Switch from md5 to sha256 for UIDs and tokens

2020-01-15 11:20:48 +01:00
parent 6697a6c8c4
commit c99a1f53df
5 changed files with 13 additions and 12 deletions
--- a/3
+++ b/3
@@ -70,7 +70,8 @@
 # Htpasswd encryption method
 # Value: plain | sha1 | ssha | crypt | bcrypt | md5
 # Only bcrypt can be considered secure.
-# bcrypt and md5 require the passlib library to be installed.
+# bcrypt requires the passlib[bcrypt] module and md5 requires
+# the passlib module.
 #htpasswd_encryption = bcrypt

 # Incorrect authentication delay (seconds)
--- a/radicale/item/init.py
+++ b/radicale/item/init.py
@@ -25,7 +25,7 @@ Module for address books and calendar entries (see ``Item``).

 import math
 import sys
-from hashlib import md5
+from hashlib import sha256
 from random import getrandbits

 import vobject
@@ -183,7 +183,7 @@ def get_etag(text):
    Encoded as quoted-string (see RFC 2616).

    """
-    etag = md5()
+    etag = sha256()
    etag.update(text.encode("utf-8"))
    return '"%s"' % etag.hexdigest()

--- a/radicale/storage/init.py
+++ b/radicale/storage/init.py
@@ -25,7 +25,7 @@ Take a look at the class ``BaseCollection`` if you want to implement your own.

 import contextlib
 import json
-from hashlib import md5
+from hashlib import sha256

 import pkg_resources
 import vobject
@@ -79,7 +79,7 @@ class BaseCollection:
    @property
    def etag(self):
        """Encoded as quoted-string (see RFC 2616)."""
-        etag = md5()
+        etag = sha256()
        for item in self.get_all():
            etag.update((item.href + "/" + item.etag).encode("utf-8"))
        etag.update(json.dumps(self.get_meta(), sort_keys=True).encode())
--- a/radicale/storage/multifilesystem/cache.py
+++ b/radicale/storage/multifilesystem/cache.py
@@ -19,7 +19,7 @@
 import os
 import pickle
 import time
-from hashlib import md5
+from hashlib import sha256

 from radicale import pathutils, storage
 from radicale.log import logger
@@ -54,7 +54,7 @@ class CollectionCacheMixin:
            self._storage._sync_directory(folder)

    def _item_cache_hash(self, raw_text):
-        _hash = md5()
+        _hash = sha256()
        _hash.update(storage.CACHE_VERSION)
        _hash.update(raw_text)
        return _hash.hexdigest()
--- a/radicale/storage/multifilesystem/sync.py
+++ b/radicale/storage/multifilesystem/sync.py
@@ -19,7 +19,7 @@
 import itertools
 import os
 import pickle
-from hashlib import md5
+from hashlib import sha256

 from radicale.log import logger

@@ -27,10 +27,10 @@ from radicale.log import logger
 class CollectionSyncMixin:
    def sync(self, old_token=None):
        # The sync token has the form http://radicale.org/ns/sync/TOKEN_NAME
-        # where TOKEN_NAME is the md5 hash of all history etags of present and
-        # past items of the collection.
+        # where TOKEN_NAME is the sha256 hash of all history etags of present
+        # and past items of the collection.
        def check_token_name(token_name):
-            if len(token_name) != 32:
+            if len(token_name) != 64:
                return False
            for c in token_name:
                if c not in "0123456789abcdef":
@@ -47,7 +47,7 @@ class CollectionSyncMixin:
                raise ValueError("Malformed token: %r" % old_token)
        # Get the current state and sync-token of the collection.
        state = {}
-        token_name_hash = md5()
+        token_name_hash = sha256()
        # Find the history of all existing and deleted items
        for href, item in itertools.chain(
                ((item.href, item) for item in self.get_all()),