sites/all/modules/xmlsitemap/xmlsitemap.module on line 393 and defined in /var/www/examplesite.com/html/sites/all/modules/xmlsitemap/xmlsitemap.module on line 761.
warning: rmdir(sites/default/files/xmlsitemap/) [function.rmdir]: Directory not empty in /var/www/examplesite.com/html/sites/all/modules/xmlsitemap/xmlsitemap.module on line 832.

I'm not sure what all that means or if it's related.

Dave Reid

Status: Needs work » Fixed

Thank you for the report. I fixed the fatal error: http://drupal.org/cvs?commit=414104 and http://drupal.org/cvs?commit=414108

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.