I'm confused about #723802: convert to sha-256 and hmac from md5 and sha1. I understand that md5() shouldn't be used in a secure application, but is *any* use of md5() not allowed to be NIST certified? All we're doing in XML sitemap is hashing the {xmlsitemap}.context array so we can easily look up the correct record.
Comments
Comment #1
Anonymous (not verified)
I think it is a bit of overkill to use anything but md5 for a hash to identify files on the system. Where governments get concerned is with the private data of individuals: things like passwords and sensitive profile data. But the government can be unruly in its requests, so it will probably have to be documented well that md5 can be used for insensitive data, else the Drupal security team may force the issue.
I can see the use of pgp in encrypting the node data as well, so that only those with the public key for the pgp would be able to read the node information, especially when we're talking about governments' uses of Drupal. But what I gather from reading is that NIST is more concerned about cryptography in general, in particular as it relates to FIPS. See http://www.nsrl.nist.gov/collision.html and http://csrc.nist.gov/publications/PubsFIPS.html.
Comment #2
Dave Reid
I'm wondering if I should just switch to something like hash('crc32'), which should pass NIST standards and make for easier/shorter checksums.
Comment #3
Dave Reid
Nm, we're going to go with drupal_hash_base64, which will give us a 43-character hash. I'll expand the {xmlsitemap_sitemap}.context_hash schema field's length to 64.
Comment #4
Dave Reid
Comment #5
Dave Reid
BAM! We're now using drupal_hash_base64() in D7 and a backport of drupal_hash_base64() that uses hash('sha256', $data, TRUE) if it's available or sha1($data, TRUE).
http://drupal.org/cvs?commit=413716
http://drupal.org/cvs?commit=413780
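An illustration of the approach described in comment #5, added here and not taken from the module's commits: a URL-safe base64 digest that prefers SHA-256 (43 characters) and falls back to SHA-1 (27 characters), used as a lookup key for a context array. The `example_` function names, the key sorting and the sample context values are assumptions made for this sketch.

```php
<?php
// Added example; the example_* names are hypothetical, not the module's API.

/**
 * URL-safe base64 of a SHA-256 digest, falling back to SHA-1 when the
 * hash extension or the sha256 algorithm is unavailable.
 */
function example_hash_base64($data) {
  if (function_exists('hash') && in_array('sha256', hash_algos(), TRUE)) {
    $digest = hash('sha256', $data, TRUE);  // 32 raw bytes
  }
  else {
    $digest = sha1($data, TRUE);            // 20 raw bytes
  }
  // Standard base64 uses '+', '/' and '=' padding. Replace or strip them so
  // the value is safe in URLs and has a fixed length per algorithm.
  return strtr(base64_encode($digest), array('+' => '-', '/' => '_', '=' => ''));
}

/**
 * Lookup key for a context array. Sorting the keys first (an assumption of
 * this sketch) makes the key independent of the order the array was built in.
 */
function example_context_hash(array $context) {
  ksort($context);
  return example_hash_base64(serialize($context));
}

// Constructed sample contexts: same entries, different insertion order.
$a = example_context_hash(array('language' => 'en', 'domain' => 'example.com'));
$b = example_context_hash(array('domain' => 'example.com', 'language' => 'en'));

// Both lengths (43 for SHA-256, 27 for SHA-1) fit a 64-character column.
var_dump(strlen($a) <= 64);
// Equal keys mean both arrays resolve to the same stored record.
var_dump($a === $b);
```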
Comment #6
gbrussel
Updated to the 6.x-2.x-dev and received this error while attempting the database update:
Fatal error: Call to undefined function drupal_hash_base64() in /var/www/examplesite.com/html/sites/all/modules/xmlsitemap/xmlsitemap.module on line 475
Drupal 6.19
XML Sitemap 6.x-2.x-dev (Aug 30th)
It appears that the hashing function is only available on D7. The function created in the latest snapshot is "xmlsitemap_drupal_hash_base64". Changing it to that function name lists more errors after doing a database update.
I'm not sure what all that means or if it's related.
Comment #7
Dave Reid
Thank you for the report, I fixed the fatal error: http://drupal.org/cvs?commit=414104 and http://drupal.org/cvs?commit=414108