From 1ba6a84e4366ff8d4ad12af39d7c3e8ab0ba474b Mon Sep 17 00:00:00 2001
From: Aaron Schulz
Date: Thu, 22 Nov 2012 19:35:15 -0800
Subject: [PATCH] [LockManager] Use proper hmac function for LSLockManager.
Change-Id: If4a3d25a61bcc7cf26beb32abf3d4cc655ca4c55
---
 includes/filebackend/lockmanager/LSLockManager.php | 2 +-
 maintenance/locking/LockServerDaemon.php | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/includes/filebackend/lockmanager/LSLockManager.php b/includes/filebackend/lockmanager/LSLockManager.php
index 894281828c..3de6183768 100644
--- a/includes/filebackend/lockmanager/LSLockManager.php
+++ b/includes/filebackend/lockmanager/LSLockManager.php
@@ -169,7 +169,7 @@ class LSLockManager extends QuorumLockManager {
 $authKey = $this->lockServers[$lockSrv]['authKey'];
 // Build of the command as a flat string...
 $values = implode( '|', $values );
- $key = sha1( $this->session . $action . $type . $values . $authKey );
+ $key = hash_hmac( 'sha1', "{$this->session}\n{$action}\n{$type}\n{$values}", $authKey );
 // Send out the command...
 if ( fwrite( $conn, "{$this->session}:$key:$action:$type:$values\n" ) === false ) {
 return false;
diff --git a/maintenance/locking/LockServerDaemon.php b/maintenance/locking/LockServerDaemon.php
index c5916657b4..435898994a 100644
--- a/maintenance/locking/LockServerDaemon.php
+++ b/maintenance/locking/LockServerDaemon.php
@@ -242,7 +242,9 @@ class LockServerDaemon {
 $m = explode( ':', $data ); //
 if ( count( $m ) == 5 ) {
 list( $session, $key, $command, $type, $values ) = $m;
- if ( sha1( $session . $command . $type . $values . $this->authKey ) !== $key ) {
+ $goodKey = hash_hmac( 'sha1',
+ "{$session}\n{$command}\n{$type}\n{$values}", $this->authKey );
+ if ( $goodKey !== $key ) {
 return 'BAD_KEY';
 } elseif ( strlen( $session ) !== 32 ) {
 return 'BAD_SESSION';
--
2.20.1
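Review bot: Nothing on the new `$key = hash_hmac( 'sha1', ... )` line in LSLockManager.php records that the HMAC input layout is a wire contract with the lock daemon. A daemon still running the old `sha1()` check would answer `BAD_KEY` to every command from an upgraded client, so both sides have to be deployed together. I would add a comment above the line such as `// HMAC-SHA1 over "session\naction\ntype\nvalues", keyed with authKey; must match LockServerDaemon`. The enclosing method starts and ends outside the hunk.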
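Review bot: The comparison `$goodKey !== $key` in LockServerDaemon.php is not constant-time, so how long a rejection takes can depend on how much of the supplied MAC is correct. Where the supported PHP version provides it (5.6 or later), `if ( !hash_equals( $goodKey, $key ) ) {` is the safer form; older versions would need a fixed-time comparison helper. Separately, the MAC covers only session, command, type and values, with no nonce or timestamp, so as far as this hunk shows an identical line would verify a second time. Whether that matters depends on how the daemon handles repeated commands, which is outside the hunk, as are the start and end of the enclosing method.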