- Patch #723802 by pwolanin, grendzy: convert to sha-256 and hmac from md5 and sha1.

71713081 · Dries · 2a2f4cc0 · 71713081 · 71713081 · 71713081
Commit 71713081 authored May 01, 2010 by Dries
37 changed files
--- a/includes/actions.inc
+++ b/includes/actions.inc
@@ -197,7 +197,7 @@ function actions_get_all_actions() {
 }

 /**
- * Creates an associative array keyed by md5 hashes of function names or IDs.
+ * Creates an associative array keyed by hashes of function names or IDs.
 *
 * Hashes are used to prevent actual function names from going out into HTML
 * forms and coming back.
@@ -207,14 +207,14 @@ function actions_get_all_actions() {
 *   and associative arrays with keys 'label', 'type', etc. as values.
 *   This is usually the output of actions_list() or actions_get_all_actions().
 * @return
- *   An associative array whose keys are md5 hashes of the input array keys, and
+ *   An associative array whose keys are hashes of the input array keys, and
 *   whose corresponding values are associative arrays with components
 *   'callback', 'label', 'type', and 'configurable' from the input array.
 */
 function actions_actions_map($actions) {
  $actions_map = array();
  foreach ($actions as $callback => $array) {
-    $key = md5($callback);
+    $key = drupal_hash_base64($callback);
    $actions_map[$key]['callback']     = isset($array['callback']) ? $array['callback'] : $callback;
    $actions_map[$key]['label']        = $array['label'];
    $actions_map[$key]['type']         = $array['type'];
@@ -224,12 +224,12 @@ function actions_actions_map($actions) {
 }

 /**
- * Given an md5 hash of an action array key, returns the key (function or ID).
+ * Given a hash of an action array key, returns the key (function or ID).
 *
 * Faster than actions_actions_map() when you only need the function name or ID.
 *
 * @param $hash
- *   MD5 hash of a function name or action ID array key. The array key
+ *   Hash of a function name or action ID array key. The array key
 *   is a key into the return value of actions_list() (array key is the action
 *   function name) or actions_get_all_actions() (array key is the action ID).
 * @return
@@ -239,13 +239,20 @@ function actions_function_lookup($hash) {
  // Check for a function name match.
  $actions_list = actions_list();
  foreach ($actions_list as $function => $array) {
-    if (md5($function) == $hash) {
+    if (drupal_hash_base64($function) == $hash) {
      return $function;
    }
  }
-
+  $aid = FALSE;
  // Must be a configurable action; check database.
-  return db_query("SELECT aid FROM {actions} WHERE MD5(aid) = :hash AND parameters <> ''", array(':hash' => $hash))->fetchField();
+  $result = db_query("SELECT aid FROM {actions} WHERE parameters <> ''")->fetchAll(PDO::FETCH_ASSOC);
+  foreach ($result as $row) {
+    if (drupal_hash_base64($row['aid']) == $hash) {
+      $aid = $row['aid'];
+      break;
+    }
+  }
+  return $aid;
 }

 /**

--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -622,7 +622,7 @@ function drupal_settings_initialize() {
    ini_set('session.cookie_secure', TRUE);
  }
  $prefix = ini_get('session.cookie_secure') ? 'SSESS' : 'SESS';
-  session_name($prefix . md5($session_name));
+  session_name($prefix . substr(hash('sha256', $session_name), 0, 32));
 }

 /**
@@ -1697,6 +1697,91 @@ function drupal_block_denied($ip) {
  }
 }

+/**
+ * Returns a string of highly randomized bytes (over the full 8-bit range).
+ *
+ * This function is better than simply calling mt_rand() or any other built-in
+ * PHP function because it can return a long string of bytes (compared to < 4
+ * bytes normally from mt_rand()) and uses the best available pseudo-random source.
+ *
+ * @param $count
+ *   The number of characters (bytes) to return in the string.
+ */
+function drupal_random_bytes($count)  {
+  // $random_state does not use drupal_static as it stores random bytes.
+  static $random_state, $bytes;
+  // Initialize on the first call. The contents of $_SERVER includes a mix of
+  // user-specific and system information that varies a little with each page.
+  if (!isset($random_state)) {
+    $random_state = print_r($_SERVER, TRUE);
+    if (function_exists('getmypid')) {
+      // further initialize with the somewhat random PHP process ID.
+      $random_state .= getmypid();
+    }
+    $bytes = '';
+  }
+  if (strlen($bytes) < $count) {
+    // /dev/urandom is available on many *nix systems and is considered the
+    // best commonly available pseudo-random source.
+    if ($fh = @fopen('/dev/urandom', 'rb')) {
+      // PHP only performs buffered reads, so in reality it will always read
+      // at least 4096 bytes. Thus, it costs nothing extra to read and store
+      // that much so as to speed any additional invocations.
+      $bytes .= fread($fh, max(4096, $count));
+      fclose($fh);
+    }
+    // If /dev/urandom is not available or returns no bytes, this loop will
+    // generate a good set of pseudo-random bytes on any system.
+    // Note that it may be important that our $random_state is passed
+    // through hash() prior to being rolled into $output, that the two hash()
+    // invocations are different, and that the extra input into the first one -
+    // the microtime() - is prepended rather than appended. This is to avoid
+    // directly leaking $random_state via the $output stream, which could
+    // allow for trivial prediction of further "random" numbers.
+    while (strlen($bytes) < $count) {
+      $random_state = hash('sha256', microtime() . mt_rand() . $random_state);
+      $bytes .= hash('sha256', mt_rand() . $random_state, TRUE);
+    }
+  }
+  $output = substr($bytes, 0, $count);
+  $bytes = substr($bytes, $count);
+  return $output;
+}
+
+/**
+ * Calculate a base-64 encoded, URL-safe sha-256 hmac.
+ *
+ * @param $data
+ *   String to be validated with the hmac.
+ * @param $key
+ *   A secret string key.
+ *
+ * @return
+ *   A base-64 encoded sha-256 hmac, with + replaced with -, / with _ and
+ *   any = padding characters removed.
+ */
+function drupal_hmac_base64($data, $key) {
+  $hmac = base64_encode(hash_hmac('sha256', $data, $key, TRUE));
+  // Modify the hmac so it's safe to use in URLs.
+  return strtr($hmac, array('+' => '-', '/' => '_', '=' => ''));
+}
+
+/**
+ * Calculate a base-64 encoded, URL-safe sha-256 hash.
+ *
+ * @param $data
+ *   String to be hashed.
+ *
+ * @return
+ *   A base-64 encoded sha-256 hash, with + replaced with -, / with _ and
+ *   any = padding characters removed.
+ */
+function drupal_hash_base64($data) {
+  $hash = base64_encode(hash('sha256', $data, TRUE));
+  // Modify the hash so it's safe to use in URLs.
+  return strtr($hash, array('+' => '-', '/' => '_', '=' => ''));
+}
+
 /**
 * Generates a default anonymous $user object.
 *
@@ -2024,9 +2109,9 @@ function drupal_valid_test_ua($user_agent) {
  // the database is not yet initialized and we can't access any Drupal variables.
  // The file properties add more entropy not easily accessible to others.
  $filepath = DRUPAL_ROOT . '/includes/bootstrap.inc';
-  $key = sha1(serialize($databases) . filectime($filepath) . fileinode($filepath), TRUE);
+  $key = serialize($databases) . filectime($filepath) . fileinode($filepath);
  // The HMAC must match.
-  return $hmac == base64_encode(hash_hmac('sha1', $check_string, $key, TRUE));
+  return $hmac == drupal_hmac_base64($check_string, $key);
 }

 /**
@@ -2041,12 +2126,12 @@ function drupal_generate_test_ua($prefix) {
    // check the HMAC before the database is initialized. filectime()
    // and fileinode() are not easily determined from remote.
    $filepath = DRUPAL_ROOT . '/includes/bootstrap.inc';
-    $key = sha1(serialize($databases) . filectime($filepath) . fileinode($filepath), TRUE);
+    $key = serialize($databases) . filectime($filepath) . fileinode($filepath);
  }
   // Generate a moderately secure HMAC based on the database credentials.
   $salt = uniqid('', TRUE);
   $check_string = $prefix . ';' . time() . ';' . $salt;
-   return  $check_string . ';' . base64_encode(hash_hmac('sha1', $check_string, $key, TRUE));
+   return  $check_string . ';' . drupal_hmac_base64($check_string, $key);
 }

 /**

--- a/includes/common.inc
+++ b/includes/common.inc
@@ -2895,7 +2895,7 @@ function drupal_aggregate_css(&$css_groups) {
        if ($group['preprocess'] && $preprocess_css) {
          // Prefix filename to prevent blocking by firewalls which reject files
          // starting with "ad*".
-          $filename = 'css_' . md5(serialize($group['items'])) . '.css';
+          $filename = 'css_' . drupal_hash_base64(serialize($group['items'])) . '.css';
          $css_groups[$key]['data'] = drupal_build_css_cache($group['items'], $filename);
        }
        break;
@@ -3767,7 +3767,7 @@ function drupal_get_js($scope = 'header', $javascript = NULL) {
    // Prefix filename to prevent blocking by firewalls which reject files
    // starting with "ad*".
    foreach ($files as $key => $file_set) {
-      $filename = 'js_' . md5(serialize($file_set)) . '.js';
+      $filename = 'js_' . drupal_hash_base64(serialize($file_set)) . '.js';
      $uri = drupal_build_js_cache($file_set, $filename);
      // Only include the file if was written successfully. Errors are logged
      // using watchdog.
@@ -4340,45 +4340,6 @@ function drupal_json_output($var = NULL) {
  }
 }

-/**
- * Returns a string of highly randomized bytes (over the full 8-bit range).
- *
- * This function is better than simply calling mt_rand() or any other built-in
- * PHP function because it can return a long string of bytes (compared to < 4
- * bytes normally from mt_rand()) and uses the best available pseudo-random source.
- *
- * @param $count
- *   The number of characters (bytes) to return in the string.
- */
-function drupal_random_bytes($count)  {
-  // $random_state does not use drupal_static as it stores random bytes.
-  static $random_state;
-  // We initialize with the somewhat random PHP process ID on the first call.
-  if (empty($random_state)) {
-    $random_state = getmypid();
-  }
-  $output = '';
-  // /dev/urandom is available on many *nix systems and is considered the best
-  // commonly available pseudo-random source.
-  if ($fh = @fopen('/dev/urandom', 'rb')) {
-    $output = fread($fh, $count);
-    fclose($fh);
-  }
-  // If /dev/urandom is not available or returns no bytes, this loop will
-  // generate a good set of pseudo-random bytes on any system.
-  // Note that it may be important that our $random_state is passed
-  // through md5() prior to being rolled into $output, that the two md5()
-  // invocations are different, and that the extra input into the first one -
-  // the microtime() - is prepended rather than appended. This is to avoid
-  // directly leaking $random_state via the $output stream, which could
-  // allow for trivial prediction of further "random" numbers.
-  while (strlen($output) < $count) {
-    $random_state = md5(microtime() . mt_rand() . $random_state);
-    $output .= md5(mt_rand() . $random_state, TRUE);
-  }
-  return substr($output, 0, $count);
-}
-
 /**
 * Get a salt useful for hardening against SQL injection.
 *
@@ -4389,7 +4350,7 @@ function drupal_get_hash_salt() {
  global $drupal_hash_salt, $databases;
  // If the $drupal_hash_salt variable is empty, a hash of the serialized
  // database credentials is used as a fallback salt.
-  return empty($drupal_hash_salt) ? sha1(serialize($databases)) : $drupal_hash_salt;
+  return empty($drupal_hash_salt) ? hash('sha256', serialize($databases)) : $drupal_hash_salt;
 }

 /**
@@ -4400,7 +4361,7 @@ function drupal_get_hash_salt() {
 */
 function drupal_get_private_key() {
  if (!($key = variable_get('drupal_private_key', 0))) {
-    $key = md5(drupal_random_bytes(64));
+    $key = drupal_hash_base64(drupal_random_bytes(55));
    variable_set('drupal_private_key', $key);
  }
  return $key;
@@ -4413,10 +4374,7 @@ function drupal_get_private_key() {
 *   An additional value to base the token on.
 */
 function drupal_get_token($value = '') {
-  $private_key = drupal_get_private_key();
-  // A single md5() is vulnerable to length-extension attacks, so use it twice.
-  // @todo:  add md5 and sha1 hmac functions to core.
-  return md5(drupal_get_hash_salt() . md5(session_id() . $value . $private_key));
+  return drupal_hmac_base64($value, session_id() . drupal_get_private_key() . drupal_get_hash_salt());
 }

 /**
@@ -5247,7 +5205,7 @@ function drupal_render_cache_set(&$markup, $elements) {
 function drupal_render_cache_by_query($query, $function, $expire = CACHE_TEMPORARY, $granularity = NULL) {
  $cache_keys = array_merge(array($function), drupal_render_cid_parts($granularity));
  $query->preExecute();
-  $cache_keys[] = md5(serialize(array((string) $query, $query->getArguments())));
+  $cache_keys[] = hash('sha256', serialize(array((string) $query, $query->getArguments())));
  return array(
    '#query' => $query,
    '#pre_render' => array($function . '_pre_render'),

--- a/includes/form.inc
+++ b/includes/form.inc
@@ -203,7 +203,7 @@ function drupal_build_form($form_id, &$form_state) {
      }

      $form = drupal_retrieve_form($form_id, $form_state);
-      $form_build_id = 'form-' . md5(uniqid(mt_rand(), TRUE));
+      $form_build_id = 'form-' . drupal_hash_base64(uniqid(mt_rand(), TRUE) . mt_rand());
      $form['#build_id'] = $form_build_id;

      // Fix the form method, if it is 'get' in $form_state, but not in $form.
@@ -331,7 +331,7 @@ function drupal_rebuild_form($form_id, &$form_state, $old_form = NULL) {
  // Otherwise, a new #build_id is generated, to not clobber the previous
  // build's data in the form cache; also allowing the user to go back to an
  // earlier build, make changes, and re-submit.
-  $form['#build_id'] = isset($old_form['#build_id']) ? $old_form['#build_id'] : 'form-' . md5(mt_rand());
+  $form['#build_id'] = isset($old_form['#build_id']) ? $old_form['#build_id'] : 'form-' . drupal_hash_base64(uniqid(mt_rand(), TRUE) . mt_rand());

  // #action defaults to request_uri(), but in case of AJAX and other partial
  // rebuilds, the form is submitted to an alternate URL, and the original

--- a/includes/install.core.inc
+++ b/includes/install.core.inc
@@ -1011,7 +1011,7 @@ function install_settings_form_submit($form, &$form_state) {
    'required' => TRUE,
  );
  $settings['drupal_hash_salt'] = array(
-    'value'    => sha1(drupal_random_bytes(64)),
+    'value'    => drupal_hash_base64(drupal_random_bytes(55)),
    'required' => TRUE,
  );
  drupal_rewrite_settings($settings);

--- a/includes/locale.inc
+++ b/includes/locale.inc
@@ -1680,7 +1680,7 @@ function _locale_rebuild_js($langcode = NULL) {
    }

    $data .= "'strings': " . drupal_json_encode($translations) . " };";
-    $data_hash = md5($data);
+    $data_hash = drupal_hash_base64($data);
  }

  // Construct the filepath where JS translation files are stored.

--- a/includes/menu.inc
+++ b/includes/menu.inc
@@ -407,9 +407,9 @@ function menu_get_item($path = NULL, $router_item = NULL) {
    $parts = array_slice($original_map, 0, MENU_MAX_PARTS);
    $ancestors = menu_get_ancestors($parts);

-    // Since there is no limit to the length of $path, but the cids are
-    // restricted to 255 characters, use md5() to keep it short yet unique.
-    $cid = 'menu_item:' . md5($path);
+    // Since there is no limit to the length of $path, use a hash to keep it
+    // short yet unique.
+    $cid = 'menu_item:' . hash('sha256', $path);
    if ($cached = cache_get($cid, 'cache_menu')) {
      $router_item = $cached->data;
    }
@@ -1238,7 +1238,7 @@ function menu_tree_page_data($menu_name, $max_depth = NULL) {
 * Helper function - compute the real cache ID for menu tree data.
 */
 function _menu_tree_cid($menu_name, $data) {
-  return 'links:' . $menu_name . ':tree-data:' . $GLOBALS['language']->language . ':' . md5(serialize($data));
+  return 'links:' . $menu_name . ':tree-data:' . $GLOBALS['language']->language . ':' . hash('sha256', serialize($data));
 }

 /**

--- a/includes/password.inc
+++ b/includes/password.inc
@@ -16,8 +16,8 @@

 /**
 * The standard log2 number of iterations for password stretching. This should
- * increase by 1 at least every other Drupal version in order to counteract
- * increases in the speed and power of computers available to crack the hashes.
+ * increase by 1 every Drupal version in order to counteract increases in the
+ * speed and power of computers available to crack the hashes.
 */
 define('DRUPAL_HASH_COUNT', 14);

@@ -31,6 +31,11 @@
 */
 define('DRUPAL_MAX_HASH_COUNT', 30);

+/**
+ * The expected (and maximum) number of characters in a hashed password.
+ */
+define('DRUPAL_HASH_LENGTH', 55);
+
 /**
 * Returns a string for mapping an int to the corresponding base 64 character.
 */
@@ -49,7 +54,7 @@ function _password_itoa64() {
 * @return
 *   Encoded string
 */
-function _password_base64_encode($input, $count)  {
+function _password_base64_encode($input, $count) {
  $output = '';
  $i = 0;
  $itoa64 = _password_itoa64();
@@ -93,7 +98,7 @@ function _password_base64_encode($input, $count)  {
 *   A 12 character string containing the iteration count and a random salt.
 */
 function _password_generate_salt($count_log2) {
-  $output = '$P$';
+  $output = '$S$';
  // Minimum log2 iterations is DRUPAL_MIN_HASH_COUNT.
  $count_log2 = max($count_log2, DRUPAL_MIN_HASH_COUNT);
  // Maximum log2 iterations is DRUPAL_MAX_HASH_COUNT.
@@ -113,19 +118,23 @@ function _password_generate_salt($count_log2) {
 * for an attacker to try to break the hash by brute-force computation of the
 * hashes of a large number of plain-text words or strings to find a match.
 *
+ * @param $algo
+ *   The string name of a hashing algorithm usable by hash(), like 'sha256'.
 * @param $password
 *   The plain-text password to hash.
 * @param $setting
- *   An existing hash or the output of _password_generate_salt().
+ *   An existing hash or the output of _password_generate_salt().  Must be
+ *   at least 12 characters (the settings and salt).
 *
 * @return
 *   A string containing the hashed password (and salt) or FALSE on failure.
+ *   The return string will be truncated at DRUPAL_HASH_LENGTH characters max.
 */
-function _password_crypt($password, $setting)  {
+function _password_crypt($algo, $password, $setting) {
  // The first 12 characters of an existing hash are its setting string.
  $setting = substr($setting, 0, 12);

-  if (substr($setting, 0, 3) != '$P$') {
+  if ($setting[0] != '$' || $setting[2] != '$') {
    return FALSE;
  }
  $count_log2 = _password_get_count_log2($setting);
@@ -139,22 +148,21 @@ function _password_crypt($password, $setting)  {
    return FALSE;
  }

-  // We must use md5() or sha1() here since they are the only cryptographic
-  // primitives always available in PHP 5. To implement our own low-level
-  // cryptographic function in PHP would result in much worse performance and
-  // consequently in lower iteration counts and hashes that are quicker to crack
-  // (by non-PHP code).
-
+  // Convert the base 2 logrithm into an integer.
  $count = 1 << $count_log2;

-  $hash = md5($salt . $password, TRUE);
+  // We rely on the hash() function being available in PHP 5.2+.
+  $hash = hash($algo, $salt . $password, TRUE);
  do {
-    $hash = md5($hash . $password, TRUE);
+    $hash = hash($algo, $hash . $password, TRUE);
  } while (--$count);

-  $output =  $setting . _password_base64_encode($hash, 16);
+  $len = strlen($hash);
+  $output =  $setting . _password_base64_encode($hash, $len);
  // _password_base64_encode() of a 16 byte MD5 will always be 22 characters.
-  return (strlen($output) == 34) ? $output : FALSE;
+  // _password_base64_encode() of a 64 byte sha512 will always be 86 characters.
+  $expected = 12 + ceil((8 * $len) / 6);
+  return (strlen($output) == $expected) ? substr($output, 0, DRUPAL_HASH_LENGTH) : FALSE;
 }

 /**
@@ -182,7 +190,7 @@ function user_hash_password($password, $count_log2 = 0) {
    // Use the standard iteration count.
    $count_log2 = variable_get('password_count_log2', DRUPAL_HASH_COUNT);
  }
-  return _password_crypt($password, _password_generate_salt($count_log2));
+  return _password_crypt('sha512', $password, _password_generate_salt($count_log2));
 }

 /**
@@ -201,7 +209,7 @@ function user_hash_password($password, $count_log2 = 0) {
 *   TRUE or FALSE.
 */
 function user_check_password($password, $account) {
-  if (substr($account->pass, 0, 3) == 'U$P') {
+  if (substr($account->pass, 0, 2) == 'U$') {
    // This may be an updated password from user_update_7000(). Such hashes
    // have 'U' added as the first character and need an extra md5().
    $stored_hash = substr($account->pass, 1);
@@ -210,7 +218,23 @@ function user_check_password($password, $account) {
  else {
    $stored_hash = $account->pass;
  }
-  $hash = _password_crypt($password, $stored_hash);
+
+  $type = substr($stored_hash, 0, 3);
+  switch ($type) {
+    case '$S$':
+      // A normal Drupal 7 password using sha512.
+      $hash = _password_crypt('sha512', $password, $stored_hash);
+      break;
+    case '$H$':
+      // phpBB3 uses "$H$" for the same thing as "$P$".
+    case '$P$':
+      // A phpass password generated using md5.  This is an
+      // imported password or from an earlier Drupal version.
+      $hash = _password_crypt('md5', $password, $stored_hash);
+      break;
+    default:
+      return FALSE;
+  }
  return ($hash && $stored_hash == $hash);
 }

@@ -234,7 +258,7 @@ function user_check_password($password, $account) {
 */
 function user_needs_new_hash($account) {
  // Check whether this was an updated password.
-  if ((substr($account->pass, 0, 3) != '$P$') || (strlen($account->pass) != 34)) {
+  if ((substr($account->pass, 0, 3) != '$S$') || (strlen($account->pass) != DRUPAL_HASH_LENGTH)) {
    return TRUE;
  }
  // Check whether the iteration count used differs from the standard number.

--- a/includes/session.inc
+++ b/includes/session.inc
@@ -206,7 +206,10 @@ function drupal_session_initialize() {
    // processes (like drupal_get_token()) needs to know the future
    // session ID in advance.
    $user = drupal_anonymous_user();
-    session_id(md5(uniqid('', TRUE)));
+    // Less random sessions (which are much faster to generate) are used for
+    // anonymous users than are generated in drupal_session_regenerate() when
+    // a user becomes authenticated.
+    session_id(drupal_hash_base64(uniqid(mt_rand(), TRUE)));
  }
  date_default_timezone_set(drupal_get_user_timezone());
 }
@@ -284,7 +287,7 @@ function drupal_session_regenerate() {
  if ($is_https && variable_get('https', FALSE)) {
    $insecure_session_name = substr(session_name(), 1);
    $params = session_get_cookie_params();
-    $session_id = md5(uniqid(mt_rand(), TRUE));
+    $session_id = drupal_hash_base64(uniqid(mt_rand(), TRUE) . drupal_random_bytes(55));
    setcookie($insecure_session_name, $session_id, REQUEST_TIME + $params['lifetime'], $params['path'], $params['domain'], FALSE, $params['httponly']);
    $_COOKIE[$insecure_session_name] = $session_id;
  }

--- a/includes/update.inc
+++ b/includes/update.inc
@@ -294,7 +294,7 @@ function update_fix_d7_requirements() {
  global $update_rewrite_settings, $db_url;
  if (!empty($update_rewrite_settings)) {
    $databases = update_parse_db_url($db_url);
-    $salt = sha1(drupal_random_bytes(64));
+    $salt = drupal_hash_base64(drupal_random_bytes(55));
    file_put_contents(conf_path() . '/settings.php', "\n" . '$databases = ' . var_export($databases, TRUE) . ";\n\$drupal_hash_salt = '$salt';", FILE_APPEND);
  }
  if (drupal_get_installed_schema_version('system') < 7000 && !variable_get('update_d7_requirements', FALSE)) {

--- a/modules/aggregator/aggregator.install
+++ b/modules/aggregator/aggregator.install
@@ -170,10 +170,10 @@ function aggregator_schema() {
      ),
      'hash' => array(
        'type' => 'varchar',
-        'length' => 32,
+        'length' => 64,
        'not null' => TRUE,
        'default' => '',
-        'description' => 'Calculated md5 hash of the feed data, used for validating cache.',
+        'description' => 'Calculated hash of the feed data, used for validating cache.',
      ),
      'etag' => array(
        'type' => 'varchar',
@@ -275,7 +275,7 @@ function aggregator_schema() {
 * Add hash column to aggregator_feed table.
 */
 function aggregator_update_7000() {
-  db_add_field('aggregator_feed', 'hash', array('type' => 'varchar', 'length' => 32, 'not null' => TRUE, 'default' => ''));
+  db_add_field('aggregator_feed', 'hash', array('type' => 'varchar', 'length' => 64, 'not null' => TRUE, 'default' => ''));
 }

 /**
@@ -297,3 +297,4 @@ function aggregator_update_7002() {
  ));
  db_add_index('aggregator_feed', 'queued', array('queued'));
 }
+
--- a/modules/aggregator/aggregator.module
+++ b/modules/aggregator/aggregator.module
@@ -614,12 +614,12 @@ function aggregator_refresh($feed) {
  list($fetcher, $parser, $processors) = _aggregator_get_variables();
  $success = module_invoke($fetcher, 'aggregator_fetch', $feed);

-  // We store the md5 hash of feed data in the database. When refreshing a
+  // We store the hash of feed data in the database. When refreshing a
  // feed we compare stored hash and new hash calculated from downloaded
  // data. If both are equal we say that feed is not updated.
-  $md5 = md5($feed->source_string);
+  $hash = hash('sha256', $feed->source_string);

-  if ($success && ($feed->hash != $md5)) {
+  if ($success && ($feed->hash != $hash)) {
    // Parse the feed.
    if (module_invoke($parser, 'aggregator_parse', $feed)) {
      // Update feed with parsed data.
@@ -630,7 +630,7 @@ function aggregator_refresh($feed) {
          'link' => empty($feed->link) ? $feed->url : $feed->link,
          'description' => empty($feed->description) ? '' : $feed->description,
          'image' => empty($feed->image) ? '' : $feed->image,
-          'hash' => $md5,
+          'hash' => $hash,
          'etag' => empty($feed->etag) ? '' : $feed->etag,
          'modified' => empty($feed->modified) ? 0 : $feed->modified,
        ))

--- a/modules/aggregator/tests/aggregator_test.module
+++ b/modules/aggregator/tests/aggregator_test.module
@@ -25,7 +25,7 @@ function aggregator_test_menu() {
 */
 function aggregator_test_feed($use_last_modified = FALSE, $use_etag = FALSE) {
  $last_modified = strtotime('Sun, 19 Nov 1978 05:00:00 GMT');
-  $etag = md5($last_modified);
+  $etag = drupal_hash_base64($last_modified);

  $if_modified_since = isset($_SERVER['HTTP_IF_MODIFIED_SINCE']) ? strtotime($_SERVER['HTTP_IF_MODIFIED_SINCE']) : FALSE;
  $if_none_match = isset($_SERVER['HTTP_IF_NONE_MATCH']) ? stripslashes($_SERVER['HTTP_IF_NONE_MATCH']) : FALSE;

--- a/modules/book/book.admin.inc
+++ b/modules/book/book.admin.inc
@@ -154,7 +154,7 @@ function _book_admin_table($node, &$form) {
  $tree = book_menu_subtree_data($node->book);
  $tree = array_shift($tree); // Do not include the book item itself.
  if ($tree['below']) {
-    $hash = sha1(serialize($tree['below']));
+    $hash = drupal_hash_base64(serialize($tree['below']));
    // Store the hash value as a hidden form element so that we can detect
    // if another user changed the book hierarchy.
    $form['tree_hash'] = array